SIMs Policy Manual of
Table of Contents
1. Software and Business Method Patents for the Internet
2. Consumer Information Privacy on the Internet
3. Copyright and Data Protection in E-Business
4. Critical Infrastructure Security
5. Encryption/Cryptography
6. Trademarks, Domain Names and Cybersquatting on the
7. Taxation of Internet Commerce
8. Internet Content Restrictions
9. (DRAFT) E-business Strategies: Open Versus Closed Customer and Competitor Environments
Software and Business Method Patents for the Internet
Issue: Whether software and business method patents relating to the Internet will create
undesirable monopolies in E-Commerce or, instead, are legitimate ways to protect
Background: Traditionally, mathematical algorithms, as might be contained in software,
and “business methods” were considered unpatentable. They were considered too
abstract and not novel enough to grant anyone a monopoly upon their use. The U.S.
Patent and Trademark Office, however, has recently been granting patents for software
and business methods -- in particular as they relate to the Internet. Examples of
Internet-related software patents include:
• Unisys: method of data compression called LZW used in a graphic format called GIF,
which many web sites use in order to be compatible with older web browsers
• Bruce Dickens: computer software windowing method that created a Y2K fix
• Geoworks: software on Wireless Application Protocol that allows server computers to
rearrange pages of information to fit on the screens of phones and mobile devices.
Examples of Internet business method patents include:
• Amazon.com (2 patents): 1-Click ordering (storing a customer's billing information
so that they do not have to enter it every time they make a purchase); and Web
Affiliate Program, including the process used to apply to become an affiliate, the
technology used to link Amazon's databases to the affiliate site, and the billing system
used to make sure the affiliate gets its share of the profits.
• Priceline.com: reverse auctioning or “name your own price” on the Internet
• Sightsound.com: selling of audio or video recordings in download fashion over the
• Home Gambling Network: remote, live wagering over the Internet
• CyberGold: rewards to customers who receive and view online advertisements
Note that the business method patents are on the business method idea, not the
technology to accomplish the business method. The Internet software patents, by
comparison, are patents on the specific software technology accomplishing the result.
Thus, the business method patents are much broader as there may be several technologies
(software and otherwise) that could be created to accomplish the business method but
would be blocked from usage because they would infringe on the business method patent.
However, most E-business method patents are implemented through software, which
itself may be patentable.
These patents create 20-year monopolies over the software technology or the business
methods identified in the patent claims. And these Internet-related software and business
method patents are proliferating. Between October 1998 and September 1999, 2,600
applications for computer-related business methods were filed. During that same time
period, 583 computer-related business method patents were issued. Businesses with these
patents can prevent other businesses from using the software technology or business
methods, or they can license them out for a fee.
While the U.S. Supreme Court endorsed software patents some time ago, recent court
cases have brought the business method and Internet related patents into sharper focus.
The first case, State Street, did not involve the Internet, but rather a "hub and spoke"
software program for managing an investment structure for mutual funds. The software
facilitated the administration of mutual funds (the "spokes") by pooling their investments
into a single portfolio organized as a partnership (the "hub"). The software determined
changes in hub investment assets and allocated the assets among the spokes. The Federal
Circuit Court of Appeals (the highest, and most specialized, court on patent matters
besides the Supreme Court) held that software algorithms that lead to business methods,
like the one at issue in State Street, were patentable. This case reversed a long history of
judicial opinions suggesting otherwise.
Another important case now under way involves Amazon.com’s effort to stop
barnesandnoble.com from using “Express Lane,” a one-click check out mechanism
similar to Amazon’s patented 1-Click checkout. The trial court issued an injunction
against barnesandnoble.com (although it was later stayed) and the case is pending a final
ruling. It is considered a critical case regarding the general validity of Internet business
method patents. But other cases are also working through the courts, including a suit by
Priceline.com against Microsoft’s Expedia for replicating Priceline.com’s “name your
own price” business model for selling hotel rooms, airline tickets and other consumer
goods and services.
Conflict: There is considerable debate over the granting and use of these patents. Many
argue that these patents will stifle the open nature of the Internet and discourage
innovation. They argue that the open nature of software development is why the Internet
has advanced as far as it has today, and to allow proprietary ownership over code will
seriously undermine continued innovation. Influential legal scholar Lawrence Lessig
states, for example, that "[t]he idea that [Amazon’s] 1-Click is so amazing that it deserves
a government-granted monopoly is ridiculous.... These patents are going to change what
the Internet is right now, which is a place for a broad number of people to play in the
innovation game."[1] Critics complain that these patent applications are generally overly
broad and ignore “prior art” – that is, prior ideas that are known, which should defeat a
patent claim that the idea is novel or non-obvious and thus patentable. Some attacks on
Amazon’s business method patent have been direct in this regard, arguing that Amazon’s
1-Click is a simple, logical and obvious use of the cookie system pioneered by Netscape
and others and, thus, does not deserve a patent by the very terms of patent law. These
arguments have been generalized to the broader number of Internet software and business
[1] Thomas E Weber, “Patents feuds may damp Web's spirit,” Wall Street Journal, B1, November 8, 1999.
With respect to stifling the open nature of the Internet, not everyone is in agreement.
Many argue that patents have a role to play in even an open system. Q. Todd Dickinson,
the Director of the U.S. Patent and Trademark Office, defends business method patents as
spurring innovation and preventing rip-offs of inventors’ ideas. Jeff Bezos of
Amazon.com has also defended his 1-Click patent, arguing that Amazon took risks and
committed substantial time to the effort to create the ordering system. Moreover, many
software patent holders say they have software patents "for defensive purposes", to press
for cross-licensing, or to argue they were first to invent in case they are threatened with
patent lawsuits by others.
There is also debate over whether the USPTO is properly reviewing these patents for
prior art. The critics claim that a major reason so many bad software and business
method patents issue is that patent examiners do not have enough time and library
resources to adequately consider the prior art. Critics have said the agency approves such
patents too readily because its examiners do not understand current technology and
Internet practices well enough. This hampers competition and innovation, they argue, by
allowing commonplace business practices to be rendered private property, and by
restricting innovation by entrepreneurs wary of infringement lawsuits.
There are enforcement concerns with respect to these E-Patents. [insert international
Some Key Players and Resources:
• Jeff Bezos, CEO of Amazon.com. Champions the 1-Click patent but proposes
reducing the length of Internet patents to 3-5 years.
• Jay Walker, founder of Walker Digital. Walker Digital is in the business of patenting
new business method patents, including Priceline.com.
• Kevin Rivette, a patent attorney and author of "Rembrandts in the Attic," a book on
how to make the most aggressive use of patents.
• Greg Aharonian, outspoken critic of software and business method patents. Operates
the Internet Patent News Service.
• Richard M. Stallman, software developer and founder of the GNU Project, launched
in 1984 to develop the free operating system GNU. Outspoken critic of Amazon.com
and software patents (www.gnu.org/people/rms.html)
• Lawrence Lessig, Harvard Law Professor and leading scholar on Internet and
intellectual property rights (http://cyber.law.harvard.edu/lessig.html).
• Harvard Berkman Center for Internet and Society. Promotes open code approaches to
the Internet (http://cyber.law.harvard.edu/).
• Q. Todd Dickinson, Director of the U.S. Patent and Trademark Office
(www.uspto.gov/web/offices/com/admin/). Defends USPTO practice in granting
software and business method patents.
• U.S. Patent and Trademark Office (www.uspto.gov)
• Protest Site against Amazon.com: www.NoAmazon.com
• Protest Site against Unisys: www.burnallgifs.com
• Patent Guidelines: US Patent Office (1998) Artificial Intelligence, Business and
Mathematics Patent Examination Guidelines
(http://www.uspto.gov/web/offices/pac/compexam/comguide.htm); US Patent Office
(1996) Computer-Related Invention Guidelines
(http://www.uspto.gov/web/offices/pac/dapp/oppd/patoc.htm); US Patent Office
(1989) Patentability of Math Algorithms and Computer Programs
(http://www.bustpatents.com/og1989.htm); Japan Patent, Implementing Guidelines
for Computer Software Related Inventions at JPO Office
(http://www.jpo-miti.go.jp/infoe/txt/soft-e.txt); UK Patent Office, Claims to Programs for Computers
• State Street Bank and Trust v. Signature Financial Group, 149 F.3d 1368 (Fed. Cir.
1998), cert. denied, 119 S. Ct. 851 (1999) (held that business methods are
• ATT vs. Excel Communications, 172 F.3d 1352 (Fed. Cir. 1999), cert. denied, 120 S.
Ct. 368 (1999) (applied rule of State Street decision in case dealing with business
method patent on long distance telephone message handling).
• Amazon.com v. Barnesandnoble.com, 73 F. Supp.2d 1228 (W.D. Wash, Dec. 1,
1999) (granted preliminary injunction against barnesandnoble.com for likely
infringement against Amazon.com’s 1-Click ordering patent).
Amazon.com 1-click patent claim: Method and system for placing a purchase order via a
communications network Issued/Filed Dates: Sept 28, 1999 / Sept 12, 1997
“1. A method of placing an order for an item comprising: under control of a
client system, displaying information identifying the item; and in response to only
a single action being performed, sending a request to order the item along with an
identifier of a purchaser of the item to a server system; under control of a single-
action ordering component of the server system, receiving the request; retrieving
additional information previously stored for the purchaser identified by the
identifier in the received request; and generating an order to purchase the
requested item for the purchaser identified by the identifier in the received request
using the retrieved additional information; and fulfilling the generated order to
complete purchase of the item whereby the item is ordered without using a
shopping cart ordering model.”
Jeff Bezos quotes:
"We spent thousands of hours to develop our 1-Click process, and the reasons we have a
patent system in this country is to encourage people to take these kinds of risks." (quoted
in Thomas E Weber, “Patents feuds may damp Web's spirit,” Wall Street Journal, B1,
November 8, 1999).
“I now believe it's possible that the current rules governing business method and software
patents could end up harming all of us -- including Amazon.com and its many
shareholders, the folks to whom I have a strong responsibility, not only ethical, but legal
and fiduciary as well.” – Jeff Bezos, in suggesting a 3-5 year length for business method
patents (AN OPEN LETTER FROM JEFF BEZOS ON THE SUBJECT OF PATENTS)
Consumer Information Privacy on the Internet
Issue: Whether self-regulation versus governmental regulation of privacy builds the
confidence of consumers in Internet business
Relevance to E-Business Managers: Consumer information privacy on the Internet deals
with the use of personal data, which is critical for the success of an Internet business. It
allows a merchant to know its customers’ identities, interests, and needs, and thereby
tailor the relationship process and the offerings to increase customer satisfaction and
customer convenience. The availability and sale of personal information has been one of
the engines of growth in Internet business.
The growth in the number of Internet users has increased the concern over the ability of
an individual to control the terms under which personal information is acquired and used
on the Internet. The concern about privacy comes from customers, who are wary of
vendors using the data or supplied information in an exploitive manner. Several high
profile cases have occurred where information about customers has been gathered
without their knowledge or without full disclosure of the purpose of data collection,
resulting in an outcry of customer complaints (e.g., Real Networks). DoubleClick found
that the mere announcement of targeting and profiling led to customer hysteria.
Consumer confidence in the Internet is critical for the development of electronic
commerce. The majority of people not online say that they stay off because of privacy
concerns. Some reports suggest that 55% of U.S. web users mistrust the present handling
of privacy. Interest groups are playing a watchdog role. The Federal Trade Commission
(FTC) has released a report that suggests that only 20% of the websites manage privacy
adequately. Moreover, online worries are being extended to offline concerns.
Privacy is another area of law in development. There are some 300 privacy proposals at
the federal level and a plethora of others at the state level. E-business managers must
stay abreast of these developments to avoid a “Privacy Valdez.”
Background: Personal information is information identifiable to an individual. E-
businesses have access to a wealth of information about online customers. To access a
web site or services, customers may complete online registration forms, where they
reveal contact information, financial data, and personal interests. To purchase goods or
services online, customers may send credit card numbers and shipping addresses over the
Internet. As customers click on advertisements or link to Web pages, e-businesses may use
cookies to record and store their surfing habits. Much of the data collected contains
personally identifiable information.
E-businesses have incentives to collect personal information. First, they may use the
information for their own marketing purposes. For example, an e-business may
personalize its web site for each individual customer to ensure that the customer’s
attention is focused on goods or services that he is most likely to want given his past
surfing habits. Second, e-businesses may sell customer information to other companies,
who use the information to market directly to those customers. Finally, e-businesses may
collect personal information because the nature of their business requires the information.
For example, medical web sites require customers’ personal medical history to deliver
With existing technology, Internet merchants can collect vast amounts of data, most of it
invisibly, and put together a complete profile of a person. Detailed tracking of a user’s
movements coupled with personally identifiable information has led to concerns over the
rise of identity theft. Some predict that within the next 6 to 8 months, most web users
will witness the siege of their identity.
The online collection of personal information gained widespread attention in 1998 when
the Federal Trade Commission (FTC) published its first study of online privacy practices.
The study analyzed the presence of privacy statements on commercial web sites. The
study found that although customers ranked the lack of privacy protection as the top
reason for not using the Internet, a substantial number of e-businesses collected personal
FTC’s sample posted any type of privacy disclosure. A 1999 Georgetown University
study (sponsored partly by the FTC) revealed an improvement from the prior year: 67%
of the sites posted a privacy statement. However, the content analysis of these statements
suggested inadequate protection. Some companies posted statements that give the
company the right to do anything with the personal information. Only 13.6 percent
followed the FTC’s “fair information practices” that would likely become law if the U.S.
government regulated privacy. Other studies suggest that companies fail to comply with
their own policies. In 1999, the FTC handled more than 11,000 complaints against online
auction sites alone.
The FTC’s “fair information practices” are reflected in the Privacy Act of 1974 which
focused on government use of personal information. Although the U.S. Government has
endorsed the standards, it has never passed legislation on them. The Organization for
Economic Cooperation and Development (OECD) passed guidelines governing privacy
in 1980 and those guidelines are based on fair information practices. Fair information
o Notice/Awareness: website would be required to provide consumers notice
of their information practices, such as what information they collect and
how they use it
o Choice/Consent: web sites would be required to offer consumers choices
as to how that information is used beyond the use for which the
information was provided (for example to consummate a transaction)
o Access/Participation: web sites would be required to offer consumers
reasonable access to that information and an opportunity to correct
o Security/Integrity: websites would be required to take reasonable steps to
protect the security and integrity of that information.
In summer 1999, the FTC informed Congress that new Internet privacy laws are not
needed at this time and endorsed a policy of self-regulation. It warned that it did not
“foreclose [the] possibility of legislative or regulatory action” in the future. Privacy
advocates disagreed with the FTC’s decision, calling for a comprehensive privacy law.
Partially because of the concerning results from the 1998 FTC WebSurf, Congress passed the
Children’s Online Privacy Protection Act (COPPA). But other than COPPA, the Clinton
administration has avoided governmental regulation of online privacy practices except on
the sectorial level (health and financial services). Instead, the administration has
encouraged e-businesses to adopt self-regulatory approaches to privacy protection in
order to protect the free growth of the Internet. Although the administration has assumed
a hands-off approach for now, it has charged both the FTC and the National
Telecommunications and Information Administration (NTIA) with monitoring online
privacy protection to ensure the effectiveness of self-regulation. If self-regulation is
ineffective, the administration says it will turn to governmental regulation of online
privacy. A recent Business Week/Harris poll reported that 57% of Americans believe
that it has become time for the government to step in and regulate privacy; only 15%
believe that self-regulation is the way to go.
In May 2000, the FTC released the results of the 2000 WebSurf. The study found that
only 20% of the sites provided adequate consumer protection. Whereas in 1999 the FTC
gave a green light to over 60% of sites, this figure later dropped to 20% because the FTC
changed the rules. While in the past the FTC had largely checked for the existence of a
privacy statement, in 2000 the study analyzed the content of the statement and the
extent to which it met the four requirements of the Fair Information Practices. The FTC
2000 WebSurf suggested that the Federal Trade Commission has taken a more active role
in enforcing fair information practices online.
Business Self-Regulation Approaches
E-businesses have taken self-regulation seriously because they want to avoid
governmental regulation and because they recognize that privacy protection is simply
good business. Since 1998, the percentage of web sites providing privacy notices has
grown from 14%[2] to 24%[3]. Several organizations, including TRUSTe and BBBOnline,
have launched privacy seal programs that provide third party monitoring of an enrolled
web site’s privacy practices. Finally, e-businesses themselves have changed their privacy
practices in response to consumer pressure. For example, DoubleClick abandoned plans
to merge data relating to online surfing habits with offline personal data when consumer
Three approaches to self-regulation have emerged:
o First, e-businesses may police their privacy practices by holding themselves to
restricted privacy policies. American Express employs this police approach.
o Second, e-businesses may seek to create a market in privacy by compensating
consumers for personal information and then using that information as they see
fit. Cybergold employs a market approach.
o Third, consumers, instead of e-businesses, may control their own information by
using software that allows them to block access or designate the types of
information that will be revealed when they visit web sites.
[2] As found in a 1998 FTC study published at http://www.ftc.gov.
[3] As found in a 2000 enonymous.com survey published at http://www.privacyratings.org.
Many hold out hope that future privacy enhancing technologies coupled with consumer
education will elevate privacy protection to new levels within the self-regulation
framework. Some privacy enhancing technologies include:
1. Intermute: a Java application to block undesired access to your computer when
you are online
2. PGP 5.0: a powerful encryption program to guarantee the confidentiality of your
messages to trusted recipients
3. PGP Cookie Cutter: a Windows 95 utility to delete selected cookies
4. Lucent Personalized Web Assistant: an application to be used for identifying
yourself at a web site that shields your true identity
5. Anonymous technology: Anonymizer.com is a web site to be visited before you
visit other web sites that provides you with an anonymous identity. File sharing
programs such as Gnutella mask the identity of those using the system.
6. Platform for Privacy Preferences (P3P): P3P is an automated system that gives
users more control over the information they disclose about themselves as they
surf the Web. Under the proposal, site designers would post their privacy
practices in a format the user's browser would understand. Web surfers could, in
turn, set browser preferences to control how much information they want to
release to web sites they visit.
The criticism against self-regulation has grown in the last year. The press has featured
prominently a number of online privacy gaffes. DoubleClick, Amazon.com, Microsoft,
and Real Networks are just a few. Real Networks had a TRUSTe privacy seal on their
site while they violated their own privacy statement by transmitting personal information
from twelve million people. And TRUSTe has yet to discipline Real Networks.
TRUSTe’s response has included that privacy problems happen not because of malicious
intent by the corporation but because “the left hand of a company doesn’t know what the
right one is doing.”
Businesses themselves are split on the balance between governmental and self-regulation.
Some businesses fear that unless the federal government acts, states and local
jurisdictions will pass their own privacy laws, leading to a mishmash of laws. Others
insist that the Internet businesses can self-regulate.
Consumer Ownership of Personal Information
Customers give away their personal information in anticipation of some future value from
that exchange (e.g., convenience, tailored products). While it is easy to see how
merchants benefit from personal customer information, it is less clear what Internet
customers have received in return for their personal information. The promises of greater
convenience (one-click shopping), personalization, and tailoring have often fallen short.
Perhaps because of failed promises, customers have begun to claim ownership of their
personal information and place economic value on the information that they share with
merchants while transacting, communicating, and collaborating with them. Customers are
willing to release this information if they can profit by doing so (e.g., compensation,
gifts, coupons, rebates, special offers). Some merchants have begun to provide a flat sum
of money for customers’ completing online surveys ($5-10), provide a discount on the
first purchase, or pay the customer a few cents when the information is sold to a third
party. Firms whose main business is to sell personal information have begun to
pay surfers for the time they surf (e.g., 50 cents per hour), number of advertisements they
look at, and the amount of information they share. Others argue that it is not possible to
put a value on a piece of data on the customer (name, browsing pattern) as it depends on
the context of the data.
Japan has followed closely the U.S. lead and has advanced ethical practices similar to the
Fair Information Practices. The European Union has taken a governmental approach. The
member countries in 1998.
1. The most obvious conflict concerns self-regulation versus governmental regulation.
The Clinton administration and e-businesses favor self-regulation since they believe
that governmental regulation will stifle the growth of the Internet. Specifically,
governmental regulation will erode consumer confidence and trust in e-businesses
and will offer an inflexible approach to a rapidly changing online environment.
Public interest groups note that self-regulation does not work, however. If
e-businesses find an economically beneficial use for online data, they are unlikely to
police themselves at an economic loss. Third-party private sector auditors are
ineffective since those organizations survive on funding that audited businesses
provide. Proponents of governmental regulation argue that without effective privacy
protection, consumers will not purchase goods and services on the Internet and the
Internet will not reach its full growth potential.
Among self-regulatory efforts, a conflict exists over the most effective approaches.
For example, many web sites are giving consumers the option to opt-out of
information sharing. Many public interest groups believe that web sites should use an
opt-in policy instead, however. Besides the issues of choice, there are issues of being
informed. How does the privacy statement constrain the firm from changing their
business model and their information uses in the future? The privacy statement
covers what information the business collects, how it collects that information, and
how it uses that information. The privacy advocates argue that if the data is collected
under Version 1 of the privacy statement, then it can only be treated under Version 1
without approval from everyone who provided data. Other issues revolve around who is
responsible for the integrity of the data.
2. A conflict also exists between the European and American approaches to privacy
protection. In 1998, the E.U. implemented a privacy protection law that allows
companies to collect personal data only when individuals consent to the collection,
know how the data will be used, and have access to databases to correct or erase their
information. The law does not allow the transfer of data from E.U. countries to
countries with less stringent privacy policies. Since the U.S. has adopted a
self-regulatory approach, its privacy policies are less stringent, and the E.U. law prohibits
data transfer to the U.S. In March 2000, the U.S. and E.U. reached a safe harbor
agreement that has not yet been ratified. Europe agreed it would not try to force the
U.S. to impose an intrusive E.U. data-privacy law on all U.S. companies. In return,
the U.S. agreed to set up a “safe harbor” – a list, to be maintained by the Department
of Commerce, of companies that voluntarily adopt E.U.-style safeguards of their
customers' private information. Companies that do not participate would risk a halt
of data flows from Europe. The Europe-U.S. agreement has been particularly slow in
resolving the issues of onward transfer of data and enforcement.
3. There is a conflict between privacy and anonymity. The privacy advocates argue that
users have a right to stay anonymous. However, anonymous file sharing programs
such as Napster and Gnutella are associated with rampant copyright violations.
Because the users are anonymous, rights holders have no one to sue. Industry
leaders, whose businesses are dependent on copyright protection, have called for the
elimination of anonymity for people who want to use services such as Napster.
Some have even said that the issue of anonymity might become the most significant
policy issue in the coming years.
Legislation in the U.S.:
1. Fair Credit Reporting Act (1970): Governs the collection and disclosure of personal
information in the credit reporting industry.
2. Privacy Act of 1974: Regulates government conduct pertaining to the collection, use,
and disclosure of personal identifiable information (including electronic information).
3. Freedom of Information Act: Regulates government conduct pertaining to the
disclosure of personal identifiable information (including electronic information).
4. Cable Communications Policy Act (1984): Requires cable companies to provide their
customers with annual notice as to how their personal identifiable information is used
(perhaps applicable to cable providers who provide Internet access).
5. Electronic Communications Privacy Act (1986): Protects private electronic
communications from unauthorized access, interception, or disclosure by the
government, individuals, or third parties.
6. Video Privacy Protection Act (1988): Regulates disclosure of videotape rental
information (application of the law to the Internet is unclear).
7. COPPA (Children’s Online Privacy Protection Act) (1998): Prohibits unfair or
deceptive acts or practices in connection with the collection, use, or disclosure of
personally identifiable information from and about children younger than 13 on the
8. Gramm-Leach-Bliley Financial Services Bill (1999): The bill itself codifies the rights
of financial consumers. The Clinton administration is currently drafting rules to
implement privacy protections required by the bill. The proposed rules include a
mandatory privacy notice and opt-out policy.
Ethical Standards for Privacy
The U.S. Constitution does not contain any rights to privacy and no comprehensive
privacy legislation exists in the U.S. However, there are ethical standards that firms
o The National Telecommunications and Information Administration (NTIA)
articulated the following fair information practices and enforcement mechanisms in
1. Principles of Fair Information Practices
Fair information practices form the basis for the Privacy Act of 1974, the
legislation that protects personal information collected and maintained by the
United States government. In 1980, these principles were adopted by the
international community in the Organization for Economic Cooperation and
Development's Guidelines for the Protection of Personal Data and Transborder
a. Awareness. At a minimum, consumers need to know the identity of the
collector of their personal information, the intended uses of the information,
and the means by which they may limit its disclosure. Companies are
responsible for raising consumer awareness and can do so through the
1) Privacy policies. Privacy policies articulate the manner in which a
company collects, uses, and protects data, and the choices they offer
consumers to exercise rights in their personal information.
2) Notification. Notification should be written in language that is clear and
easily understood, should be displayed prominently, and should be made
available before consumers are asked to provide personal information to
3) Consumer education. Companies should teach individuals to ask for
relevant knowledge about why personal information is being collected,
what the information will be used for, how it will be protected, the
consequences of providing or withholding information, and any recourse
they may have.
b. Choice. Consumers should be given the opportunity to exercise choice with
respect to whether and how their personal information is used, either by
businesses with whom they have direct contact or by third parties.
c. Data Security. Companies creating, maintaining, using or disseminating
records of identifiable personal information must take reasonable measures to
assure its reliability for its intended use and must take reasonable precautions
to protect it from loss, misuse, alteration or destruction. Companies should
also strive to assure that the level of protection extended by third parties to
whom they transfer personal information is at a level comparable to its own.
d. Data Integrity. Companies should keep only personal data relevant for the
purposes for which it has been gathered, consistent with the principles of
awareness and choice. To the extent necessary for those purposes, the data
should be accurate, complete, and current.
e. Consumer Access. Consumers should have the opportunity for reasonable,
appropriate access to information about them that a company holds, and be
able to correct or amend that information when necessary. The extent of
access may vary from industry to industry.
f. Accountability. Companies should be held accountable for complying with
their privacy policies.
The discussion of enforcement tools below is in no way intended to be limiting.
The private sector may design the means to provide enforcement that best suit its
needs and the needs of consumers.
a. Consumer recourse. Companies that collect and use personally identifiable
information should offer consumers mechanisms by which their complaints
and disputes can be resolved. Such mechanisms should be readily available
b. Verification. Verification provides attestation that the assertions businesses
make about their privacy practices are true and that privacy practices have
been implemented as represented.
c. Consequences. For self-regulation to be effective, failure to comply with fair
information practices should have consequences. Examples of such
consequences include cancellation of the right to use a certifying seal or logo,
posting the name of the non-complier on a "bad-actor" list, or disqualification
from membership in an industry trade association. Non-compliers could be
required to pay the costs of determining their non-compliance. Ultimately,
sanctions should be stiff enough to be meaningful and swift enough to assure
consumers that their concerns are addressed in a timely fashion. When
companies make assertions that they are abiding by certain privacy practices
and then fail to do so, they may be liable for deceptive practices and subject to
action by the Federal Trade Commission or appropriate bank or financial
o In June 1998, the Electronic Privacy Information Center recommended the following
policy should be accessible from the home page by looking for the word
2. Privacy policies should state clearly how and when personal information is
3. Web sites should make it possible for individuals to get access to their own data.
4. Cookie transactions should be more apparent.
European Union Data Privacy Directive
a. Collectors of personal information must provide the data subject with notice
of their collection practices
b. A gatherer of personal information can only collect such information for
“specified, explicit and legitimate purposes”
c. Information must be adequate and relevant for the stated purpose, accurate
and current, and maintained in personally identifiable form for only the amount
of time needed to accomplish the stated purpose for collection
d. Personally identifiable information can be processed only if the subject of the
information gives unambiguous consent
e. The data subject must be given a right of access and a right to object to the
processing of his information
f. The data collector must provide for confidentiality and security of the
g. Personally identifiable information transferred outside of the E.U. must only be
to countries with "adequate" privacy protection
2. Recent events surrounding the Directive
a. The European Commission said on January 11 that it would take five
European Union member states to court for failing to implement rules
designed to protect individuals' privacy on the Internet and other electronic
networks. The E.U. executive said it had decided to take France, Luxembourg,
the Netherlands, Germany and Ireland to the Luxembourg-based European
Court of Justice for failing to fully implement the E.U.'s Data Protection
Directive (Reuters, 11 January 2000)
b. Tentative agreement on the Safe Harbor was reached in March. Details are
still being finalized.
1. The FTC has launched investigations into a handful of web sites’ business practices.
Yahoo! is the target of a current FTC investigation to determine whether it disclosed
user data to third parties in violation of federal regulations. Earlier this year,
DoubleClick was the target of an FTC investigation when it announced that it would
combine online surfing habits cultivated by its ad network with personal information
collected by transaction records. The FTC has also settled cases with KidsCom and
2. Private parties have filed six lawsuits against DoubleClick alleging deceptive privacy
Public Interest Groups:
1. Center for Democracy and Technology (http://www.cdt.org)
2. Electronic Privacy Information Center (http://epic.org)
3. Internet Privacy Coalition (http://www.privacy.org/ipc)
1. Federal Trade Commission (http://www.ftc.gov): Monitors deceptive business
practices, which include privacy practices.
2. National Telecommunications and Information Administration
(http://www.ntia.doc.gov): This agency of the U.S. Department of Commerce is
charged with studying and monitoring the status of electronic privacy protection.
Private Sector Auditors:
1. The Personalization Consortium is a group of 26 companies that police members’
privacy policies while educating consumers about personalization issues. Members
must tell consumers what data is being collected in the personalization process and let
them opt out of collection.
2. TRUSTe provides a fee-based service that promises to audit a site and issue a seal
3. BBBOnline is developing a privacy seal program that includes verification and
consumer dispute resolution.
1. Online Privacy Alliance (http://www.privacyalliance.org): The Alliance and all its
members are strongly committed to meeting the Administration’s challenge to
develop a strong, effective program for self-regulation in the online marketplace. The
Alliance has adopted a set of guidelines for online privacy practices and a very strong
set of principles for children’s online activities.
1. Alan Westin, a professor at Columbia University, is involved in the development of a
self-regulatory privacy program for BBBOnline.
2. Mary Culnan, a professor at Georgetown University, is the author of the 1999
Advisory Committee on Access and Security.
Copyright and Data Protection in E-Business
Issues: To what extent should law protect both copyrighted information in cyberspace
and the technological means used to self-protect?
Managerial Questions: Does moving operations online create new content or software
for which copyright protection should be sought? Would copyright protection be
sufficient? If not, how should e-businesses protect their data or software from
unauthorized use and distribution? How should e-businesses avoid being sued for
Background: U.S. copyright law has been used to protect the content of web sites, data,
and Internet software programs from unauthorized copying and distribution. Businesses
have found, however, that laws have limits in their effectiveness in cyberspace where
content can be copied quickly by anonymous users. Many companies have decided to
rely not only on traditional copyright law, but also on technical protections (anti-piracy
measures) built into web sites or software to protect against unauthorized copying and
distribution. The music industry, for example, is betting that secure copy-protection
technologies, developed under the auspices of the Secure Digital Music Initiative
(SDMI), will stop the unauthorized spread of new music through file sharing systems like
Napster or Gnutella. Cyber Patrol, a screening software to protect children from
pornographic sites, is another product with an anti-piracy feature. And CSS is the
encryption program designed to prevent unauthorized copying of DVDs.
Many of these anti-piracy measures have been “cracked” by hackers. This has created a
growing consensus that copyright law should protect not only the content, but also the
technical measures designed by firms to secure the content. In 1998, Congress passed the
Digital Millennium Copyright Act (DMCA), which makes it illegal to break through
passwords, encryption and other technological defenses that companies erect around their
Internet content. The Act was designed to implement international treaties that the U.S.
had signed at the World Intellectual Property Organization (WIPO) in 1996. The bill was
originally supported by the software and entertainment industries, and opposed by
scientists, librarians, and academics. At the last minute, certain controversial provisions
were deleted, including a provision that would have provided copyright protection for
databases even when the material in the databases was in the public domain. Some “fair
use” protections were inserted for non-profit archives, libraries and educational
institutions, and the bill was passed.
Among other things, the DMCA:
• Makes it a crime to circumvent anti-piracy measures built into most
• Outlaws the manufacture, sale, or distribution of code-cracking devices used
to illegally copy software.
• Allows the U.S. Copyright Office to make exemptions to the antihacking
• Limits Internet Service Providers (ISPs) from copyright infringement liability
for simply transmitting information over the Internet.
• Requires “webcasters” to pay licensing fees to record companies.
Several lawsuits have been brought under the anti-circumvention provisions of the
• Real Networks obtained an injunction against a portion of software created by
Streambox that allowed users to capture or record “streamed” media sent via
Real Networks’ copy-encoded format.
• The Motion Picture Association of America (MPAA) filed lawsuits against
web sites that posted software, or links to it, created by a 16-year-old
Norwegian student that allowed DVDs to be played on Linux-based
• The Recording Industry Association of America (RIAA) filed a lawsuit
against start-up company Napster, which allows music fans to trade music
files directly from one another’s machine without posting them on a web site.
• Universal City Studios brought suit against sites that posted a de-encryption
program known as DeCSS. DeCSS de-encrypts CSS, a proprietary program
that precluded copying of movies stored on DVD.
A European legislative proposal bears broad resemblance to the Digital Millennium
File Sharing: A major conflict has arisen over the recent software programs that allow
Internet users to share files over the Internet without paying for their use or distribution.
Currently, most of the attention is focused on file sharing programs such as Napster that
allow free exchange of music. But there are other file sharing programs that allow the
sharing of any software file on a user’s computer. Wrapster, for example, allows any
kind of file to be listed and traded over the Napster network. iMesh allows people to
swap music, video and other multimedia files. That provides a broader range of options
than Napster itself, which only supports MP3 files, but falls short of the capabilities of
the new Wrapster technique. These programs and others like them are likely to pit
software copyright owners against unauthorized users and those who assist in the file
Some technological solutions have emerged: NetPD and Media Enforcer, which allow
artists to monitor who is swapping their songs online and gather the Web addresses and
usernames of traders. But new services such as Freenet and ZeroKnowledge are being
developed that will make this job much more difficult, masking individual traces online
and distributing content more widely around the Net.
Information Aggregators and Data Base Protection: Whether databases -- collections of
facts like telephone directories, weather reports, stock tables and real estate listings,
airline schedules, medical advice, city maps, basketball scores and other information --
can be copied, repackaged and distributed by competitors and other information
aggregators. In a recent case involving Internet auction site eBay and information
aggregator Bidder’s Edge, Judge Ronald Whyte proclaimed that the “bots” launched by
Bidder's Edge were a "violation of eBay's fundamental property right to exclude others
from its computer system." The judge issued a preliminary injunction barring Bidder’s
Edge, which indexes online auctions so users can find the best deal, from automatically
harvesting information from eBay. The court said Bidder’s Edge was “trespassing” by
using the resources of eBay's computer systems without permission. According to the
judge, the law recognizes no such right to use another’s property. The implications of this
ruling could effectively outlaw "deep linking." Deep links take Internet users directly to a
relevant item on another web site. They are the bread and butter of search engines,
content aggregators and comparison-shopping sites. In an earlier precedent-setting case
(Ticketmaster versus tickets.com), a U.S. court found that deep linking did not violate
copyright protection, apparently resolving controversy surrounding the practice. The
eBay case rests on the notion of “trespass” rather than “copyright.”
The debate about Internet links is also being played out in the US Congress, where eBay
is alone among leading US web publishers in supporting a bill that would prohibit the
systematic extraction of information from databases compiled by companies. Yahoo!,
Amazon.com, America Online and other Internet heavyweights oppose it. Last year the
House Judiciary Committee approved a bill sponsored by Rep. Howard Coble, R-N.C.,
that would establish criminal penalties for the unauthorized use of material in databases.
Opponents say the bill would allow companies with databases to control access to facts.
The issue is just as vital to older businesses as they adapt to the Internet. For example,
real-estate agents complain that online home-sale listings have been pilfered and reused.
Publishers worry about pirating of their databases. Newspapers are nervous about
classified advertising being copied.
Some Key Players and Resources
• Rep. Howard Coble, R-N.C. Introduced bill that would establish criminal penalties
for unauthorized use of material in databases.
• Senate Judiciary Committee Chmn. Orrin Hatch (R-Utah). Has promised "a series of
hearings" on copyright problems created by new technologies.
• Lawrence Lessig, Harvard Law Professor and leading scholar on Internet and
intellectual property rights (http://cyber.law.harvard.edu/lessig.html).
• James Billington, Librarian of Congress. Will make final decisions regarding
exceptions to the DMCA’s anti-circumvention provisions.
• Robin Gross, attorney who filed comments for the Electronic Frontier Foundation
regarding Cyber Patrol litigation. Supported CPHack’s position.
• Rapper Chuck D. Wrote in a recent New York Times op-ed article that, 'Music on
the Internet is just a promotional device that helps to sell records.' Favors Napster.
• Metallica, heavy metal band. Suing Napster.com for contributory copyright
• Michael Eisner, Disney CEO. Outspoken advocate on the need for stronger copyright
• eBay v. Bidder’s Edge, Inc., No. C-99-21200 (Northern District of California, May
24, 2000) (used the principle of “trespass to a computer system” to prevent content
aggregation by “bots”).
• Universal City Studios v. Reimerdes (January 20, 2000) (injunction against DeCSS
de-encryption software for DVDs).
Critical Infrastructure Security
Issue: New security weaknesses caused by vulnerabilities in the Internet, as well as in
web browsers and servers, have created a variety of new security risks. The types of risks
include system-modifying attacks (viruses or “hostile” applets) and Denial-of-Service
(DoS) attacks that consume a machine’s resources or make them unavailable. Attack
technology is being developed in an open source environment where a community of
interest develops this technology at a rapid pace. Several significant new forms of attack
have appeared in just the past year such as the Melissa virus and DoS attacks. As attack
technology evolves, it can be acquired by users with significant resources to hone and
advance the technology, making it a much more serious threat to national security and the
effective operation of government and business.
Industry is acutely interested in protecting the critical infrastructure since almost 90% of
the world’s information infrastructure, including the Internet, is run by industry.
Government is also interested in protecting critical infrastructure security, as such
protection runs into national security concerns. Business and government have disagreed
on how, and by whom, critical infrastructure security should be maintained.
Background: The threats to critical infrastructure come in a variety of forms:
• Viruses. A virus is a program designed to perform some malicious action
unknowingly triggered by an innocuous event (such as a user action, a certain date
being reached, etc.). The defining characteristic of viruses is that they are self-
replicating. With the ease of passing information between users greatly enhanced by
the Internet, so too is the ease of a user unknowingly transmitting a virus. Also, the
number of new viruses appearing is escalating at an alarming rate. According to PC
Magazine, new viruses appear at the rate of more than 200 per month.
• Hostile Applets and ActiveX Controls. Hostile applets are designed to take advantage
of an applet’s capabilities. Because they are designed to execute on a user’s
computer, if they contain malicious features, they can perform hostile acts such as
damaging files or exposing them for unauthorized users to read without the user
• Denial-of-Service Attacks (DoS). DoS attacks are among the biggest threats to reliable
computing environments. The development of the Internet with distributed systems
based on the client/server model has made many computer systems much more
vulnerable to these types of attacks. DoS attacks include several different methods of
making system resources unavailable and shutting down service.
E-mail “bombs” – Consist of hundreds of duplicate messages and large files, thus
potentially filling file systems or overloading mail servers and making them
unavailable for valid use.
“SYN flooding” – Inundates a server with requests to open new connections that
carry invalid IP addresses, tying up the server as it tries to acknowledge
unknown or nonexistent addresses.
“Ping of Death” attacks – Crash network servers or firmware by overloading them
with illegally large ping packets. (“Ping,” short for Packet Internet Groper, is
an Internet utility used to determine whether a particular IP address is online.
It is used to test and debug a network by sending out a packet and waiting for
IP fragment attacks – The so-called “Teardrop” attack targets a weakness in the
reassembly of IP packet fragments on the destination host. When an IP packet
is sent across the Internet, it often is broken up into smaller packets. These
smaller packets indicate which data bytes of the original packet they hold (for
example, bytes 128 through 255 of packet XYZ). The Teardrop attack will
change these numbers, making them incorrect. When some destination hosts
are unable to reconstruct the original packet because of these invalid numbers,
they hang or crash.
“False alarm” attacks – Trigger automatic firewall alarms designed to close down
connections when attacked or cause other system shutdowns. In other words,
this method uses the network’s or server’s own security tools to deny service.
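The "Ping of Death" and IP fragment items above both come down to fragment numbers that do not add up, so a receiver or filter can check a fragment set for consistency before trying to reassemble it. The following is an added example, not part of the original manual; the Fragment class, the finding names and the sample fragment sets are constructed for illustration, and a 20-byte IP header without options is assumed.

```python
"""Consistency checks on a set of IPv4 fragments before reassembly."""
from dataclasses import dataclass, replace

MAX_IP_DATAGRAM = 65535   # largest total length the 16-bit IPv4 length field allows
IP_HEADER_LEN = 20        # assumption: IP header without options


@dataclass(frozen=True)
class Fragment:
    offset_units: int      # fragment offset field, counted in 8-byte units
    payload_len: int       # data bytes carried by this fragment
    more_fragments: bool   # MF flag: True on every fragment except the last

    @property
    def start(self) -> int:
        return self.offset_units * 8

    @property
    def end(self) -> int:  # exclusive end of the byte range
        return self.start + self.payload_len


def split_payload(total_len, chunk=1480):
    """Fragment a payload the way a well-behaved sender would (for test data)."""
    if chunk % 8:
        raise ValueError("non-final fragments must carry a multiple of 8 bytes")
    frags = []
    for start in range(0, total_len, chunk):
        size = min(chunk, total_len - start)
        frags.append(Fragment(start // 8, size, start + size < total_len))
    return frags


def check_fragments(fragments):
    """Return a sorted list of findings; an empty list means the set is consistent."""
    if not fragments:
        return ["empty-set"]
    findings = set()
    ordered = sorted(fragments, key=lambda f: (f.start, f.end))

    for f in ordered:
        if f.payload_len <= 0:
            findings.add("empty-fragment")
        if f.more_fragments and f.payload_len % 8:
            findings.add("misaligned")
        # "Ping of Death" condition: the rebuilt datagram would exceed the legal maximum.
        if IP_HEADER_LEN + f.end > MAX_IP_DATAGRAM:
            findings.add("oversize")

    finals = [f for f in ordered if not f.more_fragments]
    if len(finals) != 1:
        findings.add("final-count")
    elif any(f.end > finals[0].end for f in ordered):
        findings.add("data-past-final")

    # Teardrop condition: byte ranges that contradict each other or leave holes.
    covered = 0
    for f in ordered:
        if f.start < covered:
            findings.add("overlap")
        elif f.start > covered:
            findings.add("gap")
        covered = max(covered, f.end)
    return sorted(findings)


# Constructed sample sets (not captured traffic).
BENIGN = split_payload(4000)
CONTRADICTORY = [Fragment(0, 40, True), Fragment(3, 4, False)]
OVERSIZE = [replace(f, more_fragments=True) for f in split_payload(65512)]
OVERSIZE.append(Fragment(8189, 100, False))
MISSING_MIDDLE = [BENIGN[0], BENIGN[2]]

if __name__ == "__main__":
    for name, frags in [("benign", BENIGN), ("contradictory", CONTRADICTORY),
                        ("oversize", OVERSIZE), ("missing middle", MISSING_MIDDLE)]:
        print(f"{name}: {check_fragments(frags) or 'consistent'}")
```

A set that produces any finding should be dropped rather than handed to the reassembly code.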
The Center for Education and Research in Information Assurance and Security at Purdue
University (CERIAS) has identified the following key trends and factors facilitating
cyber attacks on critical infrastructures:
1. Attack technology is developing in an open-source environment and is evolving
rapidly. Technology producers, system administrators, and users are improving
their ability to react to emerging problems, but they are behind and significant
damage to systems and infrastructure can occur before effective defenses can be
implemented. As long as defensive strategies are reactionary, this situation will
2. Currently, there are tens of thousands -- perhaps even millions -- of systems with
weak security connected to the Internet. Attackers are compromising (and will continue to compromise)
these machines and building attack networks. Attack technology takes advantage
of the power of the Internet to exploit its own weaknesses and overcome defenses.
3. Increasingly complex software is being written by programmers who have no
training in writing secure code and are working in organizations that sacrifice the
safety of their clients for speed to market. This complex software is then being
deployed in security-critical environments and applications -- to the detriment of
4. User demand for new software features over security ones, coupled with industry
response to that demand, has resulted in software that is increasingly supportive
of subversion, computer viruses, data theft, and other malicious acts.
5. Because of the scope and variety of the Internet, changing any particular piece of
technology usually cannot eliminate newly emerging problems; broad community
action is required. While point solutions can help dampen the effects of attacks,
robust solutions will come only with concentrated effort over several years.
6. The explosion in use of the Internet is straining our scarce technical talent. The
average level of system administrator technical competence has decreased
dramatically in the last 5 years as non-technical people are pressed into service as
system administrators. Additionally, there has been little organized support of
higher education programs that can train and produce new scientists and educators
with meaningful experience and expertise in this emerging discipline.
7. The evolution of attack technology and the deployment of attack tools transcend
geography and national boundaries. Solutions must be international in scope.
8. The difficulty of criminal investigation of cybercrime coupled with the
complexity of international law mean that successful apprehension and
prosecution of computer crime is unlikely, and thus little deterrent value is
9. The number of directly connected homes, schools, libraries and other venues
without trained system administration and security staff is rapidly increasing.
These "always-on, rarely-protected" systems allow attackers to continue to add
new systems to their arsenal of captured weapons.
Network firewalls are commonly used to enforce a site’s security policy by controlling
the flow of traffic between two or more networks. Firewalls often are placed between the
corporate network and an external network such as the Internet or a partnering company’s
network. However, firewalls are also used to segment parts of corporate networks. A
firewall system provides both a perimeter defense and a control point for monitoring
access to and from specific networks.
Conflict: To improve critical infrastructure security, the U.S. government has suggested
interoperability of products and systems through standard-setting efforts. Many
businesses, however, endorse adopting best practices for tackling critical infrastructure
issues rather than setting standards. They believe that the marketplace and not the federal
government should dictate preferred technologies (which would become de facto
standards). Many in the IT industry view standards as a snapshot of technology at a
given moment, creating the risks that technology becomes frozen in place, or that
participants coalesce around the "wrong" standards. Many IT professionals favor an open
source model for developing best practices, a model that is not constrained by technical
rules or regulations.
There also exists a debate regarding whether to consolidate activities regarding collection
and analysis of cyber attacks. FBI director Louis Freeh and the Critical Infrastructure
Assurance Office favor a single location for the collection, analysis, and dissemination of
information regarding security threats. Industry prefers the more diffuse approach that
currently exists, whereby multiple organizations are working to evaluate vulnerabilities
and threats as well as developing technical solutions. The challenge from this perspective
is not to pull all data together, but to push it out to meet the varying needs of the various
Richard Pethia of CERT stresses information sharing as the fundamental component to
preventing cyber attacks. He maintains that IT professionals understand they can never
hope to eliminate every vulnerability in their system. Therefore, they need data to help
them determine which vulnerabilities are most critical and therefore likely to be
exploited. Pethia states: “Our law enforcement and intelligence organizations must find
ways to release threat data to the operational managers of information infrastructures to
motivate these managers to take action and to help them understand how to set their
Information sharing about cyberattacks, however, is problematic. Companies are
currently reluctant to share sensitive information about security practices and network
breaches with either government agencies or their competitors. Companies worry that
trade secrets or other proprietary information could be compromised in the exchange.
Additionally, they worry that the information on intrusions could be used against them in
shareholder lawsuits, jeopardize their customer base, or even prove beneficial to the
hacker community. Companies also fear sharing this information with government
because of the possibility it may lead to increased regulation of the industry or e-
commerce generally. Moreover, companies are concerned with protecting individual
customers’ privacy and fear that privacy breaches may occur inadvertently during
information infrastructure investigations.
Currently, corporations often have more to lose from damaged reputations than from the
network attacks themselves. These organizations will not share security incident or loss
information unless they have a high degree of confidence that this information will be
protected from public disclosure. Industry professionals are urging the federal
government to take steps to protect sensitive information, including creating exemptions
from Freedom of Information Act (FOIA) requests. Many in industry believe that
freedom from FOIA concerns is the most formidable obstacle, and that an exemption for
this type of information sharing is the only option. Opponents of proposals to relax FOIA
provisions believe industry might use the relaxed standards to protect itself from
disclosing damaging information that should be released to the public.
FBI Director Louis Freeh believes safeguards are currently in place to protect sensitive
information. In his testimony before the Senate Judiciary Subcommittee on Technology,
Terrorism and Government, he stated that under the Economic Espionage Act, passed in
1996, there are specific provisions for maintaining the confidentiality of information
obtained during the process of a criminal prosecution. Therefore, any proprietary
information is under specific and court-ordered protection to ensure it is not
compromised in the course of the prosecution.
Additional Proposals to Improve Critical Infrastructure Security: In addition to the
debated solutions above, the Information Technology Association of America (ITAA)
and CERT have suggested additional approaches to improving the current mechanisms
for combating threats and responding to attacks on the nation’s critical infrastructure.
1. Building Awareness. The ITAA and its member companies are raising awareness of
the issue within the IT industry and through partnership relationships with other vertical
industries, including finance, telecommunications, energy, transportation, and health
services. An awareness-raising campaign targeting the IT industry and vertical industries
dependent on information -- such as the financial sector, insurance, electricity, transportation
and telecommunications -- is being overlaid with a community effort directed at CEOs,
end users and independent auditors. The goal of the awareness campaign is to educate the
audiences on the importance of protecting a company's infrastructure, and to instruct them on the
steps they can take to accomplish this. The message is that information security must
become a top tier priority for businesses and individuals.
2. Educating Computer Users. In an effort to take a longer-range approach to the
development of appropriate conduct on the Internet, the Department of Justice and the
ITAA have formed the Cybercitizen Partnership. The Partnership is a public/private
sector venture formed to create awareness, in children, of appropriate on-line conduct.
The effort focuses on developing an understanding of the ethical behavior and
responsibilities that accompany use of the Internet. The Partnership will develop focused
messages, curriculum guides and parental-information materials aimed at instilling a
knowledge and understanding of appropriate behavior online. The ITAA believes that a
long-range, ongoing effort to ensure proper behavior is the best defense against the
growing number of reported incidents of computer crime.
3. Expanding Research and Development. ITAA believes that between industry's
market-driven R&D and government's defense-oriented R&D projects, gaps may be
emerging that no market forces or government mandates will address. ITAA and its
member companies actively support President Clinton's call for an Institute for
Information Infrastructure Protection. This institute, under consideration by the
President's Committee of Advisors on Science and Technology, will focus limited
government funding on targeted R&D projects conducted through consortia of industry,
academia and government.
Key Groups and Organizations
• The Information Technology Association of America (ITAA) provides global public
policy, business networking, and national leadership to promote the continued rapid
growth of the IT industry. ITAA consists of 400 direct and 26,000 affiliate corporate
members throughout the U.S., and a global network of 41 countries' IT associations.
ITAA members range from the smallest IT start-ups to industry leaders in the
Internet, software, IT services, ASP, digital content, systems integration,
telecommunications, and enterprise solution fields. (www.itaa.org).
• The National Infrastructure Protection Center (NIPC) is a multi-agency organization
whose mission is to detect, warn of, respond to, and investigate computer intrusions
and other unlawful acts that threaten or target our Nation's critical infrastructures.
Located in the FBI's headquarters building in Washington, D.C., the NIPC brings
together representatives from the FBI, other U.S. government agencies, state and
local governments, and the private sector in a partnership to protect our Nation's
critical infrastructures. (www.nipc.gov).
• The President’s Commission on Critical Infrastructure Protection (PCCIP) was
formed to advise and assist the President of the United States by recommending a
national strategy for protecting and assuring critical infrastructures from physical and
cyber threats. (www.pccip.ncr.gov)
• The Critical Infrastructure Assurance Office (CIAO) is a government agency charged
with plotting a federal plan for protecting the nation's critical infrastructures from
disruption or attack. (www.ciao.gov)
• The Institute of Internal Auditors will be holding a series of briefings and meetings
around the country, in conjunction with the CIAO and ITAA, to discuss critical
infrastructure issues as they relate to internal company audits by accounting
• Americans for Computer Privacy (ACP) is a broad-based coalition representing
financial services, manufacturing, telecommunications, high-tech and transportation,
as well as law enforcement, civil liberty, pro-family and taxpayer groups. ACP
supports policies that promote industry-led, market-driven solutions to critical
information infrastructure protection and that oppose government efforts to impose
mandates or design standards, or increase widespread monitoring or surveillance.
• The Center for Education and Research in Information Assurance and Security at
Purdue University (CERIAS) is a center for multidisciplinary research and education
in areas of information security. (www.cerias.purdue.edu).
• The CERT Analysis Center was recently established to address the threat posed by
rapidly evolving, technologically advanced forms of cyberattacks. Working with
sponsors and associates, the CERT Analysis Center collects and analyzes information
assurance data to develop detection and mitigation strategies that provide high-
leverage solutions to information assurance problems, including countermeasures for
new vulnerabilities and emerging threats. The CERT Analysis Center builds upon the
work of the CERT Coordination Center. The CERT Analysis Center extends current
incident response capabilities by developing and transitioning protective measures
and mitigation strategies to defend against advanced forms of attack before they are
launched. Additionally, it provides the public and private sectors with opportunities
for much-needed collaboration and information sharing to improve cyber attack
• International Centre for Security Analysis (ICSA). Based at King's College London,
ICSA is an international center of excellence that conducts research on the policy and
technological implications of information assurance. ICSA addresses both the
economic and defense aspects of the threats posed by electronic attack. ICSA is
hosting the IAAC in order to enhance its research base and to strengthen links
between academia and private and public sector end-users. (www.icsa.ac.uk)
• World Information Technology and Services Alliance (WITSA). WITSA consists of
the national information industry representative bodies from around the world. Its role
is to develop public policy positions on issues of concern to the information industry
and present these positions to governments and international organizations.
• Richard D. Pethia, Director of the CERT Centers, Software Engineering Institute
(SEI), Carnegie Mellon University
• Harris Miller, President of the Information Technology Association of America
(ITAA) and President of the World Information Technology and Services Alliance
• John S. Tritak, Director of the Critical Infrastructure Assurance Office (CIAO). As
Director, Mr. Tritak is responsible for supporting the National Coordinator for
Security, Infrastructure Protection, and Counter-Terrorism in the development of an
integrated National Infrastructure Assurance Plan to address threats to the nation's
critical infrastructures, including communications and electronic systems,
transportation, energy, banking and finance, health and medical services, water
supply, and key government services. As Director, he will also coordinate a national
education and awareness program, as well as legislative and public affairs initiatives.
• Louis J. Freeh, Director of the Federal Bureau of Investigation, U.S. Department of
• Sen. Jon Kyl (R-AZ), Chairman of the Terrorism, Technology and Government
Information Subcommittee of the Senate Judiciary Committee
Major Legislation. Emerging federal computer crime legislation can be divided into
three broad categories:
1. enhanced law enforcement of cybercrime suspects
2. technical solutions to breaches of network security
3. improved information sharing
Enhanced Law Enforcement. Senate Bill 2092, the Schumer-Kyl High-Tech Crime Bill,
seeks to modify Title 18 of the United States Code relating to the use of pen registers and
trap-and-trace devices. The bill provides law enforcement with nationwide trap-and-trace
authority. Under current law, investigators who are trying to track a hacker must obtain a
trap-and-trace order in each jurisdiction through which an electronic communication is
made. S. 2092 amends current law to authorize the issuance of a single order to
completely trace an online communication to its source, regardless of how many
intermediary sites it passes through. Industry has expressed some concern that the
bill would create undue administrative and financial burdens on ISPs and other
telecommunications companies that must comply with the trap-and-trace provisions, not to
mention the possibility of breaching privacy policies they have established with their
customers. Another industry representative doubts the bill will be enacted in the
immediate future, if at all, due to a controversial provision that would treat some juvenile
offenders as adults in a criminal proceeding.
Technical Solutions. HR 2413, the Computer Security Enhancement Act of 1999,
outlines a fellowship program to increase the number of skilled IT workers. There is
currently a critical shortage of IT professionals and more specifically, an acute shortage
of information security specialists. Expanding workforce development is a key
prerequisite for protecting the nation’s critical infrastructure.
Encouraging Information Sharing. Bi-partisan information sharing legislation is expected
to be introduced in the House of Representatives by Congressmen Tom Davis and James
Moran, both of Virginia, within the next few weeks. The bill will seek to promote the
formation of Information Sharing and Analysis Centers (ISACs) to facilitate the
collection, analysis and dissemination of security data to government and industry. The
bill will also create exemptions from Freedom of Information Act (FOIA) requests for
information on network attacks on certain firms. The hope is that industry will feel more
inclined to share information knowing that it will not be subject to a FOIA request. The
bill also contains provisions that encourage information sharing without creating liability
Issue: One of the principal aims of information security is data integrity, that is, ensuring
that data in a file remains unchanged or that any received data matches what was sent.
Encryption (the conversion of data into an unreadable form via an encryption algorithm)
enables information to be sent across communication networks, which are assumed to be
insecure, without losing confidentiality or integrity. Encryption can also be used for user
authentication. For example, Lotus Notes uses encryption both for message
confidentiality and to verify the sender’s identity to the recipient. Encryption provides
assurances when the computer system or network cannot be trusted.
Encryption is gaining popularity as more companies begin to rely on shared public
networks such as the Internet rather than private leased lines for e-mail and electronic
commerce. Encryption helps protect transmission of payment data, such as credit card
information, and addresses problems of authentication and message integrity.
Authentication refers to the ability of each party to know that the other parties are who
they claim to be. Message integrity is the ability to be certain that the message that is
sent is not altered or copied before reaching the recipient.
Background: An encryption algorithm transforms plain text into a coded equivalent
(known as cipher text) for transmission or storage. The cipher text is decrypted at the
receiving end and restored to plain text. The algorithm uses a key, a binary number
typically from 40 to 128 bits in length for single-key systems or 512 to 2,048 bits or more
for public-key systems. The data is “locked” for sending by using bits in the key to
transform the data bits mathematically. At the receiving end, the key is used to
unscramble the data, restoring it to its original binary form.
The effort required to decode the unusable scrambled bits into meaningful data without
knowledge of the key – known as breaking or cracking the encryption – typically is a
function of the complexity of the algorithm and the length of the keys. In most effective
encryption schemes, the longer the key, the harder it is to decode the encrypted message.
Two types of algorithms are in use today: (1) shared single key (known as secret key or
symmetric key) and (2) public key (or asymmetric key).
1. Single Key Encryption. In single-key algorithms, the same binary number is required
to encrypt and decrypt the data. This single key must be kept secret for the information
to remain secure. Therefore, a different shared key is required for each pair of users. The
system is symmetric in that the same key and the same algorithm are used for both
encryption and decryption.
The Data Encryption Standard (DES), which officially became a U.S. government
standard in 1977, is the leading single-key algorithm, with the standard specifying a 56-
bit key. Many experts consider longer key lengths of at least 90 bits necessary for the
future. U.S. military-strength encryption requires key lengths of 1,024 bits or more.
In 1998, RSA Data Security conducted a contest to see how quickly a 56-bit DES key
could be broken. In July 1998, a team from the Electronic Frontier Foundation cracked a
56-bit key in 56 hours.
Businesses are beginning to explore encryption methods other than those based solely on
56-bit DES keys including:
1) Triple-DES – Encrypts information three times using two different 56-bit keys,
thus increasing the effective key size of DES so that the result is computationally
more secure and, therefore, more difficult to break. Triple DES has an effective key
length of 112 bits.
The benefits of triple-DES include the fact that no known attacks have succeeded
in breaking two 56-bit keys, it is incorporated easily into existing systems, and it
is a standards-based algorithm. Drawbacks include the computing power required
(three times that of normal DES) and the difficulty of managing and distributing
keys associated with any secret-key algorithm.
2) International Data Encryption Algorithm (IDEA) – Encrypts information using a
128-bit key and 8 rounds. IDEA is recognized as a fast, Triple-DES equivalent
cipher. IDEA is considered secure, with no algebraic weaknesses that might
make it susceptible to being broken. IDEA can be implemented in software or
hardware and has similar performance characteristics to DES.
2. Public-Key Encryption. The other major type of algorithm in popular use is public-key
encryption, which is based on two keys: one to encrypt the message and another to
decrypt the message. The algorithm is not symmetric, so knowing the public encryption
key is no help in being able to decrypt a message. Users wanting to receive encrypted
information can announce their public key, which then is used by the sender to encrypt
data to be sent to them. Public keys are typically stored in a public directory. Only the
holder of the private key can decrypt the data.
Public keys are attached to a digital certificate, which ties the user’s identity to the public
key. The problem of managing a large number of public keys and making them widely
available (yet easily revoked by their owners) is the primary challenge that should be
addressed. Public-key encryption is gaining in popularity with the growth of e-commerce
over the Internet, in particular because it does not require the exchange of private keys
before sending encrypted messages, unlike single-key encryption.
The most commonly used public key algorithm is RSA, created by RSA Data Security.
RSA Data Security’s recommended key sizes are now 768 bits for personal use, 1,024
bits for corporate use, and 2,048 bits for valuable keys such as the key for a certificate of
authority. RSA Data Security expects a 768-bit key to be secure until 2004.
Recommended key length schedules are published on RSA Data Security’s web site at
Digital Signatures. One application of public key encryption is evident in the
development of digital signatures. A digital signature is an encrypted alphanumeric code
attached to an electronic message that is both unique to the message and unique to the
person sending it. The digital signature is assigned to the document by a digital signature
software program. The sender then encrypts the alphanumeric code using his private key.
The recipient verifies authenticity of the digital signature by using the sender’s public key
to decrypt the message.
If the verification process confirms the digital signature, the recipient has reasonable
assurance that the message is authentic and has not been altered. While in theory only
the sender can access his private key, there is a potential for the private key to be
compromised if it is not protected. Certification Authorities (CAs) or other trusted third-
parties can provide some assurance that available public keys correspond to the signer’s
private key. CAs can also revoke or suspend public keys, rendering the associated
private key useless.
Standardizing digital signatures using a public key infrastructure (PKI) is preferable
because it ensures a high degree of data integrity and authentication while enabling users
to conduct business transactions with multiple business partners, suppliers and customers
without mandating a technology choice. In sum, digital signatures accomplish four goals:
1. Ensure data integrity – The recipient can determine if the data has been altered.
2. Ensure confidentiality – The sender can encrypt data such that only certain
recipients can decrypt that data.
3. Ensure non-repudiation – The recipient cannot deny receiving a message because
the public key used to decrypt the message returns a proof of receipt.
4. Provide authentication – The digital signature allows the recipient to identify who
signed the message.
• PKI as the preferred encryption technology. PKIs, including the PKI-based digital
certificates and signatures, are becoming the authentication system of choice for
conducting e-business on the Internet. Reasons include a price decline in PKI
products stemming from a fierce battle among suppliers to gain market share as well as
fundamental improvements in the system making it more flexible and easier to
The primary application for PKI is b-to-b e-commerce with enterprise customers,
business partners and suppliers. Applications driving the adoption of PKI include
Internet-based financial transactions and customer service. IS managers are also
deploying PKI for use with Internet-based b-to-c e-commerce, electronic funds
transfer and sales applications.
The principal reason IS managers are selecting PKI-based systems is to manage
enterprise risk arising from the use of Internet channels to conduct business.
Compared with alternate authentication systems, only PKI-based digital certificates
and signatures can be relied on to mitigate the financial risks associated with e-
IS managers have identified the following criteria for authentication systems:
1. It must provide validity and integrity for invoicing and revenue-recognition
2. It must provide widespread and ubiquitous interoperability.
3. It must meet financial, auditing, legal and uniform commercial standards.
4. It must be economically practical to deploy and maintain.
5. It must be difficult or economically impractical to steal or duplicate.
Traditional access security systems – passwords, hardware tokens, and biometric
systems – fail to meet these requirements. Although passwords are the most common
form of authentication, they do not provide sufficient proof of who an Internet user
claims to be. Hardware tokens are impractical to implement: to deploy them
effectively, IS managers would have to force customers, suppliers, and
business partners to adopt the enterprise’s specific technology choice. Rather than
making it easier to conduct business with the enterprise, token-based systems may
merely route customers to competitors. Biometric signatures such as retinal scans,
fingerprinting and voice signatures provide the best proof of identity. However,
biometric systems are prohibitively costly to implement. Moreover, they are
difficult to deploy because they require customers to submit biometric signatures.
However, the PKI digital certificate system is not without security weaknesses.
Security analysts maintain an astute hacker can access the private key over the
Internet. Therefore, sealing entry to the private key with only a user name and
password is not acceptable. Security developers have developed a variety of
solutions to this problem, collectively known as “extended user authentication.”
Essentially, these technologies, which can be hardware or software-based, require the
user to enter some form of secured identification to access the password or the private
There has been some debate as well regarding authorization-linked digital signatures
versus identity-linked digital signatures. While governments have invested
significant effort in developing the latter, IT professionals believe
authorization-linked signatures will be more important in protecting digital transactions and
• Government bans on strong encryption exports. The government’s concern with
cryptography centers on its ability to ensure the continuing viability of intelligence
operations. With the advent of strong encryption techniques, intelligence gathering
organizations throughout the world are justifiably concerned that intelligence
gathering measures will be rendered obsolete. Therefore, extensive deployment of
strong cryptography poses a serious security threat. However, by providing
government access to keys, confidence in cryptography is undermined, thereby
slowing its deployment.
The U.S. government announced in September 1999 its revised approach to
encryption. The Clinton Administration's policy hopes to balance a
competing range of national interests including promoting e-commerce, supporting
law enforcement and national security, and protecting privacy. In short, under the
new policy, any encryption commodity or software of any key length may be
exported under license exception, after a technical review, to individuals, commercial
firms, and other non-government end users in any country except for the seven state
supporters of terrorism (Iran, Iraq, Libya, Syria, Sudan, North Korea and Cuba). Any
retail encryption commodities and software of any key length may be exported under
license exception, after a technical review, to any end user in any country, except for
the seven state supporters of terrorism. Streamlined post-export reporting will
provide government with an understanding of where strong encryption is being
exported, while also reflecting industry business models and distribution channels.
On April 3, the Electronic Privacy Information Center (EPIC) released a study on
encryption policies in 135 countries. Cryptography and Liberty 2000 finds that
the trend toward relaxation of export controls is continuing, but also that law
enforcement agencies are seeking new authority and new funding to gain access to
private keys and personal communications.
• How to manage the key network? Key recovery can be thought of as an encryption
system (with a backup decryption capability) that allows authorized individuals, such
as company officers or government officials, to decrypt encrypted text with the help
of information supplied by one or more trusted parties who hold special data recovery
keys. These data recovery keys are not the same as keys used to encrypt and decrypt
the data, but rather provide a means of determining the data encryption/decryption
keys. The term key escrow refers to the safeguarding of these data recovery keys
with a government entity or government-licensed escrow agent.
Key recovery mechanisms differ from key escrow in that the former provides a means
of recovering the session key of a message so that in an emergency or for law
enforcement requirements, the session key that encrypted a file can be recovered and
that file (and only that file) can be decrypted. Typically, key recovery schemes use a
random session key encrypted with the public key of the recipient as well as being
encrypted with the public key of the key recovery center. The key recovery center
then can unlock the random key used to encrypt that particular message or data file.
The Key Recovery Alliance (KRA), a consortium of over 60 companies
dedicated to strong encryption and to helping define a policy framework for
businesses and institutions, believes that many of the more recent forms of
key recovery offer stronger protection against unlawful search and seizure.
Nevertheless, the KRA makes the following recommendations:
1. Establish legal access standards for government to Key Recovery
information under conditions of due process, including procedures clearly
stating the government's accountability and auditability.
2. Establish standards for the retention and destruction of Key Recovery
information once it is acquired by government under lawful means. Once
government acquires recovery information through duly authorized means
(e.g., under court order), it must operate under clearly defined standards
established by law governing the use and destruction of such information.
3. Establish procedures guaranteeing that government agencies, once key
recovery information has been acquired and managed according to the two
preceding items, will not use the information to modify the treatment of
content in any form.
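The key recovery scheme described above (one random session key encrypted under the recipient's public key and again under the key recovery center's public key) can be sketched as follows. This is an added illustration, not code from any product or from the Key Recovery Alliance; the toy RSA keys built from Mersenne primes, the SHA-256 keystream standing in for a real cipher, and all function and field names are assumptions, and unpadded textbook RSA is not secure.

```python
import hashlib
import secrets

E = 65537  # common RSA public exponent


def make_keypair(p, q):
    """Textbook RSA key pair from two primes: returns (public, private)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # modular inverse (Python 3.8+)
    return (n, E), (n, d)


# Constructed toy keys from well-known Mersenne primes. Assumption for the
# example only: such keys are trivially factorable and NOT secure.
RECIPIENT_PUB, RECIPIENT_PRIV = make_keypair(2**127 - 1, 2**521 - 1)
CENTER_PUB, CENTER_PRIV = make_keypair(2**107 - 1, 2**607 - 1)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher: XOR data with a SHA-256 counter keystream.

    The same call encrypts and decrypts. A real system would use a vetted
    authenticated cipher instead.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], pad))
    return bytes(out)


def wrap(session_key: bytes, public) -> int:
    """Encrypt the session key under an RSA public key (no padding)."""
    n, e = public
    return pow(int.from_bytes(session_key, "big"), e, n)


def unwrap(wrapped: int, private) -> bytes:
    """Recover the 16-byte session key with the matching private key."""
    n, d = private
    return pow(wrapped, d, n).to_bytes(16, "big")


def encrypt_with_recovery(plaintext: bytes) -> dict:
    """Encrypt one message under a fresh random session key and attach that
    key twice: once for the recipient, once for the key recovery center."""
    session_key = secrets.token_bytes(16)
    return {
        "ciphertext": keystream_xor(session_key, plaintext),
        "key_for_recipient": wrap(session_key, RECIPIENT_PUB),
        "key_for_recovery_center": wrap(session_key, CENTER_PUB),
    }


def recipient_decrypt(message: dict) -> bytes:
    """Normal path: the recipient unwraps the session key and decrypts."""
    key = unwrap(message["key_for_recipient"], RECIPIENT_PRIV)
    return keystream_xor(key, message["ciphertext"])


def recovery_center_release_key(message: dict) -> bytes:
    """Recovery path: the center unwraps the session key of this one message.

    It never holds the recipient's private key, so what it releases opens
    only the message whose recovery field it was given.
    """
    return unwrap(message["key_for_recovery_center"], CENTER_PRIV)
```

Because every message gets its own session key, a key released for one file does not decrypt any other, which is the per-file property the text attributes to key recovery.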
Key Groups and Organizations
1. The Center for Democracy and Technology (www.cdt.org) works to promote
democratic values and constitutional liberties in the digital age. With expertise in law,
technology, and policy, CDT seeks practical solutions to enhance free expression and
privacy in global communications technologies. CDT is dedicated to building
consensus among all parties interested in the future of the Internet and other new
2. The Key Recovery Alliance (www.kra.org) is a group of more than 60 international
companies (including IBM and TIS) that is dedicated to strong encryption and to
helping define a policy framework for businesses and institutions. The Alliance
focuses on the interoperability of key recovery technologies while supporting a wide
range of existing industry solutions.
3. The Identrus Pilot Project (www.identrus.com) is a global trust organization created
to provide authentication for digital certificates. Founding members include Bank of
America, ABN AMRO, Bankers Trust, Barclays Bank, Chase Manhattan Bank,
Citigroup, Deutsche Bank, and Hypo Vereinsbank. Using PKI technology, Identrus
aims to establish a secure, global business-to-business e-commerce network by
providing global CA services for b-to-b transactions. Initial users will be the
corporate customers of the founding banks.
4. Business Software Alliance (www.bsa.org) is a trade organization representing the
world's leading software developers before governments and with consumers in the
international marketplace. BSA educates computer users on software copyrights;
advocates public policy that fosters innovation and expands trade opportunities; and
fights software piracy. BSA worldwide members include Adobe, Autodesk, Bentley
Systems, Corel, Lotus Development, Macromedia, Microsoft, Network Associates,
Novell, Symantec and Visio.