Offline - Algonquin College

advertisement
Privacy and Security: “Feeling Safe in CyberSpace?”
Privacy and Security:
“Feeling Safe in CyberSpace?”
Reg Dyer
December 6, 2002
1
Privacy and Security: “Feeling Safe in CyberSpace?”
2
Table of Contents
Abstract .......................................................................................................................................... 3
Who Should Read this Article? ............................................................................................... 3
Introduction ................................................................................................................................... 4
Are You Safe in CyberSpace? ...................................................................................................... 6
Cyber Breakdown ..................................................................................................................... 6
Global Cooling........................................................................................................................... 8
Comfort with Your Cyber PET ............................................................................................... 9
Conclusions .................................................................................................................................. 11
Recommendations ....................................................................................................................... 12
Glossary ....................................................................................................................................... 13
References .................................................................................................................................... 14
Appendix ...................................................................................................................................... 16
Privacy and Security: “Feeling Safe in CyberSpace?”
3
Abstract
Security and privacy of personal information is a much-discussed topic in the expanding
online universe. The Internet is growing at an alarming rate and is still very much uncontrolled
from a security and privacy perspective. Progress in this area has been slow at best. For
example, Canada only upgraded their information and privacy laws to include this new
environment in the late 90’s.
This uncontrolled environment is giving birth to many new tools designed to enhance privacy
and security features in the online environment. Although these tools are a positive step, they do
not guarantee security and privacy of our personal information. There is a need for continued
research and development in this area from both a technical perspective and social perspective.
Changes will only occur through deliberate action on our part.
Security and privacy of personal information is at the least, very difficult in this global
environment. These issues involve many stakeholders, from the individual PC and Web user, the
IT professional, commercial operations, to the governments of the world. The online
environment is such that in order to guarantee protection and privacy, co-operation must be
secured from all stakeholders.
This article highlights some of the key issues for individuals, government, and corporations.
It offers little in terms of recommendations other than to keep abreast of these issues, to take
action at a personal level, and to question every request for personal and private information.
Key-words : security, privacy, personal information, government, privacy enhancing tools,
PET, privacy acts, privacy statutes
You can view the article online at: Online Version
Who Should Read this Article?
This introductory article is targeted at the IT professional and advanced online user interested
in learning more about personal security in an increasingly un-secure on-line environment. It is
assumed the reader has a background in IT with little knowledge of online security environment
and related issues.
Privacy and Security: “Feeling Safe in CyberSpace?”
4
Introduction
“… U.S. Customs officials at Los Angeles International Airport ran a routine check of
passengers on a TWA flight from London and scored a hit on a Richard Lawrence Sklar, a
fugitive wanted for his part in an Arizona real estate scam. ... the fifty-eight-year-old passenger
was strip-searched, moved from one holding-cell to another, and handcuffed to several violent
offenders. The only problem was that the authorities had the wrong man.” (Forrester and
Morrison 1997)
The above example could have been you. It was made possible by the advances in computer
and communications technology. It occurred due to inaccurate information being stored in a
government database. With the rapid technological advancements of today, come a number of
surprising and serious privacy and security concerns. Old and new moral issues related to basic
human rights and an individual’s right to privacy are discussed in books like “Computer Ethics,
Cautionary Tales and Ethical Dilemmas in Computing’ and monitored by watchdog groups like
the Global Internet Liberty Campaign and Privacy International. Computer technology,
particularly telecommunications technology and the World Wide Web, have “compressed time
and space.” They have made the world seem like a smaller place. At the click of a button, for
little to no cost, you can communicate with an individual on the opposite side of the world. This
gives rise to major issues with our online environment, especially the privacy and protection of
personal information in a networked environment. Ray Panko gives a modern day description of
the various types of attackers in our cyberspace.
