Security Versus Privacy

Laws have not been capable of determining how privacy will be achieved in any practical sense. The ECPA is one step toward privacy rights, but as we have mentioned, it can do harm as well as good when it comes to your personal information. You can't have privacy of data without security, but you can have security with no privacy. Privacy refers to data, consumer characteristics, preferences, and any information that needs to be kept private and confidential. Security, on the other hand, refers to access mechanisms and control of data and devices. Security applies to both client-side and server-side aspects of user information. To attain privacy, security measures must be taken by both the corporation and the user.

To keep your information out of the hands of malicious hackers and very determined marketers, a company can install very good security measures over data transactions. One example is buying a product with your credit card: the company typically encrypts all the information and stores it on a secure server in its organization. The whole transaction process has good security; SSL connectivity on the Web site and data encryption on the server end are performed. Your credit card information is verified, and no one can capture your traffic en route to the company. This secure transaction means nothing to you if all your information is then sold to a marketing company. Recently, one company, eTour, which stated in its privacy policy that it “will not give out your name, residence address, or e-mail address to any third parties without your permission, for any reason, at any time, ever,” sold part of its customer database to Ask Jeeves. Even though the site had good security measures over consumer data, personal information still made its way to a marketing company. Your personal privacy has just been compromised even though great security features were used during the transaction.

Security begins with the privacy policy of any site you are using. These policies don't go into detail about what security measures the site is taking, but they can give you some comfort that the site takes security of data and transactions seriously and has dedicated resources to this end. Not many companies have put security clauses in their privacy policies, but hopefully that trend will change. Taking the Dell privacy policy as an example, it mentions Dell's commitment to security in one segment:

“Internet Commerce: The online store at dell.com is designed to give you options concerning the privacy of your credit card information, name, address, e-mail and any other information you provide us. Dell is committed to data security with respect to information collected on our site. We offer the industry standard security measures available through your browser called SSL encryption, (please see Dell's Store Security page for details on these security measures). If at any time you would like to make a purchase, but do not want to provide your credit card information online, you can place an order without credit card information and a representative will contact you. Alternatively, you can always contact a sales representative over the telephone. Simply call 1-800-WWW-DELL. It has always been a Dell practice to contact customers in the event of a potential problem with your purchase or any normal business communication regarding your purchase.”

This type of proactive measure regarding the security of your information gives the user some idea of the steps that might be taken by the site. But even if this type of information is included in a privacy policy on the site, how does the user know that security measures are actually in place to meet the privacy statements? The answer is that there is almost no way of knowing. Some organizations have come up with a certification process a site can go through to check security measures. After the site meets the requirements, it receives a seal of approval. Two such companies that provide this certification are Verisign (http://www.verisign.com/) and TruSecure (http://www.trusecure.com/). The problem with these certifications is that there is no standard set of checks and government regulations that can give the general public a baseline to understand what the certifications actually mean. Another problem is that certification is merely a point-in-time process. The minute the certifying company has placed its seal on the site and finished testing the security measures, the actual security posture of the site might have already changed. Every day, a new hacker exploit becomes known and can invalidate all the testing and certification of the site. Certifications do give the user some idea of the security over his data, and that is better than having no idea of what steps a site takes to keep your data secure.

Online services can be particularly invasive when it comes to your personal information, so you need to understand how they implement security over your data. One of the key aspects of securing your communications and transactions online is the use of encryption. Encryption is the technique of scrambling a message or transaction such that anyone who does not possess the right key does not have the ability to unscramble it. If you are chatting with someone using an encrypted connection, no one else can capture your information as it travels along the wire. Unintended recipients can't scrutinize your information. ICQ messaging is an example of unencrypted messaging: other people on the wire can intercept your messages and read them. Another benefit of encrypted messages and transactions is that the system administrators of the site you are using can't read your information.

You will notice a lock icon in the lower-left corner of the Netscape browser (see Figure 2.3) and a lock icon on the right side of Internet Explorer (see Figure 2.4). These indicate when encryption is being used. The lock is closed for Netscape and appears as yellow and closed in Internet Explorer when encryption is being used. This is just one example of the various security features that can be used by a site to ensure security of your data. Secure Sockets Layer (SSL) encryption is used in many Web applications to secure the transmission of data.

Figure 2.3. Netscape encryption indication.


Figure 2.4. Internet Explorer encryption indication.


Any message containing private or sensitive information that is encrypted is secure until it reaches its destination and is then decrypted. Various strong encryption programs, such as Pretty Good Privacy (PGP), are available. PGP is used to encrypt your content, such as an e-mail message. If someone does not have the right key to unlock an encrypted message, all he will see is gibberish. Another form of encryption protects the data as it travels along the wire or whatever medium is being used. The data is encrypted as it travels along the transport mechanism rather than being encrypted first and then transmitted. SSL, which is used by many secure Web applications, uses this form of encryption. But there are also weak forms of encryption that can give the user a false sense of security. If the encryption scheme is weak and can be cracked, your information will be exposed without you knowing it.
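The two paragraphs above draw a distinction that is easy to miss: transport encryption (SSL) protects the message on the wire but leaves it readable to whoever runs the server, whereas content encryption (PGP) keeps it unreadable to the server as well, and a weak scheme protects nothing. The following Python script is an added example, not code from this book or from PGP or SSL; it builds a toy authenticated stream cipher from the standard library (an HMAC-SHA256 keystream, chosen for portability, not as a substitute for a real cipher) and uses it to show what the site's administrator can see under each model. All keys, messages and function names are constructed for the illustration.

```python
"""Transport vs. end-to-end encryption, and a weak scheme beside them (stdlib only)."""
import hashlib
import hmac
import secrets


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream derived with HMAC-SHA256(key, nonce || counter)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag. A fresh nonce per message keeps equal plaintexts distinct."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verifies the tag before decrypting, so a tampered message is rejected rather than decoded."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, keystream(key, nonce, len(ct))))


def rejects_tampering(key: bytes, blob: bytes, index: int) -> bool:
    """True when flipping one ciphertext bit makes decrypt() refuse the message."""
    damaged = bytearray(blob)
    damaged[index] ^= 0x01
    try:
        decrypt(key, bytes(damaged))
    except ValueError:
        return True
    return False


def transport_only(message: bytes, session_key: bytes) -> bytes:
    """SSL model: encrypted on the wire, decrypted at the server. Returns the server's view."""
    on_the_wire = encrypt(session_key, message)
    return decrypt(session_key, on_the_wire)  # plaintext: the administrator can read it


def end_to_end(message: bytes, session_key: bytes, recipient_key: bytes) -> bytes:
    """PGP model: content encrypted to the recipient first, then carried over the session.
    Returns the server's view, which is still ciphertext under the recipient's key."""
    content = encrypt(recipient_key, message)
    on_the_wire = encrypt(session_key, content)
    return decrypt(session_key, on_the_wire)


def admin_can_read(server_view: bytes, message: bytes) -> bool:
    return server_view == message


# A "weak form of encryption": a single repeated key byte XORed over the text.
def weak_xor_encrypt(key_byte: int, data: bytes) -> bytes:
    return bytes(b ^ key_byte for b in data)


def crack_weak_xor(ciphertext: bytes) -> tuple[int, bytes]:
    """All 256 keys are tried; the candidate with the most letters and spaces wins.
    This is the check that shows the scheme offers no real secrecy."""
    def score(candidate: bytes) -> int:
        return sum(c == 0x20 or 65 <= c <= 90 or 97 <= c <= 122 for c in candidate)
    best = max(range(256), key=lambda k: score(weak_xor_encrypt(k, ciphertext)))
    return best, weak_xor_encrypt(best, ciphertext)


if __name__ == "__main__":
    session_key, recipient_key = b"s" * 32, b"r" * 32  # constructed keys
    order = b"order 1234: two books, ship to the home address"
    print("transport only, admin reads:", admin_can_read(transport_only(order, session_key), order))
    print("end to end, admin reads:   ", admin_can_read(end_to_end(order, session_key, recipient_key), order))
    print("weak scheme recovered:     ", crack_weak_xor(weak_xor_encrypt(0x5A, b"meet me at noon")))
```

The point of the example is the asymmetry the text describes: with `transport_only` the server's view equals the message, so the eTour situation (data sold after a secure transaction) is entirely possible; with `end_to_end` the operator holds only ciphertext unless he also holds the recipient's key. The `weak_xor_encrypt` scheme "looks" encrypted on the wire yet falls to a 256-guess loop, which is the false sense of security the last sentence warns about.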

Anonymity is becoming harder to achieve with the technology we want to use. However, some methods of using the Internet anonymously are still available if you feel the security of your personal information through the services you use is not good enough. Anonymous re-mailers and Web browsing are available to you. Because determining the name and e-mail address of anyone who posts messages or sends e-mail is easy, programs have been developed that let you mail and surf the Internet anonymously. Hushmail (http://www.hushmail.com) is one example of secure e-mailing that provides anonymity and security over your messages. One popular anonymous browser site is Anonymizer (http://www.anonymizer.com). A Web surfer can use Anonymizer to browse sites, and no information about him will be captured unless the surfer specifically submits information, such as in a sign-up form. We will spend more time on these topics in Chapter 6, “Understanding the Online Environment: Addresses, Domains, and Anonymity,” and Chapter 7.

If a site is using security in all your purchase transactions or in messaging on its site with functions like a forum board, what is the guarantee that after it has securely collected your information it will keep it secure in the future? Do you know whether it has good internal security measures? You have no real guarantees. You have no idea what it does in its network operation centers to secure your data after it has stored it. One example of good encryption and transaction security but bad backend processing security is the hack of A&B Sound's (http://www.absound.ca/) online store. This site took orders securely but was successfully hacked, and some online consumer credit card information was stolen and posted to the A&B Sound Web site. The backend systems were insecure even though the transaction process was encrypted and secure.

There is a trade-off between security and privacy from a law enforcement perspective. The more secure a system is and the more messages are kept private using such technologies as 128-bit encryption, the harder it is for law enforcement agencies to monitor criminal activities. If a hacker encrypts all messages with a very strong encryption scheme that law enforcement can't crack, they will not be able to prosecute the hacker with incriminating e-mail messages. If child pornographers have total anonymity on the Internet, they can post material and break laws with the possibility of capture being extremely low. If you have ever posted a message to a newsgroup, you will find that you can post anything, from pirated software to pornography, without identifying yourself. Attorney General John Ashcroft, speaking at the Computer Privacy, Policy, and Security Institute, said, “On the Internet, it is easy for a criminal to create a fictitious identity to perpetrate frauds, extortions, and other crimes. Because many computer crimes—such as trading pirated software or child pornography—can be committed entirely online, this anonymity can significantly complicate an investigation.” The Justice Department's Computer Crime and Intellectual Property Section, the FBI's Computer Crime Squads, and the National Infrastructure Protection Center (among other agencies) are faced with the problem of anonymous crimes online. For law enforcement officials to gain access to subscriber transactional records, they must obtain a court order demonstrating that the records are relevant to an ongoing criminal investigation (Communications Assistance for Law Enforcement Act, 18 USC § 2703(d)). Laws are both a help and a hindrance to our security, which is different from our privacy.

Corporate security measures, as they pertain to the security of your personal information, are beyond your control. Security over your personal information on your own system is a totally different matter, though. Technologies such as personal firewalls, wireless devices, and encryption have enabled the consumer to more easily take security into her own hands. We have mentioned cookies as a method of tracking your use of a Web site and notifying the site when you return and what you have used on the site. To counter this invasion of your privacy, programs such as CookiePal have been developed (see Figure 2.5).

Figure 2.5. CookiePal cookie identification.


This program notifies you when a site is trying to store and use cookies to track your activity. (These technologies are covered in greater detail in Chapter 7.) You can implement your own security procedures to care for your personal information on your own system. After you understand how to implement security at home, you will have a better understanding of how companies implement security and keep your information private.
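What a program like CookiePal does at the moment a page loads is look at every `Set-Cookie` header the browser receives, work out who is setting the cookie and how long it would live, and then allow, block, or ask. The Python script below is an added example written for this chapter; it is not CookiePal's code and does not reproduce its exact rules. It parses the headers itself so the decision logic is visible, and it simplifies one thing that real tools must not: `site_of` treats the last two labels of a host name as "the site", which is wrong for names under suffixes such as `.co.uk`. The page load and the host names in `SAMPLE_LOAD` are constructed.

```python
"""A CookiePal-style review of the cookies a page load would store (stdlib only)."""
from dataclasses import dataclass


@dataclass
class CookieReport:
    name: str
    set_by: str         # host whose response carried the Set-Cookie header
    third_party: bool   # set by a host outside the page's own site
    persistent: bool    # survives closing the browser (Expires or Max-Age present)
    action: str         # "allow", "ask" or "block" under the policy in decide()


def parse_set_cookie(header: str) -> tuple[str, str, dict[str, str]]:
    """Split 'name=value; Attr=val; Flag' into (name, value, {attr_lower: val}).
    Splitting on ';' is safe: an Expires date contains commas but never a semicolon."""
    first, *attrs = header.split(";")
    name, _, value = first.strip().partition("=")
    parsed: dict[str, str] = {}
    for attr in attrs:
        key, _, val = attr.strip().partition("=")
        if key:
            parsed[key.lower()] = val.strip()
    return name.strip(), value.strip(), parsed


def site_of(host: str) -> str:
    """Simplification (assumed adequate only for two-label suffixes like .com or .test)."""
    return ".".join(host.lower().split(".")[-2:])


def decide(third_party: bool, persistent: bool) -> str:
    """Policy: silently allow first-party session cookies, block third-party
    persistent (tracking) cookies, and ask the user about everything in between."""
    if third_party and persistent:
        return "block"
    if not third_party and not persistent:
        return "allow"
    return "ask"


def review_page_load(page_host: str, responses: list[tuple[str, list[str]]]) -> list[CookieReport]:
    """responses: (responding host, its Set-Cookie headers) for the page and every embedded resource."""
    reports = []
    for set_by, headers in responses:
        for header in headers:
            name, _, attrs = parse_set_cookie(header)
            persistent = "expires" in attrs or "max-age" in attrs
            third_party = site_of(set_by) != site_of(page_host)
            reports.append(CookieReport(name, set_by, third_party, persistent,
                                        decide(third_party, persistent)))
    return reports


# Constructed sample page load: the store's own cookies plus an embedded ad server's cookie.
SAMPLE_PAGE = "www.example-store.test"
SAMPLE_LOAD = [
    ("www.example-store.test", ["sessionid=abc123; Path=/; Secure; HttpOnly"]),
    ("ads.example-tracker.test",
     ["uid=7f3a; Domain=.example-tracker.test; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/"]),
    ("www.example-store.test", ["prefs=lang%3Den; Max-Age=31536000; Path=/"]),
]

if __name__ == "__main__":
    for r in review_page_load(SAMPLE_PAGE, SAMPLE_LOAD):
        kind = ("third-party" if r.third_party else "first-party") + (", persistent" if r.persistent else ", session")
        print(f"{r.action:5}  {r.name:10} from {r.set_by} ({kind})")
```

Running it on the constructed load prints one line per cookie: the store's session cookie is allowed, the ad server's year-long `uid` cookie (the "notify the site when you return" mechanism the text describes) is blocked, and the store's own persistent preferences cookie is something the user is asked about. The same three inputs, who set it and for how long, are what the notification in Figure 2.5 is built on.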

The cost of security measures necessary to ensure good consumer privacy is also a major roadblock that companies face when considering how much security should be in place. The bottom line usually drives most business decisions, and your privacy can be a casualty of that bottom-line dollar amount. A home user can implement a personal firewall, install a program such as CookiePal, encrypt e-mail, and have secure Web browsing for a minimal amount of dollars. For a large corporation with thousands of users, however, the cost of security can be astronomical. For Web portal sites, security is usually not the highest priority. Making money is, and anything that impedes this goal will be removed. Security can be a roadblock to fast implementation of a new service or product.

Home user security has taken on new meaning with all the access we now have. Personal firewalls and personal intrusion detection systems are enabling the home user to implement strong security measures to keep his information and systems secure from the client side of connectivity. In the past, the consumer didn't have as much to worry about—companies were mostly the target of attackers. With consumers who have their own mini-networks and at-home businesses with Web sites, security over those connections has come to the forefront of technology. Numerous applications and devices exist to enable home security; we will discuss these in Chapter 10, “Understanding Your PC Operating System and Its Security Features.” The consumer is not totally reliant on companies to keep his data secure; he's responsible for client security, and the company he submits his information to is responsible for server-side security.

On your home PC, security measures need to be put in place to cover the operating system, communication channels, and applications you use. The data you store on your computer is at risk from both attackers and legitimate companies. A company can easily store cookies and applications on your system if you are not careful. You have to understand what you are agreeing to do when using some Web sites. One such legal means being developed to trade consumer information is the Information Content and Exchange protocol (ICE). This protocol will be used to exchange consumer information more easily between businesses and will use the eXtensible Markup Language (XML) to provide businesses with a standardized method for exchanging users' personal information, preferences, and other types of data related to online business. The protocol is also designed to automate the process of negotiating the terms and conditions of syndication for this information. Consumers must be aware of the security issues with such technologies if they hope to keep their own information private and secure.

If you have ever downloaded freeware or shareware programs, you are taking a big risk that the maker has installed some sort of backdoor or is retrieving more information than is necessary from your system. Freeware is great because it is free, but as we said, nothing is really free. Many hackers embed backdoors in free programs that can do anything from copying your data to destroying your computer.

One category of software that has developed recently is spyware. These are programs that perform hidden functions using the consumer's Internet connection, of which the consumer has no knowledge. One typical function is to send information to the producer of the software. A list of known spyware programs can be found at http://www.infoforce.qc.ca/spyware/enknownlistfrm.html. One example of spyware is TSADBOT, which is installed as a Windows Service with AdGateway by TimeSink/Conducent Technologies. It is loaded onto your system, makes network connections even when behind a firewall, and persists even after the software it came with has been uninstalled. It connects to the Internet, downloading ads—whether the advertising-supported application is running or not—and implements an unauthorized proxy server on the user's system. Profiles are then stored in encrypted files on the user's system and can be transmitted to Conducent by the TSADBOT software. With programs such as these running on your system, your data can be used and abused without your knowledge. Security becomes paramount on the client side in situations such as these. You need to know whether unauthorized activity is taking place on your own desktop before you start worrying about what corporations are doing with your information.
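The two behaviours the paragraph attributes to TSADBOT, outbound connections from a program the user never chose to run and a proxy server listening on the user's own machine, both show up in a connection table. The script below is an added example, not something from this book or from any spyware-listing site: it reads a `netstat -ano`-style snapshot, joins it to a process table, and reports every process that is either connected out or listening locally without being on the user's allow list. The snapshot, the process names (`adhelper.exe` is invented) and the addresses (documentation range 203.0.113.0/24) are constructed; nothing here is a real indicator.

```python
"""Review a connection snapshot for programs using the network without the user's say-so (stdlib only)."""
from dataclasses import dataclass

# Constructed sample in the column layout of `netstat -ano` on Windows; not captured from a real machine.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:1034      203.0.113.5:443        ESTABLISHED     1188
  TCP    192.168.1.10:1041      203.0.113.77:80        ESTABLISHED     2044
  TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING       2044
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  UDP    0.0.0.0:137            *:*                                    4
"""

# Constructed process table (pid -> image name), as a `tasklist` listing would give it.
SAMPLE_PROCESSES = {4: "System", 1188: "browser.exe", 2044: "adhelper.exe"}

# Programs the user expects to use the network; anything else is reported.
ALLOWED = {"browser.exe", "System"}


@dataclass(frozen=True)
class Conn:
    proto: str
    local: str
    remote: str
    state: str   # empty for UDP rows, which carry no state column
    pid: int


def parse_netstat(text: str) -> list[Conn]:
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank or unrelated line
        if parts[0] == "TCP":
            proto, local, remote, state, pid = parts
        else:
            proto, local, remote, pid = parts
            state = ""
        conns.append(Conn(proto, local, remote, state, int(pid)))
    return conns


def review(conns: list[Conn], processes: dict[int, str], allowed: set[str]) -> list[tuple[str, str, str]]:
    """Returns (process, 'outbound'|'listening', address) for every connection that
    belongs to a process outside the allow list. A listener on 127.0.0.1 is the
    'proxy server on the user's system' pattern; an ESTABLISHED row is the
    'connects out whether the application is running or not' pattern."""
    findings = set()
    for c in conns:
        name = processes.get(c.pid, f"pid {c.pid}")
        if name in allowed:
            continue
        if c.state == "LISTENING":
            findings.add((name, "listening", c.local))
        elif c.state == "ESTABLISHED":
            findings.add((name, "outbound", c.remote))
    return sorted(findings)


if __name__ == "__main__":
    for name, kind, addr in review(parse_netstat(SAMPLE_NETSTAT), SAMPLE_PROCESSES, ALLOWED):
        print(f"{name}: {kind} {addr}")
```

A personal firewall's "program X wants to connect" prompt is the interactive form of this check; the value of the snapshot version is that it also catches the listener, which an outbound-only prompt never shows. A process that keeps appearing in this report after its parent application has been uninstalled is exactly the persistence the paragraph describes.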

When using services provided by companies, such as free Internet access, the consumer must be aware of what the security risks are and what information he is giving away. One example of losing control of your data and computer system is the case in which Juno (http://www.juno.com), a service that provides free online access, changed the terms of its agreement with customers in early 2001. The new agreement said that customers must allow the downloading of software that would perform computational tasks on the home user's computer. The consumer must also leave his computer on, and Juno would have the right to “initiate a telephone connection from your computer to Juno's central computers.” So, the consumer loses control of his own computer, the service installs software that the user knows nothing about, and Juno can make phone calls from the user's computer. Your personal data would be at risk from the company itself. To get something for free, you would have to give away a lot of your rights to your own computer. There really isn't anything free anymore. You have no idea what security holes might be opened on your computer, with all your personal files at risk.

An industry-funded study by Robert W. Hahn, a Resident Scholar of the American Enterprise Institute, titled “An Assessment of the Costs of Proposed Online Privacy Legislation,” estimates costs of $30 billion or more to comply with possible Internet privacy legislation. This study was sponsored by the Association for Competitive Technology, and the results of the study have been attacked by various privacy organizations. The independence of the study can be questioned, but it does highlight the fact that security of private information is not a trivial matter when it comes to dollar amounts. As laws are still being defined in the U.S. to address security and privacy, the costs can't be readily estimated to any degree of certainty, other than to say that it will not be inexpensive for companies to implement security. As mentioned earlier, the U.S. privacy initiatives are largely self-enforced with little guidance from the government as yet on how to implement security procedures to protect our privacy.

Can you have privacy without good security? No. As we discuss security risks in detail in the following chapters, you will see that any lack of security can lead to a compromise of your personal information, both from home user systems and corporate systems. But does this mean that companies can install vast security measures, such as e-mail monitoring and data capture technologies (sniffing), on their networks and Web sites to look for hacker activity? This would be a good security feature but could also lead to the invasion of our privacy.

The FBI has developed a sniffing technology called DCS1000 (originally called Carnivore), a controversial e-mail monitoring program. DCS1000 was designed by the FBI to monitor e-mail communications of suspected criminals by seeking out packets of data in e-mail messages, using keywords or just capturing all e-mail from or to a specific e-mail address. DCS1000 is implemented at the ISP (assuming that the ISP cooperates with the FBI). A terminal box loaded with the software is installed with the ISP's equipment and is then attached to the network. With the terrorist attacks on the U.S. on September 11, 2001, more ISPs are cooperating with the FBI in implementing DCS1000. It has not yet been implemented in many ISPs, though.

Do the security features touted in the FBI's DCS1000 project outweigh the possible loss of privacy we will face with its technology monitoring all our e-mail messages at the ISP level? In 2000, the U.K. passed the Regulation of Investigatory Powers Act that allows the British government to access e-mail and other encrypted Internet communications for surveillance purposes.

These programs and laws lead to better security through criminal investigation, but consumer privacy is being compromised because of these security steps. There are no clear-cut lines between the need for security versus the need for privacy. But they do go hand in hand. The terms security and privacy can't be used interchangeably, but they are codependent.
