
Subcommittee on Communications

 

Proceedings of the Subcommittee on Communications

Issue 3 - Evidence


OTTAWA, Monday, June 12, 2000

The Subcommittee on Communications of the Standing Senate Committee on Transport and Communications met this day at 11:07 a.m. to examine the policy issues for the 21st century in communications technology, its consequence, competition and the outcome for consumers.

Senator Marie-P. Poulin (Chairman) in the Chair.

[English]

The Chairman: As you know, witnesses, this subcommittee of the Transport and Communications Committee is continuing its special study of the explosion of the communications and the telecommunications industries. This study, titled "Convergence, Competition and Consumers," will address, in three parts, the special study. This is phase one. The focus of phase one is to examine where we are at in terms of implementing the technology and the knowledge required to be part of this new explosion. Phase one also examines privacy issues and the concerns that Canadians have with privacy, even with the new legislation that has just been proclaimed.

We know that you will be addressing one of the key activities, which is the financial transactions of individual Canadians and companies. You will also be addressing e-commerce and the fact that Canada, by the year 2003, has an objective to enjoy and be very involved in this new way of doing business.

I would like to say a special hello to Mr. Shaughnessy, Mr. Howey and Mr. Braidwood. I know you will introduce your colleagues, Mr. Shaughnessy.

[Translation]

I would also like to thank you for having taken the time to come and speak to us. We are very much aware of the fact that Canadian men and women are greatly concerned about the issue of the confidentiality of information shared using today's new methods of communication. We would like to know what Canadian banks intend to do and would also about the trade issues that affect all Canadians.

[English]

Mr. Kelly Shaughnessy, Vice-President, Operations, Canadian Bankers Association: Thank you for the opportunity to speak to you today about the banking industry's views on communications issues, including privacy and security in the new economy. While we do not represent telecommunications companies, our members are major users of telecommunications networks. In 1999, there were in excess of 2.5 million computer banking customers registered with the major banks, and this number continues to grow rapidly. Complete customer information is central to helping our customers achieve their financial goals with integrity.

The Canadian Bankers Association provides information, research, advocacy, and educational and operational support services on behalf of its members, the chartered banks of Canada. Established in 1891, the CBA represents 49 banks -- eight Schedule I banks, which are domestically based, and 41 Schedule II banks, most of which are subsidiaries of foreign banks.

The banking industry is evolving rapidly, due in large part to the fast pace of technological change and, especially, customer requirements that are driven by technology. New technology has enabled banks and their subsidiaries to meet increased customer demand for more convenient access to financial services. In 1999, the banks' investment in technology was $2.8 billion. Such a large expenditure is necessary because banks operate multiple delivery channels at one time, as customers typically do not want to completely forgo one channel for another.

Electronic banking has grown rapidly because of consumer demand for more convenient and flexible financial services. Over 85 per cent of routine banking transactions are now performed electronically rather than in person.

A 1998 Ernst & Young technology report estimated that Internet and PC banking transactions will grow by 292 per cent between 1998 and 2001. The Internet provides an opportunity for banks to enhance services and to add value, for example, by offering a wider range of mutual fund products to their customers. The bank is able to retain the customer relationship and cross-sell other products by acting as an intermediary for the various products purchased.

A key driver to the growth of e-commerce is customer confidence in conducting Internet transactions. Customer confidence is contingent upon addressing privacy and security concerns with doing business on-line. Mr. Howey will now address how the banking industry handles privacy issues in the new wired world.

Mr. Norman Howey, Director, Financial Sector Policy, Regulatory and Corporate Affairs, Canadian Imperial Bank of Commerce: The protection of personal information is a fundamental tenet of the business of banking and always has been. A leader in the protection of customer information, the industry introduced its first privacy code in 1986 -- the only industry code, at that time, that went beyond a statement of principles and stipulated measures for the protection of customer information.

In 1996, the Canadian Bankers Association took the lead again when the CBA Privacy Model Code became the first industry code to be deemed compliant with the Canadian Standards Association's model code for the protection of personal information.

The focus of the Canadian Bankers Association code is on full disclosure in customer control of personal information. It provides, among other things, that customers have the right to withhold consent for further use of their personal information at the time of application for a bank service or product, or may withdraw it at any time thereafter. It also provides that banks must obtain customer consent to share information with subsidiaries, that banks recognize the special sensitivity of personal medical information, particularly with respect to insurance subsidiaries. The code also provides that this type of information is not shared between banks and insurance subsidiaries or, indeed, any other subsidiaries or affiliated companies. The code also provides that redress is available through the banks' complaint-handling processes, with ultimate recourse to the Canadian banking ombudsman -- CBO.

The code also provides that oversight is provided by each bank's internal audit process or compliance function. Reports of findings from regular reviews are made to a committee of the bank's board of directors. The code also provides that banks collect information to be able to serve our customers better; banks do not sell their customer information to third parties.

Recognized both nationally and internationally as a sound and comprehensive model, the CSA code was incorporated as a schedule to Bill C-6 -- the Personal Information Protection and Electronic Documents Act -- to set out the principles of privacy protection. The banking industry fully supports this legislation, which gives legal recognition to electronic documents, and other regulatory initiatives that will promote the continued growth of electronic commerce.

The Canadian Bankers Association also endorsed the Principles for Consumer Protection in Electronic Commerce that was released last year by Industry Canada. These principles set out the measures that responsible vendors on the Internet should put in place to fully inform and protect customers who use their Web sites. The principles include ensuring that the agreement to purchase is fully informed and intentional, protecting privacy and security, and ensuring that any problems with a purchase can be easily resolved. The banking industry's active involvement, along with other stakeholders in the development of these principles, demonstrates our continued commitment to the protection of personal information for all delivery channels. The Canadian Bankers Association's Privacy Model Code is congruent with these principles.

The Canadian Bankers Association has published booklets that consumers on the Internet may find useful. Samples of these booklets are included in your information package today.

The first booklet, "Safeguarding Your Interests," is a consumer protection kit that outlines the banks' obligations to customers, how customers can protect themselves, and how to resolve customer complaints through our redress procedures. It includes a list of safety tips for conducting on-line business transactions. These tips are based on the Principles for Consumer Protection in Electronic Commerce, compiled by Industry Canada.

The Canadian Bankers Association also produced a booklet entitled "E-Commerce Comes of Age," which acts as a primer for businesses and consumers who are interested in transacting business via the Internet. The booklet addresses a number of consumer concerns, such as privacy, consumer protection and security. These publications are also available on our Web site: www.cba.ca.

I also note that the Canadian Banking Ombudsman has published a booklet to explain its role in complaint resolution. This information is available on the Canadian Banking Ombudsman's Web site: www.bankingombudsman.com.

The Canadian Bankers Association is sponsoring, together with Industry Canada, the Canadian Chamber of Commerce, and the Canadian Institute of Chartered Accountants, a series of e-commerce seminars that provide information to owners of small and medium-sized businesses wishing to market their goods and services via the Internet. More information on these seminars is also included in your package today.

In the new wired world, bank customer privacy protection will be maintained. Banks will continue to respect the right of privacy of individual customers for personal information, while responding to the needs of legitimate banking business.

Mr. Braidwood will now say a few words on the steps that the industry is continuing to take to ensure that banking transactions remain secure.

Mr. David Braidwood, Senior Manager, Security and Standards, Royal Bank of Canada: Security is also integral to the growth of electronic commerce. Without it, the protection of personal information and privacy cannot be assured. The banks, together with other financial institutions, have always been leaders in the use of technology and the corresponding security techniques. We have been using state-of-the-art security techniques, based on what I will call traditional cryptography, to protect data moving over computer networks for many years now.

Indeed, the primary tool used by banks to protect electronic transactions is cryptography. In very simple terms, traditional cryptography allowed us to provide the security objectives of confidentiality through the techniques of encryption and of integrity through the technique of message authentication. This is used in the world-leading Interac network, which we all know and love.

The appropriate security technique for the Internet is a new style of cryptography, which is called public key cryptography. Public key cryptography is based on the fact that every participant has a connected pair of keys. They have a public key and a private key. It introduces the new concept of digital signatures. Digital signatures identify the parties involved. That is, they provide the security services of identification and authentication. They also verify that the transaction took place. This is the security service of non-repudiation. As well, they confirm that the message was not modified. This is the security service of integrity.

For full implementation of public key cryptography, we need to implement a public key infrastructure, PKI. The public key infrastructure is a formal system of policies, tools and techniques that implements public key cryptography in such a way as to give assured levels of security and interoperability. A PKI introduces the further concepts of digital certificates and certification authorities. Before I continue, let me define what some of these terms mean.

A digital certificate is the electronic equivalent of credentials, such as a passport or driver's licence. It binds an owner to a public key and, subsequently, to the corresponding private key.

A certification authority is the trusted entity with the knowledge to issue and verify digital certificates upon which trading partners can rely. A digital signature is the electronic signature associated with a message that in combination with a digital certificate authenticates the message sender, guarantees the integrity of the message and ensures that the message cannot be denied.

The role of the certification authority is as an issuer of digital certificates and as an on-line repository of up-to-date information about the certificate's validity. Before issuing certificates, the certification authority will conduct due diligence to authenticate the identity of the entity or person to whom the certificate is being issued. The certification authority also continually validates the certificates and revokes or reissues them as necessary.

Canadian banks are in the process of implementing their own public key infrastructures and certification authorities. In addition, the banks are currently involved, through the Canadian Payments Association, in the development of a Canadian financial public key infrastructure for payment. This will facilitate interoperability between individual bank public key infrastructures and between banks and other public key infrastructures, such as the Government of Canada public key infrastructure. As well, it will facilitate interoperability with PKIs in other countries. Under the Canadian Payments Association framework, participating members will issue digital certificates to their own customers that will be used to guarantee the authenticity and integrity of the data being transmitted over the Internet. It will eliminate client denial of the original message. The Canadian Payments Association will act as the root certification authority, or bridge, between individual bank public key infrastructures.

Public key infrastructure services will increasingly be used by the banks to protect electronic financial transactions, whether it is a small credit card purchase or a multimillion-dollar lending or investment arrangement. It is a logical extension of that service that banks might also certify the exchange of binding contracts that accompany the financial transaction and provide additional services such as electronic safekeeping. Banks may decide to issue certificates to their customers not only to facilitate financial transactions but also to facilitate other types of transactions. Once a Canadian citizen has a certificate, the Personal Information Protection and Electronic Documents Act sets out the legal foundation for the recognition of electronic signatures based on that certificate being broadly accepted.

I have spoken briefly about the technology used by the banking industry to enhance the security of electronic transactions and to protect customer information and privacy. However, I also wish to mention that a customer's best defence against e-commerce fraud is the same caution that they would use in making any purchase. When buying a good or service on-line, one should do so at reputable merchants and look for both the company's privacy policy and a secure transaction capability before providing your payment card number on-line.

Industry Canada has two booklets based on the Principles for Consumer Protection in Electronic Commerce -- one for consumers and one for businesses. These booklets provide guidance on what to look for in an Internet vendor and what a vendor should do to comply with the principles. If a vendor does not comply with the principles, one should exercise caution when purchasing from that vendor.

