2000 Legislative Session: 4th Session, 36th Parliament
SPECIAL COMMITTEE ON INFORMATION PRIVACY IN THE PRIVATE SECTOR
MINUTES AND HANSARD


MINUTES

SPECIAL COMMITTEE ON INFORMATION PRIVACY IN THE PRIVATE SECTOR

Monday, June 12, 2000
3:30 – 4:30 p.m.

Birch Committee Room
Parliament Buildings, Victoria


Present:
R. Kasper, MLA (Chair); P. Calendino, MLA; G. Clark, MLA; S. Orcherton, MLA; E. Walsh, MLA; G. Plant, MLA; G. Abbott, MLA; K. Whittred, MLA

Unavoidably Absent: J. Weisbeck, MLA (Deputy Chair); G. Janssen, MLA

Other Members Present: C. Hansen, MLA

1. The Chair called the Committee to order at 3:42 p.m.

2. The Committee discussed the proposed Electronic Transactions Act and heard testimony from the following witness:

- Brent Grover, Senior Project Manager, Information Management, Corporate Policy and Standards, Information, Science and Technology Agency

3. The Committee reviewed a summary of recent polling experiences and heard testimony from the following witness:

- Kevin McKee, Information and Privacy Analyst, Corporate and Information Access, Information, Science and Technology Agency

4. The Committee adjourned to the call of the Chair at 4:38 p.m.

Rick Kasper, MLA
Chair

Craig James
Clerk of Committees and
Clerk Assistant


The following electronic version is for informational purposes only.
The printed version remains the official version.

REPORT OF PROCEEDINGS
(Hansard)

SELECT STANDING COMMITTEE
ON INFORMATION PRIVACY
IN THE PRIVATE SECTOR

MONDAY, JUNE 12, 2000

Issue No. 10

Chair: * Rick Kasper (Malahat-Juan de Fuca NDP)
Deputy Chair: * John Weisbeck (Okanagan East L)
Members: * Pietro Calendino (Burnaby North NDP)
* Glen Clark (Vancouver-Kingsway NDP)
   Gerard Janssen (Alberni NDP)
* Steve Orcherton (Victoria-Hillside NDP)
* Erda Walsh (Kootenay NDP)
* George Abbott (Shuswap L)
* Geoff Plant (Richmond-Steveston L)
* Katherine Whittred (North Vancouver-Lonsdale L)
Other MLAs present: Colin Hansen (Vancouver-Quilchena)
Clerk: Craig James

Witnesses: Byron Barnard (Ministry of Advanced Education, Training and Technology)
Brent Grover (Ministry of Advanced Education, Training and Technology)
Kevin McKee (Ministry of Advanced Education, Training and Technology)
Chris Norman (Ministry of Advanced Education, Training and Technology)

* Denotes member present


 [ Page 111 ]

The committee met at 3:42 p.m.

R. Kasper (Chair): If we could get our meeting started, we have an agenda here. The Clerk's office is just going to circulate kind of an. . . .

A Voice: Where's John?

R. Kasper (Chair): John's away. I believe he'll be back tomorrow, but he's away.

We've got here Byron Barnard, who is the ADM and deputy chief information officer for the Information, Science and Technology Agency. I'll call upon you, Byron, to at least give your introduction and what you'd like to talk to the committee about. I'll turn it over to you.

B. Barnard: Thank you very much, Mr. Chair.

You've met Chris Norman before. Chris Norman is the director of the corporate privacy and information access branch. I have Kevin McKee, as well, beside me on my right, and Brent Grover behind, who will take my place when I'm finished here in this chair.

We're going to review some of the technology aspects with you today. I'm going to specifically talk about the electronic transactions act, some work that is underway here. Kevin McKee will give you a bit of a summary of some of the polling information that's been done on privacy. Brent Grover will give you an overview of some of the technology topics on secure transactions. If there is some time, Kevin McKee will talk about some oversight and audit aspects, considerations that you may want to keep in mind while drafting legislation.

So maybe just in terms of background on. . . . You have a number of. . . . [Laughter.] Sounds like Windows is starting there.

[1545]

A Voice: Somebody's monitoring us.

B. Barnard: Microsoft is here.

A Voice: They're everywhere.

B. Barnard: You have a number of handouts. Each one of the topics that we're talking about here this afternoon. . . . The Clerk has some handouts for you.

I'll just refer to one here, Craig. It's the Globe and Mail article that's hot off the press today: "New Laws Aim to Ease Uncertainties of E-Commerce." What's happened here. . . . Just to give you a bit of background on e-transactions or electronic transactions legislation, in law there are really two schools of thought on this. The traditional view is that there is no need for electronic transactions legislation, that the practice of law has been well established in terms of contracts. And if there is a dispute, we go to court and litigate it. An emerging view, however, some of the new legal thinking, is that there is something fundamental changing out there in the environment. It has to do with electronic commerce and the introduction of technology, and the law needs to be brought up to date to accommodate it.

To that end, there have been some international bodies that have drafted some e-commerce template legislation or a model code, in that respect. There has also been some Canadian work by the federal government on the Uniform Law Conference in establishing, again, a template act or a model code for Canada. Several of the provinces, as indicated in this particular document that you should have now -- Saskatchewan, Manitoba, Ontario -- and the federal government have moved forward with their own electronic commerce legislation, their electronic transactions acts.

