1
Privacy and Security: “Feeling Safe in CyberSpace?”
Privacy and Security:
“Feeling Safe in CyberSpace?”
Reg Dyer
December 6, 2002
Table of Contents
Abstract
Who Should Read this Article?
Introduction
Are You Safe in CyberSpace?
Cyber Breakdown
Global Cooling
Comfort with Your Cyber PET
Conclusions
Recommendations
Glossary
References
Appendix
Abstract
Security and privacy of personal information is a much-discussed topic in the expanding online universe. The Internet is growing at an alarming rate and is still very much uncontrolled from a security and privacy perspective. Progress in this area has been slow at best. For example, Canada only upgraded their information and privacy laws to include this new environment in the late 90’s.
This uncontrolled environment is giving birth to many new tools designed to enhance privacy and security features in the online environment. Although these tools are a positive step, they do not guarantee security and privacy of our personal information. There is a need for continued research and development in this area from both a technical perspective and social perspective. Changes will only occur through deliberate action on our part.
Security and privacy of personal information is at the least, very difficult in this global environment. These issues involve many stakeholders, from the individual PC and Web user, the IT professional, commercial operations, to the governments of the world. The online environment is such that in order to guarantee protection and privacy, co-operation must be secured from all stakeholders.
This article highlights some of the key issues for individuals, government, and corporations. It offers little in terms of recommendations other than to keep abreast of these issues, to take action at a personal level, and to question every request for personal and private information.
Key-words : security, privacy, personal information, government, privacy enhancing tools, PET, privacy acts, privacy statutes
You can view the article online at: Online Version
Who Should Read this Article?
This introductory article is targeted at the IT professional and advanced online user interested in learning more about personal security in an increasingly un-secure on-line environment. It is assumed the reader has a background in IT with little knowledge of online security environment and related issues.
Introduction
“… U.S. Customs officials at Los Angeles International Airport ran a routine check of passengers on a TWA flight from London and scored a hit on a Richard Lawrence Sklar, a fugitive wanted for his part in an Arizona real estate scam. ... the fifty-eight-year-old passenger was strip-searched, moved from one holding-cell to another, and handcuffed to several violent offenders. The only problem was that the authorities had the wrong man.” (Forrester and Morrison 1997)
The above example could have been you. It was made possible by the advances in computer and communications technology. It occurred due to inaccurate information being stored in a government database. With the rapid technological advancements of today, come a number of surprising and serious privacy and security concerns. Old and new moral issues related to basic human rights and an individual’s right to privacy are discussed in books like “Computer Ethics, Cautionary Tales and Ethical Dilemmas in Computing’ and monitored by watchdog groups like the Global Internet Liberty Campaign and Privacy International. Computer technology, particularly telecommunications technology and the World Wide Web, have “compressed time and space.” They have made the world seem like a smaller place. At the click of a button, for little to no cost, you can communicate with an individual on the opposite side of the world. This gives rise to major issues with our online environment, especially the privacy and protection of personal information in a networked environment. Ray Panko gives a modern day description of the various types of attackers in our cyberspace.
Personal security and privacy issues are very broad based. They involve not only the individual, but have far greater reach, from your local bank branch to various government departments, and ultimately to the global community. In consideration of personal security and privacy, it behooves us to look at the affect of outside influences. These outside influences consist of governments, commercial operations, and individuals. The government perspective has been captured thru researching policy papers, plans, and statements. Plans such as the Minnesota Office of Technologymaster plan, offers a practical example of technology planning within a governing body. It considers, albeit briefly, the issues of privacy and security of personal data
“In terms of security, both citizens and businesses must absolutely believe that Electronic Government Services provide impenetrable protection from theft, fraud or malicious use of their information” (Minnesota Office of Technology 2001)
By looking at government reports to regulatory agencies like the US Federal Trade Commission, responsible for enforcing consumer protection statutes and other statutory regulations, we can get insight into what our governments see and should see as privacy and security concerns. Canadian views are obtained from sources like the recently updated statute on Information and privacy from the Alberta Government, practical applications like the policy statement by the Consumers’ Association of Canada.
