Canadian Census controversy continues

Started by TehBorken, May 14 06 02:55

Previous topic - Next topic

TehBorken

  [h3]Canadian Census controversy continues[/h3] [h5]Friday May 12, 2006 [nobr](05:00 PM GMT)[/nobr][/h5]By: [a href="http://members.axion.net/%7Ebbyfield"]Bruce Byfield[/a]

[font size="-1"]   Linux User Groups (LUG) and Canadian elected officials are responding to the news that [a href="http://trends.newsforge.com/article.pl?sid=06/05/04/233250&tid=136"]the Canadian online census forms block free software users from participating[/a]. Last week's story helped uncover the fact that the software used for the online census seems to violate several government policies and treaties.[/font]
[p style="" verdana;&quot=""]Some readers of the original article considered the issue of open access to government important enough to investigate and take action. Their findings add to the growing concern about the census among an activist minority of Canadians. Although agents at the Census Help Line had not heard of GNU/Linux when the article was posted, they have received enough complaints that they are familiar with it now.[/p] [p style="" verdana;&quot=""]The article was circulated in a news roundup distributed last week among employees of the Treasury Board, whose procurement policies seem to have been violated by the Census Web site, and stimulated the Vancouver LUG to contact other LUGs across Canada to [a href="%22http://www.vanlug.bc.ca/census/index.html%22"]coordinate a response[/a] to the situation.[/p] [p style="" verdana;&quot=""]The news also sparked discussion on the [a href="%22http://www.goslingcommunity.org/%22"]Ottawa chapter of Getting Open Source Logic INto Governments[/a] (GOSLING) mailing list. GOSLING is a collection of federal bureaucrats and consultants. Because many GOSLING members are government employees, the list is deliberately not archived online for their protection, and most members prefer to be cited anonymously, but much of the information cited in this article comes directly from this list.[/p] [p style="" verdana;&quot=""]After the article was published, I contacted Bill Siksay, Member of Parliament for Burnaby-Douglas, about the problem, as a constituent. Siskay wrote to Ivan P. Fellegi, chief statistician at Statistics Canada, the federal department responsible for the Census, and asked "what steps did Statistics Canada take to ensure that there would be wide ranging access to the on-line census by a variety of common operating systems, including the higher cost and lower cost systems? What reasons can you provide for the lack of access by Linux users?" He also complained about the "poor response" I received from Statistics Canada staff when I attempted to find answers on my own.[/p] [p style="" verdana;&quot=""]A week later, Fellegi has yet to reply. I did receive an email from Dale Johnston, assistant director, 2006 Census Communications, promising a reply "within the next day or two," but that was four days ago as this story was being filed.[/p] [p style="" verdana;&quot=""]The treatment of free software users is just part of a growing debate over how the 2006 census is being handled. For several weeks, one of the major issues has been that the [a href="%22http://www.vueweekly.com/articles/default.aspx?i=3918%22"]processing of census results has been outsourced to Lockheed Martin Canada[/a], a subsidiary of one of the largest defense contractors in the United States.[/p] [p style="" verdana;&quot=""]Despite [a href="%22http://www22.statcan.ca/ccr07/ccr07_006_e.htm%22"]Statistics Canada's assurance[/a] that "At no point does any contractor collect, handle, or possess confidential census responses," the concern is that the parent company in the United States may obtain confidential information about Canadian citizens, and be forced at some time to disclose it under the Patriot Act or an American court order. In response, [a href="%22http://countmeout.ca/%22"]CountMeOut.ca[/a], which bills itself as "the minimum-cooperation Guide to the 2006 Canada Census," offers tips on how to comply with the legal requirements to complete the census while doing it in such a way that the information must be tabulated manually, rather than with Lockheed Martin Canada's software. It's unclear how realistic such concerns are, but, when added to the technical and policy issues, they create the perception that the entire census has been mishandled.[/p] [p style="" verdana;&quot=""] Technical issues[/p][p style="" verdana;&quot=""]The lack of support for operating systems other than recent versions of Windows and Mac OS X in the online census is due to the use of [a href="%22http://www.entrust.com/internet-security-software/%22"]Entrust's Truepass[/a]. Members of GOSLING familiar with the software suspected it was a cause last week, but it is now confirmed. Although Johnston has yet to contact me, he did reply to inquiries by Tremaine Lea, one of those who blogged on the issue. According to Johnston:[/p] [blockquote style="" verdana;&quot=""] Statistics Canada has chosen to use PKI (Public Key Infrastructure) encryption to provide the industrial strength security and data privacy that the 2006 Census Internet application requires. The PKI encryption of data starts at the browser and goes all the way to the end server at Statistics Canada. In order to enable PKI encryption at the respondent's browser, the application uses a small j-ava a-pplet based on Entrust TruePass technology. At the time the Census application was developed, the version 7.1 of TruePass did not provide support for Linux.