CS73N Meeting 13 Notes: Privacy

Started by Gio Wiederhold, 26 Jan 2000, updated 22 Feb 2002.

Topics Covered briefly

Security versus Privacy?

Often confused.

Access protection is based on Metadata:

Release protection requires also


It's Time for Rules in Wonderland

Here's Business Week's four-point plan to solve the Internet privacy mess.

If Lewis Carroll had written about Alice's adventures today, she would find herself passing through the looking glass and into cyberspace. She would meet up with dodos, duchesses, and eggheads, some of whom would spout the rough equivalent of '''Twas brillig, and the slithy toves....'' The journey also would be full of rude surprises. As in Carroll's books, she would eventually discover who she really was. But many others she had never met would learn about her, too. Indeed, with every click of the mouse, a bit more of her privacy would vanish down the rabbit hole.

These days, a lot of people are stumbling on similar unpleasant surprises. Thanks to a string of privacy gaffes involving DoubleClick (DCLK), RealNetworks (RNWK), Amazon.com (AMZN), and other major Web sites, consumers are learning that e-commerce companies have an intense interest in their private information. For about 9 cents, some medical data sites will sell you your neighbor's history of urinary tract infections. Your speeding tickets, bounced checks, and delayed child-support payments are an open book. In the background, advertising services are building profiles of where people browse, what they buy, how they think, and who they are. Hundreds of sites already are stockpiling this type of information--some to use in targeted advertising, others to sell or trade with other sites. (Concepts).

GOLD RUSH.

It will get worse. The tricks being played today are child's play compared with what's coming. Web sites that want to know you better will soon be able to track your movements on Web phones, palm devices, and video games, and parse the data with more subtle software. Online services can be layered with mounds of data about each person. Interactive TVs, for instance, have the potential to correlate the Web sites you visit at work with the ads you see at home in the evening.

Web surfers don't need extra proof that this gold rush for personal data is alarming. In a new Business Week/Harris Poll (fix), 92% of Net users expressed discomfort about Web sites sharing personal information with other sites. The public outcry has grown so loud that in February, search engine AltaVista Co. promised to ask explicit permission before sharing visitors' personal information with other companies. On Mar. 2, DoubleClick bowed to public pressure on a similar point: The company, which serves up ads on many Web sites, has created anonymous digital snapshots, or ''profiles,'' of millions of cybersurfers, based on where they browse and what they do online. DoubleClick had planned to link profiles with much more specific information, including names and addresses culled from real-world databases that cover 90% of American households. The company dropped that controversial plan, and within days, smaller rival 24/7 Media Inc. abandoned a similar strategy.

Anonymous tracking and profiling by DoubleClick and 24/7 can be very subtle. But sometimes privacy violations hit you in the face. We have all heard the examples of sociopaths who stalk their victims online. We have seen the statistics on ''identity theft,'' in which criminals suck enough personal data off the Net to impersonate other people. Perhaps these are extreme examples. Even without them, many cybersurfers are starting to feel that they have spent quite enough time at this particular Mad Tea Party. They are ready for privacy rules that set some plain and simple boundaries. In the March Business Week/Harris Poll, 57% of respondents said government should pass laws on how personal information is collected. ''What's going on today is exponentially more threatening to those who want to protect privacy,'' says Eliot Spitzer, New York's state attorney general who has proposed privacy legislation. People can't make informed decisions on the Net because they lack the necessary information. ''What we're confronting is a market failure,'' says Spitzer.

Responding to a growing chorus of privacy-related complaints, some states have drafted legislation ranging from curtailing the sale of personal information to the creation of a privacy ombudsman. But this piecemeal, state-by-state approach is a muddle. Scattershot laws will only create more confusion. Over time, they will choke budding e-business in complex litigation and red tape.

Business Week believes there is a better way. Instead of a conflicting patchwork of state rules, the federal government should adopt clear privacy standards in the spirit of the Fair Information Practices--a philosophical framework for privacy protection that has been adopted worldwide over the past 25 years. The broad principles are essential (Details) (!fix):

  1. Companies conducting business online should be required by law to disclose clearly how they collect and use information.
  2. Consumers must be given control of how their data are used.
  3. Web surfers should also have the ability to inspect that data and to correct any errors they discover.
  4. And when companies break the rules, the government must have the power to impose penalties.

(How to Draw the line) (fix!).
''All of these bits you are sending out are your digital DNA,'' says Tara Lemmey, president of the Electronic Frontier Foundation. ''You should have control of that.''

Regulation flies in the face of the approach industry has been championing. For the past four years, Net companies have insisted that they can police themselves on privacy. ''Industry initiatives and market forces are already doing a good job,'' says Daniel J. Jaye, co-founder of Engage Technologies Inc., which dishes up ads on the Web.

In other words, the market will punish companies that fall afoul of consumers. Bringing in the government, execs say, will pile bureaucratic layers on top of the Net. This could undercut the very promise of efficiency that many online businesses are counting on. The Internet, they say, is supposed to draw companies closer to their customers, allowing them to anticipate their desires. With profile data, they can target their ads, slash wasteful and random marketing costs, design products faster, and build higher profit margins. (AcXiom) (fix!). Profiling provides the underpinnings of a new way of doing business upon which the Net Economy is built.

Laws that require businesses to seek users' permission before they collect or use data about Web-surfing habits could kill this goose, they say. And why do that, industry execs ask, when they are making such fine strides in protecting consumer privacy? As a positive sign, Net businesses trumpet a May, 1999, Federal Trade Commission survey in which 66% of companies queried had privacy policies.

SELF-REGULATORY SHAM.

We are not persuaded by these arguments. Few Web sites give consumers real choices over the data that get collected online. There is no proof that if given a choice--especially bolstered with financial incentives proffered by Web merchants--consumers won't willingly hand over some personal data. As for privacy policies, the same FTC survey showed that while more than 90% of companies polled collected personal information, fewer than 10% actually followed all of the established Fair Information Practices.

In short, self-regulation is a sham. The policies that companies have posted under pressure from the government are as vague and confusing as anything Lewis Carroll could have dreamed up. One simple example: When people register at Yahoo! Inc. (YHOO) for one of its services, such as My Yahoo, they are asked to provide their birth date and e-mail address--ostensibly as a safeguard if they forget their user name and need prompting. But Yahoo also uses that information for a service called the Birthday Club, sending product offers from three to five merchants to users via e-mail on their birthday.

Don't look for transparency here. Most sites don't limit how they or their partners use consumer information. And Web sites can transfer information to partners without telling their own customers. Many sites also change their practices at will and without warning.
ICons:

Because privacy breaches are so corrosive to consumer trust, some Web execs actually welcome broad national standards. IBM (IBM) and Walt Disney Co. (DIS) have decided not to advertise on Web sites that don't have privacy policies. Privacy codes must be clearer, says Chris Larsen, CEO and founder of E-Loan Inc. (EELN), an online loan service that has its privacy policies audited. ''I think the industry has squandered the opportunity to take care of this on its own.'' IBM Chairman Louis Gerstner doesn't go that far. But he has warned Net executives that they must get serious. ''I am troubled, very troubled, by leaders who have failed to recognize our responsibility in the transformation of the new economy,'' he says.

We hope other Web execs are listening closely. The policies we propose are in the best interests of Web businesses. If more consumers can be assured that their personal information is safe, more of them will flock to the Net--and click, not exit. There are other explicit benefits for the industry. Privacy standards create a level playing field, so companies don't fall into an arms war, each trying to collect the most data--at any cost. ''Business will benefit from the right level of government involvement,'' says Nick Grouf, founder of PeoplePC, which offers cheap PCs and Net connections. ''Standards are good, but they need some teeth, and this is where government becomes a good partner.''

FEDERAL STANDARD.

In the long term, the privacy protection that Business Week espouses will make life simpler for businesses on the Net. More than 20 states already are moving to enact some kind of guarantees. A minimum federal standard of online privacy would decrease the cost and complexity for companies. It also would increase trust. If businesses really want to be close to their customers, trust is paramount. This approach also will shrink the gap that has arisen between the U.S. and Europe, where privacy already is recognized as a right. The Europeans have stood firm, putting American companies in the peculiar position of extending greater privacy protection in Germany or France than at home.

It's time to iron out the inconsistencies. Here are our prescriptions for protecting personal privacy without jeopardizing the promise of e-commerce...

(What you can do).

Privacy

Privacy is a major issue for individuals, and information systems are central to the issue. There is a sense that privacy should be protected, but legal constraints are few, although some have been proposed [Gore:99]. Most of the issues relating to privacy are not technological, but builders of information systems have to be quite sensitive to the issues of privacy. Understanding privacy issues requires knowing who the participants are, what their perceptions are of the losses and benefits incurred when making their information accessible, and the technical capabilities that exist. Often the losses may be personal and the benefits societal, as, for instance, in sharing healthcare information.

Background

Lack of concern for privacy can be, and has been, the reason for the failure of a number of projects that were technologically feasible. A well-known example was the Lotus 1991 project to produce a listing of all people in the United States, with addresses and preferences [Culnan:91]. When this project became known, the negative reactions of the unwilling participants were so strong that it was abandoned. Even recent governmental efforts to introduce a unique health-care identification number, perhaps modeled on the Social Security Number, have been stymied, and more complex, indirect schemes are now being proposed, that will satisfy some, but not all, of the objectives envisaged by its proponents [Margolis:99]. The Social Security Number (SSN) itself is formally restricted to uses related to the social benefit system, but since that system has been broadened so greatly, it is also used for Federal tax records, hence for State tax records, and for health care in the military. No major problems have occurred due to the use of the SSN in military health care, for instance, and still, further broadening of the use of the SSN leads to excited reactions in the U.S. In many European countries government involvement in private lives has a long history and such reactions are muted, but strong laws exist forbidding linkages of data from diverse sources. Some of these laws have their origin in the misuse of private data by totalitarian governments, but their acceptance is also based on emotional reactions to perceived loss of privacy.

Recent privacy issues go beyond identification of individuals. The design of the new generation of Intel chips provides a unique chip identification [Intel:99]. Such an identification has been requested, among others, by software distributors who wish to limit software piracy, by keying software licenses to specific computers. Again, a very negative reaction ensued, with the arguments that release of the number will allow vendors and governments to track communication activities performed on that computer, and presumably relating those activities to an individual. The final outcome of this argument is not clear. Intel is trying to assure the public that the release of the number can be blocked, although the frustrated reaction of Scott McNealy, president and chief executive of Sun Microsystems, a competitor, has been: "You already have zero privacy, get over it" [Markoff:99]. Similarly, the Microsoft Windows 98 operating system transmits at registration time information to Microsoft, which includes the identification number of the software, and associates it with personal information.

Participants

The groups actively defending privacy are a mixed bag. There are very legitimate objections from groups that are truly concerned about civil liberties, say, protecting individuals from being labeled by activities they once performed, or by mere accusations, that are now no longer valid. Many politicians have been unreasonably hurt by revelations of 'youthful indiscretions'. There are people engaged in viewing pornographic material, by all measures a very large but not very vocal group, who prefer privacy. There are hackers, who do not wish to be constrained in the range and flexibility of their computing activities. There are legal experts, seeing a new area of formalization of what is now a very poorly defined right. There are groups that see privacy invasions as an intrusion of large government into their lives. There are groups that see privacy regulations as a means to prevent multi-national companies from gaining excessive benefit from merging operations over multiple countries and continents. There is likely even a criminal element that is quite willing to exploit privacy for its own benefit.

Open records are desired by vendors of software and other merchandise that wish to limit fraud, and by advertisers that wish to focus their messages on those most likely to react. Most public health officials see great benefits in aggregating health histories to determine the natural course of disease and the effects and side-effects of medication. There are firms that, in the process of developing and testing new pharmaceuticals, must relate activities and reactions of patients under surveillance over long time periods. And there are law-enforcement officials whose task is hindered by an inability to track criminal activities and criminals across legal and national boundaries.

The largest group, of course, are the people that are sympathetic to both the legal and the emotional issues. They are the recipients of the confusing arguments of the privacy debate, but their reaction has been modest. For instance, few people worry in practice about the cookies that web-actions are accumulating on their computer files (see Section 3.2.5), although simple tools exist to refuse or remove them.

Technological Aspects of Protecting Privacy

Protection of privacy requires secure systems, and security requires reliable operations [Rindfleisch:97]. Current operations are lacking in all aspects [ClaytonEA:97]. But perfect software is impossible [DenningM:97]. Encryption of data provides arbitrarily secure storage and transmission, at the cost of longer encryption keys, delays for encoding and decoding, complexity of key management, and an additional chance of loss if the key is lost.

In order to obtain confidential material, or the key to be able to decode such material, the receiver must be authenticated as being the intended person, and authorized to receive the material. Improved authentication schemes are an active research and development topic. Most remote authentication protocols rely on public key encryption methods [KentF:99], and are quite strong, although research in the topic continues [NTT:99]. Local systems are often not as well protected, especially where many users share system software and data [RussellG:91], and keys and data are not well protected.

The converse is also an issue. There are sites that publish material that is offensive, either by being hateful or morally objectionable. While freedom-of-speech does not permit their closure, there is a need to recognize such sites and classify them. Many use tricks to intrude on legitimate searches. For instance, when seeking information on some actresses, one might be led to a pornographic site. Tools to aid in recognition of inappropriate sites can help search engine providers and individuals to tailor their searches around such material [WangWF:98].

There are many instances where collaborators have legitimate reasons for access to some data, but those data are not clearly distinguished from other data. For instance, a medical record will contain data of various levels of concern, from basic demographics to information about sexually transmitted and psychiatric diseases, which most patients would not want to share widely. Some data from the medical record must be shared with insurance companies, public health agencies, and researchers, but such releases must be filtered [WangWL:98].
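The two-layer filtering idea above (access decided from metadata about each field, release additionally checked against the content itself, since sensitive facts also turn up inside free text), as an added illustration that is not code from the notes or from the cited TIHI work. The field classes, the role policy, the restricted-term list and the sample record are all constructed assumptions.

```python
import re

# Assumed metadata: the sensitivity class of each structured field.
FIELD_CLASS = {
    "name": "demographic", "dob": "demographic", "zip": "demographic",
    "diagnoses": "clinical", "medications": "clinical",
    "psychiatric": "restricted", "std_history": "restricted",
    "notes": "freetext",
}

# Assumed release policy: which classes each recipient role may receive.
# Nothing grants "restricted" and unknown roles get nothing (deny by default).
ROLE_POLICY = {
    "insurer": {"demographic", "clinical"},
    "public_health": {"clinical"},
    "researcher": {"clinical"},
}

# Constructed vocabulary: free text mentioning these terms is treated as
# restricted even though the "notes" field itself carries no such label.
RESTRICTED_TERMS = re.compile(
    r"\b(psychiatric|depression|hiv|chlamydia|syphilis)\b", re.IGNORECASE)

# Constructed, fictitious sample record.
SAMPLE_RECORD = {
    "name": "Pat Example",
    "dob": "1961-04-02",
    "zip": "94305",
    "diagnoses": ["hypertension", "type 2 diabetes"],
    "medications": ["metformin", "lisinopril"],
    "psychiatric": ["major depression"],
    "std_history": ["chlamydia 1998"],
    "notes": ("Patient reports good adherence to metformin. "
              "Referred to psychiatric clinic for depression. "
              "Blood pressure controlled."),
}


def split_sentences(text):
    """Split free text on sentence-ending punctuation."""
    return [s for s in re.split(r"(?<=[.!?])\s+", text.strip()) if s]


def filter_record(record, role):
    """Return the subset of `record` releasable to `role`.

    Structured fields are released purely on their metadata class.
    Free text is released sentence by sentence, dropping any sentence
    that names a restricted condition (content check, not metadata).
    """
    allowed = ROLE_POLICY.get(role, set())
    released = {}
    for field, value in record.items():
        cls = FIELD_CLASS.get(field)
        if cls is None:
            continue                      # unlabeled field: withhold
        if cls == "freetext":
            if "clinical" not in allowed:
                continue
            kept = [s for s in split_sentences(value)
                    if not RESTRICTED_TERMS.search(s)]
            if kept:
                released[field] = " ".join(kept)
        elif cls in allowed:
            released[field] = value
    return released
```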

Privacy and security are also an issue in business and government, and even more often a concern in their interaction. Similar instances of shared data occur in manufacturing, especially in the setting of virtual enterprises [HardwickSRM:96]. Dealing with this issue requires innovative methods to match customers to resources, this time in a restrictive manner [WBSQ:96].

Presidential Politics and Internet Privacy

In the wake of Super Tuesday, enonymous.com's services are being increasingly utilized, as interested citizens are logging on to politically-affiliated Web sites and supplying personal information. In an ironic collision of two of the biggest topics of the season -- presidential primaries and Internet privacy -- we are finding out how well, and how poorly, some of the main political news and candidate sites handle online privacy. According to enonymous.com, as of February 28th, none of the presidential candidates' official Web sites qualified for a four-star rating. In order to receive such a rating, sites must never contact Internet users without their explicit permission or share identifiable user information with third parties. Among the political party sites, only the Republicans' rnc.org qualifies for the four-star rating, while the national Democratic Web site democrats.org posts a one-star privacy policy, implying that the Democrats may share personally identifiable information without asking for opt-in permission. Among the political news sites, both c-span.org and nyt.com boast a four-star rating, while cnn.com and washingtonpost.com share a respectable three-star rating. Enonymous.com has a listing of all four-star rated sites on the Internet at , which also features one of the Company's new services, a search engine that can recover the one-to-four star rating of any site by typing in the URL. The company is currently preparing its first major research report for public testimony on the issue of Internet privacy, based on its comprehensive privacy ratings database. The in-depth study will be available in April 2000.

Notes

See

[Garfinkel:00] Simson Garfinkel: Database Nation, The Death of Privacy in the 21st Century; OReilly, 2000. =TIHI= A graphic and blistering indictment .. [Ralph Nader], lists many problems, few solutions.
See also the references and
entries marked =TIHI= in Gio's list of current references.