I will now pass it over to Mr. Shaughnessy, who will wrap up.

Mr. Shaughnessy: I wish to first reiterate that Canadian banks have always been leaders in consumer protection and privacy, as well as security. Canadian banks have made major investments in technology, to ensure that optimal safeguards are in place to protect the confidentiality of their customers' information and that banking transactions conducted electronically are secure.

We strongly support the federal government's efforts to make Canada the most connected nation in the world and a leader in the development and use of e-commerce. The government must follow a flexible approach to legislation and regulation, as exemplified by Bill C-6, to ensure that this vital segment of the economy continues to flourish.

However, as e-commerce is a global issue, there are outstanding issues that exist on a global level. These include jurisdiction, taxation and electronic signatures.

Jurisdiction: Which countries' laws apply to an electronic transaction? Which countries' courts have jurisdiction over Internet disputes surrounding issues such as liability, enforcement and repudiation? For example, in providing a financial service over the Internet, is a bank operating from its home country and enabling non-residents to make use of the services or is the bank providing a service in a foreign jurisdiction for which it may have to obtain a business licence? The issue of jurisdiction needs to be resolved.

The matter of taxation raises issues. How should e-commerce be taxed? Taxes should be technology-neutral.

What qualifies as an electronic signature and is it flexible enough to support global e-commerce? Electronic signatures should be recognized across borders. We encourage Canada's continued support of the UNCITRAL initiative on electronic signatures.

Senator Finestone: What is that?

Mr. Braidwood: There is a UN body that has been doing work on international guidelines for electronic signatures.

The Chairman: We will let you come back to us on that.

I would ask you to finish your presentation, and then we will move to questions, which will give you an opportunity to explain some of the recommendations that you are making.

Mr. Shaughnessy: Thank you again for providing us with an opportunity to express the banking industry's views on privacy and security issues underlying e-commerce. We would be pleased to answer any questions you may have.

The Chairman: Thank you so much. You were right in saying at the beginning that Canadians need to trust this new wired world, to ensure that all the opportunities that the banks are giving us are being used.

Senator Johnson: Recently, computer hackers have broken into Web sites and infected some with computer viruses. How do banks protect themselves from such computer terrorism?

Mr. Shaughnessy: Mr. Braidwood's area of expertise is in the electronic commerce security area, so I will ask him to address that.

Mr. Braidwood: As I said in my remarks, the Canadian banks have always been world leaders in applying the appropriate levels of security. This is certainly a new challenge to us in protecting our systems. However, there are techniques available and we employ the best that we can. Often, in the attacks that you hear of, the systems are not as well protected as the banks.

Senator Johnson: In your opinion, does the apparent increase in computer hacking reduce the scope for increased e-commerce? I know it can happen to anyone on the net, but everyone uses banks, so it is a big area to attack.

Mr. Braidwood: There are two levels. I am confident that the banks in Canada have appropriate protection. The technique that is used is firewalls. A lot of thought has gone into the new security technique of firewalls, and we implement the best available, at multiple levels.

Some of the other players, however, may have a concern, in terms of e-commerce at large. One example would be merchants on the Web. Their protection may not be as high as the banks'. The banks are trying to educate the merchants with whom they deal.

Senator Johnson: On a totally different topic, can you tell me how your ombudsman is working out? I am very curious to know how that is going.

Mr. Shaughnessy: In my former career, I spent more than 30 years with one of our member banks. I had the honour of being there when we agreed with the House of Commons industry committee to put in place a banking ombudsman in each of the individual banks and then the Canadian banking ombudsman, who today is Mr. Michael Lauber.

I believe the process is going excellently. I checked on this just a couple weeks ago with Mr. Lauber. In all the disputes that have gone to him since his office has been in place, not one bank has refused to go along with his recommendations. This is an excellent example of an ombudsman's process that is working well, and working in a very timely fashion, too.

Senator Johnson: People are using it?

Mr. Shaughnessy: They are using it. The normal dispute resolution process is that an attempt is made to resolve the dispute at the branch or operating unit level. Failing that, the client is encouraged to take the matter to the next level of management, which could be a regional manager or something like that. It then goes to the individual bank's ombudsman. Only after that process does the matter go to Mr. Lauber's Canadian banking ombudsman office. As I say, it seems to be working very well. It would seem that the vision we had when we put the ombudsman process in place is being achieved.

Senator Johnson: Have there been instances of PIN numbers being cracked? What level of security does one have vis-à-vis their PIN number? I am asking because, of course, I use a PIN number all the time; however, I always check my statement. I keep track more than I ever did before.

Mr. Braidwood: The technical protection on the PIN numbers is very high. I know of no case in Canada where a PIN number has been attacked. Certainly, there have been cases where cameras or other means have been used to observe a PIN being entered. That tends to be the method whereby any compromise in that area occurs.

Mr. Shaughnessy: Some people make their PIN numbers too personal, such as a variant on an address or date of birth.

Senator Finestone: Just to pick up what Senator Johnson was saying with respect to the PIN number, the potential for compromise is something I have often thought about. I think most consumers, like Senator Johnson, have some interest in this matter.

I have a question about what happens when I do a bank transaction at an ABM rather than at one of the few tellers I can find -- and I must say that one of my big complaints is that the lineups at the bank are too long and the service at the counter is too long. When I do a transaction at an ABM, I get a slip of paper that tells me the details of my transaction. What happens if I carelessly drop that paper into a wastepaper basket? If someone retrieves it, can they learn my PIN number or my account number? Is that slip of paper of any use to them?

Mr. Shaughnessy: I will speak in general, and then I will ask Mr. Braidwood to address how the Royal Bank does it. In general, no, if that slip has any numerical digits on it they in no way reference your PIN number.

Mr. Braidwood: The Royal Bank does not do that internally for our own customers at our own machines, but, typically, that is done for customers of other banks. Within the Royal Bank, the account number cannot be used in any way without the PIN. The two are required. However, to answer your original question, as well, there is nothing on that slip of paper that gives any hint whatsoever of what the PIN would be.

Senator Finestone: Let's say I am in downtown Montreal and I decide to use the Interac machine at Concordia University. That machine has not been installed by my bank; it belongs to another bank. How does that machine, which collects 50 cents or $1 on my Interac transaction, know that I am the right person?

Mr. Braidwood: Whenever such a transaction occurs, it occurs under the umbrella of Interac. Interac has set standards to cover the routing of that transaction. The transaction will, in fact, go to your own bank, and the PIN is protected all the way through to your own bank and it is checked at your own bank, and then an accept or decline message is sent back.

Senator Finestone: So there is no potential for monkeying about in that area?

Mr. Braidwood: No.

Senator Finestone: I also notice that, in some banks, there are cameras monitoring the Interac machine. What is the purpose of those cameras?

Mr. Braidwood: To help in resolving disputes, basically.

Senator Johnson: In case there is a holdup?

Mr. Braidwood: Yes, for holdups as well. It depends. Sometimes there are cameras behind the machine; at other times, there is a camera in the lobby. They are generically installed for holdups, as you say, as well as to help in resolving disputes.

Senator Finestone: Privacy is an important and fundamental right but a limited one. In the interests of the safety and the well-being of citizens, cameras exist but what happens to the pictures? Who is responsible for them? Who owns them and who monitors them?

Mr. Shaughnessy: In general, those machines are there strictly for security purposes. The tapes would only be viewed if there were an occurrence, a holdup, a customer being molested, or something of that nature. The tapes would then be turned over to the appropriate authorities.

Senator Finestone: How long do you hold those tapes, and who has access to them?

Mr. Shaughnessy: The tapes are recycled. They are continuous-loop tapes. They are not held, as such. There is no vault of tapes or anything of that nature.

Senator Finestone: When a customer opens a new account at one of your banks, is his or her SIN number required?

Mr. Howey: We are required by Revenue Canada to ask for a SIN number if a client is taking out a product that involves income or interest. If the client refuses to provide it, we can still provide the product. Revenue Canada will go after the client directly. We have done our duty by asking for the number.

Senator Finestone: Revenue Canada asks the banking industry in general to request a customer's SIN number so that they can trace customers and build a profile on them?

Mr. Howey: No. The number is required by Revenue Canada in order to properly record and report income and interest earned on those products by the customer. The number is required for tax purposes.

Senator Finestone: Therefore, it is related to a lack of trust in the customer that they would report any bank-related income? The banks send out the statements and forms to be used. The customer has an obligation to file them, but then it is no longer the customer's obligation because Revenue Canada is watching to see whether he or she has done the right thing. Is that it?

I can appreciate, Mr. Howey, that you do not wish to answer for Revenue Canada. It is all right. I understand.

Mr. Howey: I would simply repeat that it is our duty to ask for the SIN. If a client chooses to withhold his or her SIN, because of reservations about how it might be used, then we have done our part; Revenue Canada will go after the client.

Mr. Braidwood: We are still required to produce the forms, such as T5s.

Senator Finestone: Does the T5 include any reference to the SIN number?

Mr. Howey: Yes, the SIN number is included if the customer provided it.

Senator Finestone: The SIN number causes big problems. When Mr. Diefenbaker introduced the social insurance number, he promised that it would only be used for health. It has seen a rather healthy growth of interest in very many areas.

Mr. Shaughnessy: We would only use it for income reporting purposes, as required by Revenue Canada. As Mr. Braidwood said, the T5 is a prime example. If we do not have the SIN information, we issue a T5 without it. I suppose Revenue Canada would attempt to match that by the name and address.

Senator Finestone: When you send out T5s, do you also send a copy to the government?

Mr. Shaughnessy: Yes, definitely.

Senator Finestone: You say that your services are clearly defined. I agree that they are. I do find the banking code to be very strong and that is important.

I am curious about something. If a customer goes to the wicket having decided to request a mortgage or some other specific service but to decline all other services, how and when does a customer know that you have bundled services together? Do you ask that customer for the right to put services together under his or her account and do you offer new things for which the customer has not signed? I think you call them bundled services?

Mr. Howey: Are you referring to marketing initiatives that we undertake from time to time, where a customer holds one account or product with us but we believe, based on the profile, that he or she might be interested in some other product? We may then send out some material about those other products.

Senator Finestone: That is one issue, yes. We will deal with that first.

Mr. Howey: At CIBC, we have a disclosure notice that is to be handed to a customer when they take out a new product or new service. The notice talks about that issue. That notice indicates that CIBC will share its information internally, within CIBC's group of companies, for marketing purposes but that a client who does not wish this to be done should telephone the bank or indicate to a teller that they do not want any cross-selling. That will be recorded on their record.

Senator Finestone: As you well know, witnesses, there has been a lot of discomfort with bundling or option marketing. Senator Fairbairn recently shared with us some research about the literacy level of the general population in Canada. A customer must be literate to understand the notice that you have just described; correct?