Personal security and privacy issues are very broad based. They involve not only the
individual, but have far greater reach, from your local bank branch to various government
departments, and ultimately to the global community. In consideration of personal security and
privacy, it behooves us to look at the affect of outside influences. These outside influences
consist of governments, commercial operations, and individuals. The government perspective
has been captured thru researching policy papers, plans, and statements. Plans such as the
Minnesota Office of Technology master plan, offers a practical example of technology planning
within a governing body. It considers, albeit briefly, the issues of privacy and security of
personal data
“In terms of security, both citizens and businesses must absolutely believe that
Electronic Government Services provide impenetrable protection from theft, fraud or
malicious use of their information” (Minnesota Office of Technology 2001)
By looking at government reports to regulatory agencies like the US Federal Trade
Commission, responsible for enforcing consumer protection statutes and other statutory
regulations, we can get insight into what our governments see and should see as privacy and
security concerns. Canadian views are obtained from sources like the recently updated statute on
Information and privacy from the Alberta Government, practical applications like the policy
statement by the Consumers’ Association of Canada.
Views from government and watchdog organizations are not enough, companies like
MobileInfo.com, specializing in wireless and mobile systems provide a commercial perspective
Privacy and Security: “Feeling Safe in CyberSpace?”
5
on newer wireless technologies including hand held devices like PDA’s and cell phones.
Probably of most concern to individuals would be security risks that affect them on a day-to-day
basis. Exposures like unrestricted access to information stored on our PC, the ability of
organizations to obtain personal information without our knowledge, or the possibility of outside
agents corrupting our appliance (the computer) in one way or another. Jennifer Kyrin, an
established corporate web page designer has uncovered a specific set of exposures relating to
many World Wide Web search engines in particular. Have a concern about how secure your
computer really is? You can visit sites like the Electronic Privacy Information Center and visit
their online guide to practical privacy tools, or Privacy.net, more of a commercial advertisement,
but still providing the service of showing you first hand what information is available to every
single web site you visit. Gibson Research, grc.com is another site specializing in practical
security.
I have rejected sources offering a more specialized focus like Tim Ely’s report on privacy in
the workplace or Gregory Walter’s article, which focuses too broadly on privacy and security.
Most individuals entering cyberspace are or should be concerned about the protection of
personal data and information.
Privacy and Security: “Feeling Safe in CyberSpace?”
6
Are You Safe in CyberSpace?
Computers and the World Wide Web have no sense of borders, nor recognition of an
individual’s sense of security and right to privacy. Today, it is easier to browse information
located in another country than it is to mail a letter. Governments, business, and some
individuals have taken full advantage of these new technologies, using them to obtain and “link”
information in databases together from distant and separate areas. In a sense, we could say that
processing of information requires far less effort today than it did even five years ago. For
example, personal credit can be granted within minutes of applying as today’s technology
provides searching capabilities of multiple credit databases at the click of a button. With the
advancements in technology, state governments, private business, and unethical people are
abusing and violating our basic rights to security and privacy every single day. For example,
hacking is very prevalent today because it requires little effort to do so. Hackers do not have to
break into your house they just hack into your computer without ever leaving their residence.
As can be seen from the following chart, the Internet is experiencing unprecedented growth
(See appendix for data).
Internet Growth
Internet Growth Rate
Month-year
of 150
survey
100
50
0
Total Internet Host Count
72.4
Feb-00
Sep-00
Feb-00
Mar-01
109
93
72.4
93
Sep-00
109
Hosts in Millions
Mar-01
Month - year of survey
(Rutkowski 2001)
With growth of this magnitude, security and privacy violations will only increase. The
Internet is still very much uncontrolled from a security and privacy perspective.
Where do we start? We need to start by asking the question, “What are you concerned
about?” Most individuals would concur with Dan Greer, “When I log into a machine, I want to
know that my information is not being inadvertently shared with others. When I send an e-mail, I
want to know that it is not being stolen, copied, or intercepted during transmission. When I trade
stock online, I need to know that when I say "Buy 100" that is what happens and not some other
transaction.” (Milojicic 2000)
Cyber Breakdown
There are many types of risks and attackers that may “break” into our personal and private
world. Direct attacks on our personal computer are the most obvious and perhaps the easiest to
Privacy and Security: “Feeling Safe in CyberSpace?”
7
secure. The exposure of personal information has extended well beyond that of your PC.