Views from government and watchdog organizations are not enough, companies like MobileInfo.com, specializing in wireless and mobile systems provide a commercial perspective on newer wireless technologies including hand held devices like PDA’s and cell phones. Probably of most concern to individuals would be security risks that affect them on a day-to-day basis. Exposures like unrestricted access to information stored on our PC, the ability of organizations to obtain personal information without our knowledge, or the possibility of outside agents corrupting our appliance (the computer) in one way or another. Jennifer Kyrin, an established corporate web page designer has uncovered a specific set of exposures relating to many World Wide Web search engines in particular. Have a concern about how secure your computer really is? You can visit sites like the Electronic Privacy Information Center and visit their online guide to practical privacy tools, or Privacy.net, more of a commercial advertisement, but still providing the service of showing you first hand what information is available to every single web site you visit. Gibson Research, grc.com is another site specializing in practical security.
I have rejected sources offering a more specialized focus like Tim Ely’s report on privacy in the workplace or Gregory Walter’s article, which focuses too broadly on privacy and security.
Most individuals entering cyberspace are or should be concerned about the protection of personal data and information.
Are You Safe in CyberSpace?
Computers and the World Wide Web have no sense of borders, nor recognition of an individual’s sense of security and right to privacy. Today, it is easier to browse information located in another country than it is to mail a letter. Governments, business, and some individuals have taken full advantage of these new technologies, using them to obtain and “link” information in databases together from distant and separate areas. In a sense, we could say that processing of information requires far less effort today than it did even five years ago. For example, personal credit can be granted within minutes of applying as today’s technology provides searching capabilities of multiple credit databases at the click of a button. With the advancements in technology, state governments, private business, and unethical people are abusing and violating our basic rights to security and privacy every single day. For example, hacking is very prevalent today because it requires little effort to do so. Hackers do not have to break into your house they just hack into your computer without ever leaving their residence.
As can be seen from the following chart, the Internet is experiencing unprecedented growth (See appendix for data).
(Rutkowski 2001)
With growth of this magnitude, security and privacy violations will only increase. The Internet is still very much uncontrolled from a security and privacy perspective.
Where do we start? We need to start by asking the question, “What are you concerned about?” Most individuals would concur with Dan Greer, “When I log into a machine, I want to know that my information is not being inadvertently shared with others. When I send an e-mail, I want to know that it is not being stolen, copied, or intercepted during transmission. When I trade stock online, I need to know that when I say "Buy 100" that is what happens and not some other transaction.” (Milojicic 2000)
Cyber Breakdown
There are many types of risks and attackers that may “break” into our personal and private world. Direct attacks on our personal computer are the most obvious and perhaps the easiest to secure. The exposure of personal information has extended well beyond that of your PC. Governments and commercial entities are now providing delivery of goods and services online making personal information held by these organizations at risk. Information is far more accessible through government and commercial web sites as they are accessed by hundreds of thousands of individuals. Is this really a concern in light of the continual advancements made in both hardware and software technology? Ray Panko, in his book about networks and telecommunications puts our concerns into perspective “In 2001, a major financial institution detected 1.5 attacks every second during one sample week. For non-Web (non-HTTP) transactions, an astounding 85 percent of all messages were unauthorized. Also in 2001, MessageLabs (a provider of outsourced virus detection services) detected an average of one virus in every 400 e-mails that it examined.” (Panko 2002) How safe do you feel now performing online banking?
Even though you may think your PC is safe, you must also question your Internet and/or network provider and any commercial site where you do business. To paraphrase Jennifer Kyrin, a corporate web page developer since 1993, few files in a web site directory are completely secure. Search engines and related tools, which automate scanning, cataloging, and indexing of web site information, have access to any non-protected files in a web directory. This has allowed engines like Google, to catalog and search based on file type. Not only are html files visible, but also rich text files (rtf), PDF’s, postscript, Word documents, even spreadsheet files and PowerPoint presentations. (Kyrin 2002) Even commercial sites are subject to security “loop holes”. It could be your personal information attackers are obtaining from these un-secure sites.