Mr. Howey: In our case, we ask our employees to try to talk about the piece of paper during the process. Given that there are other pieces of paper involved, I suspect that often both the customer and the banker may be in a hurry and that, as such, the discussion does not take place. The staff is to make the option available, according to our procedures. Our staff will talk about it, if the opportunity presents itself, rather than saying to the client, "Here is a piece of paper; go away and read it."

Senator Finestone: I remember when the Royal Bank opened its first service for handicapped people; I believe it was for the visually impaired. We have been very proud of several of your services, but complaints do come into the offices of members about services that were never requested, particularly relating to mortgages and insurance.

I believe the banks should be held to a very high moral standard. The banks are dealing with the daily bread and the daily concerns of the general population, with their homes and their financial needs, whatever those may be.

Do you agree that banks require a higher moral standard? Is it not your opinion that a bank should have verbal contact with a client before adding services or changing rates?

Mr. Shaughnessy: Some rates change as a function of interest rate movements within the country. Obviously, a savings account rate can go up in the same way as a demand loan, a floating-rate mortgage, or something of that nature.

I am a client of one of the banks at this table here and I do believe that, in the case of floating-rate mortgages, for instance, the client is notified when rates change. When a service charge is changed, the Bank Act lays out a lengthy procedure that banks must follow, including a notification period. Certainly, bundled service packages are not forced upon any client. They are offered because, very often, bundled services have significant financial merit and can save a client a lot of money.

Your point on literacy is very well taken. I am pleased to say that, for years, I have been a director at ABC Canada, where Senator Fairbairn is a tremendous supporter. I have been a director there because, as a member of the financial services industry, I believe that we need to deal with the issues surrounding literacy.

As an industry, we encourage our employees to sit down and audibly verbalize the contents of documents with any client who is illiterate or is numeracy-challenged.

Senator Finestone: Do you consider your processes to include informed consent given verbally or in writing? Would you call it informed consent in the full meaning of that expression?

Mr. Shaughnessy: In general, yes. The banks have tens of millions of clients, literally.

Senator Finestone: Therefore, you are twice as obligated to be morally trustworthy.

Mr. Shaughnessy: One thing Canadian banks have going for them is an incredible degree of trust with their clients. The clients may not agree with certain issues, but when it comes to trust, it is certainly there. I believe the banks operate at a very high moral standard.

Senator, if you were to ask me to say that such and such could never happen, I obviously could not do that because somewhere, sometime, out there amongst the millions of clients the banks have, I am sure there will be an incident where a client does not feel that he or she has that degree of information. However, as Senator Johnson pointed out when she was asking about the complaint resolution process, I believe we have an excellent complaint resolution process, including the Canadian banking ombudsman, to deal with those types of issues.

Senator Finestone: I can recall a discussion around that ombudsman and hearing him in committee. Would you be comfortable in ensuring that we have an informed consent from people in society before they undertake another option?

Mr. Shaughnessy: I believe that such exists today with the privacy code and the information that the client gives when they open an account or buy a product or service. I believe the banks today are operating at a very high standard in that respect.

Senator Finestone: I gather that you are supportive of the e-commerce and would not be uncomfortable with that being the rule of law in a country that believes in privacy for its people?

Mr. Howey: We are very supportive of the Personal Information Protection and Electronic Documents Act, Bill C-6. Again, the main component of that legislation is the Canadian Standards Association model code, which is the basis for our privacy policy today. We feel that we are a long way towards complying with Bill C-6 already, although it does not kick in until January 1. And, yes, we are supportive of it.

I wish to add something about informed consent. To point out the obvious, this is not a one-time event. If a customer changes their mind tomorrow because they get a telephone call from CIBC or something in the mail that they do not like, and they tell us about that, we will change their preferences on the spot.

Senator Finestone: That is, if they say yes in the first place and then change their mind?

Mr. Howey: With the marketing opportunities that I have been talking about, we clearly tell them that we are going to do it. If they do not want it done, then we will not do it. That is an ongoing thing. At any time, they can say, "I got a call at dinner time last night, and I am upset about it. Do not dare call me at dinner time again." We use that opportunity to say, "Would you like to receive materials in the mail?" Quite often they will say yes, but no telephone calls. We have the ability to make that distinction with our computer system. We can record that a customer does not wish to receive telephone calls but would be receptive to mail.

Again, it is in our own best interests to get this right. If we upset a customer, they will not buy from us or be satisfied customers. This is pretty much self-policing stuff. We don't need to have a stick held over us to do it.

Senator Finestone: You should occasionally, as I am sure you do, stand in line at a bank. Just come down here on Sparks Street and stand in line in a bank. Last week, I waited 45 minutes to be served. I was depositing money, not taking it out. It was irritating to have to wait for so long. I do not making a deposit at the banking machine, although I use the machine to make a withdrawal.

I found your comment about the public key infrastructure interesting. I know that we are moving more and more towards firewalls and that cryptography is becoming more sophisticated, so that we have built-in protection. Nevertheless, how do I ensure that the vendor who is getting my credit card or my banking card is a good vendor, one who is respectful of my rights and keeps my transactions and my information secure? I note that on page 8 you provided guidance to us on what to look for in an Internet vendor or what an Internet vendor should do to protect my privacy.

Within Canada, how do we apply the principle? If I order a gadget that I saw on a cooking program or I order records or books that are advertised over the Internet, what protection do I have that the vendor I am ordering from is a good corporate citizen? How can I assure myself that they respect the privacy of their clients, that they will not share my personal information or sell my name to a list? I see Mr. Braidwood is smiling. Have you found yourself wondering the same thing?

Mr. Braidwood: No, I was just thinking that the answer to that question could take days.

Senator Finestone: I am trying to find the answer. The public is watching this and they want answers to these questions. You pick up the telephone when you see an interesting ad. You think, "I think those new windshield wipers or that gravy scooper or those magazines sound very good." However, when it comes time to give them my credit card number I get nervous. I wonder who will use this information and for what. Can you walk us through that?

Mr. Braidwood: I will try to give a relatively brief answer.

This is an area where we clearly do not yet have all the answers. The people who are buying, particularly over the Internet at the moment, are what we would classify as early adopters. For any new product, like a microwave, there are early adopters, and then middle and late adopters.

Senator Finestone: There are innovators, and there are those who are not innovators.

Mr. Braidwood: Yes. Anyone who is buying over the Internet today needs to have some level of education and training in this area. We are looking to put in place something like a seal, such as the Better Business Bureau type of seal.

Senator Finestone: I think we already had an experience with that Better Business Bureau type of seal that was rather disturbing, was it not?

Mr. Braidwood: It was indeed.

Senator Finestone: Good Housekeeping was stolen.

Mr. Braidwood: We should look for privacy policies, for instance. I was just checking my own bank's Web site, and I notice that on every single page on that Web site at the bottom there is a link to an area entitled "Your Privacy." There is another link to "Security." Wherever you are in a Royal Bank site, you can jump out to see about privacy and security.

Senator Finestone: Does that occur in all your eight banks and 41 affiliates?

Mr. Braidwood: This is over the Internet. We have a very solid policy that everything under Royal Bank Internet comes under the same controls. That is the type of control that we would expect to be on merchant sites as well, and we would advise customers to look for that.

Senator Finestone: You expect it to be there, but there is no way to ensure that it is.

Mr. Braidwood: There is no way to ensure.

Mr. Shaughnessy: This goes back to an earlier comment that was made I believe by yourself in respect of trust. The Canadian banks, and I think most of the major banks in the world, have a trust relationship with their clients, and that is a very strong and significant trust relationship. I think a customer dealing with one of Canada's banks, and frankly with one of the large global banks, has that degree of trust.

When dealing with a retailer in another industry, one should have a degree of knowledge about the retailer they potentially may do business with. Simply because one is on the Internet does not mean that one should be dealing with someone who is totally anonymous.

My recommendation, pending the introduction and full rollout of other measures, such as the public key infrastructure and certificates of authority, is to know whom you are dealing with.

Senator Finestone: Do you think we need a general privacy charter that would have guidelines such as the quality that exists at present in the banking association?

Mr. Howey: It is somewhat early in the game to say that we need more legislation at this time.

Senator Finestone: I do not mean legislation, I was speaking about an overarching policy or guideline so that you could look at what you are doing and say, "Yes, this would be fair for Canadians, this would put us in the trust category, because these are the rules that we would have to follow."

Mr. Howey: The Personal Information Protection and Electronic Documents Act has enough detail in it. It is not just comprised of broad guidelines on privacy; there are the 10 interrelated privacy principles and a fair amount of detail on what needs to be done and what cannot be done. It will eventually apply to all business organizations in Canada engaged in commercial activity, when it is fully implemented.

I would say that the banking industry supports that legislation and would like to see how it plays out, how it works. We have been living with it for a number of years through our own code, which is based on the Canadian Standards Association code, which is the basis of the act. It has worked for us for a number of years. It should work for other businesses; it needs to be given a chance.

Senator Finestone: We have been speaking about the wired world. What is happening with the wireless world? Is it as strongly connected?

The majority of the world does not have access to the same kind of protected telephony as those who live in industrialized countries; nor do they have the extent of telephony interconnects. I have heard people from Pakistan saying that they are not always sure how much electricity they will get in the course of a day or if they will receive electricity consistently, for more than 15 or 20 minutes at a time. If one is working on the concepts that we are talking about, in terms of creativity and intellectual competence and skills to use all this new interconnect and international communication technology, will the potential for a wireless world versus a wired world have an impact in any way?

Mr. Shaughnessy: It is interesting that you should bring that up. A few weeks ago, I was at an international payments conference, held in Belgium. In Europe, especially in some of the Scandinavian countries, they do not speak about e-commerce any more; they talk about m-commerce and being mobile and the wireless world, and that type of thing. The Scandinavian countries seem to be leaders in this respect. I know our member banks have a number of wireless initiatives.

Mr. Braidwood: From a security view, there is little difference. In our wired world, part of the transmission may well be wireless. The security must be complete end-to-end, irrespective of how the bits and bytes are transmitted.

Senator Finestone: I was in Germany and attempted to use various credit cards and only my American Express card worked. On my return to Canada, I learned that the wires had been down. That was very disconcerting. Will that be a common situation when the wireless world is fully functional?

Mr. Braidwood: Certainly in some countries communications is worse than ours. The local connections in those countries may improve over time.

The Chairman: Senator Finestone brought up the terms "wired" and "wireless." The study that we are doing follows on a report that this subcommittee tabled in the Senate. It was called "Wired to Win."

The report was tabled in early 1999. One of our recommendations touched on privacy and security. Therefore, all senators were extremely happy when Minister Manley came forward with Bill C-6, relating to personal information protection and electronic documents. That legislation will come into effect January 1 of next year.

You brought up the jurisdiction issue. We also touched on that in our first report. One of our recommendations was that our country should act to ensure privacy rights on the Web but through discussions with other countries.

Could you tell us the international venues that your association is using to discuss these common concerns regarding privacy and security and for the information that is shared worldwide?

Mr. Shaughnessy: Banks, through central banks, generally participate in sophisticated international payment systems. Interac, the VISA network and MasterCard are examples. These are sophisticated systems with built-in international, global corporate governance structures.

