Interpretation of Information Confidentiality & Integrity Policies
Information Confidentiality and Integrity Principles
Government use of trusted computing and digital rights management technologies must not compromise the privacy rights accorded to individuals who use government systems, or about whom the government holds information.
The use of trusted computing and digital rights management technologies must not endanger the integrity of government-held information, or the privacy of personal information, by permitting information to enter or leave government systems, or be amended while within them, without prior government awareness and explicit consent.
Information Confidentiality and Integrity Policies
10. Awareness of TC/DRM functionality
When deploying hardware or software, or using information provided by an external party, agencies will take all reasonable measures to ensure that they are aware of the inclusion of TC/DRM functionality.
Rationale
This policy ensures agencies are aware of the inclusion of TC/DRM functionality when they deploy hardware or software, so that they are then in a position to follow the policies that apply in such circumstances.
The policy is designed to guard against situations such as where:
- an agency purchases digital content, which is accompanied by software that enforces digital restrictions, and the software is installed either without the agency's awareness or without the agency realising that it has TC/DRM functionality; or
- an agency installs hardware, which includes TC/DRM functionality to periodically report on the system configuration and its use to some external party, without the agency's knowledge or explicit permission.
In the situations described above, the agency is unaware that it has just installed a TC/DRM solution, and is therefore in no position to comply with the policies that apply when installing a TC/DRM system.
Supports all four Principles.
Scope & Interpretation
"Functionality" refers to algorithms capable of performing activity when certain conditions are met, e.g. enforcing digital restrictions, or communicating information about system configuration to external parties. It refers neither to the passive digital restrictions tags that may accompany information, nor to information being received in an encrypted state.
"Reasonable measures" will need to be determined by each agency based on the level of risk in each instance. The level of risk will be directly tied to the nature of the relationship between the deployment and the effect on the integrity of government-held information. Such measures may, for example, include:
- explicit declaration or warranty from the solution provider;
- independent certification by an authority approved by the government.
The reputation of the provider, the contents of the end user licence agreement (EULA), and the presence or absence of Centre for Critical Infrastructure Protection (CCIP) advisories, may be taken into account.
Agencies should note that digital content may be accompanied by auto-installing TC/DRM software, designed to enforce digital restrictions on the content, and possibly on other content as well. Such software may attempt to install without notifying the user, and may attempt to hide its presence and operation once installed. Measures will be necessary to guard against such activity.
11. Knowledge of information flows
Agencies must know enough about any information flows into or out from their TC/DRM systems that could involve collection or transmission of personal information, to ensure knowledge and acceptance of:
- when such events occur;
- what is collected or transmitted;
- the purpose of collection;
- who is collecting the information;
- who will receive and/or share the information;
- for how long they will hold the information, and under what conditions; and
- if applicable, who will amend and update the information and how it will get done.
Rationale
Knowledge of the information flows is necessary in order for agencies to be sure that operation of their systems will not lead to contravention of the Privacy Act, either by themselves or by a third party.
Supports Principle 2.
Scope & Interpretation
Agencies must ensure that users of their systems are informed, as prescribed by the Privacy Act, when information is collected about them.
Agencies must ensure that personal information collected by their systems is protected as prescribed by the Privacy Act, and not kept longer than required for its lawful purpose. This poses a particular challenge if personal information is forwarded to an external party, e.g. as part of a remote attestation process.
If use of TC/DRM technology results in collection or transmission of personal information, then agencies also need to take into account how their obligations and responsibilities under legislation other than the Privacy Act might be affected.
12. Communications specifications
Agencies will operate a TC/DRM solution only if:
- a specification is provided that documents the triggers and content of any communications (including attestation and other background communications) that leave from or arrive at the computer, and
- the solution does not perform any communications that are not described in the communications specification, and
- any communications that would be unacceptable to government can be 'opted out of'.
The solution should be verified for conformity to the communications specification by a competent authority recognised by the government for this purpose.
Rationale
TC/DRM solutions may require:
- attestation communications, possibly involving non-government systems;
- encrypted traffic entering and leaving government computer systems.
Such communications and other unknown activity can compromise the integrity of government systems and information. Government needs to know enough about what is being sent/received, and the circumstances under which this will happen, to be satisfied that the integrity of government information and related systems will be maintained.
Supports Information Confidentiality and Integrity Principles.
Scope & Interpretation
The onus for compliance with this policy will rest with each agency.
Nevertheless, it is recognised that it will be difficult and sometimes impossible for an agency to determine what types of communications may be generated by a particular TC/DRM solution.
Therefore, this policy provides for an agency to require the developer of the technology to document any communications that could affect the integrity of government-held information, and for that documentation to be independently verified.
There are many ways that this verification process could be undertaken, and more work is required to identify the most appropriate ways for this to be done. One possible approach may be through the establishment of an international body, trusted by the New Zealand government (and other governments).
Any such endeavour will take time and much consultation and cooperation between a wide range of stakeholders before it can be completed.
In the meantime, agencies will need to comply with this policy using 'best efforts' and through establishment of good communication with cooperative providers of the technologies.
It must be made clear, before government adoption of a TC/DRM solution, what the implications may be for a product's functionality if certain communications are opted out of.