Business Threats

The illegal threats posed by businesses to the consumers are not as clear cut as those of hackers or cyberterrorists. The “New Economy” that has been built around the Internet is most subtle. Information is a form of currency on the Internet that can be stolen and traded. New technologies and concepts, such as profiling and targeting, are not strictly illegal. With these borderline functions on the rise, the Internet has quickly motivated privacy groups to take action against legal threats to consumer information.

Businesses have few legal restrictions as yet in compromising consumer personal information. Chapter 4 discusses various laws in place to either help or hinder businesses with regard to using personal information. With the lack of controls and laws, businesses can easily take advantage of the consumer without breaking any laws.

Companies can easily cross the few lines that have been drawn to secure personal information. Corporate espionage has always been a factor in doing business, but with the advent of the Internet and the connectivity of businesses, it's easier for one company to break into a rival and steal information, which can be anything from product specifications to customer lists. Customer information is increasingly more valuable with all the data mining techniques now available. The Computer Security Institute in conjunction with the FBI produces the “Computer Crime and Security Survey,” which states that more than 50% of respondents said that the information sought in probes would be of use to U.S.-owned corporate competitors and U.S.-owned corporate competitors are likely sources of industrial espionage. Also in the survey, 26% cited foreign competitors as a likely source of attack. The prize in many cases can be customer and client information.

If you have ever filled out a survey on a company Web site when making a purchase, you might wonder why you must do that. How will that information be used? With recent acts being passed in the U.S. against how information is collected and used, the consumer might think he is protected. But it's very difficult to nearly impossible for any agency to monitor the millions of Web sites that can collect information and ensure they are in compliance with the changing privacy laws. How is the consumer to know which laws affect information collection and use when companies do not even know in many cases that they are breaking the law? Businesses today have an opportunity to use information technologies to their competitive advantage, and that enticement can cause them to go one step beyond what is strictly legal. The deadline for compliance with the Gramm-Leach-Bliley Act (GLB) has passed and left many companies out of compliance. A recent survey of banks, mortgage brokers, and insurance companies showed a failure to fully inform online customers of their privacy rights according to the requirements of the act. The Center for Democracy and Technology (CDT) examined 100 Web sites and privacy practices by organizations affected by GLB and found that 80 did not provide advice on how to restrict access to their information and 34 shared customer information outside the guidelines set by GLB. Of the 100 sites, only 22 offered customers clear and simple opt-out mechanisms.

Any large company or global company has connections to partners, vendors, and even customers. By letting other organizations and people connect to their systems, companies are opening up potential holes in their systems that can allow an attacker a chance to get to your information. If a company sets up a connection incorrectly with a partner that allows unrestricted access to corporate assets, what is to stop that partner from pilfering information? If a company sells products over its Web site and customers can log in and check their orders, an inadvertent misconfiguration or not applying a patch to the system can give someone access to customer information that can be stolen. The very fact that a large company can offer a diverse range of services and form partnerships and alliances with other companies can put your personal information in jeopardy from an attack.

As you will see in later chapters, security is not that easy to implement. Any company that has your information and is connected in some form to the outside world can be subject to attack. As we have discussed, security spending is on the rise because hacker attacks are on the rise. A company can be an unknown ally to the attacker if it implements weak security measures to protect your information. Secure information and communication systems enables e-commerce, but being complacent about such security can be the death of e-commerce. There is no way to guarantee a risk-free environment in which a business can operate and protect your personal information. Businesses can be your worst enemy by enabling malicious attackers to easily access their systems and your data by lack of security measures. Proper controls require planning and careful implementation, which is not really prevalent yet when it comes to security-related issues. Security has always been an afterthought in doing business until recently. Companies that are not proactive in monitoring and managing the risk to your information will enable illegal access to your data and invasion of your privacy. There are always new types of attacks, services, and vulnerabilities that must be addressed on a daily basis to do business in this new economy.