The payments system in Canada, through the Canadian Payments Association, codifies the same type of corporate governance on a general basis. Thus, global banks, due to the thousands if not millions of transactions a day that go through the system globally, do have a very sophisticated corporate governance structure in place.

Mr. Braidwood: The banking industry has certainly worked with Industry Canada to a great extent over the years. In conjunction with the Organization for Economic Co-operation and Development, a significant amount of preparatory work has been done leading up to the wired world. Banking organizations address issues such as interoperability. The banking industry, in general, has supported a number of government initiatives in providing consultation and papers to different government departments.

Mr. Howey: On the privacy side, Industry Canada is just starting the process to get the legislation enacted in Bill C-6 approved -- although I am not sure that is the correct technical term -- or recognized by the European Union. That is a formal process that they hope to have completed by the end of this year. The banking industry is participating on the sidelines on that.

I had a couple of bankers from Japan come to see me last week. Japan is looking at something similar to that legislation, to give more teeth to their privacy protection regime.

In terms of privacy, it always amazes me how similar the concepts are in different parts of the world. You keep bumping into the same principles, concerns and issues, at least in the commercial world, as you go around the world.

Senator Finestone: I see Stephanie Perrin, who I call the mother of the e-commerce bill, right behind you gentlemen. She is our next witness. We have had long discussions about the nature of the firewalls and the information. In particular, on the answer that you just gave, Canada had no choice but to go the e-commerce route. The OECD and the European Union made it eminently clear to both the United States and Canada that if they did not have decent privacy prosecution European countries would not do business in Canada. Am I accurate in that statement?

Mr. Howey: That was certainly the stance of the European Union, although the Americans were not too interested in adopting a formal law. After at least one year, they have come up with a safe harbour agreement, which is somewhat less than we have in Canada with the Bill C-6 legislation.

Senator Finestone: They wanted a very important contract from Germany to do their subway system. The Germans said, "Unless you put in some kind of protection on privacy, you will not get the contract." They had an undertaking, lickety-split. I do not think it is as strong as ours, is it?

Mr. Howey: That is what I am suggesting. It is a safe harbour regime as opposed to a federal law.

Senator Finestone: Is that at the national level or the state level?

Mr. Howey: I think it was put in place by Washington.

Senator Finestone: I do not think so. I think it was a state undertaking, pertaining to the place that was giving the contract.

I think we should look into that, Madam Chairman, because I think it could have an impact on how Canada should be dealing with the United States. We will comply with what has been set out by the Europeans and members of the OECD. However, the Americans are not. What does that mean to us? What does it mean in terms of gathering information about the work and people in Canada?

Mr. Braidwood: The banking industry worked with Stephanie Perrin in the formation of the OECD privacy policy, which the Europeans adopted. We are not just adopting directly what the Americans did.

The Chairman: I represent Northern Ontario in the Senate. One of the questions that I have been hearing in the last three or four years in Sudbury is about regional, personal services in banks. Although the wired world is giving individual Canadians more access to a lot more information and a diversity of services, many Canadians feel as if personal services are further away from them. What is the philosophy of our Canadian banks in the balance between personal service and electronic service?

Mr. Shaughnessy: Madam Chairman, I will talk about industry.

The Chairman: Mr. Shaughnessy, how many members do you represent?

Mr. Shaughnessy: I represent eight Schedule I banks and 41 Schedule II banks. The Schedule I banks are all domestically owned, while most of the Schedule II banks are foreign-owned. Of the Schedule II banks, a number of them would not be offering retail banking services; a number would be wholesale banks, as such.

In general, the banks have attempted to bring convenience -- and this is a very important message -- to their clients. When I started working for one of our member banks in my first career, you had to do your banking between 10 a.m. and 3 p.m. You could do your banking five days a week, and, perhaps, on Friday nights, when a bank may have been open until 6 p.m. or 9 p.m. You had to go into the bank branch during those periods of time. Today, people say, "You are pushing transactions out of the branches." I heard a statistic last week that the same number of transactions are actually occurring in the branches. What has happened is that in the electronic age there has been an explosion of transactions within the banking industry, and many of them are being done through ABMs, telephone banking, and now in excess of 2.5 million clients using Internet banking.

In general, the banks are trying to bring trusted financial advice to some of their clients through the branches. The clients are doing much of what we would refer to as the day-to-day transactions through these alternate electronic delivery channels that are available to them.

Perhaps Mr. Howey or Mr. Braidwood would like to comment on the strategies of their own banks.

Mr. Howey: I certainly emphasize your comments, Mr. Shaughnessy, and point out that the electronic channels allow banking 24 hours a day, seven days a week. We feel we are improving our services. As Mr. Shaughnessy mentioned in his remarks, we have not added one channel and abandoned another. We continue to layer these on top of each other and offer all of them simultaneously to all Canadians at a great cost.

We feel we have improved service dramatically. At the branch level, if Senator Finestone is able to make her deposit at the bank machine, then the person she would have dealt with at the counter is free to give trusted financial advice to Canadians who have investment questions and concerns that machines cannot handle yet.

Senator Finestone: I have to tell you that although I am not illiterate I like personal service. When I go to my bank in Annonciation, there are long lineups. People love personal service. However, you have been very busy cutting back all that personal service. I have to know what is new and what is coming up.

I would appreciate better regional services, as would the chairman. I know we have to become digitally competent, but I would prefer to have the competence of a face and a person to talk to.

I hope one of us will deal with the public key infrastructure, Madam Chair.

Senator Johnson: I do not understand these questions about personal service. I have not been to my bank personally for a year or even more. I do everything in an automated way. I pay all my bills that way.

Senator Finestone: You are so modern.

Senator Johnson: It is not that I am so modern; it is just that I no longer understand the world any other way. I know that there is service, if I need it. I have to ask you: Is it not unrealistic to suggest that we will continue to have local branches for everyone? Will the number of local branches not decline radically, and quite dramatically, over the course of the next five years?

This leads to the question of m-com. What kind of personal service will there actually be? I do not think there will be any, will there, unless you are looking for a big mortgage or something like that? I respect that some people want that kind of service, but I think it is unrealistic to think it will continue in the future.

Mr. Shaughnessy: I can only speak on behalf of the industry. Obviously, once again, we have representatives of two of the banks here. I do not believe that you will ever see the day -- and I know one should never say never -- where there will be no branches or nothing of that nature.

What we have done is added delivery channels. We have not taken a delivery channel away, we have added delivery channels. There have been branch closures but there are still thousands -- and we can get the number of branches for you -- of branches out there. We brought convenience. Those branches will look more and more like sales and service centres, where people, such as yourself, who might need a mortgage or want some advice on investment products will come in and transact that type of business.

With most of our members, there will still be the ability to transact, as Senator Finestone wishes, day-to-day services in that way. There is an evolution taking place, but I must emphasize the fact that it has not been at the exclusion of one of the delivery channels.

The Chairman: I have another question on the other aspect of banks. Our banking committee was in Chicago a few days ago doing some fact-finding on e-commerce and venture funds. It is obvious that banks have a huge role to play in the funding of new companies. Since our country wants to gear up vis-à-vis taking a bigger piece of the e-commerce world pie, how does the association view its responsibility regarding venture funding for these new small companies that are just starting up, be it in telecommunications or any type of services related to e-commerce?

Mr. Shaughnessy: We are now getting into proprietary issues amongst our members and I do not know if I can talk on behalf of the banks. I can say, though, and I would be pleased to give the information to the clerk of the committee, that the Canadian banks are major and significant suppliers of loan capital and otherwise to small business in this country. In fact, we are by far and away the single largest suppliers. Amongst the various banks, too, there are many examples of where successful companies have received venture capital financing from the banks. I do not have those numbers with me today; however, if you wish, I will have the bank's lending statistics, which we assembled on behalf of the House of Commons industry committee, presented to you. They are also on the CBA's Web site today.

The Chairman: That would be appreciated.

Senator Spivak: What has been the growth of e-commerce since its introduction in 1995 or 1996? How large is it and what is the difference to the banking association between e-commerce and B-to-B, business-to-business? That seems to be, as far as I can understand, a common platform that the companies themselves engage in. I am not sure.

Mr. Shaughnessy: E-commerce, vis-à-vis banks, is amazing. As Senator Johnson has said, if I understood correctly, she does not do her banking in the bank any more.

Senator Johnson: Rarely, unless I have a special need.

Mr. Shaughnessy: I am the same way. I find it a little perverse that I actually enjoy paying my bills now.

We said earlier that there are over 2.5 million Canadians today doing their banking through the Internet and PC banking access. That is a number that was zero a couple years ago, so that number is just taking off. I think Canadians are probably doing -- I am just making a personal comment here -- proportionately more transactions with their banks than they are doing with other retailers. That is the trust component that we talked about earlier.

Senator Spivak: That is not the only reason.

Mr. Braidwood: To answer Senator Spivak's question, certainly, as we have said before, it is still early days for e-commerce. Projections are that the business-to-business area will be huge compared to the regular customer-to-merchant business. The business-to-business, though, as I term it, is more that the entire transaction between two businesses is done electronically primarily over the Internet. Part of that is a payment, though, and the payment would go through the bank.

Also, in my earlier remarks, I said that the banks may well get involved in more of that business-to-business transaction, in that they may also get involved in giving assurance over some of the earlier interactions between two businesses.

Senator Johnson: This booklet you have included in your package is very good. I had a chance to scan it while we were talking. As we know, the digital or Internet revolution we are in is equivalent to the Industrial Revolution. I believe that fully.

In terms of individuals and businesses, I am trying to get a handle in my own mind about the fact of any possible conflict because so many people appearing before us continue to talk about privacy. Are you concerned about attempts to strengthen individual rights to privacy? Is there any privacy legislation proposed here, or anywhere else in the world, that would place an unreasonable burden on the banks?

Mr. Howey: That is a broad question. May I restrict my remarks to Canada?

Senator Johnson: Of course.

Mr. Howey: I mentioned that I had met with a couple of Japanese bankers last week and they are just thinking about the type of legislation that Industry Canada has successfully passed in April.

Again, we are very supportive. It is the kind of thing we have been doing for many years. How it is interpreted going forward will be important. Some things in the legislation are perfectly clear. We trust that the Privacy Commissioner will be level-handed in his decisions, and fair to both individuals who have concerns and businesses who have needs, and that there will be a proper balance between the two sides. Therefore, it remains to be seen how that legislation plays out vis-à-vis the Privacy Commissioner's role, and so on. For now, I am looking forward to the future from a privacy standpoint in Canada.

Senator Finestone: Would you refer to page 6 of your brief, Mr. Braidwood? You talked about traditional cryptography, how that is used now to protect data moving over computer networks for many years, and that the primary tool used by the banks to protect electronic transactions is cryptography. Now you are talking about moving into a new style of cryptography for the Internet. The Royal Bank is on Internet. I wonder about the implications of what you are calling public key cryptography, which is not as yet in place, and what you would advise this committee to consider with respect to the need to move or to enable the public key cryptography to take place. You talked about the connect keys, the pair of keys, the public key, the private key, and digital signatures.

