
24 IT Pro September ❘ October 2002

Maintaining Privacy in an Online World

Anup K. Ghosh

Rather than a burden, privacy protection can become an opportunity to create consumer trust, based on emerging business practices.

In a question and answer session with reporters and analysts at an event to launch Sun Microsystems' Jini technology in January 1999, Sun Microsystems CEO Scott McNealy brazenly declared, "You have zero privacy anyway. … Get over it," a comment that set off a firestorm among privacy advocates. His views on the folly of privacy protection resonated among many digerati with a cynical attitude toward privacy. McNealy implies closing the barn door on privacy is useless because the horse has already bolted. Every individual's credit card transactions, phone calls, online browsing habits, and grocery store receipts are recorded in one form or another, amassing so much personal data that comprehensive monitoring of everyone's daily activities is already possible, if not existent.

For now, we rest comfortably, believing that all these disparate data collectors are not colluding to fit all the pieces together. But, if someone did have access to all this data, they could get a fairly complete picture of nearly every detail of our lives.

In the wake of heightened vigilance after 9-11 and pervasive new technologies that can infringe on privacy, IT professionals will face the task of balancing privacy interests of the individual with corporate profit-driven motives and national security interests.

CURRENT STATE OF PRIVACY AND SECURITY

Commercial firms leverage data-mining technology to classify, track, profile, and monitor Web site usage and online spending patterns. They use this information to finely tune direct online marketing and measure return on investment for marketing dollars. As these technologies become more sophisticated, data warehouses grow in size, disparate databases of users' profiles become integrated, and custom mass marketing to individuals becomes feasible. Soon a company will be able to assemble all the different pieces of our lives, captured in the bits from our increasingly digitized world.

Since 9-11, numerous companies have proposed using these same monitoring technologies at key security checkpoints, such as airports, to identify potential terrorists. The killer app of this new business opportunity is tying together disparate government agency databases into a single virtual database that someone or some agency can mine for indicators of potential terrorist activity or tendency. Thus, these technologies—developed to support more-efficient marketing—can use profiles of known terrorists, and the prior and current activities of suspected threats, to identify potential security risks.

As appealing as this might sound, the dark side of this killer app would be misusing this capability to monitor the private lives of law-abiding citizens. Legal restrictions that prevent cross-sharing of personal data by government agencies and technical hurdles have kept this Orwellian scenario a fiction for now. However, in the current climate of fear produced by terrorist acts, lawmakers and the public might willingly relax such prohibitions, favoring national security over individual privacy.

In "Silicon Valley's Spy Game" (The New York Times, 14 Apr. 2002), Jeffrey Rosen, a professor at George Washington University and author of The Unwanted Gaze: The Destruction of Privacy in America (Knopf, New York, 2001), argues that the US is ill-equipped to make informed decisions about striking the balance between security and privacy in technology. Rosen sees a catch-22 situation, with technologists leaving the appropriate balance between security and privacy to politicians—politicians who are not technically adept enough to understand the policy ramifications of technology on national security and individual privacy.

However, Rosen notes that in the face of congressional indifference and judicial passivity, information technology professionals, by default, now determine the appropriate balance between security and individual privacy. In Code and Other Laws of Cyberspace (Basic Books, New York, 2000), Professor Lawrence Lessig of Stanford University argues that technologists can design systems that simultaneously protect security and privacy. However, Lessig says that left to their own devices, vendors are unlikely to balance privacy with security.

SECURITY-PRIVACY CONUNDRUM

Many people discuss security and privacy without understanding the distinctions and dependencies between them. Privacy refers to aspects of individuals or entities that the owner wants to remain confidential—hidden from others. These aspects include

• personal data, all documents an individual wants to keep confidential;

• properties, defining aspects of the individual or entity, including preferences (such as religious faith) and physical attributes; and

• behavioral characteristics, such as schedules and shopping habits.

When people talk about security, they often mean the mechanisms to provide data confidentiality, integrity, and authentication. To maintain privacy of personal data, security mechanisms must be employed to protect information that should remain private; this is the clear link between security and privacy. This need for security applies to both individuals protecting their own privacy and to corporations that must protect the private data they collect. Individuals who wish to keep data such as documents on a computer or Web-browsing records private cannot expect these aspects to remain private without using available security provisions. Likewise, corporations that do not have a secure infrastructure cannot ensure the confidentiality of collected data.

The dependency between security and privacy is not symmetric. Although you must have security provisions to ensure privacy, having a privacy policy does not imply security, and having a secure infrastructure does not imply privacy. For example, even if a company that collects personal data stores it in an ultrasecure facility, the company could choose to sell or otherwise disseminate this data, potentially violating the privacy of individuals. Even though this point might seem obvious, it is important to avoid confusing boasts of security with expectations of privacy.

Likewise, boasts of privacy are suspect unless an organization demonstrates that it can and will secure the data. A company without the technical means or desire to protect its data can institute a laudable privacy policy, but such a policy is not worth the HTML in which it is written.