Governments and commercial entities are now providing delivery of goods and services online
making personal information held by these organizations at risk. Information is far more
accessible through government and commercial web sites as they are accessed by hundreds of
thousands of individuals. Is this really a concern in light of the continual advancements made in
both hardware and software technology? Ray Panko, in his book about networks and
telecommunications puts our concerns into perspective “In 2001, a major financial institution
detected 1.5 attacks every second during one sample week. For non-Web (non-HTTP)
transactions, an astounding 85 percent of all messages were unauthorized. Also in 2001,
MessageLabs (a provider of outsourced virus detection services) detected an average of one virus
in every 400 e-mails that it examined.” (Panko 2002) How safe do you feel now performing
online banking?
Even though you may think your PC is safe, you must also question your Internet and/or
network provider and any commercial site where you do business. To paraphrase Jennifer Kyrin,
a corporate web page developer since 1993, few files in a web site directory are completely
secure. Search engines and related tools, which automate scanning, cataloging, and indexing of
web site information, have access to any non-protected files in a web directory. This has allowed
engines like Google, to catalog and search based on file type. Not only are html files visible, but
also rich text files (rtf), PDF’s, postscript, Word documents, even spreadsheet files and
PowerPoint presentations. (Kyrin 2002) Even commercial sites are subject to security “loop
holes”. It could be your personal information attackers are obtaining from these un-secure sites.
Perhaps, like me, you’re a user of wireless networks. These types of transmission mediums
are even more at risk than traditional fixed networks like those found with most IP’s. CapsLock,
a “mobile security niche solution provider” (CapsLock.fi 2002) has developed a list of what it
sees as critical success points for wireless networks. To summarize these points available at
MobileInfo.com: not all wireless devices can or will provide hardware encryption, use a software
solution for encryption; Encryption for wireless access does not automatically propagate from
your fixed network, build encryption features into your web application; Plan and test your
security measures, particularly those that have roaming capability; Different wireless
applications require different levels of protection forcing you to tailor solutions to the needs of
the application; A single solution is impossible in a wireless network that’s subject to such a
wide variety of security threats, prepare to implement many different approaches.
(MobileInfo.com 2001)
Where do these attacks come from? To paraphrase Ray, attackers can be organized into five
different types: experienced well seasoned hackers; individuals with little knowledge making use
of “kiddie scripts”; criminals from organized crime and industrial/government spies; terrorists
and governments intent on destroying a countries IT structure. (Panko 2002)
One well-known privacy risk to most Internet users is cookies. A cookie is a small file
written on your PC by a server. Honest use of cookies involve storing information regarding
perhaps your web page preferences at a particular website, or storing the items in your online
shopping cart to be restored next time you visit or shop at a site. Although this presents a risk of
recording your purchases and preferences, dishonest use of cookies are more of concern.
Privacy and Security: “Feeling Safe in CyberSpace?”
8
Unscrupulous web site owners can use cookies to track your browsing habits and store
information about you that in turn could be sold or used illegally. Most browsers have the
capability to disable cookies, however more and more legitimate sites today require cookies to be
enabled.
Unsolicited advertising e-mail (SPAM) is cluttering the Internet. You can even find sites on
the Web that provide the capability to send email anonymously. The receiver cannot tell where
the message originated. Aside from a virus concern, these messages may not present an
immediate risk, however, you may unknowing confirm with the sender that your email address is
valid by clicking the link to remove yourself from their subscriber list. The operation now has
confirmation that they sent their message to a legitimate email address, which in turn they can
sell or use for further marketing.
Although these are but a few startling facts, issues of personal privacy and security have
global scope.
Global Cooling
Most states throughout the world recognize human rights to privacy in their constitutions. It
wasn’t until the early 1970's that states began to adopt more stringent privacy laws with regards
to the privacy of personal information. As of the late 90’s, very few states had recognized the
need to change privacy laws and legislation to encompass this new “online” technology. This is
evident within our own country, which only recently (1998) tabled legislation to address
information privacy and security issues. An exception to this was the European Union. The EU
recognized and acted towards protecting our privacy with regards to trans-border flow of
information with groundbreaking legislation in 1995.
