Session 14: Protecting your information assets II “Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning” Rich Cook http://manetheren.cl.msu.edu/~vanhoose/humor/0261.html
Review of Learning • Importance of understanding some of the technical aspects of computer viruses, worms, trojan horses; • Importance of establishing organizational approaches to dealing with these vulnerabilities.
Session Objectives • To consider the concept of cyber terrorism, and its implications for the workplace • To identify key issues and legal aspects of online information use: data security, surveillance, privacy, confidentiality, provider responsibilities, and workplace implications.
Quote of the Day “I'd love to change the world, but they won't give me the source code!” (Unknown)
Cyber Terrorism • Term coined by Barry Collin, Senior Research Fellow at Institute for Security and Intelligence at Stanford University • US Dept of Defense: “actions taken to achieve information superiority by affecting adversary information, information-based processes, information systems, and computer-based networks while leveraging and defending one’s own information” • Ability to unleash technical devastation by “deliberate and systematic attack on critical information activities” • “Computer-generated terrorism” as the “ultimate deliberate destruction of our information infrastructure”
Cyber Terrorism / Warfare • Can take place 1000s of miles from target • Cannot be seen and traced by classical intelligence methods • All but indistinguishable from accidents, system failures, or hacker pranks • Use “social engineering” to get information – e.g. pose as someone else who has legitimate rights to information • Absence of legal jurisdictions based on national and political borders – Internet does not have central location in physical world
'There are lots of opportunities' • In 1996, computer hacker allegedly associated with White Supremacist movement disabled a Massachusetts ISP after it attempted to stop the hacker from sending out worldwide racist messages under ISP’s name. Hacker signed off with the threat: “You have yet to see true electronic terrorism. This is a promise” • 1997: US Department of Justice – replaced department seal with swastika, and labeled it “US Department of Injustice” • In March 1997, a 15-year-old Croatian youth penetrated computers at a U.S. Air Force base in Guam.
EDT: Electronic Disturbance Theater • In 1998, ethnic Tamil guerrillas swamped Sri Lankan embassies with 800 emails a day over a two-week period. First known attack against a country’s computer system. • During Kosovo conflict in 1999, NATO computers blasted with email bombs by “hacktivists” protesting NATO bombings; web-defacements and virus-laden emails were directed to businesses, public organizations, and academic institutes supporting NATO. • During WHO activism in Seattle late 1999, thousands of “Electrohippies” at a predetermined time used software that flooded WHO with rapid and repeated download requests
Is this cyber-terrorism? • Is this civil disobedience analogous to street protests and physical sit-ins, not acts of violence or terrorism? • 90% of all hacking activity is by amateur hackers; an estimated 4% is detected • 1996-2000: 40 major corporations lost over $800M to computer break-ins • 1998-2000: CIA reports that US government systems have been illegally entered 250,000 times • Resort to blackmail and extortion, e.g. targeting banks: Russian hacker tapped into Citibank transfer system and took $10M
Cyber Attacks • Critical computer systems • Disable utility services – water, electricity, gas • Banking • Communications networks • Transportation networks • Building credit card debts • Extortion by threats to unleash computer viruses
Concerns and Impacts • Undermine public confidence and trust of Internet based services • Limit willingness to access information • Threat to Government information systems that are no longer isolated or compartmentalized • Reliance on Net as form of direct delivery • Intertwining of government and private sector systems and networks and transfer of information to 3rd parties • Issues of access, confidentiality and integrity • Online profiling: aggregating consumer interests and preferences by tracking online moves and actual information submitted
PRIVACY & CONFIDENTIALITY • PRIVACY: the right to control one’s personal information and ability to determine how that information should be obtained and used = informational self-determination • CONFIDENTIALITY: one’s means of protecting personal information, usually in the form of safeguarding the information from unauthorized disclosure to 3rd parties; implies responsible safekeeping and custodial obligation on behalf of organizations
DATA SECURITY Protect personal information from wide range of threats: • Inadvertent use of unauthorized disclosure • Intentional attempts at interception • Data loss, destruction, modification
SOME KEY LEGISLATIONS http://thomas.loc.gov/ • Computer Security Act, 1987 • Computer Security Enhancement Act, 2001 • Code of Fair Information Practices, 1980 • Children’s Online Privacy Protection Act, 1998 • Computer Fraud and Abuse Act 1994 • Computer Crimes Act 1994 • Digital Signatures: http://www.epic.org/crypto/dss/ • International Cryptography Policy: http://www.epic.org/crypto/intl/
CODE OF FAIR INFORMATION PRACTICES • OECD (Organization for Economic Co-operation and Development) 1980 • USA and Canada are signatories • Place limitations on collection of personal data, restriction on uses, onus on purpose specification, openness, transparency and accountability
CODE OF FAIR INFORMATION PRACTICES: 8 Governing Principles • Collection Limitation: personal data only, obtained by lawful and fair means, and with knowledge or consent of consumer • Data Quality: only relevant to the purposes for which they are to be used • Purpose Specification: purposes for collection should be clearly specified • Use Limitation: personal data should not be disclosed or made available for purposes other than those specified
CODE OF FAIR INFORMATION PRACTICES: 8 Governing Principles • Security Safeguards: reasonable security safeguards in place to protect against risks of loss, unauthorized access, destruction, use, modification, disclosure • Openness: Policy of openness about developments, practices and policies • Individual Participation: individuals should be able to confirm from data controller the existence of personal data and be able to challenge it • Accountability: Data controller should be accountable for complying with measures which give effect to above principles
Observance of Codes? • Growth of electronic commerce • Online sales: 1997-8: $3 billion -> $9 billion • 1999: revenue for Internet advertising exceeded outdoor billboard advertising • Only 25% of Internet users go beyond browsing to purchase • Online consumer data collected mainly by: registration pages, survey forms, online requests, “cookies” and tracking software • Compile: personal interests and preferences, track online activities, data for target marketing
Observance of Codes? • Federal Trade Commission Survey 1998 US Children’s Sites - 89% collected personal information - 24% posted privacy policies - 1% requested parental consent prior to collection of children’s information
Children’s Online Privacy Protection Act, 1998 • Relates to websites directed to children under 13 that collect information • Legislative requirements: - provide parents notice of information practices - obtain prior, verifiable parental consent for collection, use and disclosure - parents able to request to view / review data collected - parents able to prevent further use of personal data - limit collection of information to only that necessary for activity - establish and maintain reasonable procedures to protect confidentiality, security and integrity of personal data collected
COOKIES: Internet Data Harvesters On the Internet or in a computer network, a file containing information about a user that is sent to the central computer each time a request is made. The server uses this information to customize data sent back to the user and to log the user's requests.
Electronic Calling Cards Advertising companies typically place cookies on individuals' computers when an advertisement is delivered, giving them the ability to track consumer behavior online and gauge the effectiveness of an ad campaign or target marketing to consumer preferences. Web sites also use the markers to hold passwords and personal information for custom services such as Web-based e-mail.
The burnt side of cookies • Using Find File, look for a file called cookies.txt (or MagicCookie if you have a Mac machine). • Using a text editor, open the file and take a look. Odds are about 80/20 that you'll find a cookie in there from someone called "doubleclick.net". • Likely you never went to a site called "doubleclick". So how did they give you a cookie? • Go to www.doubleclick.net. Read all about how they are going to make money giving us cookies we don't know about, collecting data on all World Wide Web users, and delivering targeted REAL TIME marketing based on our cookies and our profiles. • Subscribers to the doubleclick service put a "cookie request" on their home page for the DoubleClick Cookie.
The burnt side of cookies • When you hit such a site, it requests the cookie and takes a look to see who you are, and any other information in your cookie file. • It then sends a request to "doubleclick" with your ID, requesting all available marketing information about you. • It seems clear that at least some of it comes from your record of hitting "doubleclick" enabled sites. • You then receive specially targeted marketing banners from the site. • Main concern is that all this is done without anyone's knowledge. Key issue: What right should anyone have to collect information about me without my knowledge, and why should they break my right to privacy?
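Added example (not part of the original slides): the cookies.txt inspection described above, done in code. It assumes the Netscape cookies.txt layout of seven tab-separated fields per line; the sample file contents, the `.test` site names and the list of visited sites are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample in the Netscape cookies.txt layout (tab-separated):
# domain, subdomain flag, path, secure flag, expiry (Unix time), name, value
SAMPLE_COOKIES_TXT = (
    "# Netscape HTTP Cookie File\n"
    ".doubleclick.net\tTRUE\t/\tFALSE\t1920499200\tid\tA1B2C3D4\n"
    "www.example-news.test\tFALSE\t/\tFALSE\t946684800\tsession\txyz\n"
    ".example-shop.test\tTRUE\t/cart\tTRUE\t978307200\tbasket\t42\n"
    "\n"
    "truncated line without enough fields\n"
)

def parse_cookies_txt(text):
    """Return one dict per well-formed cookie line; skip comments and junk."""
    cookies = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7 or not fields[4].isdigit():
            continue  # malformed entry: ignore rather than guess
        domain, _flag, path, secure, expiry, name, value = fields
        cookies.append({
            "domain": domain.lstrip(".").lower(),
            "path": path,
            "secure": secure == "TRUE",
            "expires": datetime.fromtimestamp(int(expiry), tz=timezone.utc),
            "name": name,
            "value": value,
        })
    return cookies

def third_party_cookies(cookies, visited_sites):
    """Cookies whose domain is neither a visited site nor a parent/sub-domain of one."""
    def related(cookie_domain, site):
        return (cookie_domain == site or site.endswith("." + cookie_domain)
                or cookie_domain.endswith("." + site))
    visited = [s.lower() for s in visited_sites]
    return [c for c in cookies if not any(related(c["domain"], s) for s in visited)]

if __name__ == "__main__":
    jar = parse_cookies_txt(SAMPLE_COOKIES_TXT)
    for c in third_party_cookies(jar, ["www.example-news.test", "example-shop.test"]):
        print(f"{c['domain']}: {c['name']} (expires {c['expires']:%Y-%m-%d})")
```

Cookies reported here come from domains the user never knowingly visited, and the expiry date shows how long the identifier would persist on the machine.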
www.doubleclick.net statement Why shouldn't I opt-out of this cookie? DoubleClick believes all users should have a positive Web experience. Because of this belief, we allow advertisers to control the frequency (the number of times) a Web user sees an ad banner. We also deliver advertising based on a user's interests if that user has chosen to receive targeted advertising. We believe that frequency control, and relevant content makes advertising on the Web less intrusive by ensuring that users are not bombarded with repeat and irrelevant ad messages. Opting-out removes our ability both to control frequency of exposure to individual users and to increase the level of relevant content.
Some Privacy Organizations • Electronic Privacy Information Center (EPIC) is a public-interest research center to protect privacy, the First Amendment, and values of U.S. Constitution. • Privacy Rights Clearinghouse (PRC) offering consumer-oriented information on topics ranging from cellular-phone eavesdropping to employee monitoring. • Computer Professionals for Social Responsibility (CPSR) is an alliance of computer professionals and others interested in impact of computer technology on society. • The Electronic Frontier Foundation (EFF) is a nonprofit civil liberties organization dedicated to protecting privacy, free expression, and access to online resources and information. • Center for Democracy and Technology (CDT) is a nonprofit organization dedicated to promoting constitutional civil liberties and democratic values in new computer and communications technologies.
Self-Regulation and Fair Information Practices • Emergence of online seal programs • Sites require licenses to abide by codes of online information practices & to submit to compliance monitoring • Assurance for consumers that site is legitimate business that will process and protect sensitive information • Display privacy seal on websites
Self-Regulation • TRUSTe: launched 1999 by Commerce Net Consortium & Electronic Frontier Foundation • Guidelines regarding personally identified information; submit to monitoring and oversight • 5 DAY Complaints Resolution Procedure • 3rd Party Monitoring: use of “seeding” (unique identifier planted with consumer information – track removal and honoring of agreement)
Self-Regulation • BBB Online Privacy Seal Program 1999 • Council of Better Business Bureaus • Covers “individually identifiable information” and “prospect information” • Verisign • Cnet Certification
Question(s) of the day … Are the concerns about computer privacy and security in this country as strong as they are in other nations? Is this a cultural issue? How can we study this?
Cyberterrorism Centers • Institute for Security Technology Studies at Dartmouth (Visit)
Reading!! • McMillan, R. (2004 March 17). Lessig: Be wary of IP extremists. InfoWorld. • The article is accessible at: http://www.infoworld.com/article/04/03/17/HNlessig_1.html