Printer Friendly

The encryption factor.

Web customers need to trust that their personal data is secure but, explains Juliet Hoskins, privacy does not mean anonymity, and attacks on new forms of tracking technology are counter-productive

The concept of privacy lies at the heart of internet business, particularly among new users, already uncertain about the security of transactions, who are now concerned about how their information may be used. Privacy does not mean anonymity. While we may wish for anonymity ourselves, we mistrust it for others. "A signed love letter is flattering; an anonymous love letter is creepy," points out Stuart Baker, a solicitor at US firm Steptoe & Johnson.

Privacy should mean that personal information is seen only by those who need to see it and is not passed to unscrupulous third parties. The debate centres on whether to preserve anonymity, or to implement strong authentication so that the information trail can be properly controlled.

The argument over privacy and authentication is similar to that over encryption. Do you limit strong encryption in case it gets into the wrong hands, or do you regulate against the people who would abuse it? Originally, governments argued that strong authentication was more important for secure networks than strong encryption and did not try to stop strong authentication. Now many are trying to do just that. Attacks on authentication technologies are a worrying trend.

Intel's new P3 processor, for instance, contains a processor serial number unique to that chip and can be set to reveal its serial number. Similarly, Microsoft has incorporated into its software a method of identifying each document with a globally unique identifier (GUID) that includes information about the machine on which it was produced. This has already been used to track the author of the Melissa virus.

Privacy groups attacked these developments as soon as they were announced and governments followed, but the US Federal Trade Commission and state attorneys general did not sue Intel and Microsoft. Europe claims not to regulate technology, but several government agencies conveyed a simple message: "disable those technologies or face unpleasant sanctions."

"The attack on these technologies is ironic," Baker says. Privacy advocates led the fight against the FBI's effort to restrict encryption technology, claiming that technologists, not government, should determine which technologies are deployed, particularly if they provided security for responsible users. The FBI was restricting technology simply because it might be misused by a few. Surely it was better to regulate the misuse than to deny everyone better security.

But when it came to authentication, the arguments were reversed. Privacy advocates admitted that the serial number and GUID may make network users more accountable and secure, but they could be misused to track users through cyberspace. Their answer, however, was not to regulate unscrupulous users -- they wanted these capabilities removed from the hardware and software to preserve anonymity.

But if we do that, we end up trusting networks of anonymous, unaccountable users. We want to share information with some people and not with others. If there's no way to tell who's using the network ar who's accessing our data, then we can't tell whether or not our expectations have been met. International law is still a long way behind technology and the protection of data is a key debate. While the US relies on sell-regulation, the EU believes in laws.

This divergence has caused severe problems for those sending data from Europe to America. "The EU directive 95/46 on the protection of individuals over the processing of personal data and on the free movement of such data protects users and prohibits data transmissions to countries without the same level of protection," explains Dr Andreas Mitrakas, GlobalSign NV. "Data collected in Europe cannot be transmitted to the US for storage or processing."

An issue of substance may also arise over the personal data of applicants for digital certificates. Many of these services are offered by European and overseas providers on the world wide web. The EU directive says that personal data collected in Europe should remain in Europe.

Of course there have been scandals. "A well-known advertising banner company briefly took its stock off the market this year, after its data collection practices were investigated," says Eric Arnum, US editor at the European Forum for Electronic Commerce (EEMA). "When the company serves up a banner on one of its 11,000 websites, it gives out a `cookie', a unique code which signals to the company when it has a return visitor. People who don't erase their cookie.txt file provide details about how often they visit all those sites.

"The company crossed the line when it launched a personalisation service to collect names, ages, incomes, education, home location, ages of children etc. The company could attach a name and an income to a cookie -- it could tell which rich suburban men bought on-line porn, which kids bought the latest NSyncalbum, and where their mothers worked."

Juliet Hoskins is editor of EEMA Briefings for The European Forum for Electronic Commerce EEMA will be exhibiting at e-business Expo 2000, 7-9 November 2000, Olympia, London

In the US, data protection is based on self-regulation. The Federal Trade Commission said in May that this was not working. A survey of websites found that just 20 per cent adhered to principles of notice, consent, access and security:

* Notice -- companies must provide clear and conspicuous notice about what information will be collected and how it may be used;

* Consent -- consumers will "opt in" before personally identifiable information is collected, used or disclosed. Consumers must be able to opt out when non-personally identifiable information is collected;

* Access -- companies must provide access to personal data and an opportunity to correct it;

* Security -- companies must protect the security and confidentiality of information. Notice of breaches in security must also be provided.
COPYRIGHT 2000 Chartered Institute of Management Accountants (CIMA)
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2000 Gale, Cengage Learning. All rights reserved.

 Reader Opinion

Title:

Comment:



 

Article Details
Printer friendly Cite/link Email Feedback
Title Annotation:information gathering practices in e-buisness
Author:Hoskins, Juliet
Publication:Financial Management (UK)
Article Type:Brief Article
Geographic Code:4EUUK
Date:Oct 1, 2000
Words:964
Previous Article:Out of cash.
Next Article:Fighting in the aisles.
Topics:


Related Articles
Macrovision Encryption System Secures International Satellite Transmission for Orbit Communications.
Ingrian Networks Brings Data Encryption to Higher Education Ensuring Security of Sensitive Information.
Recent Customer Findings Underscore Need for Unified Enterprise Key Management Strategy.

Terms of use | Copyright © 2014 Farlex, Inc. | Feedback | For webmasters