The key principle behind this is the notion of electronic equivalence -- the fact that because a transaction is done electronically, the transaction will not be invalid solely because it is in electronic form. The legislation that most jurisdictions have enacted does not compel electronic transactions, but it's enabling legislation. It indicates that consent may be inferred from an individual when they interact with government or a commercial organization. If they interact electronically, consent may be inferred that you can interact electronically with that individual or company in response.

The nature of most legislation has several parts to it. There is a definitions part; there is a functional equivalence part. There is an aspect of the legislation that deals with contract or dispute resolution and sets out the rules around that for electronic entities. And, fourthly, there is typically a part that affects bills of lading and commerce and trucking to deal with customs aspects. We are currently in the process of developing some legislation here in B.C.; it's under development as we speak.

With that, unless there are some questions, maybe I'll. . . . Part 2 of Bill C-6, as you may be aware, is the federal government's equivalent of the electronic transactions act.

R. Kasper (Chair): What is the status of that?

B. Barnard: It has been passed.

R. Kasper (Chair): Okay. Great. Do members have any questions?

B. Barnard: On with the next part then, I guess, which would be Kevin McKee giving you an update. There is a handout, also, on some of the polling activity. And if you'll excuse me, I've. . . .

G. Clark: Can I just ask one question?

R. Kasper (Chair): Sure. Yes.

G. Clark: This deals with the enforceability of contracts. It doesn't deal in any way with privacy issues around it.

B. Barnard: No.

G. Clark: So it doesn't deal with a requirement for superencryption or anything like that in terms of transactions.

B. Barnard: It's indifferent with respect to the privacy aspects. That's covered by privacy legislation.

G. Clark: Well, it's not covered by privacy legislation, but perhaps it should be. That's one of the issues we're dealing with.

[ Page 112 ]

B. Barnard: Well, yes, in terms of the private sector coverage.

G. Clark: All this really does is make contracts you enter into over the Internet, for want of a better word, enforceable, the same as any paper contract.

B. Barnard: "Functionally equivalent to" basically gives functional equivalence to an electronic signature as a natural signature and to an electronic document as a natural paper document.

G. Clark: Right. Do you think it's advisable to have the different legislation -- one that deals solely with making electronic signatures and electronic contracts -- enforceable, separate and distinct from the privacy concerns around them? In other words, just reading quickly through it, it looks like Ontario and others are bringing in e-commerce legislation that only deals with bringing the electronic side in concert with the paper economy. They don't deal with the encryption questions or privacy questions or sharing-of-information questions.

[1550]

B. Barnard: I guess the only different piece of legislation would be the federal legislation itself, Bill C-6, which has both. That was really more of an accident than a deliberate act by the federal government.

G. Clark: I guess maybe the privacy issue is more difficult. This is my personal view. It seemed to me that if you're bringing in e-commerce legislation which legalizes or codifies the legal framework around which those issues are dealt with, there may be an advantage at the same time for the consumer to spell out -- at least, reasonably clearly -- expectations and legal rights that they may have with respect to the privacy of that information and the dissemination of that information.

R. Kasper (Chair): Chris Norman, director of corporate privacy and information access branch, did you want to add a comment?

C. Norman: One comment I might make on that is that the privacy legislation that was put into place at the federal level and I think is being contemplated in other provinces is very much intended to be technology-neutral. So along the lines of the point that was made in the briefing last time, they're trying to get to a place to say that this is not just an e-commerce issue or an electronic transactions issue, but this is a transactions issue, irrespective of medium.

So in one sense, if you tie the privacy parts too inextricably to e-commerce legislation, in essence you may be limiting the kind of scope that you want to cover. And if you notice, even in Bill C-6, the part that deals with the privacy issues is completely technology-neutral. They essentially tacked the e-transactions part onto it primarily for convenience to bring it through. But if you look at the e-transactions part, it's in essence very little more than a statement to say that if you've done it in paper, you can do it electronically -- full stop. The framework is more intended to try to address the full range of private sector commercial activity.

G. Clark: Well, maybe it's just me -- I don't know -- but it seems to me that there is a need for some regulation around ensuring privacy. Right now it's really completely caveat emptor. If I want to look up my. . . . In fact, I just did this. I looked up my mutual funds to see how much is in there -- a paltry amount. I didn't realize that I didn't have the most recent Netscape Navigator version, and it denied me access -- I looked at it, I guess, four or five months ago -- because I had to have superencryption to get access to it, which was fine with me. I just downloaded the new version and got access. And I was quite reasonably pleased with that just as a consumer, because I assume -- maybe that's correct or incorrect -- a certain level of security with respect to that information.

On the other hand, what would be stopping them, other than good business practices or concern about clients from a business perspective, from not having superencryption required for access? Therefore theoretically -- or more than theoretically, I guess -- it would be possible for someone to hack in and access that information.

I'm not saying that the government should say that everything has to be superencryption. Frankly, one concern I have is that the technology changes so fast that it would be very difficult in legislation, it seems to me, to prescribe a solution which may be defunct or invalid a few months or a few weeks hence.