Would you elaborate on that with respect to security services, for our consideration?

Mr. Braidwood: The technology has been there for many years; what we have needed is the legal infrastructure. That is what Part 2 of the Personal Information Protection and Electronic Documents Act puts in place. It is the electronic documents side of that legislation that puts the necessary infrastructure in place to recognize the legality of electronic signatures.

Senator Finestone: That is in Bill C-6.

Mr. Braidwood: Absolutely. That is in place and we can now move ahead with implementing that level of security.

Senator Finestone: I read pages 6 and 7 again, and I wondered whether there was a lack of comfort or whether you are awaiting something other than the implementation of this legislation. Those pages we see mention that a PKI introduces the concept of digital certificates and certification authorities. There is an explanation of the meaning, and then it states that before these certificates are issued, there is a criteria to be followed. Is that not inherent in everything you have undertaken to date? Are there any changes that will be applied as a result of this new undertaking? It is followed by the list of questions, so I wondered if there was anything that we needed to reaffirm. Madam Chair, I will leave that to you, please.

The Chairman: Mr. Shaughnessy, did you want to reaffirm your statements?

Mr. Shaughnessy: Mr. Braidwood is an expert in that public key infrastructure, CAs, et cetera. It will expand the scope of what is happening today. Currently, we, as an industry and our individual banks, are very satisfied with the security that exists with respect to today's infrastructure and those transactions that the senator might do through her Internet banking. However, the PKIs and the CAs bring a signature to a transaction. Therefore, in its Nth degree, you would be able to do virtually anything, when the laws are in place, that you can do on paper today. Is that correct?

Mr. Braidwood: That is correct. The main thing that it facilitates is the interoperability between customers of different banks. At the moment, the security on the Internet is mainly between the customers and their own banks.

Senator Spivak: Will it require duplication in hard copy? Will it be the final word? Will you not need any other hard copies to authenticate a transaction?

Mr. Braidwood: That is correct. You will not need anything else.

Senator Spivak: It will reduce the paper flow.

The Chairman: Thank you, Mr. Shaughnessy, Mr. Howey, and Mr. Braidwood, from the Canadian Bankers Association. We know that you will be sending additional information. I trust that if we call upon you with additional questions over the next few weeks we can count on your responses, because your input is crucial to the quality of our report.

Mr. Shaughnessy: Thank you for giving us the opportunity to attend here today, to address the committee and answer your questions. Most certainly, we would be more than pleased to work with the committee in its deliberations going forward.

The Chairman: Thank you.

Our next witnesses are Ms Stephanie Perrin from Zero-Knowledge Systems and Mr. Brian O'Higgins from Entrust Technologies. Welcome to you both.

Ms Stephanie Perrin, Chief Privacy Officer, Zero-Knowledge Systems Inc.: Madam Chair and committee members, I am pleased to speak to you this morning.

Before I review a few of the highlights of our brief, I should say, perhaps, as Senator Finestone has already indicated, that I have been heavily involved in Bill C-6 -- the Personal Information Protection and Electronic Documents Act. Therefore, when we applaud Canada for taking leadership in this regard, it is not exactly a disinterested applause.

Zero-Knowledge Systems is the only company in the world developing a cryptographically secure privacy and identity management infrastructure for the Internet. It is one of the brand new dot coms that we hope will flourish in Canada. We would urge you to create the environment so that we can flourish. We employ more than 230 people; our head office is in Montreal. As well, we have just opened an office in California -- Silicon Valley -- and we hope to open an office in Europe. We are capitalizing on what we perceive to be a global desire for privacy and for privacy security and technology.

When I was at Industry Canada, we talked about a need for codes of practice and standards, international standards, legislation, privacy-enhancing technologies and public education. Now that I find myself as the Chief Privacy Officer of Zero-Knowledge, I say the same things. We are very pleased to see passage of the law that guarantees rights. Frankly, we legislate what we care about; and if, in Canada, we care about privacy, we should have legislation, as has the rest of the developed world. However, the law is not enough. We need public education and an understanding of the risks to privacy. We need to build the legal requirements into the infrastructure itself so that we can protect against the wholesale collection of information by the technology itself.

To that end, Zero-Knowledge Inc. released a product entitled "Freedom" in December. That product is available as a download from the Internet. It is also available on CD-ROM. It goes deep into the structure of your personal computer and protects your IP address and your identity. Parents can allow their children to use it to surf using a pseudonym and can set filters to prevent a child from releasing personal information, such as name, address and phone number, which can be unknowingly released.

It manages cookies, which you have no doubt heard about, by setting up a cookie jar. Basically, it is a piece of public protection for the Internet.

You will see, in our literature, that we talk about anonymity, which we believe is threatened in the global information infrastructure. That is not to say that we believe that people should transact all of their business anonymously. However, we believe that if we do not have the capacity to ensure a range of identity management, in the Internet, we will have set up a surveillance structure. Thus, we start with protecting that identity and by putting the control of releasing the identity into the hands of the user.

I will mention, briefly, the recommendations that we have for the committee.

Again, we applaud the passage of the Protection of Personal Information and Electronic Documents Act. We think this gives us global leadership. Previous speakers were talking about the safe harbours in the United States. The United States has got itself into a situation now where the large companies will be able to avail themselves of safe harbours. They will be able to join the club, as it were, and make a commitment. However, small business is not in that club. In Canada, all businesses are going to be treated alike under the legislation. We have no requirements to hire big auditing companies to guarantee to customers that the requirements of a safe harbour are being met. We have a Privacy Commissioner that we hope will have the funds to do that. It is, in fact, a much cleaner and more flexible option than going with self-regulation. The notion that self-regulation is cheaper is one of the biggest myths.

Furthermore, the European Union has been stopped from making a pre-emptive determination that North America or the United States is not a safe place with and block flow. That does not mean that a data commissioner will not block a flow on an individual case-by-case basis. It does not mean that a consumer in Europe will not take a case to the court of human rights in Europe, which we see as the next step coming.

We think that we have got world leadership here with the legislation that has passed. We would like to move on in developing some of the technology that will implement it in the structure.

Our first recommendation is that we would like this committee to have a look at what Ireland has done in turning itself into the Celtic tiger in Europe. There are a number of policies that they have taken to facilitate the development of high-tech companies, and they have turned that country around. Canada now has policy and legal leadership. We could do the same thing.

I am not going to speak a great deal about cryptography because Mr. O'Higgins, from Entrust Technologies, is certainly more knowledgeable than I about the technology. However, we, at Zero-Knowledge, believe that strong cryptography is the linchpin of the information economy. We must find ways to remove the barriers to the use of it. We must ensure that we are not pressured to put further controls on encryption from the international arena, for the sake of protecting our companies and enabling these systems that we are putting in place.

I have spoken a little about building privacy into the new information technologies. We have recently hired Dr. Stefan Brands, a renowned Dutch cryptographer. We are moving forward to build this graduated information-control system into the public key infrastructures and into the browsers that we are building to do synonymous Web surfing. We feel that there should be public debate before moving on any limits to the ability to surf synonymously and anonymously.

We hear rhetoric about how privacy interferes with law enforcement. We would suggest that lack of privacy, lack of the ability to protect people, to protect identities, is causing a lot of the cyber crime. If there were good security in place, much of the cyber crime would not be taking place.

As a company, we are determined to build as much as we can into our product to assist law enforcement and to stop the kinds of attacks that we see in the press. We have already done that, and we are working to get greater cooperation with law enforcement so that we can be aware of what needs to be done in this regard and cooperate with them further. When we actually sit down with law enforcement people, we find that they are well aware of the need for our products to protect people. In fact, in a recent meeting with a group in Canada one of the officers said, "Well, you certainly do make my job more difficult when you are investigating, but I sure want my wife to use your products." As we move to a global network, we must realize that protection, having locks on the doors, comes first.

We were very enthusiastic about Senator Finestone's proposed charter. People do not understand the degree to which there is intrusion in these information infrastructures. They do not understand the amount of surveillance that already is taking place. We do not like the direction we are heading as a society, where everything is known about us. We think that public debate should take place, and we would applaud this committee for taking some leadership in assuring that we have that discussion.

There are a number of fora internationally, usually taking place behind closed doors -- discussions regarding international crime, money laundering, and the limits to privacy. There are other camps that are attempting to get privacy in place. Those two segments must get together and discover where there is common ground. They must discuss how the architecture can be set up to facilitate the kind of society that we now know and that we want to grow towards.

I would be pleased to answer any questions honourable senators might have.

Mr. Brian O'Higgins, Executive Vice President and Chief Technology Officer, Entrust Technologies: Thank you for the opportunity to appear before this committee. My comments will focus on new technology for providing Internet security and privacy, technology that our company is involved with. Some of the charts I will be referring to can be found in my handout.

We are interested in the Internet because of the amount of business that is taking place there. On page 2, there is a chart representing the number of transactions and the dollar value of those transactions on the Internet. Of course, there are several analysts, all of whom have different numbers, but it is huge and growing fast.

Business-to-business activity is 10 times that of business-to-consumer activity; however, we are in the early days. We are only at 1 per cent of what is going to happen. Last year, approximately $1 billion was transacted on the Internet. That is less than one per cent of the business-to-business transactions alone. There is room for tremendous growth. We are just starting.

We are the world leaders in what is called public key infrastructure technology. Essentially, this is using cryptography to make the transactions themselves secure. We had, according to Data-Quest last year, 35 per cent world market share. We are actually growing faster than the market. We have estimates that our worldwide market share is about 40 per cent.

The company was created January 1997, spun out of NorTel. Today, we employ over 900 people, in 35 countries. The product itself speaks five languages, and we are expanding throughout the world, as again, business using the Internet does.

When looking at adding security and trust to transactions on the Internet, the analysts divide the pie into three categories -- business internal, business-to-business transactions, and business-to-customer transactions. However, it is identical technology that is providing security and trust in all three camps. That is called public key infrastructure.

When talking about security and trust, we must know who the person is. We keep information confidential. We need to know if the person with whom we are dealing is authorized to do a given transaction. In addition, we need to confirm any of these transactions and due payment, and have the entire audit trail. These are fundamental. These are functions we do now in the physical world, and we need to do the equivalent in the electronic world.

On page 5, I refer to value-added PKI -- PKI being public key infrastructure. This is a summary of some of the security benefits that the technology provides. The benefits include authentication to prove who you are, authorization so that you know what you are allowed to see and do, confidentiality to keep information only for intended recipients, and data integrity, to keep information tamper-proof. Non-repudiation is a very strong evidence trail. One cannot deny having taken part in a transaction or alter it after the fact. There are also audit trails to unravel the communication, and figure out what went wrong.

One element of the technology is called digital certificates, or digital ID. Think of these as an electronic version of your passport. That is the thing that proves who you are. It is issued by something called a certification authority, and the public infrastructure takes care of managing these certificates throughout their lifetime.