[/p] Although the most recent upgrade, TruePass version 8, now includes Linux, that development came too late for the census production schedule. We are currently investigating the feasibility of offering one option to open source users.[/p] [/blockquote] [p style="" verdana;&quot=""]A [a href="%22http://www22.statcan.ca/ccr02/ccr02_003_e.htm%22"]similar statement[/a] has been posted on the Statistics Canada site.[/p] [p style="" verdana;&quot=""]However, this answer, while good news for those GNU/Linux users who do not object to proprietary j-ava, still blocks users of other free operating systems. At any rate, [a href="%22http://www.sandelman.ottawa.on.ca/mcr/blog%22"]Michael Robertson, a GOSLING blogger[/a], points out that the PKCS#7, the [a href="%22http://en.wikipedia.org/wiki/PKCS#7%22"]public key cryptography standard[/a] that is probably the main reason for using TruePass, is also supported by OpenSSL, so the restriction on operating systems seems due to the choice of software, not to technical requirements.[/p] [p style="" verdana;&quot=""]Nor is accessibility to other operating systems the only issue with Secure Channel and TruePass. One post on the Ottawa GOSLING list from an IT employee of the Canadian government claims that the accessibility specialists he works with found that the online census would not work with any tools for visually impaired users. According to other information from GOSLING, this lack of accessibility was the main topic discussed by the Treasury Board's Government Look and Feel Accessibility Committee meeting on May 11.
 [/p][p style="" verdana;&quot=""]The security of the system also remains uncertain. Although a letter summarizing [a href="%22http://www22.statcan.ca/ccr07/ccr07_007_e.htm%22"]the results of an internal security audit by Census employees[/a] is available online, it mentions no details, including whether the audit included the client side a-pplet. An external audit seems to have been omitted entirely, although the [a href="%22http://www.tbs-sct.gc.ca/fap-paf/oss-ll/position_e.asp%22"]Canadian Common Criteria Evaluation and Certification Scheme[/a] exists for precisely that purpose.[/p] [p style="" verdana;&quot=""]Nor is any information available that might allow the public to judge the security of the site for itself. Several months ago, security students at the University of Ottawa who do a podcast called the [a href="%22http://phbo.blogspot.com/%22"]Parliament Hillbillies in Ottawa[/a] (the name plays on "Parliament Hill," a common synonym for the Canadian government in the media) found some basic information about TruePass. According to Aleks Essex, a member of the group, TruePass uses a technology called Session Encryption with Automated Login (SEAL) to provide cryptographic credentials, and the client-side a-pplet manages and encrypt these credentials. No other details were publicly available.[/p] [p style="" verdana;&quot=""]When the group filed an access to information request, they were denied source code, specifications, or even an outline of TruePass' security policy. Apparently, in order to protect the proprietary trade secrets of a supplier, the Canadian government is relying upon [a href="%22http://en.wikipedia.org/wiki/Security_by_obscurity%22"]security by obscurity[/a] -- a security policy that seems logical to lay users, but is rejected almost universally by experts.[/p] [p style="" verdana;&quot=""]In the midst of such issues, the only bright spot is that at least two people have reported being able to access the census online using GNU/Linux. One user posted a [a href="%22http://www.digital-copyright.ca/discuss/6211%22"]short report on the Digital Copyright Canada list[/a], and another provides [a href="%22http://trends.newsforge.com/comments.pl?cid=126112&sid=55978&tid=136%22"]step-by-step[/a] instructions using Gentoo, posted as a comment to the original article. However, while these reports prove that you should never underestimate the ingenuity of the free software communities, the required steps are lengthy enough that many users would never think of them.[/p] [p style="" verdana;&quot=""] Policy issues [/p] [p style="" verdana;&quot=""]These technical questions are accompanied by policy issues of equal importance. These policies are established partly by the Treasury Board of Canada, which sets out both the Web design standards and the procurement policies to be used by other ministries when hiring external consultants. In addition, policy is supposed to be determined by the [a href="%22http://strategis.ic.gc.ca/epic/internet/inait-aci.nsf/en/Home%22"]Agreement on Internal Trade[/a] (AIT), an agreement by Canadian provinces, and the [a href="%22http://www.dfait-maeci.gc.ca/nafta-alena/menu-en.asp%22"]North American Free Trade Agreement[/a] (NAFTA), a treaty signed by Canada, Mexico, and the United States, both of which (among other things) regulate how the government is supposed to interact with business.