“… conscious both of the shortcomings of law, and the many differences in the level of
protection in each of its States, the European Union passed a Europe-wide directive
which will provide citizens with a wider range of protections over abuses of their data.
The directive on the “Protection of Individuals with regard to the processing of personal
data and on the free movement of such data” sets a benchmark for national law. Each EU
State must pass complementary legislation by October 1998.” (Banisar and Davies 1998)
This ground breaking international agreement focuses on the collection and trans-border flow
of personal information. For state to continue trade with EU members, they are being forced to
adopt more comprehensive laws concerning the protection and privacy of personal data. It is
evident from this agreement that privacy and security of personal information has global
significance. Modern societies must decide what forms of data collection are necessary and what
constitutes an invasion of privacy. We must preserve our right to individuality and uniqueness in
order to block the growing invasion of privacy occurring today.
The European Union has made tremendous strides in placing privacy and information
protection at the forefront of their trade requirements. No other country has incorporated this
Privacy and Security: “Feeling Safe in CyberSpace?”
9
component into their trade packs on such an international scale. Governments and business are
both guilty of unethical behavior with regard to using, storing and sharing personal information
in electronic form. The rapid advancements in technology will undoubtedly contribute too
further abuse of this information. Most states, including the UN are placing privacy and security
issues under the human rights umbrella. Non-government organizations are being created which
specifically address personal information and privacy matters like Privacy International. It does
not appear that these issues are of primary concern to politicians. The general public in most
states have little education with regards to security of information being held in electronic form.
This leaves the responsibility up to the individuals developing the software used in the online
world.
Society as a whole must bear the main responsibility for moving forward the necessary
privacy and security issues, which state governments must address. Typical of many
government agencies in the US are the publishing of key security points as in the Minnesota
Office of Technology, master plan which states:
“To ensure the integrity of public data and alleviate the concerns of the public, the state
needs to think in new ways about how business is conducted. That includes:
· Authorizing credit card use
· Deciding who pays transaction fees
· Determining who has access to what information
· Archiving and managing electronic records
· Determining reliable return on investment figures
· Protecting information from fraud” (Minnesota Office of Technology 2001)
Government in our own country are following suit with Europe and the US with similar
legislation. For example, the Alberta Government recently updated its Freedom of Information
and Privacy Protection Act, a comprehensive document covering issues like the purpose,
manner, accuracy, retention, and correction of collected personal information. Its main purpose
is to provide for; our access to personal information, the way public bodies may collect personal
information, control over disclosure of personal information, and the right to have the
information corrected. (Alberta Government 2001)
Comfort with Your Cyber PET
Adherence by companies to the recently published government privacy and security acts
should alleviate some of our concerns. Most of this however is only visible to the Internet user
that takes the time to read the privacy and protection notes available on most sites. The
Consumers’ Association of Canada web site privacy and protection statement is quite well done.
In a nutshell it addresses the concerns of: collection and use of personal information, cookies, the
sharing of information, the impact of links it has with other sites, information collected via
surveys, on-line and off-line security of information and the correction of information.
(Consumers’ Association of Canada 2002)
Privacy and Security: “Feeling Safe in CyberSpace?”
10
More visible to the individual Internet user would the new influx of what is referred to as
privacy enhancing tools or PETs. PETs are an assortment of tools that give the user more
control over the management and to some extent the distribution of their personal information.
For example, with each release of new and improved browsers, I have personally found it more
and more difficult to locate and activate or deactivate different software features. I imagine
many online users would have no knowledge whatsoever in this regard, relying solely on the
default settings of their browser. For these people, PETs may play a very large role in offering
an understandable, simple, and easy to use interface for manipulating these features.
