Department of Justice Canada / Ministère de la Justice Canada
Government of Canada

A SURVEY OF LEGAL ISSUES RELATING TO THE
SECURITY OF ELECTRONIC INFORMATION


TABLE OF CONTENTS

EXECUTIVE SUMMARY

Acknowledgements, Preface

Chapter 1 : Overview of Technology, Security, Privacy and the Law

A. Security and Information Technologies: General Comments
B. Privacy and Information Technologies: General Comments
C. Law and Technology: General Comments

[ASCII (63K)], [Word (82K)]

Chapter 2 : Creating, Preserving and Controlling Electronic Records

A. Obligations to create records
B. Obligations to preserve records
C. Obligations to control records (including records disclosed to third parties)
D. Summary

[ASCII (54K)], [Word (69K)]

Chapter 3 : Collecting and Sharing Personal Information

A. Sharing Personal Information: basic principles
B. Data Matching
C. Personal Identification Information (DNA, Smart Cards)
D. Transborder Data Flows
E. Summary

[ASCII (75K)], [Word (93K)]

Chapter 4 : Securing Government-Held Commercial Information

A. Sources of government-held proprietary information
B. Avoiding violations of intellectual property rights (see also ch. 6B)
C. Theft and fraudulent use of information
D. Protecting proprietary information within and outside the Access to Information Act
E. Summary

[ASCII (49K)], [Word (65K)]

Chapter 5 : Liability for Disclosing Confidential Information

A. Negligence



General comments
Policy decision to limit money spent on IT security
Obligation to use secure technology (Firewalls and Gateways)
Obligation to comply with policies
Limiting Liability

B. Other torts: abuse of power, invasion of privacy, breach of confidence
C. Breach of various specific statutory provisions (Access to Information Act,
Privacy Act, Official Secrets Act, Security Offences Act, Canadian Security
Intelligence Service Act, Income Tax Act, Excise Tax Act, Customs Act)
D. What measures permit managers to discipline employees
for unlawful disclosures of information?
E. Summary

[ASCII (82K)], [Word (110K)]

Chapter 6 : Integrity and Accuracy of Published Government Information

A. Liability for inaccurate government information provided to the public
B. Bulletin board operator liability for illegal dissemination of information
C. Summary

[ASCII (77K)], [Word (98K)]

Chapter 7 : Criminal Misuse of Information Technology

A. Computer sabotage
B. Creating and disseminating computer viruses
C. Computer fraud and other economic crimes
D. Unauthorized entry into or use of computers
E. Prohibited interception of communications of a computer
F. Trafficking in passwords, digital signatures and encryption keys
G. Possession of computer hacking tools
H. Summary

(see also: 4C: Theft and fraudulent use of information; 6B: Harassment, Hate propaganda and Obscenity; 8E: Computer searches and monitoring in a criminal investigation context)

[ASCII (31K)], [Word (44K)]

Chapter 8 : Computer Searches and Privacy

A. Why would the government want to search computers?
B. New technology and privacy laws: general comments
(authorized computer use and IT search and monitor policies)
C. Computer searches and monitoring in an internal management context
D. Computer searches and monitoring in a regulatory inspection context
E. Computer searches and monitoring in a criminal investigation context
F. Remedies
G. The law applied to various fact scenarios
H. Conclusion

[ASCII (127K)], [Word (158K)]

Chapter 9 : Electronic Records, Digital Signatures and Evidence

A. Is an electronic file a `writing,' `signature' or a record
(e.g.: s. 33 Financial Administration Act)?
B. What rules govern time, place and authority of a party in an electronic contract?
C. Who can give evidence about computer records (the hearsay rule)?
D. Is a computer printout a `business' record?
E. Is a computer printout an `original' record or a copy?
F. How to establish the reliability of electronic records
G. Replacing paper records with electronic copies, migration from one electronic format to another
H. Summary

[ASCII (75K)], [Word (95K)]

Chapter 10 : Management of Public and Private Encryption Keys
(revised from the original to remove solicitor-client privileged material)

A. Digital signature, confidentiality encryption, public key/private key encryption:
what are they and what are the legal issues relating to them?
B. What is a public key infrastructure?
C. Overview of how liability can arise from a PKI
D. Issuing, publishing and revoking keys and certificates
E. Contract liability
F. Tort liability (see also Chapter 5)
G. How can PKI liability be limited?
H. Other legal issues relating to the operation of a PKI
I. Issues for deciding whether or not to establish a PKI
J. Recommendations

[ASCII (93K)], [Word (144K)]

Chapter 11 : Procurement of Secure Technologies

A. General Comments
B. NAFTA Procurement Chapter
C. GATT Procurement Code (1979) and the
WTO Agreement on Government Procurement (1994)
D. NAFTA and the WTO
E. The Merit Program
F. Protecting cryptographic systems
G. The role of the Value Added Network (VAN)
H. Summary

[ASCII (48K)], [Word (63K)]

Glossary

Access controls
Advanced card technologies (including smart cards)
Audit trails
Authentication
Authorization
Bulletin Board Systems
Clipper Chip: see encryption
Communications, Transmission, Computer Security (COMSEC, TRANSEC, COMPUSEC)
Data Matching
Digital Signature
Dynamic Data
EDI and electronic commerce
Encryption (including algorithm, symmetric and asymmetric encryption,
Digital Encryption Standard (DES), public key cryptography, digital signature, hash, confidentiality encryption, RSA algorithm, factoring problem, discrete logarithm problem,
public key infrastructure, public key certificates, key escrow (Clipper Chip))
Firewalls and Gateways
Hacking (examples of network security vulnerability)
Integrity
Internet (including World Wide Web, FTP, TELNET and Gopher)
Legacy system
Non-repudiation
Public key infrastructure, public key cryptography: see encryption
Sensitive information
TEMPEST
Tokens
Value Added Networks (VANs)
Virus (including trojan horse, worm, bacteria, logic bomb, time bomb and bugs)

[ASCII (52K)], [Word (65K)]

Annexes
(The Annexes are not included with the report.)

Annex A: Terms of Reference

Executive Summary of Information Technology Security Strategy
Terms of Reference of ITSS Steering Committee
Terms of Reference of Legal Issues Working Group

Annex B: Overview of Interdepartmental and other Committees
dealing with Information Law, Information Policy and Information Technology

(The list is now out of date and was never available in French or in a word processed format in any event.)

Annex C: Selected Statutory Provisions

A. definitions of key terms, such as "writing" and "record"
B. preservation of records in the National Archives Act and National Libraries Act
C. admissibility of records in the Canada Evidence Act
D. express permission to conduct business electronically
E. search and seizure of computers; assistance to authorities in operating computers
F. restrictions on the sharing of personal and commercial information
(provisions from the Privacy Act and Access to Information Act)
G. statutes authorizing use of the Social Insurance Number

(This Annex was never translated.)



Annex D: Statutory prohibitions from disclosure of information
under the Access to Information Act
(s. 24 / Schedule II exemptions)

(This Annex is a Schedule to the Access to Information Act and can be found with the Act. Go to the Department of Justice Web site at http://canada.justice.gc.ca, where the statutes are located.)

Annex E: Recommendations of the Department of Justice

Information Law Trends and Strategies Working Group (1993)

(This Annex contains some passages exempted under the Access to Information Act. For those portions that were not exempted, forward your request to the Department of Justice Access to Information and Privacy Office.)

 
