4/20/01
33
WEB PRIVACY
APRIL 20, 2001
Professors Varghese Jacob & Sumit Sarkar
University of Texas at Dallas
EMBA 2002
GROUP 227
Efrain Castro, Dinesh Parmar, Michael Raiford, Robert Reich, Kim Walker, Claudia Worme
Table of Content
Preface 3
Introduction 4
Privacy in Consumer Relationships 5
Enablers of Privacy Invasion 8
Methods of Protection 14
Harware and Software security solutions 15
Government Regulation 18
Governmental Iniatives 18
Government Adopted Laws 19
Privacy Bills Currently in Congress 22
Non-Government Privacy Organizations 23
International Regulations: European Union 25
Concluding Statement 25
Bibliography 27
Addendum A- Cybersurance By Lotte Chow: Far Eastern Economic Review March 15, 2001
Addendum B- The End of Privacy by Peter H. Lewis Fortune Magazine: March 19, 2001 Vol. 143, No. 6
Addendum C- Ambushed, A laundry list of hot digital issues awaits George W. Bush Carl M. Cannon Forbes ASAP February 19, 2001
Preface
Privacy on the WEB
Is there really any?
“You’ve got mail”, but is it secure?
Does a company have the right to profile your Internet use?
Does a company have the right to sell your personal information to other companies?
Do you have the right to know if you are being “watched”?
Do others have the right to gather personal data without your knowledge or permission?
Does a third party have the right to download files or other tracking software on to your computer without your consent or knowledge?
The answers to these questions elicits great debate. Currently individuals, government, and business are aligning in different camps as to just what is an invasion of privacy and what is just business.
Introduction
An invasion of privacy is defined as “intentional intrusion upon the solitude or seclusion of another that is highly offensive to a reasonable person”. Footnote: Webster’s Collegiate Dictionary. Privacy on the World Wide Web typically refers to security and confidentiality of personal and/or financial information obtained by businesses about their customers or trading partners. The privacy world is rapidly changing as a result of employees and consumers wanting to know more about the how’s, the what’s and where’s of their personal information being collected and disseminated. A recent Forbes article noted that 56% of Americans are “ very concerned” about intrusions into their personal privacy and 86% of computer users surveyed also believed that businesses should get explicit permission from users before collecting personal information about them. Foot note: Forbes ASAP February 19, 2001 Such levels of concern are obviously fodder for great privacy debates in federal and state regulatory agencies.
What has caused this recent interest and concern in personal privacy? The single largest factor is the trend of using profiling by on-line retailers to target individual preferences for direct solicitation, portfolio development and resale. In addition the proliferation of hacker attacks and the amount of data they can potentially access has added to the concern. Part of the issue is what is acceptable business practice and what is not when dealing with individual privacy and the gathering of personal information. Information about consumers is big business and very valuable, especially for start-ups in their effort to become first movers in a particular business sector. Ostensible to internal use of personal information, there is also a growing trend among businesses to sell captured information to other businesses.
The gathering and development of personal data has always been available via public records such as: Birth Certificates, passports, Department of Motor Vehicles, telephone books, online databases (Government and non-Government), school records, etc. but never with the accessibility that exists with today’s WEB-centric technology. The Internet has increased accessibility and shortened the time involved in linking data together, thus creating opportunities for personal profiling, marketing of personal information for a profit, and even identify-theft.
Privacy
Personal Security/ Privacy
Anonymity is still widespread on the Internet, although WEB Browsers and commercial WEB sites gather consumer information that sometimes may unnecessarily compromises the privacy of computer users. Individuals, as well as businesses, must educate themselves on methods and tools used to gather information and need to be proactive in the protection of personal information and habits. See appendix A: Titled Cybersurance
Privacy in the Workplace
According to the Privacy Foundation, two-thirds of fortune 500 American firms do some type of in-house electronic surveillance, while an estimated 27% of firms surveyed monitor email. Foot note Privacy Foundation, February 2001 WEB privacy has in recent years begun to trigger legal action as a result of employee’s expressing their right to privacy in the workplace and the monitoring of workplace activities.