Security and privacy, though distinct, intricately relate to each other. Though many people use these terms interchangeably, it is foolhardy to talk about privacy without security, or for companies to talk about security while ignoring the privacy implications of the data they collect.

ONLINE-PRIVACY POLICIES

Most e-businesses are keenly aware that it is politically correct, if not imperative, to have posted online privacy policies. What is unclear is what these policies should say, and how to implement and enforce them. Businesses have a responsibility to not only develop privacy policies but to enforce them through adequate data security protection measures.

Privacy concerns

To develop a meaningful privacy policy, consumers' privacy concerns are a good starting point. These will, in turn, guide the development of basic privacy policies that companies will need to implement. Online users have at least four main privacy concerns: They want to know

• what information the site collects;

• how the site owner uses that information and for what purpose;

• how the site owner secures, shares, rents, sells, or otherwise disseminates the information; and

• how much personal information about an individual businesses can collect, aggregate, store, and ultimately use.

These concerns highlight the uncertainty about business practices in collecting and using personal data. The lack of published information or knowledge about existing practices in data collection and use causes much of the fear surrounding privacy. Privacy involves not only confidentiality of personal data, but also privacy of behavior. For example, most people accept the fact that companies monitor their employees inside corporate networks (to detect intruders, for instance), but do companies have the right to profile consumers shopping at their site? Do companies have the right to sell these profiles? Who owns this data, and is the data covered by contract? These questions still lack definitive answers.

The following are examples of users’ privacy concerns:

• When I surf the Web from work and send out e-mail, what information about my online usage is my employer collecting?

• What information do cookies store about my Web-browsing habits, and who sees this information?

• When I register my computer online with the manufacturer or the operating-system vendor, what information do they receive about my computer?

• When my hard drive starts spinning arbitrarily and my modem lights start flashing, who or what is using the network?

Government agencies have considered these questions. The Fair Information Practice Principles (Records, Computers and the Rights of Citizens; US Department of Health, Education and Welfare; 1973) and Privacy Online: A Report to Congress (US Federal Trade Commission, June 1998; http://www.ftc.gov/reports/privacy3/) provide basic tenets of online privacy. The "Basic Tenets of Online Privacy" sidebar summarizes these principles.

What businesses know about you

Not having information about what personal information a company collects makes many users uneasy. In the online world, the medium's nature also compounds the problem. Data sent back and forth between software applications is opaque: You are largely blind to what information your computer is sharing.

When you consider all the types of electronic transactions conducted each day, the number of opportunities for monitoring is staggering. Consider the following partial list of electronic monitoring mechanisms people interact with almost daily.

ATM machines. Withdrawing money creates a location record at a particular time and date.

Cellular telephones. Because cell phones transmit radio waves on specific frequencies, anyone with a radio frequency scanner could traditionally monitor a conversation. Voice privacy and encryption options, and alternative modulation techniques on some phones and services, can offer more privacy than in the past. However, any cell phone conversation still occurs over a radio. Cellular towers can also help triangulate a cell phone's position if the phone is on. In the future, cell phones will transmit Global Positioning System coordinates to assist emergency responders in case of an accident, among other applications.

Credit cards. Credit card transaction histories provide a fairly complete picture of a consumer's life. Law enforcement officials and merchants can access credit histories.

Electronic toll collection. Car transponders are becoming common in areas with toll roads on busy commutes. An equipped car drives through a tollbooth, and the car's transponder sends an account number to the receiver in the booth. The system automatically deducts the toll from the user's account, and credit card charges refresh the prepaid balance. The system generates a timestamp each time a driver uses the toll road. Toll road operators don't publicize how they collect and store this information.

Metro underground systems in some urban areas use proximity cards for the same purpose, again noting the time and location on system entry and exit, again creating a record of an individual's location at a given time and a profile of their commuting habits. The alternative is to forgo the convenience of electronic toll collection and to pay by cash to maintain anonymity.

Employee badges. Electronic badges, which once only provided access to buildings, now can also help provide information about entry, exit, and location within a facility.

Location-based computing. New mobile-commerce applications for personal digital assistants with wireless connections to the Internet and street kiosks are emerging. These applications account for location information by, for example, dynamically planning a route to a destination or selectively displaying marketing information based on a person's proximity to retail outlets. One privacy risk is that these applications can record where you were at a particular date and time.

Online monitoring. Employers typically reserve the right to monitor all an employee's computer usage from company machines, from keystrokes to e-mail and Internet usage. Other people outside the company can also monitor online usage by collecting the trail of visit activity left at each Web site.

Phone calls. By default, each phone call you make broadcasts your phone number, unless you punch in a blocking code.