One of the main functions that these things are used for is a digital signature. It is an electronic equivalent of your pen-and-ink signature, but the user would see a little button on the screen. He would push the "sign it" button, and then would enter a password to identify the user. What happens is the actual transaction or the form he is signing is protected.

We also provide for end-to-end encryption. Along with signing an electronic form, it will be encrypted, and encrypted right to the back-end process, so it stays encrypted throughout the network, whether it is on a wireless network or encrypted throughout Web servers and so on. That contrasts with what is often used today for security on the Internet. The issue is transaction encryption versus SSL encryption. SSL is a function built in to today's browsers. It does very little, but there is a belief, on the part of a lot of merchants doing credit card transactions on the Internet, that if they turn on that level of security everything is secure. That is very far from the truth, because the information that is important, like credit card numbers, ends up in the clear on the merchant's server. Hackers do not sniff the one link to get one number, they break into the server and get 317,000 credit card numbers, like they did with CD Universe. Every security breach in the future will be a world record by definition, because there is more and more business done on the Internet, and when the security is breached, it will really shake public confidence in using this technology.

Sometimes issues are raised with privacy and public key infrastructure. Because you have a certificate that explains who you are, this does not mean that you compromise privacy in any way. In fact, most users, when they use the certificates, have an anonymous name on the certificate, or a random number. It allows the person who issued the certificate to identify the user, and that keeps that transaction then totally private. Never does identifying information about the user travel in the clear on the Internet. However, if a merchant is dealing with a customer, he needs to know who that person is so he can serve him properly.

Another tool that is often used is portals. When the Internet first started, we used to think it was any-to-any connectivity, but that is not the case. It is many-to-a-few, because users log on and connect to their favourite portal, which is then their jumping-off point for various services. Of course, the people in the business of providing portals are very anxious to keep users coming to their site again and again. The portal will maintain the user's certificates and information about him. It will do it in a way that is transparent to the user, so the user is able to push the "sign it" button on forms, do transactions that are encrypted end to end, digital signature end to end. The person managing the portal manages all the infrastructure things on behalf of the user.

To the user, this might all look like a password. They enter a password and they log on, but it is very, very different from a password. Traditional passwords go in the clear on the network or are compared to something on a server. These passwords never leave the user's local environment. They are used essentially to unlock the certificates, which are used to encrypt and put digital signatures on information end to end. If we want to do stronger identification to the user for when he logs on, people use smart cards or biometrics. You just put more and more steps in, which would give a user greater certainty on this when he is logging on. You do the appropriate amount of steps for the type of transaction you are doing.

When we look at the business-to-consumer environment, it is very quickly not going to be PCs. The bulk of Internet transactions will be done through cellphones and other embedded devices. Depending on the various analysts you look at, they will totally overtake within the next five years the number of PCs. The Gartner Group says that by 2004 there will be one billion Internet-connected users on wireless devices versus only half a billion on PCs. It is just more convenient for users. These devices have microbrowsers built in, they connect to what are called WAP servers, the wireless equivalent of Web servers, and do normal transactions.

The public infrastructure technology to secure the transactions is identical, whether it is a wireless device or any of these computers, and, in fact, we are the first in the world to issue what are called WAP server certificates. Our customers for this are all in Finland and Norway and Hong Kong; it is there that the wireless Internet is getting market acceptance first.

I will conclude with some recommendations. I think the Personal Information Protection and Electronic Documents Act is really the right style for legislation here. It is what I call a moderate touch for privacy. I believe people absolutely need privacy legislation; otherwise, they just will not do the right thing and there will be more spectacular breaches, which will erode public confidence.

Security needs to be market driven, and this encompasses all the issues with respect to managing certificates and digital signatures. The person who is running the portal will do his utmost to make sure he has a very secure face to his customers. He will offer single sign-on, so the user sees one password, whether he is on a cellphone or doing a transaction through a Sony PlayStation 2. Game consoles are very important. They have a Java-based browser built in and broadband connection to the Internet. You think of it as a game console initially, but it will be the PC for the masses. When Sega launched their Dreamcast, within six months they had sold 2 million units. Sony launched PlayStation 2 in Japan a couple of months ago; in one weekend, they sold a million units, the next week another million. It does graphics, has a broadband connection to the Internet, has a browser, has a smart card slot, and many people have these things. It is a perfect vehicle for transactions -- government-to-citizens, business-to-customers, and so on.

Senator Spivak: What is the cost?

The Chairman: We will get to the questions in just a minute, Senator Spivak.

Mr. O'Higgins: There is still a problem with export reform, with all the legislation around cryptography. Canada has a stated policy to be equal to or better than what is out there. In practice, that is just not true. DFAIT is a year behind. It is causing Canadian companies tremendous stress right now, because, in the U.S., the technology we would provide is considered retail. There are virtually zero export controls; I just have to remember to whom I sold it. In Canada, by contrast, I have to go through an export permit, case by case, and that causes a big delay and a lot of stress for ourselves and our customers.

Government needs to be a model user of this technology. One example would be with income tax filing. Last year, 3.8 million users used off-the-shelf tax software on their PC to do their tax filing, but only 500,000 of those chose to e-file. The rest printed it off, signed it and put it in the regular mail. Only 15 per cent used e-file. CCRA will say that this is a great success, but what happened to the other 85 per cent? The government saves a lot of money. It costs $1.60 to rekey each tax form, so CCRA budgets $50 just on rekeying. If they took that $50 million and put it towards revenue collection, they would collect an additional billion.

These are examples of how electronic commerce is a win-win situation everywhere.

There are other examples. Canada has got a good start in doing electronic service delivery, at least government-to-government. It is starting to go government-to-business. Government-to-citizen is a big win in numbers. We should not let off any pressure rolling out secure services, and that will be a model user, and the rest of industry will follow.

The Chairman: Thank you. We will move to questions now.

Senator Spivak: I have a lot of questions about the way in which the technology has moved, but that is not really our current preoccupation. I do not really know why it is more convenient to use a hand-held device than to use a notebook, and I would like to hear your opinion on that.

Both of you have said that this will help deter crime. However, it will also mean that sophisticated criminals can use this technology in money-laundering transactions, for example, and go virtually undetected.

Is it your view that this will ensure that certain kinds of criminals can operate virtually undetected?

Mr. O'Higgins: The banking segment is our largest market segment. Our customers use this technology for many things. They automate many processes. At the same time, that adds much security and gives them greater certainty in audit trails and a greater ability to analyze information. As such, they could reduce fraud and money laundering because, when everything is electronic, they can automate tools to look for patterns of things going wrong.

Senator Spivak: Are you saying that the banking system can trace the activities of individuals who operate through it?

Mr. O'Higgins: The bank has to know who their customers are. The technology is used for many things. One is strong authentication -- knowing who the customer is, what accounts he is allowed to see, and how much money he can use. The digital signature allows you to automate the manual transactions.

Senator Spivak: This is transparent to banking systems, as an individual. Is it also transparent to government systems?

Mr. O'Higgins: The same thing would apply. The security is absolutely transparent to individuals and generally transparent to the application providers. The hard part is automating the manual process. We are moving something that used to be paper-based onto the Internet. That is the hard work. Adding the security to it is transparent and very easy.

Senator Spivak: In other words, it is not transparent on the Internet. It is transparent at the various places that you need to have it transparent, and it is not accessible via Internet to these places. Is that correct?

Mr. O'Higgins: Yes.

Senator Spivak: How would this prevent big time crime from operating in the same fashion? By "big time crime," I mean very sophisticated money-laundering operations, the sort of thing that we understand the Russian Mafia is doing with huge sums of money.

Mr. O'Higgins: This was the traditional debate a few years ago. Law enforcement was very concerned about the advent of strong encryption, making wiretapping more difficult. It is true that it will be more difficult.

The question is how much they will really lose. Law enforcement has many techniques for surveillance, et cetera. The concept of putting alligator clips on the telephone line just does not apply to the Internet.

Senator Spivak: Will this prevent the CIA from listening in on telephone conversations of terrorist organizations? I guess that just applies to cellphones.

Mr. O'Higgins: Strong encryption will be available and people will use it. That is a very small downside against a very large upside.

Senator Spivak: Can you explain to me why this hand-held phenomenon is gaining such popularity? I understand why it is in Finland and such places where their mobile phones are more advanced than their fixed lines. Why do users find that more preferable than a portable?

Mr. O'Higgins: It is just convenience. We do not understand it much from culture, but the cellphone infrastructure is not wired well here and probably never will be, because of the geography and the expanse, compared to Europe, which is easier to wire and has a much more dense population. Therefore, the cost is lower.

Everyone has a phone with them in Finland. I was there last week to meet with customers. The phone becomes your wallet. You can buy a coke from a vending machine by dialing the number of the machine. It is multi-functional. Although you cannot browse a lot of catalogues, it will be a hybrid system. You will browse a catalogue on your computer and click the "buy" button. Your phone will ring. You will put your credit card in the phone, enter your PIN number, and press "okay." That is a "card-present" transaction. There is a world of difference in security and fraud between that and "card-not-present" transactions. If there is fraud in a card-not-present transaction, the merchant eats the fraud. If there is fraud in a card-present transaction, the card-issuing bank eats the fraud.

Everyone needs to go to card-present transactions on the Internet, and a device like the telephone is the perfect vehicle with which to do it.

Senator Spivak: Your system applies to all of those transactions?

Mr. O'Higgins: Absolutely.

Senator Finestone: Ms Perrin, what is the difference between what you are saying in terms of protecting anonymity and what Mr. O'Higgins is saying? Are they two different systems, or are they different applications to ensure my anonymity, protection and security?

Ms Perrin: Basically, it is the same public key infrastructure. I agree with everything that Mr. O'Higgins has said. We are concerned, once we get widespread public key infrastructure -- and it is worth noting that it is not widespread at the moment -- that we do not aggregate all the information about people under certain keys, certain identities.

Mr. O'Higgins just cited the example of purchasing a coke or purchasing something in a store. We would like to be able to do that synonymously. Currently, you can pay cash for anything, and we would like that to continue in the future. We want to get away from the notion of one public key architecture run by a bank, for example. We would like to ensure there are multiple architectures and that there are ways of downloading money to the wallet via phone without identifying where it came from. The interface point is your bank. The bank should always know who the individual is. At that point, you bring in controls to ensure that someone is not downloading, on a minute-by-minute basis, enough money to cleanse their entire illegal operation. The controls should not be by way of gathering information about consumers coming into the store.

Unfortunately, with the credit card model of life, the transactional data has been gathered over the years. You know from all of your privacy hearings that people do not understand how companies get a profile about them. If we move that to a public key authenticated architecture, we are just making it technologically easier to gather that data.

We are just trying to find a way to disaggregate the information in order that I can buy a Coke as Mickey Mouse rather than as Stephanie Perrin.

Senator Finestone: Mr. O'Higgins, what are you doing that is different?

Mr. O'Higgins: There are a number of applications that will bring our technology in, but the digital signature is a primary one. That is the ability to automate a manual process.