Employers monitor employees for various reasons, some of which are:
· Employee’s non-compliance with company policies
· Inappropriate use of work time
· Enforcement of company rules
· Protection of intellectual property
· Protection from liability for an employee’s misuse of company resources
Many employers believe that any transactions rendered on company owned computers or over the company’s electronic communications system are indeed the property of the company, and therefore, the organization has the undeniable right to access and control it. The law is still debating the issues and questioning if, in fact, the employee does have any reason to believe that their data is private or secure. While at the same time the courts do believe the employer has the right to guard electronic data in order to protect commercial trade secrets. Historically, courts have allowed employers to engage in corporate surveillance when there is a compelling reason to do so. Some reasons the court would support individual or group surveillance would be in the case of employees causing injury to other employees via racist, sexist, obscene, or harassing behavior. The law has not, in general, provided much encouragement for the employee to sue their employer for privacy violations but tends rather to support the right of the employer to control data over the employees right to privacy at the workplace. Individuals interested in their personal privacy at work should take the time to familiarize themselves with company policies concerning such things as email, Internet use, and general privacy practices. Most major corporations openly publish their monitoring practices in their policies and the courts have generally ruled in favor of the corporation in such cases.
Privacy in Consumer Relationships
The biggest privacy challenges to date involve collecting personal information for advertising purposes. The issue is not necessarily the gathering of the data, but the fact that in most cases the user is seldom notified that information was collected or was permission granted. Additionally, the user has no way of knowing if the data that was collected is correct or secure. Privacy groups are on high alert. A site that misuses the consumer information it collects will often find its reputation quickly tarnished as word surfaces via email, electronic newsgroups, and privacy alert WEB sites. Such behavior can result in financial losses, losses of expanded markets and extended customer bases and potentially regulatory fines. Example: America Online is dropping an advertising claim that “ at America Online, your security and privacy are always protected.” The Better Business Bureau said there was no way AOL could always protect customers when they venture out onto the Internet. Footnote: Better Business Bureau on-line. Another example is a recent decision by YAHOO! to liquidate it’s company affiliated and listed Adult Site and Services due to consumer pressures and privacy issues. Footnote: CNN, Time /Warner, April 13.
Service providers (ISP’s) and corporations that work to build trusting relationships and strong images in the areas of WEB privacy are proven to have the most lasting relationships with their customers because of their commitment to privacy issues, according to the Better Business Bureau on-line. To protect one’s self, individuals should take the time to review the privacy policy of the gatherer before providing any personal information. Additionally, it is recommended to only provide the minimum information required to complete the specific transaction and never offer information that is not relevant to the process or action being performed. For instance, one should not provide personal financial data on a site that would have no obvious need for this information.
What has enabled thE invasion?
The wide spread use of the Internet and E-mail by corporations and individuals is the predominant enabler of privacy invasion. Along with the Internet came the relative ease of information gathering. Due to poor or non-existent privacy polices as well as a public ignorant to the capabilities of sophisticated software to secretly gather information, we find ourselves more vulnerable than ever before. In addition, most corporations now use e-mail as their primary form of business communication and allow employees Internet access for business and personal use, but few businesses have educated their employees on the proper use, privacy policies or protection of email communication or the transfer of personal and business data.
Enablers of Privacy Invasion-Definitions
Cooperative Browsers
A cooperative browser is one that allows information to flow freely between itself and the WEB site being visited without notifying the user. The basic design of the browser makes it cooperative and the limited security built into the browser provides little protection against unexpected and unwanted access to a personal computer. These flaws will be highlighted in the following discussion of invasion of privacy enablers.
Cookies
Cookies are small files that are sent by a WEB server and saved by the WEB browser to store information about the user and or the user’s activities. The primary purpose of the cookie is to track personal use for pattern analysis. Normally an anonymous code is attached to the cookies but if a site requires you to register, there is a good chance they have customized the cookie to specifically identify the user. Cookies can be either persistent, meaning they remain on your system until deleted by the user, or sessional, which is deleted when you leave the WEB server. The use of the cookie is very simple. A WEB site that is set up to distribute cookies can copy a cookie to the visiting system on the initial visit and then create a cookie identifier each time the site is visited. With every visit, additional information can be added to the log.
