“Maintaining Trust in an Electronic World”
Professor Peter P. Swire
George Washington University
Former Chief Counselor for Privacy for the United States Government
San Diego; July 11, 2001
Overview:
Tylenol as an example of gaining trust
My background
Banking Heritage of Trust:
– Security
– Privacy
– Authentication
I. The Tylenol Example
History: Tylenol episode in 1982
7 people died from cyanide poisoned capsules
Massive publicity worldwide
Threatened a flagship product and Johnson & Johnson itself
The Immediate Response
Tylenol as a textbook case of good crisis management
All pills immediately taken off store shelves
Principles:
– Long-run considerations drive decisions
– Take action immediately
– Provide truthful information
Visible Signs of Trust
Packaging sends strong, credible message that customer can trust the product
Pre-1982: Twist-off cap, then pills
Today: Plastic wrap, then child-proof twist-off cap, then foil seal to demonstrate physical integrity, then pills
Lessons from Tylenol
You must prepare for public relations challenges, especially for new products online:
– Very fast press cycle today
– Public perception of risk stokes press stories
What are you doing for financial services on-line to reinforce customer trust?
What compares to the foil seal?
II. My Background
Lawyer for banks and ABHC beginning in 1980s
Taught banking law 6 times in law schools
Book on E.U. Data Protection Directive
Academic writings on financial cryptography and electronic payments
Current research on computer security
Editor of Cyberspace Law Abstracts
Chief Counselor for Privacy
Early 1999 became Clinton Administration Chief Counselor for Privacy (new position)
Gramm-Leach-Bliley & privacy
Money laundering & privacy
Encryption policy changes 1999
Safe harbor talks
Medical privacy (including payments)
Other privacy & e-commerce policy
III. Banking Heritage of Trust
Confidentiality and trust as great banking traditions
Trust: Safety and Soundness
– Financial stability & no runs
– Physical security -- the bank vault
– Trust that your money will be there
Heritage of Trust
Trust as Confidentiality:
– Customer as borrower
– Customer as depositor
– Customer who seeks advice from banker
– Customer who uses a bank’s cash management services
– Trust that banker will not disclose my business
Heritage of Trust
Security
Privacy
Authentication
IV. Security and Trust
Lessons from history
Information sharing and computer security
History: The Pay Telephone
The pay phone as a distributed payment system
Vulnerable pot of cash
Early attacks by shock, gun, etc.
Successive generations of learning by security professionals
Today, a mature & trusted technology
Lessons from the Pay Phone
Challenge today -- can have big outflow of cash over computer networks
“Open networks” like “open road” with phone booth in remote location
We will need successive generations of learning
Will need new encryption, procedures, etc. to become the standard
Security & Information Sharing
My current research: what should be hidden or open in computer security?
In physical world, security done by each institution -- competitors did not have the floor plans to your vault
Today, banks may use same software, hardware, standard procedures
Today, banks subject to same virus or other attack
Security & Information Sharing
When banks have same infrastructure and subject to same attacks, new reason to share security data
ISACs -- Information Sharing & Analysis Centers part of U.S. critical infrastructure protection effort
Moral: will need to trust other security professionals to face common threats, while guarding company proprietary information
V. Privacy
Is confidentiality in banking outdated? Perhaps:
– Lower cost for all information flows
– One-to-one marketing uses data to deliver what the customer wants, at a profit
– Mergers for banking, insurance, securities, etc. to match customers with new products
– Customer profiling to reduce fraud and money laundering
Privacy
Is confidentiality in banking outdated? Perhaps not:
– Don't you, as an individual, expect your financial information to be treated confidentially?
– WSJ poll on privacy in the new century
– Individuals and businesses cannot have each purchase revealed to all the world
Are there real privacy problems?
U.S. Bank case, 1999
Information here from public documents
U.S. Bank made major commitments to change
600,000 checking account customers
– name, home phone & address, SSN, DOB, product code, account number, routing & transit number
U.S. Bank (continued)
330,000 credit card customers
– name, home address & phone, last purchase date, date opened, current balance, credit limit, YTD finance charges, last payment date, amount last payment, SSN, DOB, behavior score, bankruptcy score
U.S. Bank (continued)
Notice: “Periodically we may share our cardholder lists with companies that supply products and services that we feel our customers will value.”
Apparently no opt-out
Apparently similar activities by other banks
What problems from U.S. Bank?
Data released for unrelated purpose -- a dental plan
“Negative option” by Memberworks:
– Postcard then have 30 days to cancel
– If not, then billed annual fee ($59.95)
– Lots of complaints once fee taken out of account
New U.S. Privacy Law as a Response
Notice -- the bank’s policy
Choice -- customers can say no to transfers to third parties
Enforcement -- examiner authority as with other consumer laws
Anti-fraud: fight pretext calling and identity theft, scrutinize risky data flows
Why customer choice?
Don't “stop all marketing”
Do respect choices of individuals who do not want marketing or other transfers
The price of opening an account should not be undisclosed and unlimited data flows
Consumers’ ability to choose creates trust, and less need for fear
What will happen next for privacy laws?
In U.S., may have more privacy laws in coming years
Internet-specific law?
Financial services laws -- state or federal?
Safe Harbor and financial services
To satisfy regulators, press & public, financial companies should expect to announce good policies & follow them
VI. Authentication and Trust
In electronic environment, how can you be sure that it is the real customer?
First question -- do you need to know the identity?
– Cash
– Smart cards & can be without identity
Levels of Authentication
Where identify, can have levels of authentication, often with loss limits
For ATMs, $300 daily limit and 4-digit PIN
Debit cards as a loss limit -- customer can’t lose more than the account balance
For credit cards, customer has $50 loss limit & banks have anti-fraud programs up to customer credit limit
Authentication
But, how to do big transactions?
For consumers, that may take a long time
– Walk before run
– Amazon online before mortgage online
– Can “Grandma lose her house”?
Authentication
For businesses, build infrastructure
– Banks as certificate authorities for digital signatures
– Rely on institutional controls, much as you do for large corporate checks
Remember the pay telephone:
– Successive generations
– Improve the ways to authenticate and be secure
Conclusions
Tylenol and the foil seal: what are you doing to give visible demonstrations of trustworthiness?
Security
– The pay phone & constant improvement
– When to share information
Conclusions (continued)
Privacy:
– Confidentiality in banking is not outdated
– Develop policies and follow them
Authentication
– Walk before you run
– Use stop losses & other tools to manage risk
To gain trust you must deserve trust:
President Clinton, at Aspen Institute:
“Do you have privacy policies you can be proud of? Do you have privacy policies you would be glad to have reported in the media?”
For security, privacy & authentication:
If you can be proud of your policies, then they will gain trust, and help your organization prosper, in the information age.
That is your job in the coming years
Contact Information
Professor Peter Swire
Phone: (301) 213-9587
Email: [email protected]
Web: www.osu.edu/units/law/swire.htm
Presidential Privacy Archives: www.privacy2000.org (containing privacy documents from Clinton Administration)