On the other hand, it seems to me that consumers should have some degree of comfort that corporations which are working in an e-commerce world have some legislative regime which requires a high degree of security. It just seems to me that if you bring in legislation that only deals with legitimizing e-commerce legally and making it parallel with the paper economy, you are, in some respects, sanctioning that transaction by government. It just seems to me that it may make sense to have at least a part of the legislation or companion legislation that deals in some fashion with the regulatory regime around it for privacy purposes.

[1555]

B. Barnard: I think there are really two aspects of the issue here in terms of a transaction, which are of principal importance to people and to companies. One is the protection of the data, or encryption. The other aspect of it is: what degree of assurance do you have that you are dealing with the party whom you intend to deal with, whether it is the Royal Bank, in case of mutual funds, or whether it is another individual?

There's a whole range of transactions, but certainly in terms of government's interaction with business and with the public, those are the issues that we are dealing with all the time in trying to get program managers to first of all consider what the business requirements are. But they determine those business requirements. Once the business requirements are determined, then there are various ranges of how you protect the data and how you assure yourself of the identity of the party that you are dealing with. Now how much of that you want to build into legislation, I'm not sure.

G. Clark: Or can even build in. . . .

B. Barnard: Yeah.

[ Page 113 ]

S. Orcherton: I just want to follow up on that a little bit. When you say "around ordinary commercial dealings," yeah, the law, one would think, would apply. I mean, if I use my computer and order a lawn mower and use my credit card, and the lawn mower arrives and I'm happy, then the world's a wonderful place. But if I find that my credit card number is being used for something else, then I can deal with that through the credit card company and have it dealt with. So those kinds of transactions. . . .

G. Clark: You have to put it together then, when you. . . .

S. Orcherton: Well, I'd order mine actually already assembled, as some would know.

But in any event, that seems fairly straightforward to me. What concerns me is: where does all the information go? And I don't know a lot about these issues, but I know that they are of concern to lots of people -- about the privacy side of things.

Coincidentally, on television last night there was a newscast, and they were talking about how all of the information on all of the computers at some point touches the same point. And there's the capacity there to record all of those transactions, all of those dealings, all of those numbers, all of the information, in terms of your e-mail and in terms of all kinds of different things that go on. Have you had a chance to look at any of that? Have you considered those kinds of things? Is that true? Or is it something that's out there to. . . ?

B. Barnard: You raise a really important issue, which is something that I think the technology people are gradually becoming more and more aware of because of the privacy people. Even with your illustration of purchasing that lawn mower, in simple terms, they don't need any personal information from you. All the lawn mower suppliers need is to know that you've got money in the bank, which your Visa card basically assures them. They don't need to have any personal information, necessarily, other than a shipping address.

One of the things that we're focusing on quite a bit, or trying to focus on as we build awareness of this, is for people who are designing electronic commerce systems or systems that interact electronically to think about privacy as a design objective, not necessarily as an obstacle to overcome at the end of the process. They should think of it up front and actually justify, in many respects, through a privacy impact assessment, which Kevin has spent a lot of time on here. . . . Think about the aspects of personal information that you absolutely need to record.

I'll give another example here in the province. We've recently put up campground reservation capability, and it asks for your name and address. The bottom line is that we don't need that. All we need to know is that you've got the ability to pay for that campground reservation through a MasterCard number. What you need to know is that you're given some kind of a permit with a number on it, which says that if you show up at such and such a campground at a point in time, you are authorized to camp there. No personal information is required.

Having said that, there is the argument, though, in order to serve you better -- the fact that you have come to the campground reservation site, you've expressed an interest in camping and you've paid some money to make an on-line reservation. There is the service quality aspect of that, and they might say: "If you would consent to give some personal information, we could serve you better and provide you with some better services related to recreational activities in the province than in the past."

There is this whole issue where I think that, as you are well aware. . . .

G. Clark: We have recommendations for you.

B. Barnard: Right. The notion is that personal information really is an individual's personal property and theirs to consent to give and not an organization's right to assume that they can collect from you. I think there's a tremendous amount of awareness on the part of the public that has to be raised, as we move forward in this area of electronic commerce.

[1600]

G. Plant: One of the challenges, I find, is that every time you open the door to any part of this issue, you immediately see hallways going to 50 other interesting places.

The place that we started with this afternoon is a place that's technically outside our mandate but is, I think, of importance to the understanding of our mandate. That is the fact that the province is working -- in response to the work of the Uniform Law Conference -- on considering whether or not to implement, as a piece of legislation in British Columbia, legislation which has now been introduced in three other provinces in keeping, more or less, with the ULC recommendations. That is to put in place a basic structure of authenticity.

Authenticity, oddly enough, is actually not on our agenda of issues. The agenda of issues we have is so enormous that. . . . I'm delighted to hear that there is in fact consideration being given in the province to the important issue of authenticity. But I think that if we spent much more time on it, we'd be working as a committee until the year 2010. So let's move on.

R. Kasper (Chair): Now we're going to hear from Kevin McKee. Kevin, could you just state your name for the record and tell us what your official position is.

K. McKee: My name is Kevin McKee. I am a corporate information and privacy analyst with the corporate privacy and information access branch of ISTA.

