New Zealand could set an example to other governments, with its “principles and policies” on digital rights management (DRM) and managing trusted computing (TC) within government.
A State Services Commission report looks at the risks to government ownership and the use of information on behalf of citizens when protection schemes controlled by computer hardware and software vendors, and other third parties are taken into account.
The SSC says it deliberately couched the report it in international terms. “We hope other jurisdictions pick up on our ideas and participate in international debate on the questions [involved here],” says SSC spokesman Jason Ryan.
Local factors, such as New Zealand’s Privacy Act, have been sidelined to a “scope and interpretation” section at the end of each part of the report.
It seems New Zealand is an early mover when it comes to considering these issues.
“We have raised it in a variety of international forums, and a lot of overseas people said they’d not really considered it and that our work was quite groundbreaking,” says Ryan.
In particular, a paper on the subject, by a delegate from the New Zealand Privacy Commissioner’s Office, presented to a recent meeting of the International Working Group on Data Protection, held in Berlin, was very well received. It has since been further publicised on the working group’s website.
The New Zealand Government expressed concern about some consequences of and DRM and the TC model as far back as 2004, when it forbade government agencies to use some of the first modules of the new security model, produced by Microsoft, for fear it could lose control over the integrity of its own information, and so imperil the privacy rights of citizens.
The SSC report still advises caution and outlines the checks that must be made before using DRM or trusted computing software.
The concern is not only about access to, and integrity of, information, but also the possibility of worm and virus infection passing undetected in a file encrypted by a third party for TC or DRM purposes.
The government’s response has been expressed as a series of principles (why things are done) and policies (what is done to implement the principles). Agencies must further decide for themselves on standards (how things are done and compliance measured).
For example, the “information availability principle” says: “For as long as it has any business or statutory requirements to do so, government must be able to use the information it owns/holds [and] provide access to its information to others, when they are entitled to access it.”
The key policy under that principle is: “Any information that is relied on for execution of public business must be free from encumbrance by externally-imposed digital restrictions, except with the informed consent of government.”
Other principles provide for confidentiality, integrity, security and information availability.