Tavani and Moors in their 2001 paper on privacy, protection, control and PETs have put
forward a solid argument stating we should not be lead to believe “that because one has
increased control, one has increased privacy” (Tavani and Moors 2001). To paraphrase Tavani
and Moor, although these tools provide the individual with the ability to manage and exert some
level of control over their personal information, you should not believe that this indicates full
control and security over your personal information.(Tavani and Moors 2001)
For a sample of the various kinds of PETs, visit the Electronic Privacy Information Center’s
Online Guide to Practical Privacy Tools. To summarize, PETs on this page come from a number
species with the abilities to protect your email, cloak you with invisibility (while you surf and
email), eat cookies, and encrypt just about anything. (EPIC 2002) This is by no means a
complete list. You should visit their site for more.
Privacy and Security: “Feeling Safe in CyberSpace?”
11
Conclusions
The European Union set the precedence in the international arena by placing personal
information regulations at the forefront of their trade agreements. This alone forces any state
trading with the EU to adopt their principles. Change must take place on a state-by-state basis.
We need to continue to motivate our governments to create laws to address specific data privacy
areas such as; the collection and limitation of information collected; the purpose of the
information; the limitation of disclosure to 3rd parties with or without the individuals consent; the
security and safeguards of the information held by the collectors; the openness of the information
to the subjects; the quality and accuracy of the information; the right of the subjects to inspect
the information being stored and finally to make the collector of such information accountable to
the subject. In this expanding online universe our rights to protection and privacy of personal
information are being violated every time we logon. Software and hardware manufacturers must
incorporate features that guarantee our personal information is kept private and secure.
Here are some ideas how we can make a difference individually:
 By questioning every request by a government or business for personal information
 By demanding the ability to manage and control our personal information in the online
environment
 By making use of PETs to improve manageability of security features
 By using sites like the Computer Security Resource at the National Institute of Standards
for checking validated lists of security products (NIST)
 By visiting site like privacy.net and grc.com (Gibson Research) both of which offer
consumer services and provide you with the ability to test the security of your PC
(grc.com) and to view a sample of the personal information freely available to every site
you visit (privacy.net)
 Questioning and contacting sites that violate our protection and privacy rights
As a group in information technology professionals, we can make a difference by
 Keeping informed about privacy and security issues
 Familiarizing yourself with government privacy and security acts and statutes
 Ensuring the software you develop includes security and privacy features if applicable
 Following an industry acceptable code of ethics
What can be done by commercial entities? Dan Greer says it best “When people with billions
of dollars on the line are going to want the kind of loss protection that the insurance industry can
provide. I don't think that industry is going to let its underwriting standards collapse just because
it seems hard or inconvenient to set up the proper security in the e-world.” (Milojicic, Greer
Interview IEEE Apr-Jun 2000)
Is “BIG Brother” or “LITTLE Brother” watching YOU in cyberspace?
Privacy and Security: “Feeling Safe in CyberSpace?”
Recommendations
I recommend you take the list of “what you can do to make a difference” from the
conclusions section of this report, add your own ideas to the list and place that list beside
your portal to the online universe. Let it serve as a daily reminder that you need to be
concerned about the security of your personal information in the online universe.
12
Privacy and Security: “Feeling Safe in CyberSpace?”
13
Glossary
Big Brother
Cookie
Encryption
Hacker
Kiddie script
Little brother
PDA
Roaming
SPAM
Transmission medium
Do you really need to ask?
Data created by a Web server that is stored on a user's computer. It provides a way
for the Web site to keep track of a user's patterns and preferences and, with the
cooperation of the Web browser, to store them on the user's own hard disk.
(techweb.com)
The reversible transformation of data from the original (the plaintext) to a difficultto-interpret format (the ciphertext) as a mechanism for protecting its confidentiality,
integrity and sometimes its authenticity. Encryption uses an encryption algorithm
and one or more encryption keys. See encryption algorithm and cryptography.
(techweb.com)
Although it takes only a little knowledge to gain unauthorized entrance into most
computers to extract information and/or perform some prank or mischief at the site,
the term has unfortunately become synonymous in the popular press with "cracker,"
a person who performs an illegal act. This use of the term is not appreciated by the
overwhelming majority of hackers who are honest professionals. See cracker, hack,
samurai and script kiddie. (techweb.com)
Automated scripts used to take advantage of a security flaws in a system. Requires
very little knowledge to make use of said scripts.
Commercial organizations or business that obtain your personal information without
your consent.
