Tuesday, October 13, 2009

None of your business: Encryption

There is a fine line between individual privacy and what your employer
needs to know. Should schools be able to run background checks on
teachers, to verify credentials and make sure they have no past history
of child abuse or molestation? Certainly. Should your insurance
company be able to consider your past medical history before selling you
a policy? This is not as clear. Should you be able to remain
completely anonymous online, without even the government being able to identify
you? This would protect, for example, a homosexual sailor who would
like to keep his job in the Navy but stay in touch with a boyfriend (this
actually happened and the sailor lost his job; see Don't Ask, Don't AOL,
by Margie Wylie). But shouldn't the government be able to trace hackers
who steal important financial information from consumers at Amazon.com?


The apparent solution to the lack of privacy on the internet is a technique known
as encryption. Encryption is running data through filters. One filter
scrambles the message, a second unscrambles it. Anyone who picks up the
information in transit would (in theory) see nothing but garbled characters.
(To experience what this is like, try opening an image file in a word
processor.) However, such encryption would also allow people to hide far
more easily online. Many hackers can also run intercepted data through
filters of their own and recover the information. Business moves far more
slowly than the underground community of hackers.

In 1993, the government suggested that it should hold a key to all
encryption. This way, data could only be accessed by the receiving party
(who would hold a 'key') or the government. This idea was called the
Clipper chip. The Clipper chip used a mathematical formula known as the
SKIPJACK algorithm. Proponents argued that the Clipper chip (also referred
to as "key escrow", or, later, "key recovery") would thwart hackers and
that wiretapping was often vital to convicting a criminal. Opponents
argued that truly clever hackers would easily find their way around the
Clipper's defenses and that the SKIPJACK algorithm used in the chip had
flaws (Seeman, Outline). The Clipper chip initiative was backed by the
White House, the National Security Administration (NSA), and the Attorney
General's office and has been revised several times since its advent
(EPIC, The Clipper Chip). The Commerce Department shifted the focus of the
Clipper to comply with European regulations, and many companies expressed
frustration with the Clipper initiative. The limits placed by the
government on encryption levels (56-bit) have been proved ineffective, and
in March 1998 internal government files were discovered by EPIC that
admitted that "key recovery" was expensive and impractical (CDT,
Cryptography Headlines).
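The scramble/unscramble "filters" of the previous section and the 56-bit key-length point above, as an added example that is not part of the original essay: a toy hash-based stream cipher (constructed for illustration only, not a cipher for real use) with a deliberately small 16-bit key, which an eavesdropper recovers by trying every key, plus the factor by which a 56-bit keyspace exceeds it.

```python
import hashlib
from typing import Optional

# Added example, not from the original essay. A toy symmetric cipher: the
# keystream is SHA-256(key || counter), XORed onto the data. It illustrates
# the two "filters" and the effect of key length; it is NOT for real use.

def keystream(key: bytes, length: int) -> bytes:
    """Expand `key` into `length` pseudo-random bytes."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])

def scramble(key: bytes, data: bytes) -> bytes:
    """One filter for both directions: XOR with the keystream.
    Applying it twice with the same key restores the original."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))

def brute_force(ciphertext: bytes, known_prefix: bytes, key_bits: int) -> Optional[bytes]:
    """An eavesdropper's own filter: try every key of `key_bits` bits and
    stop at the first one whose output starts with text known to be in the
    message (here, the greeting)."""
    key_len = key_bits // 8
    for candidate in range(2 ** key_bits):
        key = candidate.to_bytes(key_len, "big")
        if scramble(key, ciphertext).startswith(known_prefix):
            return key
    return None

def keyspace_ratio(stronger_bits: int, weaker_bits: int) -> int:
    """How many times more keys the longer key length allows."""
    return 2 ** (stronger_bits - weaker_bits)

MESSAGE = b"Dear Dave, see you at the rave."   # constructed sample plaintext
SECRET_KEY = (0xBEEF).to_bytes(2, "big")       # constructed 16-bit key

if __name__ == "__main__":
    on_the_wire = scramble(SECRET_KEY, MESSAGE)
    print("eavesdropper sees:", on_the_wire.hex())
    print("recipient reads:  ", scramble(SECRET_KEY, on_the_wire))
    print("recovered key:    ", brute_force(on_the_wire, b"Dear Dave", 16).hex())
    print("a 56-bit keyspace is", keyspace_ratio(56, 16), "times larger than 16-bit")
```

The 16-bit search finishes in well under a second; the ratio shows why the same approach is only a matter of more machines and time at 56 bits.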

In more recent events, Congress is reviewing the Security and Freedom
through Encryption (SAFE) Act [full text], introduced in late February by
Representatives Bob Goodlatte (R-VA) and Zoe Lofgren (D-CA). The SAFE Act
ensures that US citizens may use any form of encryption, anywhere, denies
the government the right to "key recovery", and creates penalties for
using encryption to cover a crime, among other things (CDT, SAFE HR 850).
The House vote on SAFE will take place in September.

The Online Privacy Alliance, made up of prominent companies in
communications and technology like IBM, AOL, and Time Warner, is trying to
help the internet industry self-regulate encryption and other privacy
topics. This may be a step in the right direction - if industry and
government can work together, encryption could be regulated but commonly
used. Still, this leaves out individual consumers and others whose privacy
is actually what is being debated. The Online Privacy Alliance suggests a
caveat emptor approach - consumers should look for privacy policies and be
careful where they post their information.


Last revised: 7/23/99

None of your business: Privacy

Do you have a secret? Have you ever lied? Are there certain
things you don't want your parents to know? How about your friends?
How would you feel if in twenty years, in the midst of a successful career,
someone told your boss that once, when you were 17, you tried some pot
at a party? Or that you are gay or have AIDS? What if they
got this information from an e-mail that you fully expected would not go
beyond yourself and the recipient, but was intercepted and posted on a
web page? That would be an unfair violation of your privacy.

While the Constitution does not literally guarantee your right to privacy,
over the past 223-odd years the Supreme Court has granted privacy protections
under, most notably, the Fifth Amendment's protection against self-incrimination
and the Fourth Amendment's protection from unreasonable search and seizure
(Privacy Basics). Fair Information Practices have been loosely followed by
government and industry. These are not laws - they are a set of industry
ethics. A generic copy of these policies states that practices should be
open, that individuals maintain the right to know and see what data is
being collected from them, that data collection should be limited,
specific, and secure, and that data collectors will be responsible for the
use of the information.


To discuss online privacy, there are a couple of basic definitions to take
into account. I'm sure that no matter how little time you have spent
online, you have been asked if you would like to accept a cookie, or told
that a cookie has been sent. Well, of course, you think at first.
Mmmmm....cookie. Unfortunately, cookies are not quite that tangible nor
delectable. A cookie is a piece of data that a web site collects about you
when you visit (Cookie Central, Cookies). The data varies with the web
site - a commercial web site will collect demographics (that is, sex, age,
and other advertising information) to learn more about you, while an
e-mail service may collect identifying or personal (name, mailing address)
information to recognize you. Cookies allow a web site to be tailor-made
for you as long as you stay in that domain name, or each time you visit.
CGI or JavaScript code at the beginning of the web page you visit
instructs your browser to send certain information to a server. If you
have ever checked a box saying "Remember My Password", you have set a
cookie.
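The "as long as you stay in that domain name" behaviour described above, as an added example that is not part of the original essay: a minimal browser-side cookie jar that stores what a server hands the browser and returns it only to the domain that set it. The host names and cookie values are constructed, and real browsers apply further rules (Path, Secure, public-suffix checks) that are omitted here.

```python
from http.cookies import SimpleCookie

# Added example, not from the original essay. A minimal browser-side cookie
# jar: it stores data a site hands the browser and returns it only to that
# site's domain (or its subdomains) on later visits. Host names are
# constructed. Real browsers add more rules (Path, Secure, public-suffix
# checks) that are left out here.

class CookieJar:
    def __init__(self) -> None:
        self.store = {}  # (domain, cookie name) -> value

    def receive(self, host: str, set_cookie_header: str) -> None:
        """Handle one Set-Cookie header sent by `host`, the step where the
        server instructs the browser to keep some data. A cookie without a
        Domain attribute belongs to the exact host that sent it."""
        parsed = SimpleCookie()
        parsed.load(set_cookie_header)
        for name, morsel in parsed.items():
            domain = (morsel["domain"] or host).lstrip(".").lower()
            self.store[(domain, name)] = morsel.value

    def cookie_header(self, host: str) -> str:
        """Build the Cookie header the browser attaches when visiting
        `host`: only cookies scoped to `host` itself or a parent domain."""
        host = host.lower()
        pairs = [f"{name}={value}"
                 for (domain, name), value in sorted(self.store.items())
                 if host == domain or host.endswith("." + domain)]
        return "; ".join(pairs)

def demo() -> dict:
    """Two sites set cookies; see which hosts get them back."""
    jar = CookieJar()
    jar.receive("shop.example.com", "remember_me=1; Path=/")
    jar.receive("mail.example.net", "sessionid=abc123; Domain=example.net")
    return {host: jar.cookie_header(host) for host in (
        "shop.example.com",   # host-only cookie comes back
        "mail.example.net",   # domain cookie comes back
        "www.example.net",    # sibling host in the same domain shares it
        "other.example.org",  # unrelated site gets nothing
    )}

if __name__ == "__main__":
    for host, header in demo().items():
        print(f"{host:18} Cookie: {header or '(none)'}")
```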

There are two aspects of privacy online. One is a need for protection
for yourself. Online stalking has been a problem, with people harassing
new 'friends' online and sometimes even threatening them, or confronting
them in person. The second is a need to protect your data from strangers.
This comes not from the fear of physical harm but of financial harm. The
first is the fear of being mugged on the way down to the mail box, and
the second is the fear of being mugged on the way back, while carrying
your paycheck and credit card bill.

The Communications Decency Act (CDA; see also the section How Obscene!:
The Plot Thickens) stated that telecommunications, meaning the internet,
e-mail, chat and chat programs (including IRC, AIM, and ICQ), should not
be used to purposely harass or intimidate. You cannot e-mail bomb people.
Also, under the law you must identify yourself. This part of the CDA was
unaffected by the Supreme Court decision regarding obscenity clauses.

There are three levels of online privacy provided by systems
administrators (admins), like the guy in the back room at school or AOL
monitors (Bowman, What Is Privacy?). The first is Complete Privacy. Here,
the admin agrees not to read any of your e-mail or keep track of where you
go on the web in any way. This obviously allows the most privacy, but
often creates a liability for admins and Internet Service Providers
(ISPs). The second level is Almost Complete Privacy. Here admins will look
at your e-mails and chats if they suspect any sort of illegal activity.
The third level is No Privacy. Here admins are allowed to look at any
email you send, whether the subject is "My Plan To Plunge The Internet
Into Darkness" or "My Rave With Dave".

Your privacy is protected by some laws already. The Electronic
Communications Privacy Act, created in the late 70's in response to the
Watergate scandal, already protects against interception of electronically
transmitted messages as well as the privacy of information stored within
a private computer system (Bowman, What Is The Electronic Communications
Privacy Act ("ECPA")). But in March of 1992, the FBI suggested that all
communications be designed so that law enforcement agents could tap into
them from afar (Cranor, Digital Liberties). This would have made e-mail,
the internet, chat rooms, and even ISPs vulnerable to interception at any
time. Opponents claimed that the first version of the bill gave the FBI
privileges it had not been afforded in older wiretapping laws. The FBI
worked with Senator Patrick Leahy (D-VT) and Representative Don Edwards
(D-CA) to refine a new bill (Edwards/Leahy Digital Telephony Legislation
(HR 4922/S 2375)), which was passed almost unanimously into law. ISPs were
now exempt from the law. Some considered this a failure, but most agreed
that the protection afforded to ISPs was a victory or at least a good
compromise. However, this simply makes intercepting data illegal. It does
not make it impossible.

A recent survey by the Georgetown Business School states that 93% of
commercial internet sites collect some sort of data that may be used to
identify you (this may be your home address, your e-mail address, name,
etc.) and 57% collect demographics. Over one third of these sites did not
post any information that they were collecting data and/or what it would
be used for. The report concluded that only 10% of the commercial web
sites that collected personal or demographic information followed fair
information practices with respect to notice, choice, access, security and
contact information. The Center for Democracy and Technology believes that
"the study shows that definite progress has been made in making many more
Web sites privacy sensitive. But those numbers also show that real fair
information practices are incorporated by only a small number of sites and
most sites have yet to embody more than minimum disclosure of their
information practices."




Last revised: 7/23/99