Privacy and Security: “Feeling Safe in CyberSpace?” Privacy and Security: “Feeling Safe in CyberSpace?” Reg Dyer December 6, 2002 1 Privacy and Security: “Feeling Safe in CyberSpace?” 2 Table of Contents Abstract .......................................................................................................................................... 3 Who Should Read this Article? ............................................................................................... 3 Introduction ................................................................................................................................... 4 Are You Safe in CyberSpace? ...................................................................................................... 6 Cyber Breakdown ..................................................................................................................... 6 Global Cooling........................................................................................................................... 8 Comfort with Your Cyber PET ............................................................................................... 9 Conclusions .................................................................................................................................. 11 Recommendations ....................................................................................................................... 12 Glossary ....................................................................................................................................... 13 References .................................................................................................................................... 14 Appendix ...................................................................................................................................... 16 Privacy and Security: “Feeling Safe in CyberSpace?” 3 Abstract Security and privacy of personal information is a much-discussed topic in the expanding online universe. The Internet is growing at an alarming rate and is still very much uncontrolled from a security and privacy perspective. Progress in this area has been slow at best. For example, Canada only upgraded their information and privacy laws to include this new environment in the late 90’s. This uncontrolled environment is giving birth to many new tools designed to enhance privacy and security features in the online environment. Although these tools are a positive step, they do not guarantee security and privacy of our personal information. There is a need for continued research and development in this area from both a technical perspective and social perspective. Changes will only occur through deliberate action on our part. Security and privacy of personal information is at the least, very difficult in this global environment. These issues involve many stakeholders, from the individual PC and Web user, the IT professional, commercial operations, to the governments of the world. The online environment is such that in order to guarantee protection and privacy, co-operation must be secured from all stakeholders. This article highlights some of the key issues for individuals, government, and corporations. It offers little in terms of recommendations other than to keep abreast of these issues, to take action at a personal level, and to question every request for personal and private information. Key-words : security, privacy, personal information, government, privacy enhancing tools, PET, privacy acts, privacy statutes You can view the article online at: Online Version Who Should Read this Article? This introductory article is targeted at the IT professional and advanced online user interested in learning more about personal security in an increasingly un-secure on-line environment. It is assumed the reader has a background in IT with little knowledge of online security environment and related issues. Privacy and Security: “Feeling Safe in CyberSpace?” 4 Introduction “… U.S. Customs officials at Los Angeles International Airport ran a routine check of passengers on a TWA flight from London and scored a hit on a Richard Lawrence Sklar, a fugitive wanted for his part in an Arizona real estate scam. ... the fifty-eight-year-old passenger was strip-searched, moved from one holding-cell to another, and handcuffed to several violent offenders. The only problem was that the authorities had the wrong man.” (Forrester and Morrison 1997) The above example could have been you. It was made possible by the advances in computer and communications technology. It occurred due to inaccurate information being stored in a government database. With the rapid technological advancements of today, come a number of surprising and serious privacy and security concerns. Old and new moral issues related to basic human rights and an individual’s right to privacy are discussed in books like “Computer Ethics, Cautionary Tales and Ethical Dilemmas in Computing’ and monitored by watchdog groups like the Global Internet Liberty Campaign and Privacy International. Computer technology, particularly telecommunications