Senator Finestone: It is good for lawyers, notaries, and accountants submitting income tax returns. That is what you are saying. Ms Perrin is saying that a private individual can purchase this and put it into their system and no one will know who they are except the bank.

Mr. O'Higgins: There is a difference between privacy and security. They are not equal. Privacy equals data signature plus data protection. My technology is primarily about data security. We take a transaction -- a file or an e-mail or an electronic form -- and absolutely protect it, end to end. We put a digital signature on it, and that is much more powerful than a written signature. Once you have a digital signature, you know who signed it. You also cannot change any one bit in the original file.

Senator Finestone: What is the difference from Ms Perrin's Zero-Knowledge technology? Does one go into my PC? I have not figured this out yet.

Mr. O'Higgins: Our technology can be used to provide for privacy, but privacy as a concept is about protecting your information or only disclosing the narrow amount necessary to do a certain transaction. Of course, privacy is also about informed consent, the opt-in and opt-out discussion, and the threshold of information sensitivity that should be used to decide on a privacy model. All of those issues are under the privacy umbrella.

Our technology is not primarily used for privacy. It is used to protect the transaction with encryption and digital signature. It is also used by many people to comply with privacy guidelines. It is just a very nice tool.

Senator Finestone: Any tool that protects my privacy is a nice tool. It is something that I think modern democratic civilizations would call an asset. In many other forms of society, like communism, they do not follow up on protection of rights.

Senator Johnson: I want to know why I should trust you or your company to ensure that this happens? You are a private company in business. Why should I trust that you are doing this in the public interest?

Mr. O'Higgins: No, you would trust the bank to which I would sell my software, for example.

Senator Johnson: You sell to the institutions?

Mr. O'Higgins: I am a software provider. The Government of Canada is one of my customers. The RCMP and CSIS used our technology internally and now the whole government does so. They apply a lot of due diligence to how we build our software. Governments are actually the lead in the world in understanding cryptography and all the mistakes that people make in building systems. There are a lot of government standards given for security. We are generally first in the world to get those various designations, and there are several around the world.

Senator Johnson: You would not agree then with the remark by the CEO of Sun Microsystems, "You already have zero privacy. Get used to it." In following along with what you are saying, you do not agree with that?

Mr. O'Higgins: I definitely do not agree with that. It was a very unfortunate comment and I think the company spent the next year backing out of it. Privacy is being recognized all over the place as extremely important.

I still agree with your earlier comments that industry needs help. It needs some legislation to force proper behaviour on privacy issues because the consequences are so severe when something goes wrong.

Identity theft is another crime that is becoming common on the Internet. Recently, a Canadian domain that is used by many charities was hijacked by another company because there was very low authentication into the domain registrar, allowing someone else to take over that account.

Senator Finestone: Regarding the domain registrars, we learned that people are registering the names of stars or well-known personalities and then the person must buy back their own name. That is a terrible thing.

I still do not understand the difference between your work, unless it is because Mr. O'Higgins sells to big corporations and governments, and Ms Perrin sells Zero-Knowledge technology to protect our interests and prevent the stealing of identities by use of solid firewalls.

Does Ms Perrin's technology go to my personal computer? How does it fit into the wireless picture?

Ms Perrin: Yes. I must emphasize that our current product is just for Internet surfing and anonymous e-mail. We do not have anything for the cellphone yet. I do not think the consumer market is quite right. We will be building something, we hope, to provide for that market.

Let me give you an example. Rather than go out with a credit card on the cellphone for a day of shopping, we would like to build towards the ability to strongly authenticate to your bank, to download and transfer money to a "wallet" and then to spend that amount securely, anonymously.

The cryptography that authenticates this process is basically the same cryptography. We just want to make sure that we are not also securely authenticating exactly who we are with every transaction we make.

I do not know whether you spoke to the earlier witnesses about the Interac system in Canada. One of the good things we designed into the protocols for that system was a barrier between the bank and the product you are buying. The bank does not get a complete trail from Interac, as it does with credit cards. We want a model of electronic cash that allows you to buy in an anonymous way.

Senator Finestone: You have said something that intrigues me. Most people use a VISA or MasterCard. I had asked earlier about Interac. I did not get the same answer, but I was told it was protected. Is it better for a customer to make a purchase with cash picked up at an Interac machine rather than using a VISA or MasterCard?

Ms Perrin: If you want privacy, that system would take you back to the anonymous world.

Senator Finestone: This is important for all consumers. Let's assume that I wished to buy a purse or a dress or nylon stockings. If I make those purchases with cash that I got at the ABM, I have more anonymity than if I make those purchases with a credit card; correct? In other words, data on my purchases is not being gathered, in the same manner as it is when I use a credit card. That keeps us in the same cash world, although it still ends up as half cash, half cashless. Have I got that right, Ms Perrin?

Ms Perrin: I think so. I should add a caveat, that I am not up to date with Interac. Systems change so rapidly. Perhaps they are moving ahead. Perhaps the credit cards are moving ahead to emulate that, but I doubt it.

Senator Finestone: We asked that question at the beginning of the hearing. I did not get that kind of assurance, but that would be a good question, Madam Chair, to ask the banking association and CIBC in writing. Is the same process in place there?

I have a question about e-mail and security and trust. If we use your systems, can I be assured that my employer cannot retrieve my e-mail?

Senator Spivak: They could not have prosecuted Microsoft.

Mr. O'Higgins: There are many issues in this question. Our technology is often used to secure e-mail by encryption and digital signing. It is typically used within an organization. I can provide that software product, but it depends how the product is run and the policies governing administrative positions.

A company can have absolute, guaranteed, total privacy for an end-user's transactions. Programs are often not run that way, for the simple reason of data backup and recovery. If an employee disappears, you need to be able to read his e-mail. There is very often a backup of the user's keys. That backup is under the control of the administrators. That is a switch that we have on our product. There is a lot of control over that backup ability and how we sell the product. If we sell the product with the backup ability turned off, we make our customers sign extra agreements, to understand what they are doing, because it is probably dangerous in a corporate environment. We have an option. It is required for some of our European customers. They need to be able to buy a product in that way. Our U.S. customers do not care if the feature is on or off, as long as they have control. However, I am selling a software product to a corporation, whose corporate IT department runs it on behalf of their end-users. This is not a public e-mail service for individuals; it is a totally different context.

Senator Finestone: There is an invasion of privacy issue when you see that you have the option to keep your e-mail personal. Last year, 27 per cent of major American companies monitored their employees' e-mail, which presents certain kinds of problems.

Senator Spivak: This could be the subject of collective bargaining in the future. Is that not an issue between employees and their administration? It is an impact; it is not the function of the technology. It seems to me that they may not have the right to look at private e-mail. For their corporate welfare, they might have a right to look at what are commercial transactions, but they may not have a right to look at private e-mail. Those issues are distinct.

Ms Perrin: As Mr. O'Higgins said, this is a very complex issue. One of my tasks as the Chief Privacy Officer at Zero-Knowledge is to ensure that everything we were doing as a company was of the very highest standard globally. We have had some roaring debates on these very issues. Frankly, if you are looking after the personal information of your customers, people outside or others, then you have to ensure that it is being protected. Part of protection is being able to see what your employees are doing, making sure that they cannot lock it up, swallow the key and leave. There is this balance to be struck.

Unfortunately, what happens in the 27 per cent that you were speaking to is that there is this great gulf between having the key available in an emergency, if an individual gets hit by a bus, for example, and day-to-day surveillance. I think that the unions are starting to pay attention to this surveillance.

I would like to draw attention to one other thing, that is, the retention of records. Privacy legislation and policies will make sure that you get rid of records when they are not needed, ephemeral e-mail included. There have been some very high-profile cases of an employee's e-mail being subpoenaed for all kinds of things. Once the documents are there, they can be dragged into court for divorce proceedings, libel, slander -- you name it. Thus, a proper privacy policy in place gets rid of the ephemeral e-mail. Most systems do not do that right now. With regard to the core documents that you need as a company, we should have decent filing systems in place to file that e-mail where they belong. Regrettably, most companies do not have such a system.

Senator Finestone: Do we need that as an improvement to the legislation or is this just a matter of a business code of practices? Was it covered under the CSA standards?

Ms Perrin: It is covered under the existing law and the standards that you should be doing these things. In fact, it states that you "shall" have retention schedules; but it is the area least looked at in most organizations. Certainly, the National Archives has been looking at those issues, in the context of the federal government, for many years. They are thorny and very difficult.

Senator Finestone: Within the scope of the Personal Information Protection and Electronic Documents Act and given the fact that we wish to indicate in our report where things need to be shored up so as to enable business to operate in the most efficient fashion using all the new technologies, whether wired or wireless, is this an area in which you envision the Privacy Commissioner having a role to play?

Ms Perrin: It is the kind of an area you could ask the Privacy Commissioner to study. I am afraid that right now he probably has more important things on the burner. However, certainly, this whole issue of archiving e-mail and the management of documents that are created comes home to haunt people when they receive a subpoena for the records and discover, "Gee, we have stuff that dates back 10 years."

Senator Finestone: Is there any kind of deadline date that is in place or should be in place?

Ms Perrin: We did not set particular dates. You are supposed to get rid of data when you no longer need it.

Senator Finestone: It has to be relevant to the issue.

Ms Perrin: That is right. You will find on the Internet -- and this is one of the reasons we feel we have to do some education and get people to surf anonymously -- that things people posted to news groups 10 years ago can be pulled up at déjànews.com and come back to haunt them. These records should be thrown out when they are no longer of use.

Senator Finestone: My last question is related to Zero-Knowledge Systems. It may be that I lack the understanding of the difference between Entrust, which is Nortel's product, and Zero-Knowledge. Is there a distinct difference between what Entrust has to do and what you have to do; and, in either case, is the SIN involved at any point?

Ms Perrin: They both involve strong security. They both employ public key cryptography. I think both are heading in the general direction of providing some strong security on the Internet. It is there that we part company. We are focusing on the consumer market and Internet. Mr. O'Higgins's company is focusing on business-to-business. In terms of the SIN, I do not think there is a linkage. Certainly, there would be no reason for the SIN to be at all involved in Zero-Knowledge's products and services.

Mr. O'Higgins: Our company is primarily involved in the business-to-business segment, although business-to-consumer too is starting to happen now, where you do more transactions. We sell our product to corporations. It is entirely up to my customer how they want to present their view to their constituents. I have never heard of a SIN or an equivalent being involved in this type of scenario; but I do not want to say it is impossible. One of my lead customers will be the People's Bank of China. They will be a model for security on Internet banking. They do it right, and they are just starting now. They show the highest growth in the world. In three or four years' time, they will have the largest Internet in the world. This is where a lot of Internet electronic commerce will be leading the model. At some point, you may involve an identity check of an individual before you issue him that certificate or the equivalent of the passport. Each company will do what they believe is appropriate.