Today I'm going to be speaking to you briefly on issues around polling information and views of the public with regard to privacy issues. You'll be receiving a three-page paper that has some basic information about the activity in polling, some of the focuses that that polling has predominated and then some simple questions and answers about major issues regarding polling that you may be asked about by the public.

In terms of polling activity, the advent of the Internet as a tool for commerce has brought about a significant change in attitude towards privacy. All of the polling and survey work done in the last few years has showed a heightened awareness of privacy and security of personal information, especially in the area of e-commerce activity. For example, in 1998, from the analysis that I did, a major poll was conducted approximately every second month that included aspects of privacy within the questions. In 1999 it was an average of one major survey per month, basically a doubling of activity.

[ Page 114 ]

This year Angus Reid, in one month alone, conducted two polls that asked questions regarding privacy, and they're not atypical of what's been happening in the industry. The issue has expanded virtually on a year-by-year basis in a doubling fashion.

What we have been able to determine so far is that the majority, probably as high as 90 percent of the polling and survey work that's been done, has related to the Internet and its usage. This appears to be the key issue to which they are linking privacy, rather than looking at the relationship to non-electronic commerce activity. But there have been some questions asked that have related to the ordinary transactions of everyday life, and those too have been expanding, though not at the same rate. Clearly electronic commerce and the Internet have become the chief issue.

In terms of the focuses -- there are three major focuses thus far -- most of the polling has been American, so there's a certain amount of flavour of issues within the United States related to it. The first one is: how significant is privacy as a limitation on the use of the Internet for e-commerce activity? And you'll see here some general information that we pulled out. Up to 75 percent of the people polled who do not use the Internet currently for purchases are acting out of concerns about privacy or the misuse of their personal information.

In a survey done in December '99, Angus Reid found that 88 percent of the public are concerned about the release of their personal information when shopping online. The questions, basically, in this area tend to demonstrate that people have a concern that companies might be releasing the information or using it for other purposes.

G. Clark: Is there a distinction on the age? Are older people more worried about the Internet and security than younger people?

K. McKee: There haven't been a lot of studies that showed differentiation. It tends to be younger-oriented, but that's probably because use of the Internet is much higher with younger age groups than it is with older age groups.

[1605]

G. Clark: But is the concern higher amongst young people?

K. McKee: Well, there's no tracking, independently, of the concern; it seems to be a general concern. The numbers actually show up as being a lot more young people expressing the concern, but that's because they tend to be the users of the Internet. So it's hard to determine.

G. Clark: It's young, under 50.

G. Plant: What I'm not sure about is the relationship between what people say and what they do. If all the people who know about. . . . People say they're concerned about their privacy rights when they're on line, but they go on line. And someone who might be more of a skeptic than me might say: "All right, so what?" What I'm interested in is whether you know if the polling finds a difference in the rate of alarm about privacy issues between the people who go on line and use the Internet for consumer transactions and the rest of the population, because if there's no difference, then, well, I think it's a significant fact.

I'm less sympathetic, in a way, to people who say they're highly alarmed about their privacy rights on the Internet if they're ordering 50 books a week from book companies on the Internet than to people who would legitimately say they're not going on line because they don't want to have their rights violated.

K. McKee: The one survey that was taken of people that are not using the Internet is what showed up the higher percentage: 75 percent stated that their primary reason was fear of misuse of their information. For those using the Internet, the levels are lower. It's still above 50 percent having some concern, but the numbers are not as significant as they are with non-users. It appears that there is a significant concern out there that is creating a barrier. How much that barrier is and how long it would last. . . .

One of the interesting things is that there was a computer company in California that offered computers for an extremely cheap price if you were willing to allow them to do profiles and then provide you with direct advertising aimed at you. A number of people that had expressed concern about privacy were quite willing to go ahead and do that when it also meant they were getting an economic benefit. So I think there's a balance of the issues there. I think you have to keep that in perspective.

R. Kasper (Chair): Chris Norman, you have a comment.

C. Norman: Looking at the polls, one comment of mine that perhaps addresses your point: even those who use the Internet seem to consistently indicate, when asked, that they would be more inclined to use the Internet for more things and more sensitive things if they felt more secure about their information. I think the other perhaps telling point in this regard is that corporate entities have a view that the Internet is being held back because of people's concerns about privacy. So you get it from both sides of the fence -- at least a perception that this is a problem and perhaps a holdback to a full embracing of it.

G. Plant: In that helpful answer, you blurred two things I try to keep distinct, although I know that they get overlapped. One is security, and the other is privacy. If you're asked for your MasterCard number before you order a book on line, the security issue is: how many other people in the world, unbeknownst to Amazon.com, are listening in on this conversation and going to get my MasterCard number without Amazon.com knowing anything about it? The privacy issue is not limited to but includes: what is Amazon.com going to do with my MasterCard number? Again, I hope I'm not being too much of a cynic or a skeptic, but I suspect that security is more alive than privacy in the front of people's minds when they're thinking about typing those numbers in. Do the polls tell us that?

[1610]

K. McKee: It's interesting -- the polling done just after the recent virus attacks in North America, actually worldwide, showed an increase in concern. But in that sense, security is almost a subset of the privacy issue, to a certain degree.