[/p] [p style="" verdana;&quot=""]According to [a href="%22http://www.tbs-sct.gc.ca/clf-nsi/inter/inter-01-01_e.asp%22"]Treasury Board guidelines on Web design[/a], all Government of Canada Web sites "must comply with W3C Priority 1 and Priority 2 checkpoints to ensure sites can be easily accessed by the widest possible audience". These guidelines include making provisions for accessibility for disabled users, and the need to design for browser and operating system independence, none of which the Canadian online census does.[/p] [p style="" verdana;&quot=""]Many of the [a href="%22http://www.tbs-sct.gc.ca/fap-paf/documents/iteration/iteration05_e.asp#_Toc518897089%22"]Treasury Board's principles for Conceptual Architecture[/a] have also been ignored on the site. The first principle states that government IT systems should be built to reduce "integrational complexity" by being built with reusable components "deployed independently of the deployment platform," while the sixth principle states that "Priority will be given to products adhering to industry standards and open architecture" and the twelfth declares that the Government "must be accessible to all citizens." A [a href="%22http://www.tbs-sct.gc.ca/fap-paf/oss-ll/position_e.asp%22"]Treasury Board position statement[/a] strongly suggests that free and open source software be used to meet such goals.[/p] [p style="" verdana;&quot=""]Furthermore, [a href="%22http://www.digital-copyright.ca/discuss/7%22"]Russell McOrmond[/a], another GOSLING blogger, points out that both the AIT and NAFTA establish that the government should encourage competition and avoid the appearance of favoritism.[/p] [p style="" verdana;&quot=""]NAFTA is particularly clear on this point. [a href="%22http://www.dfait-maeci.gc.ca/nafta-alena/chap10-en.asp?#Article1007%22"]Article 1007 of NAFTA[/a] states that all signatories of the treaty "shall ensure that its entities do not prepare, adopt or apply any technical specification with the purpose or the effect of creating unnecessary obstacles to trade." The article goes on to specify that technical specifications should be defined in terms of performance rather than design or descriptive. Specifications should not refer to "a particular trademark or name, patent, design or type, specific origin or producer or supplier" unless no alternative exists.[/p] [p style="" verdana;&quot=""]Nor should advice on these matters be received "from a person that may have a commercial interest in that procurement." In short, Article 1007 firmly establishes that open access is not just an abstract ideal, but an international obligation for the Canadian federal government. Yet, in its favoring of a few operating systems over others, its naming of commercial software on the site, and the lack of an external audit, the online census appears to have comprehensively ignored this obligation. If extenuating circumstances exist that would permit this oversight, they have not been stated.[/p] [p style="" verdana;&quot=""] What next? [/p] [p style="" verdana;&quot=""]The online census is a reasonably minor matter by itself. It will be over on May 16, and free software advocates who wish to avoid the penalties of $500 or three month's imprisonment for not completing the census by the deadline can always submit the hardcopy form. However, its technical and procedural shortcomings are an ongoing concern, because they will presumably shared by any Canadian government site using Secure Channel. Moreover, if anything is to be done, complaints are necessary. As one GOSLING member explained to me, the Treasury Board can set procurement policies, but relies on reports of violations in order to take action. Canadians concerned about these issues should [a href="%22http://www.tbs-sct.gc.ca/common/contact_e.asp%22"]contact the Treasury Board[/a] in the hopes of jump-starting an official response.[/p] [p style="" verdana;&quot=""]In the end, it's not just a matter of a few minutes' inconvenience, or even a matter of encouraging the use of free software. It's also a matter of open access to government, and of the government unofficially endorsing software vendors by requiring you to use them. Most people would be upset if they were told at the post office that they had to use UPS, even though they had a credit with Federal Express. They should be equally upset here.[/p] [p style="" verdana;&quot=""] [em]Bruce Byfield is a course designer and instructor, and a computer journalist who writes regularly for NewsForge, Linux.com, and IT Manager's Journal. He would like to thank all, both those cited and those who are anonymous, who contributed information to this article.[/em]
[/p][p style="" verdana;&quot=""][a href="http://trends.newsforge.com/article.pl?sid=06/05/12/144252&from=rss"]http://trends.newsforge.com/article.pl?sid=06/05/12/144252[/a][/p][p style="" verdana;&quot=""]
[/p]
The real trouble with reality is that there's no background music.