technology and the World Wide Web, have “compressed time and space.” They have made the world seem like a smaller place. At the click of a button, for little to no cost, you can communicate with an individual on the opposite side of the world. This gives rise to major issues with our online environment, especially the privacy and protection of personal information in a networked environment. Ray Panko gives a modern day description of the various types of attackers in our cyberspace. Personal security and privacy issues are very broad based. They involve not only the individual, but have far greater reach, from your local bank branch to various government departments, and ultimately to the global community. In consideration of personal security and privacy, it behooves us to look at the affect of outside influences. These outside influences consist of governments, commercial operations, and individuals. The government perspective has been captured thru researching policy papers, plans, and statements. Plans such as the Minnesota Office of Technology master plan, offers a practical example of technology planning within a governing body. It considers, albeit briefly, the issues of privacy and security of personal data “In terms of security, both citizens and businesses must absolutely believe that Electronic Government Services provide impenetrable protection from theft, fraud or malicious use of their information” (Minnesota Office of Technology 2001) By looking at government reports to regulatory agencies like the US Federal Trade Commission, responsible for enforcing consumer protection statutes and other statutory regulations, we can get insight into what our governments see and should see as privacy and security concerns. Canadian views are obtained from sources like the recently updated statute on Information and privacy from the Alberta Government, practical applications like the policy statement by the Consumers’ Association of Canada. Views from government and watchdog organizations are not enough, companies like MobileInfo.com, specializing in wireless and mobile systems provide a commercial perspective Privacy and Security: “Feeling Safe in CyberSpace?” 5 on newer wireless technologies including hand held devices like PDA’s and cell phones. Probably of most concern to individuals would be security risks that affect them on a day-to-day basis. Exposures like unrestricted access to information stored on our PC, the ability of organizations to obtain personal information without our knowledge, or the possibility of outside agents corrupting our appliance (the computer) in one way or another. Jennifer Kyrin, an established corporate web page designer has uncovered a specific set of exposures relating to many World Wide Web search engines in particular. Have a concern about how secure your computer really is? You can visit sites like the Electronic Privacy Information Center and visit their online guide to practical privacy tools, or Privacy.net, more of a commercial advertisement, but still providing the service of showing you first hand what information is available to every single web site you visit. Gibson Research, grc.com is another site specializing in practical security. I have rejected sources offering a more specialized focus like Tim Ely’s report on privacy in the workplace or Gregory Walter’s article, which focuses too broadly on privacy and security. Most individuals entering cyberspace are or should be concerned about the protection of personal data and information. Privacy and Security: “Feeling Safe in CyberSpace?” 6 Are You Safe in CyberSpace? Computers and the World Wide Web have no sense of borders, nor recognition of an individual’s sense of security and right to privacy. Today, it is easier to browse information located in another country than it is to mail a letter. Governments, business, and some individuals have taken full advantage of these new technologies, using them to obtain and “link” information in databases together from distant and separate areas. In a sense, we could say that processing of information requires far less effort today than it did even five years ago. For example, personal credit can be granted within minutes of applying as today’s technology provides searching capabilities of multiple credit databases at the click of a button. With the advancements in technology, state governments, private business, and unethical people are abusing and violating our basic rights to security and privacy every single day. For example, hacking is very prevalent today because it requires little effort to do so. Hackers do not have to break into your house they just hack into your computer without ever leaving their residence. As can be seen from the following chart, the Internet is experiencing unprecedented growth (See appendix for data). Internet Growth Internet Growth Rate Month-year of 150 survey 100 50 0 Total Internet Host Count 72.4 Feb-00 Sep-00 Feb-00 Mar-01 109 93 72.4 93 Sep-00 109 Hosts in Millions Mar-01 Month - year of survey (Rutkowski 2001) With growth of this magnitude, security and privacy violations will only increase. The Internet is still very