Some common uses for Internet cookies are:
· Tracking users access. These cookies are “persistent” and configured to stay on your system for months or years.
· Tracking users with an identifiable code. This usually occurs after a registration. The site can then keep a detailed account of pages visited, items purchased, etc.
· “Session” cookies. These are often used in "Shopping cart" web sites to keep track of your order. “Session” cookies expire as soon as you exit the site.
· Personal preferences. This can be anonymous or linked to personal information provided during a registration. Cookies are supposed to be only accessible from the site that placed them there. However, a bug may allow other sites to access the information.
Tracing users via the Internet:
· IP Address. An IP address can be captured by opening a web page that requests a graphics file from a server, your IP address, as well as the type of e-mail program you are using is captured.
· Email address. Normally a user can only be traced back to their Internet Service Provider. However, some web-based e-mail accounts (such as Hotmail) display the senders real IP address in the header so a sender's ISP can often be determined even if they use an 'anonymous' account.
· Executable programs. By running an executable program virtually anything can be done on the hard drive. Files could be read, hidden "Trojan horse" programs can be loaded, and even programs that allow others to take control of your computer over the Internet can be installed.
To detect if you are being traced a "firewall" software can be installed. This program will alert you any time that your computer communicates over the Internet. Several personal Firewall software package are available to warn you about such communications. Footnote: PC World, March 20001
WEB Banners
The WEB Banner is an effective extension of the cookie. Advertisers discovered that simply creating WEB banners that redirected the reader to an Advertiser’s WEB site allows the advertiser to install a cookie and track every time the user accessed one of their advertisements. The interaction may work as follows: company A contracts with many on-line firms to display their advertising. The advertisement redirects the reader to the advertising WEB site where the cookie is installed and a log is started. The advertiser can then track all accessed locations of the user from that point on. This approach is very effective in determining WEB site usage patterns of individuals.
WEB Bugs
A WEB BUG is code written and attached to a small 1-pixel gif file setup on the WEB page or sent via email. A pixel is one dot on the computer screen making the graphic file basically undetectable by sight. Additionally, these WEB BUGS cannot be detected by anti-cookie filters and can read cookies installed from the same WEB site as well as run other executable code in the background. The WEB BUG is the most stealth of the commonly used methods for tracking or gathering information. Just about any executable code can be written into a WEB BUG and executed on the user’s personal computer without the knowledge of the PC owner. In most cases the user is not notified of it’s on the HTML page, much less the intended purpose for the WEB BUG. The question is, does a company have the right to download an executable file to a personal computer for the purpose of gathering information without the knowledge of the computer owner? Currently there is no law to govern this type of intrusion, only the integrity of the WEB site owner can govern the use.
Spyware
Spyware is software specifically developed to allow individuals or businesses to monitor computer usage. See Appendix 2 Fortune Magazine: March 19, 2001 Vol. 143, No. 6
Electronic monitoring of employees via high tech equipment has become more commonplace and easier to use. Email scanning software can be installed to search emails for key words and then perform any number of actions without the sender or receiver ever knowing the email was reviewed. Internet sites visited and duration of the stay at each site can be documented and analyzed by user. Inappropriate sites can be blocked from access using company systems. Stealth monitoring via data interception remote transmitters, sometimes called Sniffers, can be used to monitor electronic data remotely and simultaneously. In addition to the ability to capture data as it travels across the Internet, there are also programs designed to capture and redirect emails. The program captures all incoming email to an intended recipient and then redirects a copy of the email to another email box for review by the person doing the monitoring. These programs have proven very difficult to detect and prevent. Any information sent over the Internet is susceptible to capture and review. Most often this is done without approval or knowledge of the sender compromising the security and integrity of the individuals or businesses.