Employer Spying

Most companies have the capability to legally monitor the e-mail, phone conversations, and any other forms of communications by employees using company resources. Employers are concerned with raising worker productivity; preventing theft; avoiding legal liability, corporate espionage, and harassment; and preventing lawsuits through inappropriate use of company resources. Where that line is between what is legal monitoring of company resources and spying or breaking of eavesdropping laws is very vague. In one recent case, the U.S. federal court system's chief administrator dropped requirements on monitoring the Internet communications of the judicial branch because of the backlash from judges on invasion of privacy issues and laws that could potentially be broken. The monitoring policy would have asked all employees to waive their privacy rights while using the resources of the office. But what happens in companies in which the employee has no say?

Federal law, which regulates phone calls with persons outside the state, does enable unannounced monitoring for business-related calls. (See Electronic Communications Privacy Act, 18 U.S.C 2510.) Personal calls cannot be monitored, though, only business calls. Using cell phones or pay phones can help you keep conversations private, but you can inadvertently be monitored when making personal calls.

Numerous monitoring software programs are available that can let employers watch a computer screen and read all the e-mail messages of an employee. Such software can do everything from recording all applications being used to capturing every keystroke made and taking screen shots of the monitor every few seconds. A remote monitoring station can watch exactly what is being done on your computer and record all the actions you take. Several of the software packages that enable employers to monitor your actions include

• Little Brother (www.littlebrother.com)— This software, for $295, can be used to track up to 10 systems for Internet use and bandwidth consumption, can block sites, and can provide very detailed reports on employee surfing.

• Cyber Snoop (www.pearlsw.com)— This Internet monitoring and filtering package costs $49. Cyber Snoop gives the system administrator control over the Web, IRC chat, FTP, e-mail, and newsgroups and can report on employees' work activities on their computers.

• Stealth Keylogger Interceptor Pro (www.keyloggers.com)— For $69, this program covertly monitors keystrokes and saves them to a text-based .log file. The log is complete, retrieving times and dates, application and dialog names, filenames, pasted text, and keystroke actions. There is no evidence that the program is running on the target machine.

Even if you delete your e-mail, backup copies are always available, and even deleted e-mail can be recovered. Recovering deleted e-mail is actually quite simple. One of the many popular e-mail packages used by businesses is Microsoft Outlook, in which retrieving a deleted e-mail message is easy. In Outlook 2002, you can simply select Tools, Recover Deleted Items to undelete e-mail messages, as shown in Figure 5.1.

Monitoring software can get around encryption of data on your machine if the employer can monitor what is on your screen. If data is transmitted in an encrypted form, no one can read it unless he can decrypt it. However, after you've decrypted your e-mail, your employer can easily have a screen-monitoring program running that can view the unencrypted data on your monitor. In some cases, even if the employer states that it has the right to monitor all e-mails, it can be breaking a local or federal law by doing so.

Even though monitoring employees seems like a way to better secure the environment, it can be a breach of moral and legal boundaries when it comes to privacy. Fostering such an environment can actually lead to employee dissatisfaction with the workplace and decreased productivity. If such actions are left to only extreme cases, perhaps when an employee is caught hacking, then a company should use such tools. On a daily basis, though, these tools will only cause problems in the workplace and weaken the already limited privacy rights of everyone.

Insider Threats

The insider threat is very real when it comes to system compromises. Employees are a serious and large threat to companies and individuals. The 1999 Computer Security Institute/FBI report notes that 55% of respondents reported malicious activity by insiders. In one case reported by the FBI before the Senate Committee on Appropriations, an FBI employee, Shakuntla Devi Singla, used her access to use another employee's ID and password to delete data from a U.S. Coast Guard personnel database system. The costs to recover included 115 agency employees and 1,800 hours. In another case reported by the FBI, in January and February 1999 the National Library of Medicine (NLM) computer system was hacked. Montgomery Johns Gray III, a former computer programmer for NLM, had left a backdoor into the system, stole patient information, and posed a public health threat by stealing such personal medical information.

Employees have access to systems without having to hack their way in. By stealing a customer list and selling it to a rival, an employee can easily make money. Ex-employees also are a threat because they know so much about the systems, and frequently all their access to the company is not terminated when they leave. This easy access can enable them to go back into the system as legitimate users and steal information.