G. Plant: It's the distinction between the involuntary loss of privacy and the voluntary loss of privacy. At least, that's one way I look at it.

[ Page 115 ]

K. Whittred: To some extent, Geoff's question addressed what I was going to ask. But I had another part to my question, and that is: does the polling on these issues have any way of tracking age? I have my own little theory, as we all do, that some of the concerns are more related to age and, in fact, the ability to use the technology than they actually are to privacy. I can go and ask some of my elderly aunts or uncles: "Would you do business on the Net?"

"Heavens, no; they'll steal my money and take my credit card," and all of these things. The real reason they won't do it is because they don't know how.

The second observation I would make is that younger people. . . . Perhaps I shouldn't even use age here as the criterion. With people who are computer literate and actually know what they're doing, their concerns are more apt to be around the methodology of making the information secure. I'm asking: is that a fair observation, or is there anything in the polling that indicates that?

K. McKee: At this point it's very difficult to make that determination. The polling has not tended to differentiate by age. Where the polling has differentiated is between general polls like Angus Reid, where they do a cross-section of the entire populace, and polls that aim at users of the Internet. And so. . . .

G. Clark: Which does differentiate on the basis of age, to some extent.

K. McKee: Exactly. It does -- unofficially, I guess, would be the way to put it. But it's very difficult to determine exactly whether it's fear of using the system and what might happen to you, or whether it's a belief that things that would be damaging will happen to you. The polls don't distinguish between those two.

C. Norman: I think that perhaps we can reach two conclusions here. One is: even if the percentages are perhaps, one could say, artificially high because people are lumping a number of things together, I think what we've seen in the polling is a consistently high level of concern, particularly about electronic commerce activities. And there are perhaps a whole variety of reasons why people might have that concern, but the perception is seen as a very real factor.

The other thing I think is important is that even if people are confusing, to some extent, security and privacy, or using them somewhat interchangeably, one of the things that is useful to keep in mind is that even if your concern is security, what you're worried about is what the security allows vis-à-vis your privacy. So if you're looking at it and saying, "I don't trust that people aren't going to get access to these things or that my stuff's going where it's supposed to go," what it is at heart that you're really concerned about is either a financial problem or a privacy issue. So -- I think Kevin mentioned it earlier -- to some extent, the security is a bit of a subset of the broader privacy concern. And I think that's. . . .

G. Plant: Yeah, but theft is also invasion of your privacy. And when people are worried about their MasterCard number being given out over the Internet and being at large, they're worried about theft. Yes, they're worried about the invasion of their personal autonomy and control over their MasterCard number. But I guess. . . .

Interjection.

G. Plant: Well, yeah. I want to try to hang on to the idea of security at the risk not of drawing an unrealistic dividing line but of recognizing the distinction, to see if at some point in our analysis it helps us figure out what our mandate as a committee is. I think, for example, that our ability as a committee to deal with the idea of encryption technology has got to be different from our ability as a committee to deal with the idea of basic expectations of privacy rights and how they apply. I'm more comfortable with the latter than I am with the former.

S. Orcherton: Here's where I think, by way of example, that it kind of crosses. Both things sort of interact with each other. Here's the example: my young fellow was on the computer and downloading free games -- okay? Fair enough. We all know that nothing in the world is free, and, of course, at some point the game company is going to send something along saying: "If you want this, you have to pay for it." Well, they did that. But it came to my e-mail address, and my son has no idea what that is. He doesn't know what the code is to get into it. How did that company get the e-mail address when he downloaded that game from the computer?

[1615]

A Voice: Somebody's smiling.

S. Orcherton: I know. But that's the example. The concern is: as legislators, how do we protect against that kind of technology interacting on the Net? I mean, really, it's an example, but I think it's one of the things that the public's looking at. They're saying: "Gee whiz, you know, I don't mind buying this, or I don't mind having a look at this game. But how did they get onto my e-mail? And then what are they doing with that? Are they watching? Are they now monitoring all my e-mail?"

A Voice: Of course.

S. Orcherton: So how do we protect against that kind of thing?

R. Kasper (Chair): Okay, first Chris Norman and then Kevin -- I think you may want to get in on this. How about you, Brent?

B. Grover: I'll let my two colleagues do it first.

R. Kasper (Chair): Okay, great. Chris, go ahead.

C. Norman: That's why I think what is important is to take a step back and look at it in a technology-neutral way. And you set parameters around the collection, use and disclosure of personal information, because that's what we're talking about here. It's not trying to keep up with the little technology quirks and things that people can invent to invade the privacy. It's to set a framework within which they operate, so that they cannot collect information about you without your knowledge. They cannot use it for purposes that you're not aware of. It's the idea of informational self-control.

Your example is a perfect one to illustrate the point that we should try not to be technology-neutral but to have an information framework within which they operate. That company did something that you weren't aware of, and that would be inappropriate under framework privacy legislation for the private sector.

P. Calendino: The question is: how did they get the e-mail, which is the security issue?

G. Clark: Or cookies -- they put what are called cookies in. . . .

R. Kasper (Chair): Kevin, did you. . . ?

G. Plant: No, we're now. . . . Steve's example is pure privacy; Steve's example is unauthorized, internal, secondary use of personal information.

