Session 14: Protecting your information assets II (PowerPoint presentation, transcript)



Page 1:

Session 14: Protecting your information assets II

“Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning.” Rich Cook, http://manetheren.cl.msu.edu/~vanhoose/humor/0261.html

Page 2:

Review of Learning

• Importance of understanding some of the technical aspects of computer viruses, worms, trojan horses;

• Importance of establishing organizational approaches to dealing with these vulnerabilities.

Page 3:

Session Objectives

• To consider the concept of cyber terrorism, and its implications for the workplace

• To identify key issues and legal aspects of online information use: data security, surveillance, privacy, confidentiality, provider responsibilities, and workplace implications.

Page 4:

Cyber-Terrorism

Page 5:

Quote of the Day

“I'd love to change the world, but they won't give me the source code!” (Unknown)

Page 6:

'There are lots of opportunities'

Page 7:

Cyber Terrorism

• Term coined by Barry Collin, Senior Research Fellow at the Institute for Security and Intelligence at Stanford University

• US Dept of Defense: “actions taken to achieve information superiority by affecting adversary information, information-based processes, information systems, and computer-based networks while leveraging and defending one’s own information”

• Ability to unleash technical devastation by “deliberate and systematic attack on critical information activities”

• “Computer-generated terrorism” as the “ultimate deliberate destruction of our information infrastructure”

Page 8:

Cyber Terrorism / Warfare

• Can take place thousands of miles from the target

• Cannot be seen and traced by classical intelligence methods

• All but indistinguishable from accidents, system failures, or hacker pranks

• Use “social engineering” to get information, e.g. pose as someone else who has legitimate rights to the information

• Absence of legal jurisdictions based on national and political borders: the Internet has no central location in the physical world

Page 9:

'There are lots of opportunities'

• In 1996, a computer hacker allegedly associated with the White Supremacist movement disabled a Massachusetts ISP after it attempted to stop the hacker from sending out worldwide racist messages under the ISP's name. The hacker signed off with the threat: “You have yet to see true electronic terrorism. This is a promise”

• 1997: the US Department of Justice website was defaced: the department seal was replaced with a swastika and the site relabeled “US Department of Injustice”

• In March 1997, a 15-year-old Croatian youth penetrated computers at a U.S. Air Force base in Guam.

Page 10:

EDT: Electronic Disturbance Theater

• In 1998, ethnic Tamil guerrillas swamped Sri Lankan embassies with 800 emails a day over a two-week period, described as the first known attack against a country's computer systems.

• During the Kosovo conflict in 1999, NATO computers were blasted with email bombs by “hacktivists” protesting NATO bombings; web defacements and virus-laden emails were directed at businesses, public organizations, and academic institutes supporting NATO.

• During the WTO protests in Seattle in late 1999, thousands of “Electrohippies” at a predetermined, designated time used software that flooded the WTO's web servers with rapid and repeated download requests (a “virtual sit-in”)

Page 11:

• Is this cyber-terrorism?

• Or is this civil disobedience analogous to street protests and physical sit-ins, not acts of violence or terrorism?

• An estimated 90% of all hacking activity comes from amateur hackers; an estimated 4% of intrusions are detected

• 1996-2000: 40 major corporations lost over $800M to computer break-ins

• 1998-2000: the CIA reports that US government systems were illegally entered 250,000 times

• Resort to blackmail and extortion, e.g. targeting banks: a Russian hacker tapped into Citibank's funds transfer system and took $10M

Page 12:

Cyber Attacks

• Critical computer systems

• Disabling utility services: water, electricity, gas

• Banking

• Communications networks

• Transportation networks

• Running up credit card debts

• Extortion by threats to unleash computer viruses

Page 13:

Concerns and Impacts

• Undermine public confidence and trust in Internet-based services

• Limit willingness to access information

• Threat to government information systems that are no longer isolated or compartmentalized

• Reliance on the Net as a form of direct delivery

• Intertwining of government and private-sector systems and networks, and transfer of information to 3rd parties

• Issues of access, confidentiality and integrity

• Online profiling: aggregating consumer interests and preferences by tracking online moves and the actual information submitted

Page 14:

Concerns and Implications

• AT&T study, 1999: 87% of US citizens concerned about online privacy

• 70% uncomfortable about providing personal information to businesses online

• Targum: “US fails to protect privacy on Web”: “People who log on to dozens of government web sites may be unknowingly tracked, despite a privacy policy forbidding it”

• 64 federal web sites used files (cookies) that allow them to track the browsing and buying habits of Internet users, e.g. the Departments of Education, Treasury and Energy, NASA, and the General Services Administration; 3.5 million visitors to NASA in March

Page 15:

PRIVACY & CONFIDENTIALITY

• PRIVACY: the right to control one’s personal information and ability to determine how that information should be obtained and used = informational self-determination

• CONFIDENTIALITY: one’s means of protecting personal information, usually in the form of safeguarding the information from unauthorized disclosure to 3rd parties; implies responsible safekeeping and custodial obligation on behalf of organizations

Page 16:

DATA SECURITY

Protect personal information from a wide range of threats:

• Inadvertent use or unauthorized disclosure

• Intentional attempts at interception

• Data loss, destruction, modification

Page 17:

SOME KEY LEGISLATION (http://thomas.loc.gov/)

• Computer Security Act, 1987

• Computer Security Enhancement Act, 2001

• Code of Fair Information Practices, 1980

• Children's Online Privacy Protection Act, 1998

• Computer Fraud and Abuse Act, 1994

• Computer Crimes Act, 1994

• Digital Signatures: http://www.epic.org/crypto/dss/

• International Cryptography Policy: http://www.epic.org/crypto/intl/

Page 18:

CODE OF FAIR INFORMATION PRACTICES

• OECD (Organisation for Economic Co-operation and Development) guidelines, 1980

• USA and Canada are signatories

• Place limitations on the collection of personal data, restrictions on uses, and an onus on purpose specification, openness, transparency and accountability

Page 19:

CODE OF FAIR INFORMATION PRACTICES

8 Governing Principles

1. Collection Limitation: there should be limits to the collection of personal data; data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject

2. Data Quality: personal data should be relevant to the purposes for which it is to be used and, to the extent necessary for those purposes, accurate, complete and kept up to date

3. Purpose Specification: the purposes for collection should be clearly specified, no later than at the time of collection

4. Use Limitation: personal data should not be disclosed or made available for purposes other than those specified, except with the consent of the data subject or by authority of law

Page 20:

CODE OF FAIR INFORMATION PRACTICES

8 Governing Principles (continued)

5. Security Safeguards: reasonable security safeguards in place to protect against risks of loss, unauthorized access, destruction, use, modification or disclosure

6. Openness: Policy of openness about developments, practices and policies

7. Individual Participation: individuals should be able to confirm from data controller the existence of personal data and be able to challenge it

8. Accountability: Data controller should be accountable for complying with measures which give effect to above principles

Page 21:

Observance of Codes?

• Growth of electronic commerce

• Online sales: 1997 to 1998: $3 billion to $9 billion

• 1999: revenue from Internet advertising exceeded outdoor billboard advertising

• Only 25% of Internet users go beyond browsing to purchase

• Online consumer data collected mainly by: registration pages, survey forms, online requests, “cookies” and tracking software

• Compile: personal interests and preferences, track online activities, data for target marketing

Page 22:

Observance of Codes?

• Federal Trade Commission Survey 1998, US Commercial Sites

– 92% collect personal data

– 15-20% post any disclosure regarding information privacy policies

– 2-5% post a comprehensive privacy policy

• Busiest Sites on the WWW

– 97% collected personal information

– 71% posted disclosure information

– 44% had comprehensive privacy policies

Page 23:

Observance of Codes?

• Federal Trade Commission Survey 1998, US Children's Sites

– 89% collected personal information

– 24% posted privacy policies

– 1% requested parental consent prior to collection of children's information

Page 24:

Children's Online Privacy Protection Act, 1998

• Relates to websites directed to children under 13 that collect information

• Legislative requirements:

– provide parents notice of information practices

– obtain prior, verifiable parental consent for collection, use and disclosure

– parents able to request to view / review data collected

– parents able to prevent further use of personal data

– limit collection of information to only that necessary for the activity

– establish and maintain reasonable procedures to protect the confidentiality, security and integrity of personal data collected

Page 25:

COOKIES: Internet Data Harvesters

A cookie is a small piece of data that a web server sets in the user's browser. The browser stores it and sends it back with every later request to that server's domain (and only to that domain). The server uses it to recognize the user across requests, to customize the data sent back, and to log the user's requests.

Page 26:

Electronic Calling Cards

Advertising companies typically place cookies on individuals' computers when an advertisement is delivered, giving them the ability to track consumer behavior online and gauge the effectiveness of an ad campaign or target marketing to consumer preferences. Web sites also use the markers to hold passwords and personal information for custom services such as Web-based e-mail.

Page 27:

The burnt side of cookies

• Using Find File, look for a file called cookies.txt (or MagicCookie if you have a Mac machine).

• Using a text editor, open the file and take a look. Odds are about 80/20 that you'll find a cookie in there from someone called “doubleclick.net”.

• Likely you never went to a site called “doubleclick”. So how did they give you a cookie?

• Go to www.doubleclick.net and read all about how they make money giving us cookies we don't know about, collecting data on all World Wide Web users, and delivering targeted real-time marketing based on our cookies and our profiles.

• Subscribers to the DoubleClick service embed an ad banner served from doubleclick.net in their pages. Your browser's request for that banner is what sets, and on later pages sends back, the DoubleClick cookie, even though you never typed the address.
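The audit in the steps above can be scripted instead of done by eye. The following is an added example, not code from the slides: it parses the Netscape cookies.txt format (the file the slide asks you to open) and reports every cookie domain that matches none of the hosts the user actually visited. The sample file, the visited-host list and the function names are constructed for the example.

```python
"""Audit a Netscape-format cookies.txt for cookies from hosts never visited.

Added example, not from the slides. cookies.txt is the Netscape/curl cookie
file: one cookie per line, seven tab-separated fields
    domain  include_subdomains  path  secure  expires  name  value
Lines starting with '#' are comments, except for curl's '#HttpOnly_' prefix,
which marks an HttpOnly cookie. The sample file and the browsing history
below are constructed for the demonstration.
"""
from dataclasses import dataclass

SAMPLE_COOKIES_TXT = (
    "# Netscape HTTP Cookie File\n"
    "# constructed for the example; every entry is fictitious\n"
    ".doubleclick.net\tTRUE\t/\tFALSE\t2147483647\tid\t8f2c1a9e77\n"
    "www.example-news.com\tFALSE\t/\tFALSE\t1900000000\tsession\tabc123\n"
    "#HttpOnly_.example-mail.com\tTRUE\t/\tTRUE\t1900000000\tauth\tdeadbeef\n"
    ".doubleclick.net\tTRUE\t/\tFALSE\t2147483647\ttest_cookie\tCheckForPermission\n"
)

# Constructed history: hosts the user actually typed in or followed links to.
VISITED_HOSTS = {"www.example-news.com", "mail.example-mail.com"}


@dataclass(frozen=True)
class Cookie:
    domain: str
    include_subdomains: bool
    path: str
    secure: bool
    expires: int
    name: str
    value: str
    http_only: bool = False


def parse_cookies_txt(text):
    """Parse cookies.txt content into Cookie records; comments are skipped."""
    cookies = []
    for raw in text.splitlines():
        line = raw.rstrip("\r")
        http_only = line.startswith("#HttpOnly_")
        if http_only:
            line = line[len("#HttpOnly_"):]
        elif not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            raise ValueError(f"malformed cookies.txt line: {raw!r}")
        domain, subs, path, secure, expires, name, value = fields
        cookies.append(Cookie(domain, subs == "TRUE", path, secure == "TRUE",
                              int(expires), name, value, http_only))
    return cookies


def domain_matches(host, cookie_domain):
    """Cookie domain match: '.doubleclick.net' covers doubleclick.net and
    every subdomain of it, but not an unrelated 'notdoubleclick.net'."""
    host = host.lower()
    dom = cookie_domain.lower().lstrip(".")
    return host == dom or host.endswith("." + dom)


def third_party_cookies(cookies, visited_hosts):
    """Cookies whose domain matches none of the visited hosts: they can only
    have arrived through content some page embedded (ads, trackers)."""
    return [c for c in cookies
            if not any(domain_matches(h, c.domain) for h in visited_hosts)]


def audit(text=SAMPLE_COOKIES_TXT, visited_hosts=VISITED_HOSTS):
    """Distinct never-visited domains that nevertheless hold a cookie."""
    flagged = third_party_cookies(parse_cookies_txt(text), visited_hosts)
    return sorted({c.domain.lstrip(".") for c in flagged})


if __name__ == "__main__":
    for domain in audit():
        print("never visited, but it set a cookie:", domain)
```

Point a real browser history at `VISITED_HOSTS` and a real cookies.txt at `parse_cookies_txt` and the output is the list of domains the slide is talking about. The `test_cookie` entry in the sample mirrors a common ad-server habit of setting a throwaway cookie first to learn whether the browser accepts third-party cookies at all.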

Page 28:

The burnt side of cookies

• When you visit such a site, your browser fetches the embedded DoubleClick banner and attaches the DoubleClick cookie to that request. Only cookies scoped to doubleclick.net are sent: the site itself cannot read the rest of your cookie file, but DoubleClick learns which page you were on (from the Referer header) and which of its IDs you carry.

• That banner request to “doubleclick” carries your ID, and DoubleClick answers with a banner chosen from all the marketing information it holds about you.

• It seems clear that at least some of that information comes from your record of hitting “doubleclick”-enabled sites.

• You then receive specially targeted marketing banners from the site.

• The main concern is that all this is done without anyone's knowledge. Key issue: What right should anyone have to collect information about me without my knowledge, and why should they break my right to privacy?
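The flow described on this page, as an added example (not code from the slides or from DoubleClick): two constructed publisher sites embed a banner from a fictitious ad host, and a minimal browser model shows why the ad server sees the same ID on both sites, and what changes when the browser refuses third-party cookies. All hosts, IDs and function names are assumptions made for the example.

```python
"""Simulate how an ad server embedded on many sites correlates one user.

Added example, not code from the slides or from DoubleClick. Two constructed
publisher sites each embed an ad banner served from the fictitious host
ad.tracker.example. The tiny browser model implements only what the flow
needs: a cookie jar scoped by domain, a Referer on sub-resource requests,
and an optional third-party cookie block. Nothing touches the network.
"""
import itertools
from urllib.parse import urlparse

AD_HOST = "ad.tracker.example"

# Constructed pages: top-level host -> resources the page embeds.
PAGES = {
    "www.news.example": [f"http://{AD_HOST}/banner?slot=top",
                         "http://www.news.example/logo.png"],
    "shop.example": [f"http://{AD_HOST}/banner?slot=side"],
}


def site_of(host):
    """Site (registrable domain) of a host. The last two labels are enough for
    the demo; real browsers consult the Public Suffix List."""
    return ".".join(host.split(".")[-2:])


class AdServer:
    """The third party: hands out an ID on first sight, logs every ad request."""

    def __init__(self):
        self._next = itertools.count(1)
        self.log = []  # (user_id, referring site) for each banner request

    def handle(self, cookies, referer):
        uid = cookies.get("id")
        set_cookie = None
        if uid is None:
            uid = f"u{next(self._next)}"
            set_cookie = ("id", uid)  # like Set-Cookie: id=...; Domain=tracker.example
        self.log.append((uid, urlparse(referer).hostname))
        return set_cookie


class Browser:
    def __init__(self, ad_server, block_third_party=False):
        self.ad = ad_server
        self.block_third_party = block_third_party
        self.jar = {}  # cookie domain -> {name: value}

    def cookies_for(self, host):
        """Domain matching: a cookie for tracker.example goes to any of its subdomains."""
        found = {}
        for domain, cookies in self.jar.items():
            if host == domain or host.endswith("." + domain):
                found.update(cookies)
        return found

    def visit(self, page_url):
        top = urlparse(page_url).hostname
        for res in PAGES[top]:
            host = urlparse(res).hostname
            if host != AD_HOST:
                continue  # first-party images etc. are not part of this story
            third_party = site_of(host) != site_of(top)
            blocked = third_party and self.block_third_party
            sent = {} if blocked else self.cookies_for(host)
            set_cookie = self.ad.handle(sent, referer=page_url)
            if set_cookie and not blocked:
                name, value = set_cookie
                self.jar.setdefault(site_of(host), {})[name] = value


def browse(block_third_party=False):
    """One user visits both publishers; returns the ad server's log."""
    ad = AdServer()
    browser = Browser(ad, block_third_party)
    browser.visit("http://www.news.example/")
    browser.visit("http://shop.example/")
    return ad.log


def profiles(log):
    """What the ad server can reconstruct: user id -> sites the user was seen on."""
    out = {}
    for uid, site in log:
        out.setdefault(uid, []).append(site)
    return out


if __name__ == "__main__":
    print("third-party cookies allowed:", profiles(browse()))
    print("third-party cookies blocked:", profiles(browse(block_third_party=True)))
```

With third-party cookies allowed, `profiles` shows one ID tied to both publishers; with `block_third_party=True` the ad server hands out a fresh ID per site and cannot link the two visits. That second path is what a user achieved at the time by deleting or opting out of the DoubleClick cookie, and what several current browsers now do by default.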

Page 32:

www.doubleclick.net statement

“Why shouldn't I opt out of this cookie?”

DoubleClick believes all users should have a positive Web experience. Because of this belief, we allow advertisers to control the frequency (the number of times) a Web user sees an ad banner. We also deliver advertising based on a user's interests if that user has chosen to receive targeted advertising. We believe that frequency control and relevant content make advertising on the Web less intrusive by ensuring that users are not bombarded with repeat and irrelevant ad messages. Opting out removes our ability both to control frequency of exposure to individual users and to increase the level of relevant content.

Page 34:

Some Privacy Organizations

Electronic Privacy Information Center (EPIC) is a public-interest research center working to protect privacy, the First Amendment, and the values of the U.S. Constitution.

Privacy Rights Clearinghouse (PRC) offers consumer-oriented information on topics ranging from cellular-phone eavesdropping to employee monitoring.

Computer Professionals for Social Responsibility (CPSR) is an alliance of computer professionals and others interested in the impact of computer technology on society.

The Electronic Frontier Foundation (EFF) is a nonprofit civil liberties organization dedicated to protecting privacy, free expression, and access to online resources and information.

Center for Democracy and Technology (CDT) is a nonprofit organization dedicated to promoting constitutional civil liberties and democratic values in new computer and communications technologies.

Page 35:

Self-Regulation and Fair Information Practices

• Emergence of online seal programs

• Sites require licenses to abide by codes of online information practices and to submit to compliance monitoring

• Assurance for consumers that site is legitimate business that will process and protect sensitive information

• Display privacy seal on websites

Page 36:

Self-Regulation

• TRUSTe: launched 1999 by the CommerceNet Consortium and the Electronic Frontier Foundation

• Guidelines regarding personally identifiable information; licensees submit to monitoring and oversight

• 5-day complaints resolution procedure

• 3rd-party monitoring: use of “seeding” (a unique identifier planted with consumer information, used to track removal and honoring of the agreement)
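Seeding, as an added example (not TRUSTe's procedure or code): each licensee receives a consumer record whose address is unique to it, derived with HMAC from a secret the licensee never sees. The same derivation later tells you which licensee a leaked list came from, and whether a removal request was honoured. The secret, domain, licensee names and mailing lists are constructed for the example.

```python
"""Seeding: plant a traceable record with each licensee.

Added example; not code from the slides, from TRUSTe, or from any seal
program. A seed is a fictitious consumer whose contact address is unique
to one licensee, so if it later turns up in someone else's mailing list
you know which licensee passed the data on, and if it keeps turning up
after the seed consumer opts out you know the licensee did not honour the
removal. Addresses are derived with HMAC-SHA256 from a secret, so a
licensee cannot guess or enumerate them and no lookup table is needed.
The secret, domain, licensee names and mailing lists are all constructed.
"""
import hashlib
import hmac

SEED_SECRET = b"constructed-secret-keep-offline"  # generated, stored off the licensees' systems
SEED_DOMAIN = "seeds.example"  # a mail domain the monitoring body controls


def seed_address(licensee, secret=SEED_SECRET):
    """Deterministic, licensee-specific address that reads like an ordinary user's."""
    tag = hmac.new(secret, licensee.encode(), hashlib.sha256).hexdigest()[:12]
    return f"a.{tag}@{SEED_DOMAIN}"


def seed_record(licensee):
    """The record handed to the licensee along with the (constructed) consumer data."""
    return {"name": "Alex Mercer", "email": seed_address(licensee), "newsletter": True}


def is_seed_of(address, licensee, secret=SEED_SECRET):
    """Constant-time comparison against the licensee's seed address."""
    return hmac.compare_digest(address.strip().lower(), seed_address(licensee, secret))


def attribute_leak(addresses, licensees, secret=SEED_SECRET):
    """Licensees whose seed appears in a list obtained from somewhere else."""
    return sorted(lic for lic in licensees
                  if any(is_seed_of(a, lic, secret) for a in addresses))


def removal_honoured(mailing_after_optout, licensee, secret=SEED_SECRET):
    """After the seed consumer asked to be removed, it must not be mailed again."""
    return not any(is_seed_of(a, licensee, secret) for a in mailing_after_optout)


LICENSEES = ["acme-shop", "gadget-mart", "trip-finder"]

# Constructed: a list bought from a data broker, and gadget-mart's mailing
# run after the seed consumer opted out (case differs to show normalisation).
BROKER_LIST = ["pat@example.org", seed_address("acme-shop"), "sam@example.net"]
GADGET_MART_RUN = ["pat@example.org", seed_address("gadget-mart").upper()]

if __name__ == "__main__":
    print("broker list leaked by:", attribute_leak(BROKER_LIST, LICENSEES))
    print("gadget-mart honoured removal:", removal_honoured(GADGET_MART_RUN, "gadget-mart"))
```

The readable `a.<tag>@` shape is only for the example: a production seed should look like any other customer record, otherwise a licensee can strip seeds before selling the list, and the secret must live on a system none of the licensees can reach.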

Page 39:

Self-Regulation

• BBB Online Privacy Seal Program, 1999

• Council of Better Business Bureaus

• Covers “individually identifiable information” and “prospect information”

• Verisign

• Cnet Certification

Page 42:

Question(s) of the day …

Are the concerns about computer privacy and security in this country as strong as they are in other nations? Is this a cultural issue? How can we study this?

Page 43:

Cyberterrorism Centers

• Institute for Security Technology Studies at Dartmouth

Page 44:

Reading!!

• McMillan, R. (2004 March 17). Lessig: Be wary of IP extremists. InfoWorld.

• The article is accessible at: http://www.infoworld.com/article/04/03/17/HNlessig_1.html