A personal digital assistant. Hand-held computer.
The ability to use a communications device such as a cellphone or PDA and be able
to move from one cell or access point to another without losing the connection.
(techweb.com)
To send copies of the same message to large numbers of newsgroups or users on the
Internet. People spam the Internet to advertise products as well as to broadcast some
political or social commentary. (techweb.com)
The physical medium through which a signal propagates.
Privacy and Security: “Feeling Safe in CyberSpace?”
14
References
Banisar, David and Davies, Simon. Privacy and Human Rights: An International Survey of
Privacy Laws and Practice. Privacy International. 1998.
<http://www.gilc.org/privacy/survey/intro.html > (5 December 2002)
CapsLock.fi Vision and Mission Statement.
<http://www.capslock.fi/index.php?page=vision_and_mission> (6 December 2002)
Consumers’ Association of Canada (CAC). Privacy and Security Statement May 28, 2002.
<http://www.consumer.ca/privacyandsecuritystatement.cfm> (3 December 2002)
Ely, Timothy Alan JR, E-Privacy in the Workplace (Employee Side) :A Report on Electronic
Privacy in the workplace, 16 April, 1999 < http://www.timely2.com/E-privacy.htm> (3
December 2002).
Epic.org EPIC Online Guide to Practical Privacy Tools, December 2, 2002.
<http://www.epic.org/privacy/tools.html> (3 December 2002)
Federal Trade Commission. Final Report of the FTC Advisory Committee on
Online Access and Security, May 15 2000. <http://www.ftc.gov/acoas/papers/finalreport.htm>
(3 December 2002).
Forester, Tom and Morrison, Perry. Computer Ethics: Cautionary Tales and Ethical Dilemmas
in Computing, 2nd Edition, MIT Press, Cambridge, Massachusetts, 1997, p. 347.
Government of Alberta, Alberta's Freedom of Information and Protection of Privacy Act, 2000.
<http://www3.gov.ab.ca/foip/legislation/foip_act/index.cfm> (3 December 2002)
Grc.com Gibson Research Corporation. <www.grc.com> (6 December 2002)
Kyrin, Jennifer. Your Files are not secure: Search engines can make secret files public, 2002.
<http://html.about.com/library/weekly/aa113001a.htm> (3 December 2002).
Milojicic, Dejan. IEEE. Trend Wars: Security and Privacy, Vol. 8, No. 2; April-June 2000, pp.
70-79
Minnesota Office of Technology. Master Plan, February 2001.
<http://www.state.mn.us/ebranch/ot/masterplan/masterplan.html> (3 December 2002).
MobileInfo.com. Wireless & Mobile Computing Security: Critical Success Factors for Wireless
Security, 2001. <http://www.mobileinfo.com/Security/success_factors.htm> (3 December 2002).
National Institute of Standards and Technology, Computer Security Resource
<http://www.csrc.nist.gov > (3 December 2002).
Privacy and Security: “Feeling Safe in CyberSpace?”
15
Panko, Raymond. Business Data Networks and Telecommunications, Upper Saddle River, NJ,
2002, p. 510.
Privacy.net. Privacy Analysis of your Internet Connection, 2002.
<http://www.privacy.net/analyze/> (3 December 2002)
Rutkowski, Tony. Internet Trends. Center for Next Generation Internet. 2001
<http://www.ngi.org/trends.htm> (5 December 2002)
Tavani, Herman, Moor, James. ACM Press, New York, NY, 2001, p6 - 11 ISSN:0095-2737. (3
December 2002)
TechWeb.com. TechEncyclopedia. <http://www.techweb.com/encyclopedia> (5
December 2002)
Walters, Gregory. ACM Press, New York, NY, 2001, p8-23 ISSN:0095-2737. (3
December 2002)
Privacy and Security: “Feeling Safe in CyberSpace?”
Appendix
The following table has been constructed from Internet statistics retrieved from the Center for
Next Generation Internet.
Month-year
of survey
Total Internet Host Count
Feb-00
Sep-00
Mar-01
72.4
93
109
(Rutkowski 2001)
16
Download