much uncontrolled from a security and privacy perspective. Where do we start? We need to start by asking the question, “What are you concerned about?” Most individuals would concur with Dan Greer, “When I log into a machine, I want to know that my information is not being inadvertently shared with others. When I send an e-mail, I want to know that it is not being stolen, copied, or intercepted during transmission. When I trade stock online, I need to know that when I say "Buy 100" that is what happens and not some other transaction.” (Milojicic 2000) Cyber Breakdown There are many types of risks and attackers that may “break” into our personal and private world. Direct attacks on our personal computer are the most obvious and perhaps the easiest to Privacy and Security: “Feeling Safe in CyberSpace?” 7 secure. The exposure of personal information has extended well beyond that of your PC. Governments and commercial entities are now providing delivery of goods and services online making personal information held by these organizations at risk. Information is far more accessible through government and commercial web sites as they are accessed by hundreds of thousands of individuals. Is this really a concern in light of the continual advancements made in both hardware and software technology? Ray Panko, in his book about networks and telecommunications puts our concerns into perspective “In 2001, a major financial institution detected 1.5 attacks every second during one sample week. For non-Web (non-HTTP) transactions, an astounding 85 percent of all messages were unauthorized. Also in 2001, MessageLabs (a provider of outsourced virus detection services) detected an average of one virus in every 400 e-mails that it examined.” (Panko 2002) How safe do you feel now performing online banking? Even though you may think your PC is safe, you must also question your Internet and/or network provider and any commercial site where you do business. To paraphrase Jennifer Kyrin, a corporate web page developer since 1993, few files in a web site directory are completely secure. Search engines and related tools, which automate scanning, cataloging, and indexing of web site information, have access to any non-protected files in a web directory. This has allowed engines like Google, to catalog and search based on file type. Not only are html files visible, but also rich text files (rtf), PDF’s, postscript, Word documents, even spreadsheet files and PowerPoint presentations. (Kyrin 2002) Even commercial sites are subject to security “loop holes”. It could be your personal information attackers are obtaining from these un-secure sites. Perhaps, like me, you’re a user of wireless networks. These types of transmission mediums are even more at risk than traditional fixed networks like those found with most IP’s. CapsLock, a “mobile security niche solution provider” (CapsLock.fi 2002) has developed a list of what it sees as critical success points for wireless networks. To summarize these points available at MobileInfo.com: not all wireless devices can or will provide hardware encryption, use a software solution for encryption; Encryption for wireless access does not automatically propagate from your fixed network, build encryption features into your web application; Plan and test your security measures, particularly those that have roaming capability; Different wireless applications require different levels of protection forcing you to tailor solutions to the needs of the application; A single solution is impossible in a wireless network that’s subject to such a wide variety of security threats, prepare to implement many different approaches. (MobileInfo.com 2001) Where do these attacks come from? To paraphrase Ray, attackers can be organized into five different types: experienced well seasoned hackers; individuals with little knowledge making use of “kiddie scripts”; criminals from organized crime and industrial/government spies; terrorists and governments intent on destroying a countries IT structure. (Panko 2002) One well-known privacy risk to most Internet users is cookies. A cookie is a small file written on your PC by a server. Honest use of cookies involve storing information regarding perhaps your web page preferences at a particular website, or storing the items in your online shopping cart to be restored next time you visit or shop at a site. Although this presents a risk of recording your purchases and preferences, dishonest use of cookies are more of concern. Privacy and Security: “Feeling Safe in CyberSpace?” 