G. Clark: Rick, I think that. . . .

S. Orcherton: How do we deal with that?

G. Clark: I think that's easily dealt with, actually. I think Geoff's point. . . . I hadn't thought of it that way. It's a very important and, I think, useful distinction. The privacy issues around the uses of the information by the company which is purchasing it should be fairly easily remedied. Or at least there should be a fairly easy legislative framework around the use of the information, the inability to sell or the disclosure before you can sell the information -- all of that.

I hadn't appreciated. . . . This has always been my concern, and I use the Internet a lot every day. I buy lots of stuff on the Internet. I've never been worried about Amazon.com having my account number, because I assume they're a good business in practice. I actually like the fact that they recommend stuff to me; I don't have any problem with that, and I give them the ability to do that.

But I do worry every time I click that mouse that someone else is going to see my MasterCard number. That's why I think it's a useful distinction. It's a distinction that's important with respect to the marketing agencies and others who want to data-mine and get that information, which we can put some parameters around, it seems to me. I don't know how easy it is to enforce on the Internet these days, but I think at least you can put some framework around it. The security issue is. . . . I think a lot of concerns in the polling revolve around the unauthorized access of the material or the unauthorized sale of the information.

I wonder whether the province even has jurisdiction in these questions; others would know better than I. These become quasi-Criminal Code issues, do they not, in terms of the legality of. . . .? Effectively, if someone gets access to my MasterCard number for unauthorized use, it's just theft; they've stolen my MasterCard number. That seems to me to be a legal question, which is maybe important to codify and put in legislation. But it may be a federal issue more than it is ours.

G. Plant: One of the reasons. . . .

R. Kasper (Chair): Just hold on, Geoff. I just want to make sure that Kevin has an opportunity to answer or comment on the previous question. Then if anyone from the staff or the ministry would care to respond to Glen Clark's question relating to the issue of theft or potential theft. . . . Kevin -- because I don't want to lose sight of you.

K. McKee: I was going to say, Mr. Orcherton, that the story you told is actually the second area of polling, and that is concern about children's personal information. In fact, what was happening. . . . Several surveys have been done recently that showed that as high as 95 percent of companies oriented towards children are collecting information without parental consent, then storing and data-mining that information.

G. Clark: There's no question about that.

K. McKee: This issue hit the States late last year, and, I think, led to at least seven or eight different pieces of legislation being proposed federally in the U.S. It's a major concern, especially in the United States, that, even in the best surveys, parental consent is only required by about 30 percent of all of the companies that are working with children. There are no kinds of controls in that area whatsoever. It is a privacy issue, plus several other issues.

The other thing I want to point out, the last area, is personal financial information. In a recent survey of American financial institutions, 30 percent provide customers' private personal financial information to non-affiliated companies.

[1620]

G. Clark: Thirty percent?

K. McKee: Thirty percent who are willing to say that in the context of a poll.

G. Plant: Where would Equifax be, though? Would that be in or out of. . . ? Would it be affiliated or non-affiliated?

K. McKee: It would depend on who the ownership of Equifax is. The reality is that there is a significant percentage continuing to transfer and sell information. I don't believe the issue is as big here in Canada; the banks have a privacy code. But it is an issue.

R. Kasper (Chair): Did anyone of the ministry's staff have anything they wanted to add to what Glen had to say or respond to it? Chris.

C. Norman: The only comment I could make in that respect is that I think the federal government, or at least the people who designed C-6, understood that there would be, even with what they purport to be their trade and commerce powers, which would appear to be at the very least arguable. . . . They still are not able to cast a full net, in that there would be provincial activities that provinces would need to try to address with their own type of legislation. Even if you accepted what they purported as the full extent of their power. . . .

G. Clark: Even if you accept this distinction between privacy and security which we've made here?

C. Norman: Yes. I would believe that's the case.

Now, as you indicate, in some of the issues around security they could become criminal matters, and the jurisdiction there would be a different area for us to look into. But as far as setting the framework within which you operate and having jurisdiction to cover components of that type of commercial activity, there is a legitimate sphere for provincial. . . .

G. Clark: Can I ask this one question, though? I understand the sphere with respect to consumer protection and privacy issues around that. The distinction that Geoff has made here is one around security with respect to the material as well. Are you suggesting not only that any provincial legislation would deal with a regime which tries to be technology-neutral with respect to the privacy issues, but that we should also draw our attention to security issues around unauthorized use of material? I was asking. . . .

G. Plant: That's a good question.

G. Clark: I was asking him, yeah.

C. Norman: I think we'd have to do some research on that for you. I'm not sure where the line of one begins and the other ends, to be honest.

G. Clark: I guess, just thinking off the top of my head, if in other words. . . . It seems to me easy or relatively easy to set ground rules with respect to the willing purchaser or willing seller and what might be the rules around that. They'd be very similar to rules that exist now on the paper transaction. But with respect to the possibility of the secure nature of the transactions, then you'd be looking at legislatively requiring, it seems to me -- at least in a generic sense or a non-technology sense -- the requirement in the legislation that the best available technology be used either for encryption or for security purposes.