Perhaps, like me, you’re a user of wireless networks. These types of transmission mediums are even more at risk than traditional fixed networks like those found with most IP’s. CapsLock, a “mobile security niche solution provider” (CapsLock.fi 2002) has developed a list of what it sees as critical success points for wireless networks. To summarize these points available at MobileInfo.com: not all wireless devices can or will provide hardware encryption, use a software solution for encryption; Encryption for wireless access does not automatically propagate from your fixed network, build encryption features into your web application; Plan and test your security measures, particularly those that have roaming capability; Different wireless applications require different levels of protection forcing you to tailor solutions to the needs of the application; A single solution is impossible in a wireless network that’s subject to such a wide variety of security threats, prepare to implement many different approaches. (MobileInfo.com 2001)
Where do these attacks come from? To paraphrase Ray, attackers can be organized into five different types: experienced well seasoned hackers; individuals with little knowledge making use of “kiddie scripts”; criminals from organized crime and industrial/government spies; terrorists and governments intent on destroying a countries IT structure. (Panko 2002)
One well-known privacy risk to most Internet users is cookies. A cookie is a small file written on your PC by a server. Honest use of cookies involve storing information regarding perhaps your web page preferences at a particular website, or storing the items in your online shopping cart to be restored next time you visit or shop at a site. Although this presents a risk of recording your purchases and preferences, dishonest use of cookies are more of concern. Unscrupulous web site owners can use cookies to track your browsing habits and store information about you that in turn could be sold or used illegally. Most browsers have the capability to disable cookies, however more and more legitimate sites today require cookies to be enabled.
Unsolicited advertising e-mail (SPAM) is cluttering the Internet. You can even find sites on the Web that provide the capability to send email anonymously. The receiver cannot tell where the message originated. Aside from a virus concern, these messages may not present an immediate risk, however, you may unknowing confirm with the sender that your email address is valid by clicking the link to remove yourself from their subscriber list. The operation now has confirmation that they sent their message to a legitimate email address, which in turn they can sell or use for further marketing.
Although these are but a few startling facts, issues of personal privacy and security have global scope.
Global Cooling
Most states throughout the world recognize human rights to privacy in their constitutions. It wasn’t until the early 1970's that states began to adopt more stringent privacy laws with regards to the privacy of personal information. As of the late 90’s, very few states had recognized the need to change privacy laws and legislation to encompass this new “online” technology. This is evident within our own country, which only recently (1998) tabled legislation to address information privacy and security issues. An exception to this was the European Union. The EU recognized and acted towards protecting our privacy with regards to trans-border flow of information with groundbreaking legislation in 1995.
“… conscious both of the shortcomings of law, and the many differences in the level of protection in each of its States, the European Union passed a Europe-wide directive which will provide citizens with a wider range of protections over abuses of their data. The directive on the “Protection of Individuals with regard to the processing of personal data and on the free movement of such data” sets a benchmark for national law. Each EU State must pass complementary legislation by October 1998.” (Banisar and Davies 1998)
This ground breaking international agreement focuses on the collection and trans-border flow of personal information. For state to continue trade with EU members, they are being forced to adopt more comprehensive laws concerning the protection and privacy of personal data. It is evident from this agreement that privacy and security of personal information has global significance. Modern societies must decide what forms of data collection are necessary and what constitutes an invasion of privacy. We must preserve our right to individuality and uniqueness in order to block the growing invasion of privacy occurring today.
The European Union has made tremendous strides in placing privacy and information protection at the forefront of their trade requirements. No other country has incorporated this component into their trade packs on such an international scale. Governments and business are both guilty of unethical behavior with regard to using, storing and sharing personal information in electronic form. The rapid advancements in technology will undoubtedly contribute too further abuse of this information. Most states, including the UN are placing privacy and security issues under the human rights umbrella. Non-government organizations are being created which specifically address personal information and privacy matters like Privacy International. It does not appear that these issues are of primary concern to politicians. The general public in most states have little education with regards to security of information being held in electronic form. This leaves the responsibility up to the individuals developing the software used in the online world.
Society as a whole must bear the main responsibility for moving forward the necessary privacy and security issues, which state governments must address. Typical of many government agencies in the US are the publishing of key security points as in the Minnesota Office of Technology, master plan which states:
“To ensure the integrity of public data and alleviate the concerns of the public, the state needs to think in new ways about how business is conducted. That includes:
· Authorizing credit card use
· Deciding who pays transaction fees