8 Unscrupulous web site owners can use cookies to track your browsing habits and store information about you that in turn could be sold or used illegally. Most browsers have the capability to disable cookies, however more and more legitimate sites today require cookies to be enabled. Unsolicited advertising e-mail (SPAM) is cluttering the Internet. You can even find sites on the Web that provide the capability to send email anonymously. The receiver cannot tell where the message originated. Aside from a virus concern, these messages may not present an immediate risk, however, you may unknowing confirm with the sender that your email address is valid by clicking the link to remove yourself from their subscriber list. The operation now has confirmation that they sent their message to a legitimate email address, which in turn they can sell or use for further marketing. Although these are but a few startling facts, issues of personal privacy and security have global scope. Global Cooling Most states throughout the world recognize human rights to privacy in their constitutions. It wasn’t until the early 1970's that states began to adopt more stringent privacy laws with regards to the privacy of personal information. As of the late 90’s, very few states had recognized the need to change privacy laws and legislation to encompass this new “online” technology. This is evident within our own country, which only recently (1998) tabled legislation to address information privacy and security issues. An exception to this was the European Union. The EU recognized and acted towards protecting our privacy with regards to trans-border flow of information with groundbreaking legislation in 1995. “… conscious both of the shortcomings of law, and the many differences in the level of protection in each of its States, the European Union passed a Europe-wide directive which will provide citizens with a wider range of protections over abuses of their data. The directive on the “Protection of Individuals with regard to the processing of personal data and on the free movement of such data” sets a benchmark for national law. Each EU State must pass complementary legislation by October 1998.” (Banisar and Davies 1998) This ground breaking international agreement focuses on the collection and trans-border flow of personal information. For state to continue trade with EU members, they are being forced to adopt more comprehensive laws concerning the protection and privacy of personal data. It is evident from this agreement that privacy and security of personal information has global significance. Modern societies must decide what forms of data collection are necessary and what constitutes an invasion of privacy. We must preserve our right to individuality and uniqueness in order to block the growing invasion of privacy occurring today. The European Union has made tremendous strides in placing privacy and information protection at the forefront of their trade requirements. No other country has incorporated this Privacy and Security: “Feeling Safe in CyberSpace?” 9 component into their trade packs on such an international scale. Governments and business are both guilty of unethical behavior with regard to using, storing and sharing personal information in electronic form. The rapid advancements in technology will undoubtedly contribute too further abuse of this information. Most states, including the UN are placing privacy and security issues under the human rights umbrella. Non-government organizations are being created which specifically address personal information and privacy matters like Privacy International. It does not appear that these issues are of primary concern to politicians. The general public in most states have little education with regards to security of information being held in electronic form. This leaves the responsibility up to the individuals developing the software used in the online world. Society as a whole must bear the main responsibility for moving forward the necessary privacy and security issues, which state governments must address. Typical of many government agencies in the US are the publishing of key security points as in the Minnesota Office of Technology, master plan which states: “To ensure the integrity of public data and alleviate the concerns of the public, the state needs to think in new ways about how business is conducted. That includes: · Authorizing credit card use · Deciding who pays transaction fees · Determining who has access to what information · Archiving and managing electronic records · Determining reliable return on investment figures · Protecting information from fraud” (Minnesota Office of Technology 2001) Government in our own country are following suit with Europe and the US with similar legislation. For example, the Alberta Government recently updated its Freedom of Information and Privacy Protection Act, a comprehensive document covering issues like the purpose, manner, accuracy, retention, and correction of collected personal information. Its main purpose is to provide for; our access to personal information, the way public bodies may collect personal information, control over disclosure of personal information, and the right to have the information corrected. (Alberta Government 2001) Comfort with Your Cyber PET Adherence by companies to the recently published government privacy and security acts should alleviate some of our concerns. Most of this however is only visible to the Internet user that takes the time to read the privacy and protection notes available on most sites. The Consumers’ Association of Canada web site privacy and protection statement is quite well done. In a nutshell it addresses the concerns of: collection and use of personal information, cookies, the sharing of information, the impact of links it has with other sites, information collected via surveys, on-line and off-line security of information and the correction of information. (Consumers’ Association of Canada 2002) Privacy and Security: “Feeling Safe in CyberSpace?” 