C. Norman: That's not the direction that C-6, as an example, has taken; it has set the standard of privacy protection. Then you as a retail entity or a commercial entity are expected to use whatever means are required to ensure that level of privacy protection. If that means a technological application or if it means locked filing cabinets or if it means a certain kind of consent forms or whatever, you must put into place the mechanisms to address those.

[1625]

G. Clark: Does that mean that if somebody right now does steal my MasterCard number, I have recourse against Amazon.com for them not having sufficient security with respect to their. . . ?

C. Norman: Well, presumably you could have recourse under two mechanisms. Let's say that you had a privacy regime. You could potentially go after them for a privacy invasion. If they did something illegal, presumably you could go after them for legal recourse -- i.e., stealing your information or using it against the law. But I think you could commit a crime in one respect that might be independent from the other, and I think we need to look at how those dovetail.

G. Plant: Or a tort or a breach of implied term -- all of these things would be arguments out there in the new world rather than well-established principles.

G. Clark: Yeah -- interesting.

R. Kasper (Chair): Brent Grover, who is also with the ministry, would like to comment.

B. Grover: I'm just going to follow up Mr. Clark's statements with a couple of little points about where you tend to lose credit card numbers. I know that a lot of the focus is on when they're transmitted over the Internet. In fact, what we see from most companies is when they actually store your numbers on their particular databases within their company. That's when the credit card numbers go missing. The big example is CD Now from about six months ago, when they were hacked.

The other part has to do with the nature of the relationship when you're doing communications. Trust and certainty are sort of the keywords for most of this. It's a sender-receiver relationship. So if I'm going to send you a note saying, "Let's go for lunch," that's going to have a different kind of security requirement than me sending you my account information and saying: "Buy $10 million of stocks in my name." In some regards the senders and the receivers of the message have to take responsibility for what they think is going to be an appropriate level of security for the transaction that they're conducting, just like. . . .

G. Clark: It's caveat emptor, you're saying.

B. Grover: Caveat emptor, yeah. I mean, if you establish a relationship with a certain party, and you're comfortable giving them your credit card information, then you do so.

G. Clark: Brent, the problem with that is, if you accept that the majority of people are not using the Internet, it is because they are worried about security. And e-commerce is being held back by that concern. Regulators of government may wish to try to allay that concern of the public -- legitimate concern, I would say. You're saying: "Don't bother; if you don't want to use it, don't use it."

G. Plant: But there's already some evidence of that happening in major American. . . .

G. Clark: People aren't using it, yes.

G. Plant: Well, no. The evidence of corporate response. . . .

G. Clark: A private sector response to that, sure.

G. Plant: It's in the form of trust seals and the things that some of the major Internet on-line people are now doing. You know, a little thing appears on the web site to, say, supposedly give the consumer comfort that they have adhered to a certain set of standards that perhaps joenothing.com hasn't. One of the issues I know right now that's very alive in the United States is this debate about whether the self-regulatory thing, the market, will cure the problem or whether there is in fact a need for regulation.

R. Kasper (Chair): Kevin, just in response, and then we'll go on to Pietro next.

K. McKee: I was going to say that in the last of the Qs and As, there was a question about ways in which our personal information could be better protected. In April of this year Odyssey Marketing did a survey of on-line households. They found out two things, and this is directly to your point. Eighty-two percent either agreed or agreed strongly that government needs to step in and regulate how companies can use personal information, and 92 percent of families that are on line agreed or strongly agreed: "I don't trust companies to keep personal information about me confidential no matter what they promise." The concept of self-regulation and e-trust. . . .

G. Clark: But again, Kevin, this is the same distinction. This is clear, and it's clear that governments are moving. We're talking about moving to regulate the use of that information to the willing-buyer or willing-seller kind of situation. The debate we were having was on the unauthorized use not by the person we give the information to but by unrelated parties.

K. McKee: What I'm saying, though, is that here the wording of the response is to keep the information confidential. That does not refer to someone stealing it from Amazon.com; that refers to the fact that they don't trust Amazon.com with the information.

G. Clark: Actually, Kevin, I'd say it refers to both.

K. McKee: It probably does.

G. Clark: They want it to be confidential.

K. McKee: So I think that there is that inherent concern out there. It's interesting from that survey, because the Harris poll said that 57 percent of all Americans want to move right now on privacy protection.

[1630]

P. Calendino: Well, I was just thinking that if only the people of British Columbia knew what we were talking about, they should elect all of us again.

Going back to the question that Glen posed, so you have this trust relationship, which is not so trustworthy, with the Amazon.coms of the world -- right? But then you have. . . . Well, you don't know whether the information that they have from you or your credit card number is secure or not. You think it is secure, but somebody else may have accessed it and used it.

What legal recourse is there? Chris was saying that there is something that you can do, but can you sue Amazon.com for somebody else that has stolen your credit card number and used it without your permission?

C. Norman: Again, I think we draw a distinction between somebody stealing something from Amazon.com and Amazon.com willingly selling it or using inappropriately. Then we get at the nub of it.

P. Calendino: No, that I understand.

C. Norman: One of the things that I've asked Brent to do -- which was an incredible task, and he'll either do it today or at the next meeting -- is to try to sift through for you some of these particular issues around the idea of authentication, certification, encrypted technology. Hopefully, that will give us some clarity around some of the tools that are in place -- not to be technology-driven, but just so that we have some clarity around it.

