PRACTICES: E-BUSINESS SECURITY ADVISOR

Privacy vs. Security

Although privacy and security goals may at times seem at odds, successful e-businesses ensure that privacy and security initiatives are clearly explained, well understood, and complementary.

By Mike Cobb, Contributing Editor

Privacy, with a capital "P," is moving to the top of the public agenda. You only need to look at legislative activity in the United States, United Kingdom, or any other country with high rates of Internet usage, or count the number of newspaper headlines and magazine cover stories, to see that privacy is a hot issue. It's a public debate that's likely to last for some time, with serious implications for businesses, especially for those that rely heavily on information systems and Internet technology.

Progress in any debate proceeds from consensus on basic definitions, so let's be clear about how we use the word "privacy." Much of the current debate over privacy concerns a subset of privacy in general, namely electronic or data privacy. In turn, many discussions about data privacy raise the issue of security, which often means information security, and a subset thereof, computer security. Unfortunately, confusion between data privacy and computer security can hinder a company's attempts to achieve excellence in either area.

Values vs. technology

In the context of data privacy, privacy refers to a value. To differing degrees, in different cultures, privacy is a right as well as a value. However, in the context of computer security, the term security doesn't refer to a value, but rather a methodology and a technology. As such, security is neutral; it can serve privacy or hinder it.

For example, a company may feel the need to filter outgoing e-mail to prevent company bank account details from being sent to a competitor, but that implies reading employees' e-mail, which some people consider to be an invasion of privacy.

Or consider a security technology such as biometrics, which can prevent unauthorized persons from accessing your data. It can also be used to track people's activity without their consent, which might be considered an invasion of privacy on the one hand, or a boost to security on the other.

One example is Super Bowl XXXV, where the faces of people entering the stadium were scanned with software that looked for matches with the faces of known criminals. Possible matches were sent to a police control room. While an improvement in the apprehension rate for known criminals would seem to be a goal shared by all members of society, some people objected to this activity because it was done without the knowledge or consent of the people being scanned. Of course, the existence of such knowledge or consent would have changed the security function of the system from detection to deterrence.

Bottom Line: Clearly, security and privacy are different. Of course, when considered in a broad sense, security can be a value. When we process valuable data with computers, we talk about keeping it secure. Computer security is typically defined as protecting the confidentiality, integrity, and availability of data and the systems that process it. But this definition contains a number of assumptions that transform security from a human value into a technical objective.

For example, ownership of data and the right of the owner to restrict access to that data is implied. But data ownership is a central issue in the electronic privacy debate. Do you own any data about yourself? Do you have the right to restrict the use of that data? Do others have the right to demand data from you in certain circumstances, such as purchase and delivery of services?

While computer security can enable restrictions on the use of data, and control access to data based on assigned rights to access that data, it can't decide the issue of legal ownership. The right of an entity to impose restrictions on the use of data isn't a question to which either the theory or practice of computer security can supply an answer. This becomes clear when we examine a couple of scenarios indicative of the gap between privacy and security.

Authentication vs. privacy

In the context of both computer security and e-business, authentication is the reliable identification of an entity, such as a user seeking access to a computer or network. One of the most widely used authentication mechanisms is user name and password. This is one of three types of identifier or factor used for authentication:

  1. Something you know (e.g., password, combination, personal identification number (PIN))
  2. Something you have (e.g., key, token, credit card)
  3. Something you are (e.g., signature, voice, fingerprint)

An authentication mechanism that relies on only one of these is referred to as single factor. Combining independent factors makes authentication stronger: if you need both a PIN and a card, as at an ATM, an attacker must obtain both, which is harder than obtaining just a PIN or just a card. Strength also depends on how hard an identifier is to guess or duplicate, since an identifier that's harder to duplicate is less prone to "spoofing." The larger the space of possible values, the stronger the factor: a long password is better than a short one, and a safe with one million combinations is harder to crack than one with a thousand. Finally, the tighter an identifier is tied to the entity it identifies, the stronger the authentication. For example, including a cardholder photograph on a card is a large improvement in security. (When the Royal Bank of Scotland introduced this feature on ATM cards, fraud was reduced by 70 percent.)
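As an added example (not code from the original article), here is how a two-factor check that combines "something you know" with "something you have" can be implemented: the password is verified against a salted PBKDF2 hash rather than a stored password, and the second factor is a time-based one-time code (TOTP, RFC 6238) produced by a token that shares a secret with the server. The user record, the function names and the parameter values are constructed for illustration; the secret used in the demo is the RFC 6238 reference secret so the output can be checked against the published test vector.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

# Parameters chosen for this constructed example (not from the original article).
PBKDF2_ITERATIONS = 100_000
TOTP_STEP_SECONDS = 30
TOTP_DIGITS = 6


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Something you know: store a salted PBKDF2-HMAC-SHA256 hash, never the password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "pw_hash": digest}


def verify_password(password: str, salt: bytes, pw_hash: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    # compare_digest avoids leaking how many bytes matched through timing differences
    return hmac.compare_digest(candidate, pw_hash)


def totp(secret: bytes, unix_time: float, digits: int = TOTP_DIGITS, step: int = TOTP_STEP_SECONDS) -> str:
    """Something you have: RFC 6238 TOTP, i.e. HMAC-SHA1 over the 30-second time-step counter."""
    counter = int(unix_time) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # RFC 4226 dynamic truncation
    binary = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
              | mac[offset + 2] << 8 | mac[offset + 3])
    return str(binary % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: float, window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side to tolerate token clock skew."""
    ok = False
    for drift in range(-window, window + 1):
        expected = totp(secret, unix_time + drift * TOTP_STEP_SECONDS)
        ok |= hmac.compare_digest(expected, code)
    return ok


def make_record(password: str, totp_secret: bytes, salt: Optional[bytes] = None) -> dict:
    """Constructed server-side user record: password hash plus the token's shared secret."""
    record = hash_password(password, salt)
    record["totp_secret"] = totp_secret
    return record


def authenticate(record: dict, password: str, code: str, unix_time: Optional[float] = None) -> bool:
    """Two-factor check. Both factors are always evaluated so a failure does not reveal which was wrong."""
    now = time.time() if unix_time is None else unix_time
    know = verify_password(password, record["salt"], record["pw_hash"])
    have = verify_totp(record["totp_secret"], code, now)
    return know and have


if __name__ == "__main__":
    # Demo user with the RFC 6238 reference secret; at t=59 the 6-digit code is 287082.
    user = make_record("correct horse battery staple", b"12345678901234567890")
    print(totp(user["totp_secret"], 59))                                      # 287082
    print(authenticate(user, "correct horse battery staple", "287082", 59))   # True
    print(authenticate(user, "correct horse battery staple", "000000", 59))   # False
```

Two design points worth noting: each factor is checked with a constant-time comparison, and the password check is not skipped when the one-time code is wrong (or vice versa), so an attacker who holds one factor learns nothing from response timing about whether the other was right. The one-step window is the usual trade-off between tolerating a drifting token clock and narrowing the replay interval.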

So what does this aspect of security have to do with privacy? The most unique identifiers, and thus the strongest authentication factor, are biometrics -- quantifiable personal characteristics -- of which fingerprints are perhaps the best known. Just as fingerprints can prove a criminal's guilt, they can prove that the person logging into the network as Jane Doe really is Jane Doe, and not someone who guessed Jane Doe's password.

Some people, however, have become so sensitive about sharing personal data that they object to enrolling in biometric authentication systems. For example, a recent contributor to the employment advice column of a major newspaper complained that his company's plan to "make employees submit to fingerprinting to log into company workstations" was an invasion of privacy. On one side you have security professionals cheering the company's decision to improve the level of authentication, while on the other side you have people suspicious of how their employer might use, or abuse, this data.

The Good News: Fortunately, there is a middle ground. If the company had done a better job of explaining why it intended to deploy the technology, it would have caused fewer concerns. That's because, unlike fingerprinting used by law enforcement, fingerprint systems used for access control typically don't capture or store a complete image of your fingerprint. Instead, they store a template, a mathematical abstraction of a few distinguishing features of the image, and compare it against the momentary reading taken from the scanner when you log in. Such a template is useless for law enforcement, and many systems can't reconstruct an image of your fingerprint from it at all. Furthermore, the better biometric systems go to considerable lengths to prevent leakage of the data they hold by encrypting the stored template, erasing the scan from memory once the comparison is done, and so on. One caveat remains: unlike a password, a fingerprint can't be changed if the stored data is ever compromised, so how the template is protected matters as much as what it contains.

But: Identity can't be proven to the high levels of certainty required by some transactions without the presentation of strong credentials and unique identifiers, and these tend to involve personal data. There are times when private data must be shared, as anyone who has applied for a mortgage well knows.

Smart Move: The smart enterprise attempts to strike the right balance between both goals. It's sensitive to the privacy concerns of those individuals from whom it obtains private data, and it handles that data with care, explicitly stating in a privacy policy how it will and won't be used.

Security technology can be employed at this point to control authorized access to personal data. Consider the aforementioned example. The employer could obtain fingerprints for identification, but limit their use to that purpose alone, and only within the company system. But security can only help in this way if help is sought. There are many situations in which companies that request personal data for one purpose feel they have a right to use it for other purposes. One example is companies that sell their customer list to other companies seeking to market to those customers. If it were against company policy to do this, security technology could help to prevent it from happening, but security has nothing to say, and no role to play, about whether such a policy should or shouldn't exist.

A new approach with Microsoft HailStorm?

Security is equally silent on a question that's central to the data privacy debate: Who owns personal data? This is a question every e-business must ask. And there aren't any easy answers, although from time to time some temptingly simplistic ones surface. For example, Microsoft recently presented e-businesses with HailStorm, a part of its emerging .NET initiative. Described as a "user-centric architecture and set of XML Web services," HailStorm has been given the ambitious goal of facilitating the integration of "the silos of information that exist today." The basic idea is to orient information services around people, instead of around a specific device, application, service, or network. Examples include accessing your personal calendar from a wide variety of devices, or even giving someone else limited access to that data to simplify event scheduling.

The intention is to put users "in control of their own data and information, protecting personal information and providing a new level of ease of use and personalization." HailStorm aims to make user consent the basis for who can access user information, what they can do with it, and how long they have that permission. Thus, HailStorm relies on "an affirmative consent model as the way applications, services, and devices interact with users."

At first, HailStorm sounds like music to the ears of anyone who's worried about data privacy. In the white paper outlining the project, Microsoft describes the approach taken by HailStorm as radical, saying it "turns the industry debate over online privacy on its head ... with the assumption that the user controls all personal information and gets to decide with whom to share any of it and under what terms." This is in contrast with the present situation, characterized by "how much organizations can get away with with respect to an individual's information."

Reality Check: There's been relatively little positive public reaction to HailStorm. Some Microsoft competitors have criticized it as another attempt at monopoly, only this time of data. Some developers have pointed out that Microsoft might not have the kind of reputation for security people are looking for when it comes to protecting sensitive personal data. Microsoft's e-business customers have been quiet, too, possibly because some of them are heavily dependent upon the collection, processing, and trading of personally identifiable data. To them, this "radical" approach to data ownership may be alarming.

Microsoft's presentation of its approach is also confusing. For a start, the idea of people controlling access to data about themselves isn't new. In some countries, this rule is enshrined in data protection laws that have existed for more than a decade. For example, the UK Data Protection Act of 1984 gave individuals rights as data subjects. These rights include access to data stored about them, the right to have inaccurate information corrected or removed, and the right to claim compensation if stored information is misused. The origins of the Act can be traced to Article 8 of the European Convention on Human Rights, which gives individuals a right to respect for their private lives.

Indeed, it could be argued that the European Convention spells out personal data rights more clearly and directly than the U.S. Constitution. This is reflected in court decisions in the United States, which tend to go against people seeking control over the use of their personal data. For example, in the Avrahami case in 1996, a Virginia court ruled that a magazine could sell the names and addresses of its subscribers to another company without the consent of the subscriber, despite the existence of a state law that prohibits a person's name, portrait, or picture being used for the purposes of trade without consent.

So, HailStorm doesn't exactly turn the data privacy debate on its head, but merely weighs in on one side. It also makes a huge assumption about how this technology might work, which reveals the gap between ends and means, and between desired values, such as privacy, and enabling technology, such as security.

Microsoft says HailStorm uses "legal and technical mechanisms to prohibit any unauthorized use of the user's data." But those legal mechanisms vary between countries, and in some cases, they're not in place. There are some areas where controls do exist, such as the Gramm-Leach-Bliley Act, which addresses the responsibility of financial institutions to protect the privacy of the personal financial information of their customers, and medical data held by certain entities is covered by the Health Insurance Portability and Accountability Act (HIPAA). Neither of those legislative controls, however, is predicated on an assumption of personal data ownership, since they merely put into law specific reservations about certain uses of personal data.

Consider: With HailStorm, Microsoft claims that the user owns the data, but the HailStorm technology can't make that a reality. All the technology can do is control particular instances of personal data -- those in a HailStorm component, such as Microsoft Passport. Storing your name and address there won't prevent companies with whom you have accounts from sharing information about you. Even if Microsoft gets the security technology right, that technology can't decide the data ownership debate or establish data privacy. Only society can do that through privacy law, privacy standards, and privacy practice.

What to do

As society wrestles with privacy issues, that doesn't preclude you from dealing with privacy as an aspect of your business right now. You must know what privacy legislation applies to your business, and what privacy attitudes your customers, suppliers, partners, and employees have.

Best Bet: Whenever your company takes any action that has privacy implications, those implications must be weighed and the action handled accordingly. Many companies are appointing a chief privacy officer to oversee this function, while others are still dismissive of such a radical step. Some see the current level of concern over privacy as a passing fad. That's akin to someone in 1981 saying that personal computers were just a fad, or someone in 1991 saying the World Wide Web would never catch on.

In 2001, the debate over data privacy is just getting started. Easy answers are unlikely to emerge anytime soon. But there is one conclusion you can draw: Privacy is not about security, and security is not about privacy. Both, however, are company imperatives, and when handled properly, privacy and security strategies and practices are complementary.


    Michael Cobb, CISSP-ISSAP, is the co-author of "IIS Security" and co-developer of IMCD, an automated Business Continuity and Incident Management Planning software solution.

    Keyword Tags: e-Business Management, e-Commerce, E-Business Management, E-Commerce, Healthcare, HIPAA, International Business, Open Source, Privacy, Security, Strategy, Technology Management

Posted 07/26/2001; last modified 07/02/2009.