10 More visible to the individual Internet user would the new influx of what is referred to as privacy enhancing tools or PETs. PETs are an assortment of tools that give the user more control over the management and to some extent the distribution of their personal information. For example, with each release of new and improved browsers, I have personally found it more and more difficult to locate and activate or deactivate different software features. I imagine many online users would have no knowledge whatsoever in this regard, relying solely on the default settings of their browser. For these people, PETs may play a very large role in offering an understandable, simple, and easy to use interface for manipulating these features. Tavani and Moors in their 2001 paper on privacy, protection, control and PETs have put forward a solid argument stating we should not be lead to believe “that because one has increased control, one has increased privacy” (Tavani and Moors 2001). To paraphrase Tavani and Moor, although these tools provide the individual with the ability to manage and exert some level of control over their personal information, you should not believe that this indicates full control and security over your personal information.(Tavani and Moors 2001) For a sample of the various kinds of PETs, visit the Electronic Privacy Information Center’s Online Guide to Practical Privacy Tools. To summarize, PETs on this page come from a number species with the abilities to protect your email, cloak you with invisibility (while you surf and email), eat cookies, and encrypt just about anything. (EPIC 2002) This is by no means a complete list. You should visit their site for more. Privacy and Security: “Feeling Safe in CyberSpace?” 11 Conclusions The European Union set the precedence in the international arena by placing personal information regulations at the forefront of their trade agreements. This alone forces any state trading with the EU to adopt their principles. Change must take place on a state-by-state basis. We need to continue to motivate our governments to create laws to address specific data privacy areas such as; the collection and limitation of information collected; the purpose of the information; the limitation of disclosure to 3rd parties with or without the individuals consent; the security and safeguards of the information held by the collectors; the openness of the information to the subjects; the quality and accuracy of the information; the right of the subjects to inspect the information being stored and finally to make the collector of such information accountable to the subject. In this expanding online universe our rights to protection and privacy of personal information are being violated every time we logon. Software and hardware manufacturers must incorporate features that guarantee our personal information is kept private and secure. Here are some ideas how we can make a difference individually: By questioning every request by a government or business for personal information By demanding the ability to manage and control our personal information in the online environment By making use of PETs to improve manageability of security features By using sites like the Computer Security Resource at the National Institute of Standards for checking validated lists of security products (NIST) By visiting site like privacy.net and grc.com (Gibson Research) both of which offer consumer services and provide you with the ability to test the security of your PC (grc.com) and to view a sample of the personal information freely available to every site you visit (privacy.net) Questioning and contacting sites that violate our protection and privacy rights As a group in information technology professionals, we can make a difference by Keeping informed about privacy and security issues Familiarizing yourself with government privacy and security acts and statutes Ensuring the software you develop includes security and privacy features if applicable Following an industry acceptable code of ethics What can be done by commercial entities? Dan Greer says it best “When people with billions of dollars on the line are going to want the kind of loss protection that the insurance industry can provide. I don't think that industry is going to let its underwriting standards collapse just because it seems hard or inconvenient to set up the proper security in the e-world.” (Milojicic, Greer Interview IEEE Apr-Jun 2000) Is “BIG Brother” or “LITTLE Brother” watching YOU in cyberspace? Privacy and Security: “Feeling Safe in CyberSpace?” Recommendations I recommend you take the list of “what you can do to make a difference” from the conclusions section of this report, add your own ideas to the list and place that list beside your portal to the online universe. Let it serve as a daily reminder that you need to be concerned about the security of your personal information in the online universe. 