But if we look at the issue of illegal activity as it currently exists, as someone did on Friday when they broke into my house and stole my Visa card, I would say that's criminal activity; that was a technologically neutral act of crime. I'm going to trust, as the police did, that they film this fellow using my card in a mall, and they're going to end up trying to catch this individual. If somebody went in and hacked into Amazon.com's database and stole credit card numbers out of that database and used them for fraudulent purposes, I assume that the law is going to go after that individual in a variety of jurisdictions and try to address that particular issue.

If Amazon.com collected the information inappropriately or willingly disclosed it or sold it, that's where privacy legislation will come into place, because it will determine what they can appropriately do, and then you go after them under that. They may not do anything illegal from the standpoint of a fraudulent activity. But under the privacy regime they may step all over the lines; that's where a hole currently exists, where companies could do all kinds of things with your personal information which might not be illegal currently but would be against what you would wish them to do. You at least have to have the right to have some control over that.

P. Calendino: Let me narrow that. I follow your reasoning here. But my transaction is only with Amazon.com; I don't know that somebody else is hacking into their program. Amazon.com may not be aware that somebody has hacked their information either. As the individual who has been charged $20,000 on my credit card without my knowledge, who do I go after? Can I go after Amazon.com now, before we introduce legislation? That's the question.

G. Plant: Actually, the weakness of that example is that it's not going to be $20,000. The credit card company takes the hit over whatever the limit is these days -- $100 or $200. So, I mean, that's the limit.

P. Calendino: No. People can go and use it in stores.

G. Plant: Yeah, but you're not liable. If someone steals your credit card. . .

G. Abbott: You're insured against it.

G. Plant: . . .you're insured against it.

A Voice: Yeah, by the credit card company.

G. Plant: At some point the banks are going to have to sit down -- I'm sure they're doing it already -- and figure out, given the risk of the scenario you're talking about: are they happy with the current limits? Or are they going to raise the limit so that it will then cause all of us, as credit card users, to become a bit more concerned about who gets our credit card number?

P. Calendino: But, you see. . . . Okay, maybe I'm following what you're saying. It's that if my number had been hacked and used by somebody, I'm not responsible. So the credit card company. . .

S. Orcherton: Covers it.

P. Calendino: . . .will not charge me for those expenses.

G. Plant: That's my understanding.

C. Norman: Correct, as it is now. Yeah.

R. Kasper (Chair): Okay. Kevin, do you have much more to give us?

K. McKee: No. As you can see, attached are a couple of questions and answers you may want to look at. They provide some statistical information as to the degree of concern. The polls vary somewhat, but not to any large degree; they're not completely differentiated. But at least they do demonstrate that it's an issue that is growing in concern; it's growing in terms of awareness at a very quick rate. I think that's a significant point that we want to make out of this: this is an issue that people are becoming more and more aware of.

[1635]

G. Plant: Yeah, and I don't take away from that at all. At some point, though, some pollster is going to ask how it is that there is a moderately increasing awareness of and concern for privacy issues, and in the meantime there is this massive exponential explosion of actual transactions taking place on the Internet. You know, that comes back to the thing I began with, which is the distinction between what people will say when they're phoned up by some polling company at dinnertime, about how nervous they are about life, and what they'll do when they get back on line after dinner and realize they've always wanted to order seven or eight of those books anyway.

K. McKee: Part of it, I think, is an issue of: how much risk are they willing to assume? They're concerned about the issue; they see a problem. But because they perceive an immediate economic benefit, they might be willing to assume a certain amount of risk regarding that transaction.

I think what's happening, though, is that as people are beginning to realize just what's going on behind those transactions in terms of the transfer of information, etc., it's becoming more of an issue. Yes, there is growth in the Internet, but the projection they have is that it's slowing down, that it's not growing at the rate they assumed it would, and that one of the drags -- at least, that we're hearing from companies -- is this concern about people's protection of their information.

R. Kasper (Chair): Okay. Thank you. Now, next on the agenda: Brent Grover. How long is it going to take you to do what you envision doing to give your topic justice? We're five minutes past our appointed hour of adjournment.

B. Grover: I think that with the number of questions that have been going on, realistically, it's going to be 20 or 25 minutes. I can say all the things I need to say in about seven or ten minutes, but just from the number of questions, I think it will be longer.

R. Kasper (Chair): Okay. So what's the will of the committee, just looking at the hour? I know some members have other business.

[Interruption.]

R. Kasper (Chair): Well, that decided it. Okay, just before we adjourn, the committee will meet June 19, and we would have, first. . . .

A Voice: We're not sitting.

R. Kasper (Chair): Oh, that's right; we're not sitting. So it would go to June 25, then -- okay? And then, Brent and Kevin, you would come back. We also have Patricia McNamee, and she would also, hopefully, come. Okay?

A Voice: Yeah.

R. Kasper (Chair): Great. Thank you. We'll adjourn.

The committee adjourned at 4:38 p.m.


Copyright © 2000: Queen's Printer, Victoria, British Columbia, Canada