The Australian Government Information Management Office Archive
The content on this page and other AGIMO archive pages is provided to assist research and may contain references to activities or policies that have no current application.
Annex A - Legal and Privacy Issues with PKI
A.1 What laws govern digital signatures?
The Electronic Transactions Act 1999 (Cth) (ETA) states that for the purposes of a law of the Commonwealth, a transaction is not invalid because it took place wholly or partly by means of one or more electronic communications. This is intended to allow electronic transactions to be treated as equivalent to offline paper transactions. From 1 July 2001 all Commonwealth laws fall under the ETA except those specifically excluded. Commonwealth agencies are thereby expected to accept electronic transactions from clients made pursuant to most Commonwealth laws.
Further information on the ETA can be found on the Attorney-General's Department website at: http://www.law.gov.au/publications/ecommerce/Welcome.html
A.1.1 What laws govern the relationships between entities within Gatekeeper?
The following diagram (not reproduced in this archive copy) shows some of the various parties in the Gatekeeper strategy and the legal relationships that commonly exist between those parties.
For the most part, legal and financial liability will be managed contractually, with NOIE seeking to minimise risks falling unfairly or unduly on either the Commonwealth or Subscribers, and to have loss or liability result more directly from breaches of core responsibilities by CAs, RAs and Subscribers.
A.2 Management by agencies of PKI liability risks
NOIE has recommended liability management policies for Commonwealth agencies. They are intended to result in an equitable sharing of risks among agencies, CAs and their clients.
A.2.1 The need for agencies to manage PKI risks
While Gatekeeper (the trust framework for applying public key infrastructure to online transactions with Commonwealth agencies) is a rigorous scheme designed to satisfy authentication, confidentiality, message integrity and non-repudiation needs for those transactions, PKI-related losses may still be suffered by parties dealing with agencies or otherwise using Gatekeeper certificates. Those parties might choose to claim compensation or damages from the Commonwealth in addition to the relevant CA or RA.
Potentially, large numbers of persons may rely on Gatekeeper certificates to obtain and verify another party's identity, and they may suffer significant losses if they provide goods or services, credit or funds to parties they do not intend to. Further, they run the risk of an end user repudiating a contract on the basis of a PKI failure such as an error in the certificate or inadequacy in the certificate revocation process.
Such risks are greater in an 'open' PKI community, that is, where the Commonwealth cannot manage liability through contracts with all Relying Parties. This will be the case with ABN-DSCs, where Subscribers will not necessarily be Agency clients or even Subscribers to Gatekeeper Accredited CAs.
A rigorously designed and maintained PKI, applying Gatekeeper standards or comparable third party certification and checking for example, is likely to go a long way to minimising such errors and losses. However, this needs to be supported by a legal risk management policy in case losses do nonetheless occur.
A.2.2 Scope of these recommendations
This paper sets out proposed legal liability positions which NOIE, on advice from its legal advisers, considers appropriate to be taken by Commonwealth agencies managing or participating in the Gatekeeper Strategy.
These positions seek to encourage professionalism by Gatekeeper service providers (notably CAs and RAs) and at the same time limit Commonwealth liability risks and the extent to which providers can transfer risks to agencies and their clients for losses caused by their own professional failings. This position, set out in A.2.3 section 4, is intended to ensure that public confidence in Gatekeeper is not unduly prejudiced by subscribers having to bear unreasonable risks of losses that are not their fault.
In this paper we need to distinguish several different capacities in which a Commonwealth Agency may act:
- NOIE as Gatekeeper manager, designing and implementing Gatekeeper policies and standards and accrediting Gatekeeper service providers.
- Commonwealth agencies wishing to act as Gatekeeper accredited service providers - CA or RA.
- Commonwealth agencies which commission Gatekeeper accredited RAs and CAs to provide them or their clients with PKI services.
- Commonwealth agencies whose employees are Subscribers to CAs or RAs (holding and using keys and certificates when transacting with Agency clients); all PKI-using agencies will be in this category.
- The Commonwealth represented by the ATO and DEWR, as responsible for the operation of the Australian Business Register.
A.2.3 Recommended liability guidelines for Commonwealth Agencies
NOIE, as Manager of the Gatekeeper Strategy
NOIE will not accept liability for:
- the use of a Gatekeeper certificate (e.g. an ABN-DSC) where a government Agency was not a party to the transaction supported by the certificate (notably business-to-business transactions); or
- an act or omission of a Gatekeeper accredited service provider in breach of its Head Agreement with NOIE, or its NOIE accredited Certificate Policy (CP), accredited Certification Practice Statement (CPS) or Subscriber Agreement.
Also, in accrediting a Gatekeeper service provider, or its CP and CPS, NOIE gives no warranty as to:
- the standard or suitability of any services thereby provided;
- the suitability of the CP and CPS and other Gatekeeper accredited documents for subscribers or relying parties. In particular, whenever appropriate, subscribers should be advised to consider seeking independent professional advice as to the risks and liabilities which may result from their signing a Subscriber Agreement or becoming party to a CP or CPS.
NOIE will ensure the above risk management mechanisms are appropriately reflected in head agreements and CPs and CPSs which it accredits.
NOIE has also developed guidance for government representatives when promoting the Gatekeeper strategy and digital certificates, so as to minimise the risk that these might be "oversold", leading to possible undue reliance and expectations on the part of Gatekeeper users as to their functionality and robustness. See further A.2.5.
Commonwealth Agencies Acting as Gatekeeper Accredited Service Providers
These will be subject to the same accreditation conditions applied by NOIE to all private sector Gatekeeper service providers. Liability management for Commonwealth Agency CAs and RAs is expected to include:
- strict adherence to the Gatekeeper Strategy and relevant Australian standards, including to Gatekeeper accredited CPs and CPSs;
- awareness raising among their Subscribers;
- quality control over their own operations;
- insurance cover (agencies should first check whether Comcover can offer this cover); and
- risk allocation and liability management in their CPs and Subscriber Agreements.
Commonwealth Agencies which Commission Gatekeeper Accredited Service Providers
Specifically, service agreements between accredited service providers and agencies commissioning them to issue certificates to Agency clients should:
- confirm that certificates are issued by Gatekeeper Accredited service providers acting as independent contractors (and not as agents for Commonwealth agencies, thereby minimising the risk that agencies might be liable for failings on the part of RAs or CAs);
- confirm that liability for any losses resulting from a fundamental deficiency on the part of the Gatekeeper accredited service provider, in the circumstances set out in Section 4 below, will be borne by the provider. This would mean that the Agency would not be liable by reason of having merely commissioned the provider, and would have a remedy against the provider where the Agency is in the position of a subscriber or relying party;
- allow the Agency, when acting as a relying party, to recover from the CA (or RA) a (capped) amount for any loss it suffers as a result of an act or omission by the CA (or RA) in the circumstances covered by the second and third paragraphs of paragraph 4 below.
Commonwealth Agencies Using Gatekeeper Certificates
Agencies whose employees hold keys and certificates will usually be in the same position as other (individual and business) Subscribers, in that CAs will generally attempt to minimise or limit their liability to all certificate holders by various disclaimers in their standard form Certificate Policies and Subscriber Agreements.
In order to ensure that public confidence in Gatekeeper is not unduly prejudiced by subscribers having to bear unreasonable risks of losses not their fault, NOIE proposes not to accredit a CP or Subscriber Agreement tendered by an applicant CA which seeks to avoid liability for breaches of certain core professional responsibilities by transferring resultant losses to Subscribers and Relying Parties.
This policy is essentially the position adopted by the European Community in its Directive on Digital Certificates.
The core professional responsibilities which RAs and CAs will not thereby be permitted to avoid are:
1 The CA must ensure, at the time a Certificate is issued to the key holder, that:
- the Certificate Information is accurate;
- the Certificate contains all the elements required by the Certificate Profile; and
- the key holder is in possession of the Private Key corresponding to the Public Key included in the Certificate.
2 If the CA (or RA depending on the PKI implementation model) generates Key Pairs, it must ensure that each Key Pair is an operable pair of cryptographic Keys.
3 The CA (or RA depending on the PKI implementation model) must:
- revoke a Certificate if requested by the key holder or Business Entity;
- register the revocation of the Certificate so that this information is readily available to a Relying Party.
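The three core responsibilities above map onto concrete checks a CA performs and a Relying Party repeats. The following is an added example written for this page, not Gatekeeper or NOIE code: a hypothetical CA verifies proof of possession from a CSR signature (responsibility 1), confirms a key pair is operable (responsibility 2), and publishes a signed CRL that a Relying Party consults (responsibility 3); all keys, serials and names are constructed in memory.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Responsibility 1: a CSR is signed with the applicant's private key, so a valid CSR signature proves possession of the key matching the enclosed public key.
func ProofOfPossession(csrDER []byte) bool {
	csr, err := x509.ParseCertificateRequest(csrDER)
	return err == nil && csr.CheckSignature() == nil
}

// Responsibility 2: a generated key pair is operable if a signature made with the private key verifies under the public key.
func KeyPairOperable(priv *ecdsa.PrivateKey) bool {
	digest := []byte("constructed 32-byte probe digest") // 32 bytes, stands in for a hash
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest)
	return err == nil && ecdsa.VerifyASN1(&priv.PublicKey, digest, sig)
}

// Responsibility 3 (Relying Party side): a revocation is "readily available" when a CRL signed by the issuing CA lists the serial; an unparseable, unsigned or foreign CRL is rejected rather than trusted.
func IsRevoked(crlDER []byte, issuer *x509.Certificate, serial *big.Int) bool {
	rl, err := x509.ParseRevocationList(crlDER)
	if err != nil || rl.CheckSignatureFrom(issuer) != nil {
		return false
	}
	for _, e := range rl.RevokedCertificates {
		if e.SerialNumber.Cmp(serial) == 0 {
			return true
		}
	}
	return false
}

// RunChecks builds a constructed CA, subscriber CSR and CRL in memory (no real Gatekeeper material) and returns the outcome of the three checks.
func RunChecks() (pop, operable, revoked bool) {
	now := time.Now()
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: now, NotAfter: now.Add(time.Hour),
		Subject: pkix.Name{CommonName: "Constructed CA"}, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	caCert, _ := x509.ParseCertificate(caDER)
	subKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	csrDER, _ := x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: "Constructed Subscriber"}}, subKey)
	serial := big.NewInt(4242) // constructed serial of the subscriber's certificate
	crlDER, _ := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: serial, RevocationTime: now}},
	}, caCert, caKey)
	return ProofOfPossession(csrDER), KeyPairOperable(subKey), IsRevoked(crlDER, caCert, serial)
}
```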
While this policy will not be applied retrospectively to service providers already accredited, it will be expected to apply when they seek re-accreditation or when negotiating the annual extension of their head agreement with NOIE.
At the same time, Gatekeeper Accredited CPs will also set out responsibilities for Subscribers and Relying Parties to handle their private keys securely and to exercise due diligence in checking the identity of parties to Gatekeeper certificates and the validity of their certificates. These responsibilities in CPs will usually be made legally binding by incorporation into Subscriber Agreements to which agencies and their clients - as certificate holders - would be party. Losses for breaches of those responsibilities will generally be expected to lie with the relevant party (this could include a Commonwealth Agency whose employees are Subscribers).
The Commonwealth represented by the ATO and DEWR, as responsible for the operation of the ABR.
ATO and DEWR are responsible for the operation of the Australian Business Register and have already disclaimed liability for any errors in the Australian Business Register, as indicated in the following preamble to the online ABR available at: http://www.abr.business.gov.au/
Due to the limitations outlined below, neither the Registrar of the ABR nor the Commonwealth accept any liability arising from use of or reliance upon the Service.
Neither the Registrar of the ABR nor the Commonwealth guarantees that the information available through the Service (including search results) is accurate, up to date or complete. This is because the official ABR is based on information supplied by businesses to the Registrar of the ABR. That information may have changed since it was supplied by the business and was included in the ABR, despite requirements on entities to formally notify the Registrar of any changes. You should consider verifying any information obtained through the Service from other sources.
In addition, while we will make reasonable efforts to regularly update the information available through the Service from the official ABR, the information available through the Service may not be as current as the information in the official ABR.
The fact that an entity is listed in the ABR is not a warranty of the commercial viability or continuing existence of the entity, nor is it a warranty that any apparent use by an entity of its Australian Business Number is in fact properly authorised by the entity.
Agencies using ABN-DSCs in dealing with business clients should advise their staff not to rely exclusively on the ABR when checking the identity of those clients, especially if they have any reason to doubt the authenticity or capacity of the sender.
A.2.4 Implementing the suggested recommendations among agencies and accredited service providers
The recommendations in this paper can be reflected in three different mechanisms:
- the accreditation information pack given to applicants for Gatekeeper accreditation;
- the Head Agreement between NOIE and accredited service providers; and
- a CA's Certificate Policy submitted for accreditation by NOIE.
NOIE officers are available to clarify these recommendations and how they might be applied in particular cases.
A.2.5 Public statements about Gatekeeper
It is recommended that, when promoting or making other public statements about the characteristics and benefits of the Gatekeeper Strategy, Commonwealth representatives do not overstate the authentication, security and non-repudiation strengths of PKI, leading to undue or unrealistic reliance on Gatekeeper by relying parties who might thereby suffer financial losses and sue the Commonwealth. This concern recognises that these strengths can be compromised by human error, especially on the part of users (Relying Parties).
Much of the integrity of the Gatekeeper strategy relies upon such aspects as how end users protect their keys from compromise or how they use those keys, or on how accurately their identity has been checked and authenticated by Gatekeeper accredited service providers. Despite rigorous accreditation processes administered by NOIE, and incorporating world-class standards, there are limits to the extent to which the Commonwealth can guarantee favourable PKI or Gatekeeper outcomes, and public statements would be imprudent if they were to ignore this.
These considerations apply to any Government infrastructure. However, the Gatekeeper strategy poses a particular risk as it is currently less understood by the wider community including businesses. For this reason Government clients which suffer loss as a result of an error by a Gatekeeper accredited service provider or apparent malfunction of a product or service seen as complying with Gatekeeper requirements may be more likely to consider legal action rather than recognising, and being able to avoid, their own errors. As a litigation tactic, litigants are likely to nominate the Commonwealth as a co-defendant when suing accredited CAs and RAs.
A note to reflect the above considerations should be given to all speech writers and speakers to ensure they are aware of the risk of Commonwealth liability if they engender over-reliance on Gatekeeper or its accredited service providers.
The following are examples of the types of statements that should be avoided:
- Gatekeeper is guaranteed by the Government;
- Gatekeeper certificates can be relied upon in all situations;
- You can have complete confidence in Gatekeeper accredited CAs and RAs;
- Gatekeeper provides complete assurance that you know whom you are dealing with in online transactions;
- Gatekeeper-supported transactions cannot be repudiated by the parties to them.
Rather, such statements should prudently be recast along the following lines:
- Gatekeeper is a Government administered scheme to encourage trust and reliability in online transactions;
- Gatekeeper certificates offer high levels of trust and confidence when issued, managed and used in accordance with Gatekeeper accredited policies and practices;
- You can be confident that Gatekeeper accredited CAs and RAs have satisfied rigorous standards for technology, security, privacy and business reliability;
- Gatekeeper provides confidence that you know whom you are dealing with in online transactions; and
- Gatekeeper-supported transactions cannot normally be repudiated by the parties to them.
NOIE officers are available to clarify these guidelines in particular cases.
A.3 Privacy issues with PKI
Overall, PKI should enhance privacy. However, inadequate implementation of the technology has its own associated privacy risks.
The Commonwealth has developed the Gatekeeper PKI strategy to facilitate e-commerce and the take-up of online delivery of government services in Australia. This strategy includes a number of stringent privacy protections such as privacy-related Gatekeeper accreditation criteria for CAs and RAs (see http://www.noie.gov.au/projects/publickey/GatekeeperAccreditation.htm). These aim to ensure conformity of CA and RA operations with the requirements of the Information Privacy Principles under the Privacy Act 1988. NOIE's privacy policy for CAs and RAs is further spelt out in http://www.noie.gov.au/projects/publickey/Gatekeeper_privacy_recommendations_May2000.htm
At the end of 2000 NOIE invited the Federal Privacy Commissioner to consider issuing guidelines on the privacy implications and good practices for Commonwealth agencies using PKI for individuals. These will often be agencies that do not issue their own digital certificates but leave that to Gatekeeper accredited CAs, at the same time managing or influencing how certificates are used. Both NOIE and the Privacy Commissioner see this as an important issue and critical to building confidence in online government services.
In December 2001, following extensive consultation with Commonwealth agencies, consumer groups and industry, the Commissioner issued 'Privacy and Public Key Infrastructure: Guidelines for Agencies using PKI to Communicate or Transact with Individuals'. These are available at: http://www.privacy.gov.au/government/guidelines/index.html