12 Privacy and Security: “Feeling Safe in CyberSpace?” 13 Glossary Big Brother Cookie Encryption Hacker Kiddie script Little brother PDA Roaming SPAM Transmission medium Do you really need to ask? Data created by a Web server that is stored on a user's computer. It provides a way for the Web site to keep track of a user's patterns and preferences and, with the cooperation of the Web browser, to store them on the user's own hard disk. (techweb.com) The reversible transformation of data from the original (the plaintext) to a difficultto-interpret format (the ciphertext) as a mechanism for protecting its confidentiality, integrity and sometimes its authenticity. Encryption uses an encryption algorithm and one or more encryption keys. See encryption algorithm and cryptography. (techweb.com) Although it takes only a little knowledge to gain unauthorized entrance into most computers to extract information and/or perform some prank or mischief at the site, the term has unfortunately become synonymous in the popular press with "cracker," a person who performs an illegal act. This use of the term is not appreciated by the overwhelming majority of hackers who are honest professionals. See cracker, hack, samurai and script kiddie. (techweb.com) Automated scripts used to take advantage of a security flaws in a system. Requires very little knowledge to make use of said scripts. Commercial organizations or business that obtain your personal information without your consent. A personal digital assistant. Hand-held computer. The ability to use a communications device such as a cellphone or PDA and be able to move from one cell or access point to another without losing the connection. (techweb.com) To send copies of the same message to large numbers of newsgroups or users on the Internet. People spam the Internet to advertise products as well as to broadcast some political or social commentary. (techweb.com) The physical medium through which a signal propagates. Privacy and Security: “Feeling Safe in CyberSpace?” 14 References Banisar, David and Davies, Simon. Privacy and Human Rights: An International Survey of Privacy Laws and Practice. Privacy International. 1998. <http://www.gilc.org/privacy/survey/intro.html > (5 December 2002) CapsLock.fi Vision and Mission Statement. <http://www.capslock.fi/index.php?page=vision_and_mission> (6 December 2002) Consumers’ Association of Canada (CAC). Privacy and Security Statement May 28, 2002. <http://www.consumer.ca/privacyandsecuritystatement.cfm> (3 December 2002) Ely, Timothy Alan JR, E-Privacy in the Workplace (Employee Side) :A Report on Electronic Privacy in the workplace, 16 April, 1999 < http://www.timely2.com/E-privacy.htm> (3 December 2002). Epic.org EPIC Online Guide to Practical Privacy Tools, December 2, 2002. <http://www.epic.org/privacy/tools.html> (3 December 2002) Federal Trade Commission. Final Report of the FTC Advisory Committee on Online Access and Security, May 15 2000. <http://www.ftc.gov/acoas/papers/finalreport.htm> (3 December 2002). Forester, Tom and Morrison, Perry. Computer Ethics: Cautionary Tales and Ethical Dilemmas in Computing, 2nd Edition, MIT Press, Cambridge, Massachusetts, 1997, p. 347. Government of Alberta, Alberta's Freedom of Information and Protection of Privacy Act, 2000. <http://www3.gov.ab.ca/foip/legislation/foip_act/index.cfm> (3 December 2002) Grc.com Gibson Research Corporation. <www.grc.com> (6 December 2002) Kyrin, Jennifer. Your Files are not secure: Search engines can make secret files public, 2002. <http://html.about.com/library/weekly/aa113001a.htm> (3 December 2002). Milojicic, Dejan. IEEE. Trend Wars: Security and Privacy, Vol. 8, No. 2; April-June 2000, pp. 70-79 Minnesota Office of Technology. Master Plan, February 2001. <http://www.state.mn.us/ebranch/ot/masterplan/masterplan.html> (3 December 2002). MobileInfo.com. Wireless & Mobile Computing Security: Critical Success Factors for Wireless Security, 2001. <http://www.mobileinfo.com/Security/success_factors.htm> (3 December 2002). National Institute of Standards and Technology, Computer Security Resource <http://www.csrc.nist.gov > (3 December 2002). Privacy and Security: “Feeling Safe in CyberSpace?” 15 Panko, Raymond. Business Data Networks and Telecommunications, Upper Saddle River, NJ, 2002, p. 510. Privacy.net. Privacy Analysis of your Internet Connection, 2002. <http://www.privacy.net/analyze/> (3 December 2002) Rutkowski, Tony. Internet Trends. Center for Next Generation Internet. 2001 <http://www.ngi.org/trends.htm> (5 December 2002) Tavani, Herman, Moor, James. ACM Press, New York, NY, 2001, p6 - 11 ISSN:0095-2737. (3 December 2002) TechWeb.com. TechEncyclopedia. <http://www.techweb.com/encyclopedia> (5 December 2002) Walters, Gregory. ACM Press, New York, NY, 2001, p8-23 ISSN:0095-2737. (3 December 2002) Privacy and Security: “Feeling Safe in CyberSpace?” Appendix The following table has been constructed from Internet statistics retrieved from the Center for Next Generation Internet. Month-year of survey Total Internet Host Count Feb-00 Sep-00 Mar-01 72.4 93 109 (Rutkowski 2001) 16