Senator Johnson: The writers and artists of this country have had considerable problems since the advent of the Internet. I am talking about copyright. We have been through that in the past. When the books are written, people can access them via the Internet. They can quote from them. This also applies to music. Is there any way your systems are designed to help them with these copyright problems? Can you help to stop this incredible abuse that is going on now with their work? It just struck me as I was sitting here that there might be some way this technology could be used for that.

Mr. O'Higgins: This technology has been looked at very aggressively for exactly those applications. Several of my customers work in these consumer areas. However, I am not optimistic that there is a solution. A lot of these approaches involve sealing up the MP-3 file so that only an appropriately qualified player knows how to unwrap it to play it. That is science fiction or wishful thinking.

A player would be more valuable if it were to play sealed-up objects plus unsealed ones. No matter what happens, someone will render it in a playing form. It will get out onto the Internet, where everything changes. It does not mean the music industry disappears; it means it changes a lot. I am sure there will be live performances. The channel is totally different for the artist to his audience. The world will change very dramatically, but I do not think anyone knows how it will change. There are many standard forums just beginning to look at how to wrap up music or put what is called a water mark on it, so that when it is copied, at least you could trace one person who owned it. Ms Perrin will get annoyed at that. That standard of activity is just starting.

Senator Johnson: What about our writers, our creators of literature? Have you heard of Heather Robertson's constant battle to get copyright of their works on the Internet? They have no control of it now. Anyone can access their material whenever they want, as they please. They are in court about this at the moment.

Mr. O'Higgins: The same thing has happened with the software industry. The response has been open source. Industry has changed dramatically and just adapts with a new channel and a new environment.

Ms Perrin: This whole issue that journalists now have different kinds of contracts with their newspapers because of the Internet is a problem. The pricing structure, ownership, the permission to reuse, to re-digest and to produce again is a problem throughout society. Mostly writers are feeling it.

We are really concerned and I think most privacy advocates are concerned. We have been watching what has been happening in copyright management information systems. The technology has not been particularly secure. I realize that it is a difficult problem, but I remember asking them back in 1995, when I was at the OECD: "Why can you not put on it the same kind of thing that they have on dresses, where, if you walk out the door, you get an ink stain?" That is not good for business, so they did not design it that way. Rather than a little mole inside your copy of Lion King that will tell the world that this copy was sold to Stephanie Perrin and it is now in its two hundredth copy, why not have an inkblot explode on it when someone tries to do the wrong thing with it?

Mr. O'Higgins will no doubt tell me why that cannot be engineered, but we are looking at the prospect that everything you lay your eyes on, every newspaper you read, everything you surf on the Web, every book you buy, every Lion King will have your fingerprint digitally encrypted using Mr. O'Higgins's technology. They will use steganography to put it in the corner and we will have tattle tales all over. We have never had that kind of thought control.

When the CIA and the FBI wanted to do a library awareness program back in the 1960s and 1970s, they were stopped by the librarians. We are about to do this, in the name of copyright management, on the Internet, and it is of grave concern.

Senator Johnson: It is of grave concern and a huge challenge, do you not think?

Ms Perrin: Yes.

Senator Finestone: The dilemma is copyright and intellectual property, and which goes when and how. How do you live off the profits of your intellectual property and not follow the person and the individual, like a spy, through copyright infringement? It is really complicated. I like the inkblot, only I thought that was the Rorschach test.

Mr. O'Higgins: I really do not disagree with Ms Perrin. Many approaches are being attempted. Customers like Sony Corporation are building these devices that look at how to secure regional content. You could have an exploding inkblot so that the file disintegrates when it is misused, but no one will like it and they will not buy from that company anymore. No one will ever sell it that way. You must be careful.

I don't know what will happen, but the first stage is actually something very straightforward. It involves devices that will be able to have new downloaded software so that it can behave differently when people decide how they want it to happen. If you want to change a software device, you cannot load any piece of software, you must be sure it is the correct piece. My technology is used so the device will know who built it and will accept new software from the factory. Therefore, it is ready for the next copyright scheme that may come along.

Ms Perrin: The fundamental problem is that people do not like that. They will know when their copy explodes. For instance, a hacker was caught because he bragged about something on one of the chat groups. No doubt you have heard about that incident.

Senator Finestone: The love letter?

Ms Perrin: Yes. His watermark was on that piece and they could find out whose software created it. Who knew? In a free and democratic society, it is acceptable not to annoy the customer but to build a surveillance system into all the technology that most of them do not know about. This is the kind of benign Orwellian surveillance. It is fine if it is benign, but suppose it is not? How do you track the people who have access to this, who are largely that sort of cult group of techies who are behind the scenes in the companies? They are the group that really understands these things.

Senator Spivak: Maybe having the technology is the answer; that is to say, you patent it for so many years. Look ahead, into the future. Your technology may not mean that we do not need a banking system.

Mr. O'Higgins: I think banks are very threatened, especially credit card companies. You just have to look at what is happening at the example I talked about earlier in Finland. That was payment with no credit card company involved. The two most popular WAP applications -- that is, the Internet on your telephone -- are looking at your cellphone account balance and paying that at the bank. When you do a transaction, you can go into the car wash, a vending machine, and so on. The transaction is done between your phone and a machine and it is added to your telephone bill.

Senator Spivak: If we are entering a cashless society, period, banks will be like everyone else. They are middlemen. They may have other functions, but people may now have offers, IPOs, and so on, for money. You could see a system where you would not need banks?

Mr. O'Higgins: You can. In this example, the telcos become a bank. They would make a lot of money on the float or the transactions. That is what they are after. Especially in Europe, there are a lot of prepaid phones, because a lot of people move around and it is hard to get an account. In the wireless Internet world, the standards for security on it are ugly, but it does not matter if they are to be used. They wire in the telecode during the middle of all the transactions. By design intent, they help to write those standards. Ultimately, that particular set of standards will disappear, because you will want to go directly to the bank and someone will want to provide service right to the phone. For the short term, however, they will always be there.

Senator Spivak: Is there any literature on this, that is, explaining the financial implications? There must be some literature somewhere.

Senator Finestone: CIBC is not putting it out.

Mr. O'Higgins: I am not aware of a good summary on this. It is very new, but the notion of telcos becoming banks will definitely occur, and it will be led by Europe.

Senator Finestone: This is fascinating. We must ask the telcos what they know about this. The banks will tell us, will they not?

On page 3 of your presentation, Ms Perrin, you said that we should examine the initiatives that Ireland has taken in policy law and tax incentives that have allowed it to become the Celtic tiger. Cryptology is the linchpin of our information economy, as you have said. What is the Celtic tiger and what are the restrictions in the Wassenaar arrangement? That is on page 3 of the document from Zero-Knowledge Systems. Could you explain to us how this privacy should be built into the new information technology?

Ms Perrin: The Wassenaar arrangement is the agreement whereby leading nations -- and I am not sure how many countries participated in it, but they are leading nations -- agree on export controls for cryptography. They meet regularly. At the moment, mass market cryptography is not controlled, but there are restrictions such as those Mr. O'Higgins talked about earlier, in terms of getting an export licence for his business-to-business, slowing down the pace of development, and creating a sort of red tape in order to export cryptography. For instance, Zero-Knowledge has to put up a warning on the Web site that you cannot download to the controlled countries. We have filters on our servers to ensure that the material is not downloaded to restricted countries such as Iraq.

These are becoming more and more difficult to enforce in today's world. As Mr. O'Higgins pointed out, Canada has a very forward and aggressive cryptography policy, which was tabled about the same time that Bill C-6 was tabled. Unfortunately, in terms of keeping up with the paperwork, the United States and other countries, notably Ireland, have dropped the paperwork and we have not. Would that be a fair description of what is going on?

Senator Finestone: What do you mean by "dropping the paperwork"?

Ms Perrin: I will let Mr. O'Higgins talk about that.

Basically, we want to keep up with the leading countries in the world and make sure that we have less paperwork in place so that we can get to market faster with strong cryptographic products. Ireland has done this. That is one of the reasons that cryptocompanies are settling in Ireland, namely, so that they can move quickly.

Senator Finestone: Is this why they have earned the name the Celtic tiger?

Ms Perrin: Many things are involved. I am not an economist; however, I know that they have a favourable tax regime and good investment strategies. On the CBC program called Ideas, about a month ago, they discussed all the successes that Ireland is experiencing. If we are serious about moving forward in electronic commerce, Canada must be aggressive on this. All the countries are lined up at the starting gate here and we have to keep up with them.

Senator Finestone: Let us remember to get a copy of the transcript of that program, please.

Senator Spivak: That is a good idea.

Mr. O'Higgins: I agree with Ms Perrin's remarks. Ireland has done a tremendous job being very friendly for electronic commerce. The Dublin area has come to life over the last 10 years. There are several world-leading companies there. In particular, for the export of cryptography, there are no controls out of Ireland. In Canada, the stated policy is very good. It is equal or at least not behind any of the 33 Wassenaar nations, of which Ireland is a member. However, in practice, we do not comply with our policy.

The Chairman: Are we hearing you correctly? We could say that you find that our practices and regulations for exports are not keeping up with the rapidity required for e-commerce. Am I expressing well what you are saying?

Mr. O'Higgins: You summarized it very nicely.

The Chairman: What would you recommend, therefore, to permit Canadian businesses to be able to rapidly offer services to other countries?

Mr. O'Higgins: I would recommend an emergency action to revamp export policy in Canada.

The Chairman: Senator Finestone, do you have any other questions?

Senator Finestone: No. I want to remind the chair that the four of us are expected in another meeting in four minutes. We must have our minds clear on Air Canada policy.

The Chairman: Senator Johnson, do you have any other questions for our witnesses today?

Senator Johnson: I cannot get through them all now.

Senator Finestone: I would like to hear a wrap-up. I notice that each of them has recommendations. Could they be precise about the nature of the recommendations so that it will be helpful to our research staff, please?

Ms Perrin: Mr. O'Higgins has already stated it, and that covers a couple of our points. We need to revamp our cryptopolicy and make sure that we are at the cutting edge and the fastest. We need public debate on privacy enhancing technologies and their deployment as part of the critical information infrastructure protection program. We have to understand how important privacy is to confidence on the Internet, to prevent identity theft, and generally as part of a secure infrastructure.

We urge the committee to look again at Senator Finestone's charter and look at something about which we have not spoken today, namely, the notion of intrusion. Privacy, as Mr. O'Higgins said, is not just security, confidentiality or keeping the data private, it is making sure that no one intrudes, that you do not have to give information where you do not need it. With the technologies that we have spoken about today, namely, the copyright management system, the secure identification, the ability to spend from a wallet, whether it is from a cellphone or an Internet browser, you do not need to be identified.

Can we look into the whole concept of intrusion and what is acceptable under the Charter, both from government and from business? Business is not covered by the Charter, but a charter of rights that looked at what government can do would help to open some of these issues.

The Chairman: Next week, the RCMP is also appearing before us as a witness. We are trying to balance off immediately those two issues that you brought forward so well to our committee today.

Thank you so much for appearing before us today. We trust that, if our researchers have additional questions, they can go to you both for additional answers.

The committee adjourned.