Surveillance cameras. From highways to convenience stores, banks, and public squares, surveillance cameras record physical presence and enable remote online monitoring. The problem is now moving into private spaces. Nanny cams, cameras that working parents use to monitor their child care providers, pose their own privacy risks. Strangers driving through neighborhoods can use a high-gain antenna, a signal amplifier, and a laptop to capture and display video signals that broadcast the daily activity in someone's home (J. Schwartz, "Nanny-Cam May Leave a Home Exposed," The New York Times, 13 Apr. 2002). The practice of cruising around (usually in an automobile) to surreptitiously pick up video and wireless local area networking signals is called war driving.

Automotive telematics. A fast-growing field, automotive telematics will provide two-way connectivity to the outside world (and the Internet) as well as remote diagnosis, and remote command and control capabilities. This technology will permit ubiquitous monitoring of automobile location, speed, and usage patterns.

PRIVACY IS GOOD BUSINESS

It's clear from the preceding discussion that there are many avenues via which companies could run afoul of consumers intent on protecting their privacy. However, protecting privacy also offers new opportunities to business. For starters, privacy is a business unto itself, including software and consulting; one that continues to grow as people's fear of privacy infringement tops the list of online concerns.

Privacy concerns also offer the opportunity to build good relationships between businesses and consumers. Businesses that are forthright about what data they collect and how they use it can leverage this openness into establishing relationships based on trust. If these businesses keep their promises, customers will have even more reason to do business with them. In dealing with consumers, businesses should consider that most consumers do not object in general to data collection practices as they are already pervasive; however, consumers are more concerned with what data is collected and how it will be used. Deceitful data collection practices, where private data is collected from users without notification or choice, risk earning the wrath of consumer interest groups.

The future of online privacy might draw on an existing practice that is successful in the brick-and-mortar world: Many people will release private information in return for discounts, rewards, or some form of compensation. For example, with grocery club cards, shoppers give up detailed profiles of their shopping habits, including identifying information, in return for discounts on groceries. Some consumers might say they don't have a choice—forgoing the club card means paying higher prices. Grocery-club-card-sanctioned pseudonyms might be a business compromise, where stores get information they seek on their customers' shopping habits, while customers' true identities remain private.

Online, customers might barter personal information for discounts on products or preferential service. New online commerce models that support private-information bartering are likely to emerge. In the interim, users should be wary of releasing personal information they would not share with strangers, and businesses should use privacy concerns as an opportunity to build trusted relationships with their customers.

As long as the government does not regulate online privacy policies, market forces will largely dictate the practices of most businesses. If the market values data collection highly, then data collection will be here to stay. Businesses that do not monitor their data collection practices or violate privacy policies risk serious repercussions from an unforgiving public. Companies continue to face criticism from the media and on Wall Street for egregious breaches of trust. Given this climate, businesses will seek solutions that show them to be good corporate citizens while delivering maximum value to their customers. For businesses, privacy and profit must go hand-in-hand.

Basic Tenets of Online Privacy

Any reasonable security policy should include provisions that cover these basic concepts.

➤ Notice and awareness. Providing notice and awareness of information collection practices is a fundamental principle in good privacy practices. Without a notice written in layperson terms, people frequently become uncertain about their online privacy.

➤ Choice and consent. With this principle, consumers can choose what personal data a company collects and must consent to how a company uses this data. Opt-in or -out are the consumer's alternatives in consenting to data collection. Opt-in requires consumers to take affirmative steps to let the company use personal information, as described by the notice. Opt-out requires consumers to take affirmative steps to prevent the company from using personal information. Most sites operate under an opt-out system. Opt-in favors consumer privacy; opt-out is less supportive of consumer privacy.

➤ Access and participation. This principle gives consumers rights to access their collected information and challenge discrepancies they find. An example is the ability to obtain credit agency reports and contest the accuracy of the listed information.

➤ Integrity and security. This principle supports the accuracy and security of collected information. Collecting information from reputable sources, cross-referencing sources, allowing consumer access and participation, and eliminating obsolete data help ensure data integrity. In addition to ensuring the data's integrity (from an accuracy perspective), providers must take steps to secure the data against leaks or other compromises.

These four basic principles of privacy should serve as a guide for businesses in maintaining good privacy practices for their customers. Today, most businesses have given thought to the notice and awareness principle simply by posting privacy policies, but they typically write these policies in a legalese that most customers find difficult to comprehend. Frequently, companies find that no one regulates or monitors their compliance to these policies. The more steps companies take to adhere to these privacy principles, the more likely they are to build consumer trust about the information they are collecting and the manner in which they use it.

Anup K. Ghosh is a program manager in the Defense Advanced Research Projects Agency (DARPA) Advanced Technologies Office; he works in the information assurance and survivability areas. Contact him at [email protected].

This article reflects the views of the author only and does not necessarily reflect the views of the Department of Defense or the Defense Advanced Research Projects Agency. DARPA Distribution Statement A: Approved for public release, distribution unlimited.


Material from this article is adapted from Security & Privacy for E-Business, © 2001, Anup K. Ghosh, John Wiley & Sons. This material is used by permission of John Wiley & Sons Inc.
