Policy Manual



SIMS Policy Manual: E-Commerce Issues
Sirkka L. Jarvenpaa and Emerson H. Tiller
© SIM International, 2000
SIMs Policy Manual of E-Commerce Issues

Table of Contents (chapter, pages)
  1. Software and Business Method Patents for the Internet (pp. 2-6)
  2. Consumer Information Privacy on the Internet (pp. 7-16)
  3. Copyright and Data Protection in E-Business (pp. 17-20)
  4. Critical Infrastructure Security (pp. 21-28)
  5. Encryption/Cryptography (pp. 29-37)
  6. Trademarks, Domain Names and Cybersquatting on the Internet (pp. 38-40)
  7. Taxation of Internet Commerce (pp. 41-46)
  8. Internet Content Restrictions (pp. 47-53)
  9. (DRAFT) E-business Strategies: Open Versus Closed Customer and Competitor Environments (pp. 54-64)
Software and Business Method Patents for the Internet

Issue: Whether software and business method patents relating to the Internet will create undesirable monopolies in E-Commerce or, instead, are legitimate ways to protect innovative ideas.

Background: Traditionally, mathematical algorithms, as might be contained in software, and “business methods” were considered unpatentable. They were considered too abstract and not novel enough to grant anyone a monopoly upon their use. The U.S. Patent and Trademark Office, however, has recently been granting patents for software and business methods, in particular as they relate to the Internet.

Examples of Internet-related software patents include:
• Unisys: method of data compression called LZW, used in a graphic format called GIF, which many web sites use in order to be compatible with older web browsers
• Bruce Dickens: computer software windowing method that created a Y2K fix
• Geoworks: software on the Wireless Application Protocol that allows server computers to rearrange pages of information to fit on the screens of phones and mobile devices.

Examples of Internet business method patents include:
• Amazon.com (2 patents): 1-Click ordering (storing a customer's billing information so that they do not have to enter it every time they make a purchase); and the Web Affiliate Program, including the process used to apply to become an affiliate, the technology used to link Amazon's databases to the affiliate site, and the billing system used to make sure the affiliate gets its share of the profits.
• Priceline.com: reverse auctioning or “name your own price” on the Internet
• Sightsound.com: selling of audio or video recordings in download fashion over the Internet
• Home Gambling Network: remote, live wagering over the Internet
• CyberGold: rewards to customers who receive and view online advertisements

Note that the business method patents are on the business method idea, not the technology to accomplish the business method. The Internet software patents, by comparison, are patents on the specific software technology accomplishing the result. Thus, the business method patents are much broader, as there may be several technologies (software and otherwise) that could be created to accomplish the business method but would be blocked from usage because they would infringe on the business method patent. However, most E-business method patents are implemented through software, which itself may be patentable.

These patents create 20-year monopolies over the software technology or the business methods identified in the patent claims. And these Internet-related software and business method patents are proliferating. Between October 1998 and September 1999, 2,600 applications for computer-related business methods were filed. During that same period, 583 computer-related business method patents were issued. Businesses with these patents can prevent other businesses from using the software technology or business methods, or they can license them out for a fee.

While the U.S. Supreme Court endorsed software patents some time ago, recent court cases have brought business method and Internet-related patents into sharper focus. The first case, State Street, did not involve the Internet, but rather a "hub and spoke" software program for managing an investment structure for mutual funds. The software facilitated the administration of mutual funds (the "spokes") by pooling their investments into a single portfolio organized as a partnership (the "hub"). The software determined changes in hub investment assets and allocated the assets among the spokes. The Federal Circuit Court of Appeals (the highest, and most specialized, court on patent matters besides the Supreme Court) held that software algorithms that lead to business methods, like the one at issue in State Street, were patentable. This case reversed a long history of judicial opinions suggesting otherwise.

Another important case now under way involves Amazon.com’s effort to stop barnesandnoble.com from using “Express Lane,” a one-click checkout mechanism similar to Amazon’s patented 1-Click checkout. The trial court issued an injunction against barnesandnoble.com (although it was later stayed) and the case is pending a final ruling. It is considered a critical case regarding the general validity of Internet business method patents. But other cases are also working through the courts, including a suit by Priceline.com against Microsoft’s Expedia for replicating Priceline.com’s “name your own price” business model for selling hotel rooms, airline tickets and other consumer goods and services.

Conflict: There is considerable debate over the granting and use of these patents.
Many argue that these patents will stifle the open nature of the Internet and discourage innovation. They argue that the open nature of software development is why the Internet has advanced as far as it has today, and that to allow proprietary ownership over code will seriously undermine continued innovation. Influential legal scholar Lawrence Lessig states, for example, that "[t]he idea that [Amazon’s] 1-Click is so amazing that it deserves a government-granted monopoly is ridiculous.... These patents are going to change what the Internet is right now, which is a place for a broad number of people to play in the innovation game."[1] Critics complain that these patent applications are generally overly broad and ignore “prior art” – that is, prior ideas that are known, which should defeat a patent claim that the idea is novel or non-obvious and thus patentable. Some attacks on Amazon’s business method patent have been direct in this regard, arguing that Amazon’s 1-Click is a simple, logical and obvious use of the cookie system pioneered by Netscape and others and, thus, not deserving a patent by the very terms of patent law. These arguments have been generalized to the broader number of Internet software and business method patents.

[1] Thomas E. Weber, “Patents feuds may damp Web's spirit,” Wall Street Journal, B1, November 8, 1999.
With respect to stifling the open nature of the Internet, not everyone is in agreement. Many argue that patents have a role to play even in an open system. Q. Todd Dickinson, the Director of the U.S. Patent and Trademark Office, defends business method patents as spurring innovation and preventing rip-offs of inventors’ ideas. Jeff Bezos of Amazon.com has also defended his 1-Click patent, arguing that Amazon took risks and committed substantial time to the effort to create the ordering system. Moreover, many software patent holders say they have software patents "for defensive purposes": to press for cross-licensing, or to argue they were first to invent in case they are threatened with patent lawsuits by others.

There is also debate over whether the USPTO is properly reviewing these patents for prior art. The critics claim that a major reason so many bad software and business method patents issue is that patent examiners do not have enough time and library resources to adequately consider the prior art. Critics have said the agency approves such patents too readily because its examiners do not understand current technology and Internet practices well enough. This hampers competition and innovation, they argue, by allowing commonplace business practices to be rendered private property, and by restricting innovation by entrepreneurs wary of infringement lawsuits.

There are enforcement concerns with respect to these E-Patents.

[insert international dimensions here]

Some Key Players and Resources:
• Jeff Bezos, CEO of Amazon.com. Champions the 1-Click patent but proposes reducing the length of Internet patents to 3-5 years.
• Jay Walker, founder of Walker Digital. Walker Digital is in the business of patenting new business methods, including Priceline.com.
• Kevin Rivette, a patent attorney and author of "Rembrandts in the Attic," a book on how to make the most aggressive use of patents.
• Greg Aharonian, outspoken critic of software and business method patents. Operates the Internet Patent News Service.
• Richard M. Stallman, software developer and founder of the GNU Project, launched in 1984 to develop the free operating system GNU. Outspoken critic of Amazon.com and software patents (www.gnu.org/people/rms.html).
• Lawrence Lessig, Harvard Law Professor and leading scholar on Internet and intellectual property rights (http://cyber.law.harvard.edu/lessig.html).
• Harvard Berkman Center for Internet and Society. Promotes open code approaches to the Internet (http://cyber.law.harvard.edu/).
• Q. Todd Dickinson, Director of the U.S. Patent and Trademark Office (www.uspto.gov/web/offices/com/admin/). Defends USPTO practice in granting software and business method patents.
• U.S. Patent and Trademark Office (www.uspto.gov)
• Protest site against Amazon.com: www.NoAmazon.com
• Protest site against Unisys: www.burnallgifs.com
• Patent guidelines: US Patent Office (1998), Artificial Intelligence, Business and Mathematics Patent Examination Guidelines (http://www.uspto.gov/web/offices/pac/compexam/comguide.htm); US Patent Office (1996), Computer-Related Invention Guidelines (http://www.uspto.gov/web/offices/pac/dapp/oppd/patoc.htm); US Patent Office (1989), Patentability of Math Algorithms and Computer Programs (http://www.bustpatents.com/og1989.htm); Japan Patent Office, Implementing Guidelines for Computer Software Related Inventions (http://www.jpo-miti.go.jp/infoe/txt/soft-e.txt); UK Patent Office, Claims to Programs for Computers (http://www.patent.gov.uk/snews/notices/practice/programs.html).

Key cases:
• State Street Bank and Trust v. Signature Financial Group, 149 F.3d 1368 (Fed. Cir. 1998), cert. denied, 119 S. Ct. 851 (1999) (held that business methods are patentable).
• AT&T v. Excel Communications, 172 F.3d 1352 (Fed. Cir. 1999), cert. denied, 120 S. Ct. 368 (1999) (applied the rule of the State Street decision in a case dealing with a business method patent on long distance telephone message handling).
• Amazon.com v. Barnesandnoble.com, 73 F. Supp. 2d 1228 (W.D. Wash. Dec. 1, 1999) (granted a preliminary injunction against barnesandnoble.com for likely infringement of Amazon.com’s 1-Click ordering patent).

Other:

Amazon.com 1-Click patent claim: Method and system for placing a purchase order via a communications network. Issued/Filed Dates: Sept 28, 1999 / Sept 12, 1997.

“We claim: 1. A method of placing an order for an item comprising: under control of a client system, displaying information identifying the item; and in response to only a single action being performed, sending a request to order the item along with an identifier of a purchaser of the item to a server system; under control of a single-action ordering component of the server system, receiving the request; retrieving additional information previously stored for the purchaser identified by the identifier in the received request; and generating an order to purchase the requested item for the purchaser identified by the identifier in the received request using the retrieved additional information; and fulfilling the generated order to complete purchase of the item whereby the item is ordered without using a shopping cart ordering model.”

Jeff Bezos quotes:

"We spent thousands of hours to develop our 1-Click process, and the reasons we have a patent system in this country is to encourage people to take these kinds of risks." (quoted in Thomas E. Weber, “Patents feuds may damp Web's spirit,” Wall Street Journal, B1, November 8, 1999)

“I now believe it's possible that the current rules governing business method and software patents could end up harming all of us -- including Amazon.com and its many shareholders, the folks to whom I have a strong responsibility, not only ethical, but legal and fiduciary as well.” – Jeff Bezos, in suggesting a 3-5 year length for business method patents (An Open Letter from Jeff Bezos on the Subject of Patents, Spring 2000).
Consumer Information Privacy on the Internet

Issue: Whether self-regulation versus governmental regulation of privacy builds the confidence of consumers in Internet business.

Relevance to E-Business Managers: Consumer information privacy on the Internet deals with the use of personal data, which is critical for the success of an Internet business. It allows a merchant to know its customers’ identity, interests, and needs, and thereby tailor the relationship process and the offerings to increase customer satisfaction and customer convenience. The availability and sale of personal information has been one of the engines of growth in Internet business.

The growth in the number of Internet users has increased the concern over the ability of an individual to control the terms under which personal information is acquired and used on the Internet. The concern about privacy comes from customers, who are wary of vendors using the data or supplied information in an exploitative manner. Several high profile cases have occurred where information about customers has been gathered without their knowledge or without full disclosure of the purpose of data collection, resulting in an outcry of customer complaints (e.g., Real Networks). DoubleClick found that the mere announcement of targeting and profiling led to customer hysteria.

Consumer confidence in the Internet is critical for the development of electronic commerce. The majority of people not online say that they stay off because of privacy concerns. Some reports suggest that 55% of U.S. web users mistrust the present handling of privacy. Interest groups are playing a watchdog role. The Federal Trade Commission (FTC) has released a report that suggests that only 20% of websites manage privacy adequately. Moreover, online worries are being extended to offline concerns. Privacy is another area of legal activity in development.
There are some 300 privacy proposals at the federal level and a plethora of others at the state level. E-business managers must stay abreast of these developments to avoid a “Privacy Valdez.”

Background: Personal information is information identifiable to an individual. E-businesses have access to a wealth of information about online customers. To access a web site or services, customers may complete online registration forms, where they reveal contact information, financial data, and personal interests. To purchase goods or services online, customers may send credit card numbers and shipping addresses over the Internet. As customers click on advertisements or link to Web pages, e-businesses may use cookies to record and store their surfing habits. Much of the data collected contains personally identifiable information.

E-businesses have incentives to collect personal information. First, they may use the information for their own marketing purposes. For example, an e-business may personalize its web site for each individual customer to ensure that the customer’s attention is focused on goods or services that he is most likely to want given his past surfing habits. Second, e-businesses may sell customer information to other companies, who use the information to market directly to those customers. Finally, e-businesses may collect personal information because the nature of their business requires the information. For example, medical web sites require customers’ personal medical history to deliver medical services.

With existing technology, Internet merchants can collect vast amounts of data, most of it invisibly, and put together a complete profile of a person. Detailed tracking of a user’s movements coupled with personally identifiable information has led to concerns over the rise of identity theft. Some predict that within the next 6 to 8 months, most web users will witness the siege of their identity.

Governmental Regulation

The online collection of personal information gained widespread attention in 1998 when the Federal Trade Commission (FTC) published its first study of online privacy practices. The study analyzed the presence of privacy statements on commercial web sites. The study found that although customers ranked the lack of privacy protection as the top reason for not using the Internet, a substantial number of e-businesses collected personal information without posting or maintaining a privacy policy. Only 14% of the sites in the FTC’s sample posted any type of privacy disclosure. A 1999 Georgetown University study (sponsored partly by the FTC) revealed an improvement from the prior year: 67% of the sites posted a privacy statement. However, the content analysis of these statements suggested inadequate protection. Some companies posted statements that give the company the right to do anything with the personal information. Only 13.6 percent followed the FTC’s “fair information practices” that would likely become law if the U.S. government regulated privacy. Other studies suggest that companies fail to comply with their own policies.
In 1999, the FTC handled more than 11,000 complaints against online auction sites alone.

The FTC’s “fair information practices” are reflected in the Privacy Act of 1974, which focused on government use of personal information. Although the U.S. Government has endorsed the standards, it has never passed legislation on them. The Organization for Economic Cooperation and Development (OECD) passed guidelines governing privacy in 1980, and those guidelines are based on fair information practices. Fair information practices are:
o Notice/Awareness: web sites would be required to provide consumers notice of their information practices, such as what information they collect and how they use it
o Choice/Consent: web sites would be required to offer consumers choices as to how that information is used beyond the use for which the information was provided (for example, to consummate a transaction)
o Access/Participation: web sites would be required to offer consumers reasonable access to that information and an opportunity to correct inaccuracies
o Security/Integrity: web sites would be required to take reasonable steps to protect the security and integrity of that information.
In summer 1999, the FTC informed Congress that new Internet privacy laws were not needed at this time and endorsed a policy of self-regulation. It warned that it did not “foreclose [the] possibility of legislative or regulatory action” in the future. Privacy advocates disagreed with the FTC’s decision, calling for a comprehensive privacy law. Partly because of the troubling results of the 1998 FTC WebSurf, Congress passed the Children’s Online Privacy Protection Act (COPPA). But other than COPPA, the Clinton administration has avoided governmental regulation of online privacy practices except at the sectoral level (health and financial services). Instead, the administration has encouraged e-businesses to adopt self-regulatory approaches to privacy protection in order to protect the free growth of the Internet. Although the administration has assumed a hands-off approach for now, it has charged both the FTC and the National Telecommunications and Information Administration (NTIA) with monitoring online privacy protection to ensure the effectiveness of self-regulation. If self-regulation is ineffective, the administration says it will turn to governmental regulation of online privacy. A recent Business Week/Harris poll reported that 57% of Americans believe that it has become time for the government to step in and regulate privacy; only 15% believe that self-regulation is the way to go.

In May 2000, the FTC released the results of the 2000 WebSurf. The study found that only 20% of the sites provided adequate consumer protection. Whereas in 1999 the FTC had given a green light to over 60% of sites, this dropped to 20% because the FTC changed its criteria. While in the past the FTC had largely checked for the existence of a privacy statement, in 2000 the study analyzed the content of the statement and the extent to which it met the four requirements of the Fair Information Practices.
The FTC 2000 WebSurf suggested that the Federal Trade Commission has taken a more active role in enforcing fair information practices online.

Business Self-Regulation Approaches

E-businesses have taken self-regulation seriously because they want to avoid governmental regulation and because they recognize that privacy protection is simply good business. Since 1998, the percentage of web sites providing privacy notices has grown from 14%[2] to 24%[3]. Several organizations, including TRUSTe and BBBOnline, have launched privacy seal programs that provide third party monitoring of an enrolled web site’s privacy practices. Finally, e-businesses themselves have changed their privacy practices in response to consumer pressure. For example, DoubleClick abandoned plans to merge data relating to online surfing habits with offline personal data when consumer groups protested.

Three approaches to self-regulation have emerged:
o First, e-businesses may police their own privacy practices by holding themselves to restrictive privacy policies. American Express employs this self-policing approach.
o Second, e-businesses may seek to create a market in privacy by compensating consumers for personal information and then using that information as they see fit. Cybergold employs a market approach.
o Third, consumers, instead of e-businesses, may control their own information by using software that allows them to block access or designate the types of information that will be revealed when they visit web sites.

[2] As found in a 1998 FTC study published at http://www.ftc.gov.
[3] As found in a 2000 enonymous.com survey published at http://www.privacyratings.org.

Many hope that future privacy-enhancing technologies coupled with consumer education will elevate privacy protection to new levels within the self-regulation framework. Some privacy-enhancing technologies include:
1. Intermute: a Java application to block undesired access to your computer when you are online
2. PGP 5.0: a powerful encryption program to guarantee the confidentiality of your messages to trusted recipients
3. PGP Cookie Cutter: a Windows 95 utility to delete selected cookies
4. Lucent Personalized Web Assistant: an application to be used for identifying yourself at a web site that shields your true identity
5. Anonymous technology: Anonymizer.com is a web site to be visited before you visit other web sites that provides you with an anonymous identity. File sharing programs such as Gnutella mask the identity of those using the system.
6. Platform for Privacy Preferences (P3P): P3P is an automated system that gives users more control over the information they disclose about themselves as they surf the Web. Under the proposal, site designers would post their privacy practices in a format the user's browser would understand. Web surfers could, in turn, set browser preferences to control how much information they want to release to web sites they visit.

The criticism against self-regulation has grown in the last year. The press has prominently featured a number of online privacy gaffes. DoubleClick, Amazon.com, Microsoft, and Real Networks are just a few.
Real Networks had a TRUSTe privacy seal on its site while it violated its own privacy statement by transmitting personal information from twelve million people. TRUSTe has still yet to discipline Real Networks. TRUSTe’s response has included the claim that privacy problems happen not because of malicious intent by the corporation but because “the left hand of a company doesn’t know what the right one is doing.”

Businesses themselves are split on the balance between governmental and self-regulation. Some businesses fear that unless the federal government acts, states and local jurisdictions will pass their own privacy laws, leading to a mishmash of laws. Others insist that Internet businesses can self-regulate.

Consumer Ownership of Personal Information

Customers give away their personal information in anticipation of some future value from that exchange (e.g., convenience, tailored products). While it is easy to see how merchants benefit from personal customer information, it is less clear what Internet customers have received in return for their personal information. The promises of greater convenience (one-click shopping), personalization, and tailoring have often fallen short. Perhaps because of failed promises, customers have begun to claim ownership of their personal information and place economic value on the information that they share with merchants while transacting, communicating, and collaborating with them. Customers are willing to release this information if they can profit by doing so (e.g., compensation, gifts, coupons, rebates, special offers). Some merchants have begun to provide a flat sum of money for customers’ completing online surveys ($5-10), a discount on the first purchase, or a few cents when the information is sold to a third party. Firms whose main business is selling personal information have begun to pay surfers for the time they surf (e.g., 50 cents per hour), the number of advertisements they look at, and the amount of information they share. Others argue that it is not possible to put a value on a piece of data about a customer (name, browsing pattern), as it depends on the context of the data.

International Approaches

Japan has followed the U.S. lead closely and has advanced ethical practices similar to the Fair Information Practices. The European Union has taken a governmental approach. The European Union passed a comprehensive privacy policy in 1995 and it became law in member countries in 1998.

Conflicts:
1. The most obvious conflict concerns self-regulation versus governmental regulation. The Clinton administration and e-businesses favor self-regulation since they believe that governmental regulation will stifle the growth of the Internet. Specifically, governmental regulation will erode consumer confidence and trust in e-businesses and will offer an inflexible approach to a rapidly changing online environment. Public interest groups note that self-regulation does not work, however.
If e-businesses find an economically beneficial use for online data, they are unlikely to police themselves at an economic loss. Third-party private sector auditors are ineffective since those organizations survive on funding that audited businesses provide. Proponents of governmental regulation argue that without effective privacy protection, consumers will not purchase goods and services on the Internet and the Internet will not reach its full growth potential.

Among self-regulatory efforts, a conflict exists over the most effective approaches. For example, many web sites are giving consumers the option to opt out of information sharing. Many public interest groups believe that web sites should use an opt-in policy instead, however. Besides the issue of choice, there are issues of being informed. How does the privacy statement constrain the firm from changing its business model and its information uses in the future? The privacy statement covers what information the business collects, how it collects that information, and how it uses that information. Privacy advocates argue that if the data is collected under Version 1 of the privacy statement, then it can only be treated under Version 1 without approval from everyone who provided data. Other issues rally around who is responsible for the integrity of the data.
2. A conflict also exists between the European and American approaches to privacy protection. In 1998, the E.U. implemented a privacy protection law that allows companies to collect personal data only when individuals consent to the collection, know how the data will be used, and have access to databases to correct or erase their information. The law does not allow the transfer of data from E.U. countries to countries with less stringent privacy policies. Since the U.S. has adopted a self-regulatory approach, its privacy policies are less stringent, and the E.U. law prohibits data transfer to the U.S. In March 2000, the U.S. and E.U. reached a safe harbor agreement that has not yet been ratified. Europe agreed it would not try to force the U.S. to impose an intrusive E.U. data-privacy law on all U.S. companies. In return, the U.S. agreed to set up a “safe harbor” – a list, to be maintained by the Department of Commerce, of companies that voluntarily adopt E.U.-style safeguards of their customers' private information. Companies that do not participate would risk a halt of data flows from Europe. The Europe-U.S. agreement has been particularly slow in resolving the issues of onward transfer of data and enforcement.

3. There is a conflict between privacy and anonymity. Privacy advocates argue that users have a right to stay anonymous. However, anonymous file sharing programs such as Napster and Gnutella are associated with rampant copyright violations. Because the users are anonymous, rights holders have no one to sue. Industry leaders, whose businesses are dependent on copyright protection, have called for the elimination of anonymity for people who want to use services such as Napster. Some have even said that the issue of anonymity might become the most significant policy issue in the coming years.

Legislation in the U.S.:
1. Fair Credit Reporting Act (1970): Governs the collection and disclosure of personal information in the credit reporting industry.
2. Privacy Act of 1974: Regulates government conduct pertaining to the collection, use, and disclosure of personally identifiable information (including electronic information).
3. Freedom of Information Act: Regulates government conduct pertaining to the disclosure of personally identifiable information (including electronic information).
4. Cable Communications Policy Act (1984): Requires cable companies to provide their customers with annual notice as to how their personally identifiable information is used (perhaps applicable to cable providers who provide Internet access).
5. Electronic Communications Privacy Act (1986): Protects private electronic communications from unauthorized access, interception, or disclosure by the government, individuals, or third parties.
6. Video Privacy Protection Act (1988): Regulates disclosure of videotape rental information (application of the law to the Internet is unclear).
7. COPPA (Children’s Online Privacy Protection Act) (1998): Prohibits unfair or deceptive acts or practices in connection with the collection, use, or disclosure of personally identifiable information from and about children younger than 13 on the Internet.
  14. 14. 8. Gramm-Leach-Bliley Financial Services Bill (1999): The bill itself codifies the rights of financial consumers. The Clinton administration is currently drafting rules to implement privacy protections required by the bill. The proposed rules include a mandatory privacy notice and opt-out policy. Ethical Standards for Privacy The U.S. constitution does not contain any rights to privacy and no comprehensive privacy legislation exists in the U.S. However, there are ethical standards that firms should follow. o The National Telecommunications and Information Administration (NTIA) articulated the following fair information practices and enforcement mechanisms in 1998: 1. Principles of Fair Information Practices Fair information practices form the basis for the Privacy Act of 1974, the legislation that protects personal information collected and maintained by the United States government. In 1980, these principles were adopted by the international community in the Organization for Economic Cooperation and Development's Guidelines for the Protection of Personal Data and Transborder Data Flows. a. Awareness. At a minimum, consumers need to know the identity of the collector of their personal information, the intended uses of the information, and the means by which they may limit its disclosure. Companies are responsible for raising consumer awareness and can do so through the following avenues: 1) Privacy policies. Privacy policies articulate the manner in which a company collects, uses, and protects data, and the choices they offer consumers to exercise rights in their personal information. 2) Notification. Notification should be written in language that is clear and easily understood, should be displayed prominently, and should be made available before consumers are asked to provide personal information to the company. 3) Consumer education. 
Companies should teach individuals to ask for relevant knowledge about why personal information is being collected, what the information will be used for, how it will be protected, the consequences of providing or withholding information, and any recourse they may have.

b. Choice. Consumers should be given the opportunity to exercise choice with respect to whether and how their personal information is used, either by businesses with whom they have direct contact or by third parties.

c. Data Security. Companies creating, maintaining, using or disseminating records of identifiable personal information must take reasonable measures to assure its reliability for its intended use and must take reasonable precautions to protect it from loss, misuse, alteration or destruction. Companies should also strive to assure that the level of protection extended by third parties to whom they transfer personal information is comparable to their own.
d. Data Integrity. Companies should keep only personal data relevant for the purposes for which it has been gathered, consistent with the principles of awareness and choice. To the extent necessary for those purposes, the data should be accurate, complete, and current.

e. Consumer Access. Consumers should have the opportunity for reasonable, appropriate access to information about them that a company holds, and be able to correct or amend that information when necessary. The extent of access may vary from industry to industry.

f. Accountability. Companies should be held accountable for complying with their privacy policies.

2. Enforcement

The discussion of enforcement tools below is in no way intended to be limiting. The private sector may design the means to provide enforcement that best suit its needs and the needs of consumers.

a. Consumer recourse. Companies that collect and use personally identifiable information should offer consumers mechanisms by which their complaints and disputes can be resolved. Such mechanisms should be readily available and affordable.

b. Verification. Verification provides attestation that the assertions businesses make about their privacy practices are true and that privacy practices have been implemented as represented.

c. Consequences. For self-regulation to be effective, failure to comply with fair information practices should have consequences. Examples of such consequences include cancellation of the right to use a certifying seal or logo, posting the name of the non-complier on a "bad-actor" list, or disqualification from membership in an industry trade association. Non-compliers could be required to pay the costs of determining their non-compliance. Ultimately, sanctions should be stiff enough to be meaningful and swift enough to assure consumers that their concerns are addressed in a timely fashion.
When companies make assertions that they are abiding by certain privacy practices and then fail to do so, they may be liable for deceptive practices and subject to action by the Federal Trade Commission or the appropriate bank or financial regulatory authority.

o In June 1998, the Electronic Privacy Information Center recommended the following privacy practices:
1. Web sites should make available a privacy policy that is easy to find. Ideally the policy should be accessible from the home page by looking for the word "privacy."
2. Privacy policies should state clearly how and when personal information is collected.
3. Web sites should make it possible for individuals to get access to their own data.
4. Cookie transactions should be more apparent.
European Union Data Privacy Directive

1. Requirements
a. Collectors of personal information must provide the data subject with notice of their collection practices
b. A gatherer of personal information can only collect such information for "specified, explicit and legitimate purposes"
c. Information must be adequate and relevant for the stated purpose, accurate and current, and maintained in personally identifiable form for only the amount of time needed to accomplish the stated purpose for collection
d. Personally identifiable information can be processed only if the subject of the information gives unambiguous consent
e. The data subject must be given a right of access and a right to object to the processing of his information
f. The data collector must provide for confidentiality and security of the information
g. Personally identifiable information transferred outside of the E.U. must go only to countries with "adequate" privacy protection

2. Recent events surrounding the Directive
a. The European Commission said on January 11 that it would take five European Union member states to court for failing to implement rules designed to protect individuals' privacy on the Internet and other electronic networks. The E.U. executive said it had decided to take France, Luxembourg, the Netherlands, Germany and Ireland to the Luxembourg-based European Court of Justice for failing to fully implement the E.U.'s Data Protection Directive (Reuters, 11 January 2000)
b. Tentative agreement on the Safe Harbor was reached in March. Details are still being finalized.

Cases:

1. The FTC has launched investigations into a handful of web sites' business practices. Yahoo! is the target of a current FTC investigation to determine whether it disclosed user data to third parties in violation of federal regulations.
Earlier this year, DoubleClick was the target of an FTC investigation when it announced that it would combine online surfing habits cultivated by its ad network with personal information collected from transaction records. The FTC has also settled cases with KidsCom and GeoCities.
2. Private parties have filed six lawsuits against DoubleClick alleging deceptive privacy practices.

Public Interest Groups:

1. Center for Democracy and Technology (http://www.cdt.org)
2. Electronic Privacy Information Center (http://epic.org)
3. Internet Privacy Coalition (http://www.privacy.org/ipc)
Government Organizations:

1. Federal Trade Commission (http://www.ftc.gov): Monitors deceptive business practices, which include privacy practices.
2. National Telecommunications and Information Administration (http://www.ntia.doc.gov): This agency of the U.S. Department of Commerce is charged with studying and monitoring the status of electronic privacy protection.

Private Sector Auditors:

1. The Personalization Consortium is a group of 26 companies that police members' privacy policies while educating consumers about personalization issues. Members must tell consumers what data is being collected in the personalization process and let them opt out of collection.
2. TRUSTe provides a fee-based service that promises to audit a site and issue a seal assuring visitors that the site's privacy policy is truthful.
3. BBBOnline is developing a privacy seal program that includes verification and consumer dispute resolution.

Industry Associations:

1. Online Privacy Alliance (http://www.privacyalliance.org): The Alliance and all its members are strongly committed to meeting the Administration's challenge to develop a strong, effective program for self-regulation in the online marketplace. The Alliance has adopted a set of guidelines for online privacy practices and a very strong set of principles for children's online activities.

Policymakers:

1. Alan Westin, a professor at Columbia University, is involved in the development of a self-regulatory privacy program for BBBOnline.
2. Mary Culnan, a professor at Georgetown University, is the author of the 1999 Georgetown Internet Privacy Policy Survey. She currently serves on the FTC Advisory Committee on Access and Security.
Copyright and Data Protection in E-Business

Issues: To what extent should law protect both copyrighted information in cyberspace and the technological means used to self-protect?

Managerial Questions: Does moving operations online create new content or software for which copyright protection should be sought? Would copyright protection be sufficient? If not, how should e-businesses protect their data or software from unauthorized use and distribution? How should e-businesses avoid being sued for copyright infringement?

Background: U.S. copyright law has been used to protect the content of web sites, data, and Internet software programs from unauthorized copying and distribution. Businesses have found, however, that laws have limited effectiveness in cyberspace, where content can be copied quickly by anonymous users. Many companies have decided to rely not only on traditional copyright law, but also on technical protections (anti-piracy measures) built into web sites or software to protect against unauthorized copying and distribution. The music industry, for example, is betting that secure copy-protection technologies, developed under the auspices of the Secure Digital Music Initiative (SDMI), will stop the unauthorized spread of new music through file sharing systems like Napster or Gnutella. Cyber Patrol, screening software that protects children from pornographic sites, is another product with an anti-piracy feature. And CSS is the encryption program designed to prevent unauthorized copying of DVDs.

Many of these anti-piracy measures have been "cracked" by hackers. This has created a growing consensus that copyright law should protect not only the content, but also the technical measures designed by firms to secure the content. In 1998, Congress passed the Digital Millennium Copyright Act (DMCA), which makes it illegal to break through passwords, encryption and other technological defenses that companies erect around their Internet content.
The Act was designed to implement international treaties that the U.S. had signed at the World Intellectual Property Organization (WIPO) in 1996. The bill was originally supported by the software and entertainment industries, and opposed by scientists, librarians, and academics. At the last minute, certain controversial provisions were deleted, including a provision that would have provided copyright protection for databases even when the material in the databases was in the public domain. Some "fair use" protections were inserted for non-profit archives, libraries and educational institutions, and the bill was passed. Among other things, the DMCA:

• Makes it a crime to circumvent anti-piracy measures built into most commercial software.
• Outlaws the manufacture, sale, or distribution of code-cracking devices used to illegally copy software.
• Allows the U.S. Copyright Office to make exemptions to the anti-hacking provision.
• Limits Internet Service Providers' (ISPs') copyright infringement liability for simply transmitting information over the Internet.
• Requires "webcasters" to pay licensing fees to record companies.

Several lawsuits have been brought under the anti-circumvention provisions of the DMCA.

• Real Networks obtained an injunction against a portion of software created by Streambox that allowed users to capture or record "streamed" media sent via Real Networks' copy-encoded format.
• The Motion Picture Association of America (MPAA) filed lawsuits against web sites that posted software, or links to it, created by a 16-year-old Norwegian student that allowed DVDs to be played on Linux-based computers.
• The Recording Industry Association of America (RIAA) filed a lawsuit against start-up company Napster, which allows music fans to trade music files directly from one another's machines without posting them on a web site.
• Universal City Studios brought suit against sites that posted a de-encryption program known as DeCSS. DeCSS de-encrypts CSS, a proprietary program that precluded copying of movies stored on DVD.

A European legislative proposal bears broad resemblance to the Digital Millennium Copyright Act.

Conflicts:

File Sharing: A major conflict has arisen over the recent software programs that allow Internet users to share files over the Internet without paying for their use or distribution. Currently, most of the attention is focused on file sharing programs such as Napster that allow free exchange of music. But there are other file sharing programs that allow the sharing of any software file on a user's computer. Wrapster, for example, allows any kind of file to be listed and traded over the Napster network. iMesh allows people to swap music, video and other multimedia files.
That provides a broader range of options than Napster itself, which only supports MP3 files, but falls short of the capabilities of the new Wrapster technique. These programs and others like them are likely to pit software copyright owners against unauthorized users and those who assist in the file transfers. Some technological solutions have emerged: NetPD and Media Enforcer, which allow artists to monitor who is swapping their songs online and gather the Web addresses and usernames of traders. But new services such as Freenet and ZeroKnowledge are being developed that will make this job much more difficult, masking individual traces online and distributing content more widely around the Net.
Information Aggregators and Database Protection: Whether databases (collections of facts like telephone directories, weather reports, stock tables and real estate listings, airline schedules, medical advice, city maps, basketball scores and other information) can be copied, repackaged and distributed by competitors and other information aggregators.

In a recent case involving Internet auction site eBay and information aggregator Bidder's Edge, Judge Ronald Whyte proclaimed that the "bots" launched by Bidder's Edge were a "violation of eBay's fundamental property right to exclude others from its computer system." The judge issued a preliminary injunction barring Bidder's Edge, which indexes online auctions so users can find the best deal, from automatically harvesting information from eBay. The court said Bidder's Edge was "trespassing" by using the resources of eBay's computer systems without permission. According to the judge, the law recognizes no such right to use another's property.

The implications of this ruling could effectively outlaw "deep linking." Deep links take Internet users directly to a relevant item on another web site. They are the bread and butter of search engines, content aggregators and comparison-shopping sites. In an earlier precedent-setting case (Ticketmaster versus tickets.com), a U.S. court found that deep linking did not violate copyright protection, apparently resolving the controversy surrounding the practice. The eBay case rests on the notion of "trespass" rather than "copyright."

The debate about Internet links is also being played out in the US Congress, where eBay is alone among leading US web publishers in supporting a bill that would prohibit the systematic extraction of information from databases compiled by companies. Yahoo!, Amazon.com, America Online and other Internet heavyweights oppose it. Last year the House Judiciary Committee approved a bill sponsored by Rep.
Howard Coble, R-N.C., that would establish criminal penalties for the unauthorized use of material in databases. Opponents say the bill would allow companies with databases to control access to facts.

The issue is just as vital to older businesses as they adapt to the Internet. For example, real-estate agents complain that online home-sale listings have been pilfered and reused. Publishers worry about pirating of their databases. Newspapers are nervous about classified advertising being copied.

Some Key Players and Resources

• Rep. Howard Coble, R-N.C. Introduced a bill that would establish criminal penalties for unauthorized use of material in databases.
• Senate Judiciary Committee Chmn. Orrin Hatch (R-Utah). Has promised "a series of hearings" on copyright problems created by new technologies.
• Lawrence Lessig, Harvard Law Professor and leading scholar on Internet and intellectual property rights (http://cyber.law.harvard.edu/lessig.html).
• James Billington, Librarian of Congress. Will make final decisions regarding exceptions to the DMCA's anti-circumvention provisions.
• Robin Gross, attorney who filed comments for the Electronic Frontier Foundation regarding Cyber Patrol litigation. Supported CPHack's position.
• Rapper Chuck D. Wrote in a recent New York Times op-ed article that "Music on the Internet is just a promotional device that helps to sell records." Favors Napster.
• Metallica, heavy metal band. Suing Napster.com for contributory copyright infringement.
• Michael Eisner, Disney CEO. Outspoken advocate on the need for stronger copyright protection.

Key cases:

• eBay v. Bidder's Edge, Inc., No. C-99-21200 (Northern District of California, May 24, 2000) (used the principle of "trespass to a computer system" to prevent content aggregation by "bots").
• Universal City Studios v. Reimerdes (January 20, 2000) (injunction against DeCSS de-encryption software for DVDs).
Critical Infrastructure Security

Issue: New security weaknesses caused by vulnerabilities in the Internet, as well as in web browsers and servers, have created a variety of new security risks. The types of risks include system-modifying attacks (viruses or "hostile" applets) and Denial-of-Service (DoS) attacks that consume a machine's resources or make them unavailable. Attack technology is being developed in an open source environment where a community of interest develops this technology at a rapid pace. Several significant new forms of attack have appeared in just the past year, such as the Melissa virus and DoS attacks. As attack technology evolves, it can be acquired by users with significant resources to hone and advance the technology, making it a much more serious threat to national security and the effective operation of government and business.

Industry is acutely interested in protecting the critical infrastructure since almost 90% of the world's information infrastructure, including the Internet, is run by industry. Government is also interested in protecting critical infrastructure security, as such protection runs into national security concerns. Business and government have disagreed on how, and by whom, critical infrastructure security should be maintained.

Background: The threats to critical infrastructure come in a variety of forms:

• Viruses. A virus is a program designed to perform some malicious action unknowingly triggered by an innocuous event (such as a user action, a certain date being reached, etc.). The defining characteristic of viruses is that they are self-replicating. With the ease of passing information between users greatly enhanced by the Internet, so too is the ease of a user unknowingly transmitting a virus. Also, the number of new viruses appearing is escalating at an alarming rate. According to PC Magazine, new viruses appear at the rate of more than 200 per month.

• Hostile Applets and ActiveX Controls.
Hostile applets are designed to take advantage of an applet's capabilities. Because they are designed to execute on a user's computer, if they contain malicious features they can perform hostile acts such as damaging files or exposing them for unauthorized users to read, without the user knowing.

• Denial-of-Service Attacks (DoS). DoS attacks are among the biggest threats to reliable computing environments. The development of the Internet with distributed systems based on the client/server model has made many computer systems much more vulnerable to these types of attacks. DoS attacks include several different methods of making system resources unavailable and shutting down service.

E-mail "bombs" – Consist of hundreds of duplicate messages and large files, thus potentially filling file systems or overloading mail servers and making them unavailable for valid use.

"SYN flooding" – Inundates a server with requests to open new connections that carry invalid IP addresses, tying up the server as it tries to acknowledge unknown or nonexistent addresses.
"Ping of Death" attacks – Crash network servers or firmware by overloading them with illegally large ping packets. ("Ping," short for Packet Internet Groper, is an Internet utility used to determine whether a particular IP address is online. It is used to test and debug a network by sending out a packet and waiting for a response.)

IP fragment attacks – The so-called "Teardrop" attack targets a weakness in the reassembly of IP packet fragments on the destination host. When an IP packet is sent across the Internet, it often is broken up into smaller packets. These smaller packets indicate which data bytes of the original packet they hold (for example, bytes 128 through 255 of packet XYZ). The Teardrop attack changes these numbers, making them incorrect. When some destination hosts are unable to reconstruct the original packet because of these invalid numbers, they hang or crash.

"False alarm" attacks – Trigger automatic firewall alarms designed to close down connections when attacked, or cause other system shutdowns. In other words, this method uses the network's or server's own security tools to deny service.

The Center for Education and Research in Information Assurance and Security at Purdue University (CERIAS) has identified the following key trends and factors facilitating cyber attacks on critical infrastructures:

1. Attack technology is developing in an open-source environment and is evolving rapidly. Technology producers, system administrators, and users are improving their ability to react to emerging problems, but they are behind, and significant damage to systems and infrastructure can occur before effective defenses can be implemented. As long as defensive strategies are reactionary, this situation will worsen.

2. Currently, there are tens of thousands, perhaps even millions, of systems with weak security connected to the Internet. Attackers are compromising (and will continue to compromise) these machines and building attack networks.
Attack technology takes advantage of the power of the Internet to exploit its own weaknesses and overcome defenses.

3. Increasingly complex software is being written by programmers who have no training in writing secure code and are working in organizations that sacrifice the safety of their clients for speed to market. This complex software is then being deployed in security-critical environments and applications, to the detriment of all users.

4. User demand for new software features over security ones, coupled with industry response to that demand, has resulted in software that is increasingly supportive of subversion, computer viruses, data theft, and other malicious acts.

5. Because of the scope and variety of the Internet, changing any particular piece of technology usually cannot eliminate newly emerging problems; broad community action is required. While point solutions can help dampen the effects of attacks, robust solutions will come only with concentrated effort over several years.

6. The explosion in use of the Internet is straining our scarce technical talent. The average level of system administrator technical competence has decreased dramatically in the last 5 years as non-technical people are pressed into service as
system administrators. Additionally, there has been little organized support of higher education programs that can train and produce new scientists and educators with meaningful experience and expertise in this emerging discipline.

7. The evolution of attack technology and the deployment of attack tools transcend geography and national boundaries. Solutions must be international in scope.

8. The difficulty of criminal investigation of cybercrime, coupled with the complexity of international law, means that successful apprehension and prosecution of computer crime is unlikely, and thus little deterrent value is realized.

9. The number of directly connected homes, schools, libraries and other venues without trained system administration and security staff is rapidly increasing. These "always-on, rarely-protected" systems allow attackers to continue to add new systems to their arsenal of captured weapons.

Network firewalls are commonly used to enforce a site's security policy by controlling the flow of traffic between two or more networks. Firewalls often are placed between the corporate network and an external network such as the Internet or a partnering company's network. However, firewalls are also used to segment parts of corporate networks. A firewall system provides both a perimeter defense and a control point for monitoring access to and from specific networks.

Conflict: To improve critical infrastructure security, the U.S. government has suggested interoperability of products and systems through standard-setting efforts. Many businesses, however, endorse adopting best practices for tackling critical infrastructure issues rather than setting standards. They believe that the marketplace and not the federal government should dictate preferred technologies (which would become de facto standards).
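The IP fragment attack and oversized-packet attack described in the Background above both succeed because a destination host trusts the byte ranges the fragments claim to hold. The following is an added example written for this edition, not code from the manual or from any product or organization it names: the validation a receiving host (or a firewall acting as the control point mentioned above) can apply before reassembly so that a malformed fragment set is dropped rather than hung on. It is a simplified model: fragment offsets are treated as plain byte counts (the real IPv4 header stores the offset in 8-byte units and the flag in a bit field), the names Fragment, check_fragments, is_well_formed and reassemble are this example's own, and the fragment sets at the bottom are constructed, not captured traffic.

```python
"""Defensive IP fragment reassembly: reject overlapping, oversized or
inconsistent fragment sets instead of hanging or crashing on them.

Added example for this edition; not part of the SIM policy manual.
Simplification (assumption): offsets are plain byte offsets rather than
the 8-byte units of the real IPv4 header."""
from dataclasses import dataclass
from typing import Iterable, List

MAX_DATAGRAM = 65535  # largest IPv4 datagram, in bytes


@dataclass(frozen=True)
class Fragment:
    ident: int      # IP identification field; shared by all fragments of one datagram
    offset: int     # byte offset of this fragment's payload within the original datagram
    payload: bytes  # the bytes carried by this fragment
    more: bool      # "more fragments" flag; cleared only on the final fragment


class FragmentError(ValueError):
    """Raised for a fragment set that a careful host must drop rather than reassemble."""


def check_fragments(frags: Iterable[Fragment]) -> int:
    """Validate a complete fragment set and return the reassembled length.

    Checks, in order: one datagram id, every claimed range inside the
    maximum datagram size (the oversized-packet case), no overlap between
    consecutive fragments (the Teardrop case), no gaps, and a more-fragments
    flag that is set on every fragment except the last.
    """
    ordered: List[Fragment] = sorted(frags, key=lambda f: f.offset)
    if not ordered:
        raise FragmentError("empty fragment set")
    if len({f.ident for f in ordered}) != 1:
        raise FragmentError("fragments belong to different datagrams")

    expected = 0  # next byte offset a well-formed set must continue from
    for f in ordered:
        if f.offset < 0 or not f.payload:
            raise FragmentError("negative offset or empty payload")
        end = f.offset + len(f.payload)
        if end > MAX_DATAGRAM:
            raise FragmentError(f"fragment ends at byte {end}, beyond the maximum datagram size")
        if f.offset < expected:
            # Overlap: the sender claims bytes an earlier fragment already covered.
            raise FragmentError(f"fragment at offset {f.offset} overlaps data ending at {expected}")
        if f.offset > expected:
            raise FragmentError(f"gap between byte {expected} and byte {f.offset}")
        expected = end

    if ordered[-1].more:
        raise FragmentError("final fragment still has the more-fragments flag set")
    if any(not f.more for f in ordered[:-1]):
        raise FragmentError("more-fragments flag cleared before the final fragment")
    return expected


def is_well_formed(frags: Iterable[Fragment]) -> bool:
    """True if the fragment set passes every check above."""
    try:
        check_fragments(frags)
        return True
    except FragmentError:
        return False


def reassemble(frags: Iterable[Fragment]) -> bytes:
    """Reassemble a fragment set that passes validation; raise FragmentError otherwise."""
    frags = list(frags)
    buf = bytearray(check_fragments(frags))
    for f in frags:
        buf[f.offset:f.offset + len(f.payload)] = f.payload
    return bytes(buf)


# Constructed sample data (not captured traffic).
# A legitimate three-fragment datagram covering bytes 0-7, 8-15 and 16-19.
GOOD_SET = [
    Fragment(ident=0x1234, offset=0, payload=b"A" * 8, more=True),
    Fragment(ident=0x1234, offset=8, payload=b"B" * 8, more=True),
    Fragment(ident=0x1234, offset=16, payload=b"C" * 4, more=False),
]
# A Teardrop-style set: the second fragment's offset points back into bytes
# the first fragment already covers, so the claimed ranges overlap.
TEARDROP_SET = [
    Fragment(ident=0x1234, offset=0, payload=b"A" * 8, more=True),
    Fragment(ident=0x1234, offset=4, payload=b"B" * 8, more=False),
]
# An oversized set in the "Ping of Death" style: the claimed byte range runs
# past the 65,535-byte maximum a datagram may occupy.
OVERSIZED_SET = [
    Fragment(ident=0x4321, offset=0, payload=b"D" * 65528, more=True),
    Fragment(ident=0x4321, offset=65528, payload=b"E" * 16, more=False),
]

if __name__ == "__main__":
    print("good set reassembles to", len(reassemble(GOOD_SET)), "bytes")
    print("teardrop set well-formed?", is_well_formed(TEARDROP_SET))
    print("oversized set well-formed?", is_well_formed(OVERSIZED_SET))
```

The design point is that the reassembler never sizes a buffer or copies bytes from offsets it has not first checked against the previous fragment's end and the datagram maximum; a set that fails any check is discarded as a unit, which is the behaviour that turns a crash into a dropped packet and a log line.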
Many in the IT industry view standards as a snapshot of technology at a given moment, creating the risk that technology becomes frozen in place, or that participants coalesce around the "wrong" standards. Many IT professionals favor an open source model for developing best practices, a model that is not constrained by technical rules or regulations.

There also exists a debate regarding whether to consolidate the collection and analysis of cyber attack data. FBI director Louis Freeh and the Critical Infrastructure Assurance Office favor a single location for the collection, analysis, and dissemination of information regarding security threats. Industry prefers the more diffuse approach that currently exists, whereby multiple organizations are working to evaluate vulnerabilities and threats as well as developing technical solutions. The challenge from this perspective is not to pull all data together, but to push it out to meet the varying needs of the various audiences.

Richard Pethia of CERT stresses information sharing as the fundamental component of preventing cyber attacks. He maintains that IT professionals understand they can never hope to eliminate every vulnerability in their systems. Therefore, they need data to help them determine which vulnerabilities are most critical and therefore most likely to be exploited. Pethia states: "Our law enforcement and intelligence organizations must find
ways to release threat data to the operational managers of information infrastructures to motivate these managers to take action and to help them understand how to set their priorities."

Information sharing about cyberattacks, however, is problematic. Companies are currently reluctant to share sensitive information about security practices and network breaches with either government agencies or their competitors. Companies worry that trade secrets or other proprietary information could be compromised in the exchange. Additionally, they worry that information on intrusions could be used against them in shareholder lawsuits, jeopardize their customer base, or even prove beneficial to the hacker community. Companies also fear sharing this information with government because of the possibility that it may lead to increased regulation of the industry or of e-commerce generally. Moreover, companies are concerned with protecting individual customers' privacy and fear that privacy breaches may occur inadvertently during information infrastructure investigations.

Currently, corporations often have more to lose from damaged reputations than from the network attacks themselves. These organizations will not share security incident or loss information unless they have a high degree of confidence that this information will be protected from public disclosure. Industry professionals are urging the federal government to take steps to protect sensitive information, including creating exemptions from Freedom of Information Act (FOIA) requests. Many in industry believe that freedom from FOIA concerns is the most formidable obstacle, and that an exemption for this type of information sharing is the only option. Opponents of proposals to relax FOIA provisions believe industry might use the relaxed standards to protect itself from disclosing damaging information that should be released to the public.
FBI Director Louis Freeh believes safeguards are currently in place to protect sensitive information. In his testimony before the Senate Judiciary Subcommittee on Technology, Terrorism and Government, he stated that under the Economic Espionage Act, passed in 1996, there are specific provisions for maintaining the confidentiality of information obtained during the process of a criminal prosecution. Therefore, any proprietary information is under specific and court-ordered protection to ensure it is not compromised in the course of the prosecution.

Additional Proposals to Improve Critical Infrastructure Security:

In addition to the debated solutions above, the Information Technology Association of America (ITAA) and CERT have suggested additional approaches to improving the current mechanisms for combating threats and responding to attacks on the nation's critical infrastructure.

1. Building Awareness. The ITAA and its member companies are raising awareness of the issue within the IT industry and through partnership relationships with other vertical industries, including finance, telecommunications, energy, transportation, and health services. An awareness-raising campaign targeting the IT industry and vertical industries dependent on information, such as the financial sector, insurance, electricity, transportation and telecommunications, is being overlaid with a community effort directed at CEOs,
end users and independent auditors. The goal of the awareness campaign is to educate the audiences on the importance of protecting a company's infrastructure, and to instruct them in the steps they can take to accomplish this. The message is that information security must become a top-tier priority for businesses and individuals.

2. Educating Computer Users. In an effort to take a longer-range approach to the development of appropriate conduct on the Internet, the Department of Justice and the ITAA have formed the Cybercitizen Partnership. The Partnership is a public/private sector venture formed to create awareness, in children, of appropriate on-line conduct. The effort focuses on developing an understanding of the ethical behavior and responsibilities that accompany use of the Internet. The Partnership will develop focused messages, curriculum guides and parental-information materials aimed at instilling a knowledge and understanding of appropriate behavior online. The ITAA believes that a long-range, ongoing effort to ensure proper behavior is the best defense against the growing number of reported incidents of computer crime.

3. Expanding Research and Development. ITAA believes that between industry's market-driven R&D and government's defense-oriented R&D projects, gaps may be emerging that no market forces or government mandates will address. ITAA and its member companies actively support President Clinton's call for an Institute for Information Infrastructure Protection. This institute, under consideration by the President's Committee of Advisors on Science and Technology, will focus limited government funding on targeted R&D projects conducted through consortia of industry, academia and government.

Key Groups and Organizations

• The Information Technology Association of America (ITAA) provides global public policy, business networking, and national leadership to promote the continued rapid growth of the IT industry.
ITAA consists of 400 direct and 26,000 affiliate corporate members throughout the U.S., and a global network of 41 countries' IT associations. ITAA members range from the smallest IT start-ups to industry leaders in the Internet, software, IT services, ASP, digital content, systems integration, telecommunications, and enterprise solution fields. (www.itaa.org)

• The National Infrastructure Protection Center (NIPC) is a multi-agency organization whose mission is to detect, warn of, respond to, and investigate computer intrusions and other unlawful acts that threaten or target our Nation's critical infrastructures. Located in the FBI's headquarters building in Washington, D.C., the NIPC brings together representatives from the FBI, other U.S. government agencies, state and local governments, and the private sector in a partnership to protect our Nation's critical infrastructures. (www.nipc.gov)

• The President's Commission on Critical Infrastructure Protection (PCCIP) was formed to advise and assist the President of the United States by recommending a national strategy for protecting and assuring critical infrastructures from physical and cyber threats. (www.pccip.ncr.gov)
• The Critical Infrastructure Assurance Office (CIAO) is a government agency charged with plotting a federal plan for protecting the nation's critical infrastructures from disruption or attack. (www.ciao.gov)

• The Institute of Internal Auditors will be holding a series of briefings and meetings around the country, in conjunction with the CIAO and ITAA, to discuss critical infrastructure issues as they relate to internal company audits by accounting professionals. (www.theiia.org)

• Americans for Computer Privacy (ACP) is a broad-based coalition representing financial services, manufacturing, telecommunications, high-tech and transportation, as well as law enforcement, civil liberty, pro-family and taxpayer groups. ACP supports policies that promote industry-led, market-driven solutions to critical information infrastructure protection and that oppose government efforts to impose mandates or design standards, or increase widespread monitoring or surveillance. (www.computerprivacy.org)

• The Center for Education and Research in Information Assurance and Security at Purdue University (CERIAS) is a center for multidisciplinary research and education in areas of information security. (www.cerias.purdue.edu)

• The CERT Analysis Center was recently established to address the threat posed by rapidly evolving, technologically advanced forms of cyberattacks. Working with sponsors and associates, the CERT Analysis Center collects and analyzes information assurance data to develop detection and mitigation strategies that provide high-leverage solutions to information assurance problems, including countermeasures for new vulnerabilities and emerging threats. The CERT Analysis Center builds upon the work of the CERT Coordination Center. It extends current incident response capabilities by developing and transitioning protective measures and mitigation strategies to defend against advanced forms of attack before they are launched.
Additionally, it provides the public and private sectors with opportunities for much-needed collaboration and information sharing to improve cyber attack defenses.

• International Centre for Security Analysis (ICSA). Based at King's College London, ICSA is an international center of excellence that conducts research on the policy and technological implications of information assurance. ICSA addresses both the economic and defense aspects of the threats posed by electronic attack. ICSA is hosting the IAAC in order to enhance its research base and to strengthen links between academia and private and public sector end-users. (www.icsa.ac.uk)

• World Information Technology and Services Alliance (WITSA). WITSA consists of the national information industry representative bodies from around the world. Its role is to develop public policy positions on issues of concern to the information industry and present these positions to governments and international organizations. (www.witsa.org)

Key People

• Richard D. Pethia, Director of the CERT Centers, Software Engineering Institute (SEI), Carnegie Mellon University

27
• Harris Miller, President of the Information Technology Association of America (ITAA) and President of the World Information Technology and Services Alliance (WITSA)

• John S. Tritak, Director of the Critical Infrastructure Assurance Office (CIAO). As Director, Mr. Tritak is responsible for supporting the National Coordinator for Security, Infrastructure Protection, and Counter-Terrorism in the development of an integrated National Infrastructure Assurance Plan to address threats to the nation's critical infrastructures, including communications and electronic systems, transportation, energy, banking and finance, health and medical services, water supply, and key government services. As Director, he will also coordinate a national education and awareness program, as well as legislative and public affairs initiatives.

• Louis J. Freeh, Director of the Federal Bureau of Investigation, U.S. Department of Justice

• Sen. Jon Kyl (R-AZ), Chairman of the Terrorism, Technology and Government Information Subcommittee of the Senate Judiciary Committee

Other: Major Legislation. Emerging federal computer crime legislation can be divided into three broad categories:

1. enhanced law enforcement against cybercrime suspects
2. technical solutions to breaches of network security
3. improved information sharing

Enhanced Law Enforcement. Senate Bill 2092, the Schumer-Kyl High-Tech Crime Bill, seeks to modify Title 18 of the United States Code relating to the use of pen registers and trap-and-trace devices. The bill provides law enforcement with nationwide trap-and-trace authority. Under current law, investigators who are trying to track a hacker must obtain a trap-and-trace order in each jurisdiction through which an electronic communication is made. S. 2092 amends current law to authorize the issuance of a single order to trace an online communication all the way to its source, regardless of how many intermediary sites it passes through.
Industry has expressed some concern that the bill would create undue administrative and financial burdens for ISPs and other telecommunications companies in complying with the trap-and-trace provisions, not to mention the possibility of breaching privacy policies they have established with their customers. Another industry representative doubts the bill will be enacted in the immediate future, if at all, due to a controversial provision that would treat some juvenile offenders as adults in a criminal proceeding.

Technical Solutions. HR 2413, the Computer Security Enhancement Act of 1999, outlines a fellowship program to increase the number of skilled IT workers. There is currently a critical shortage of IT professionals and, more specifically, an acute shortage of information security specialists. Expanding workforce development is a key prerequisite for protecting the nation's critical infrastructure.

28
Encouraging Information Sharing. Bipartisan information sharing legislation is expected to be introduced in the House of Representatives by Congressmen Tom Davis and James Moran, both of Virginia, within the next few weeks. The bill will seek to promote the formation of Information Sharing and Analysis Centers (ISACs) to facilitate the collection, analysis and dissemination of security data to government and industry. The bill will also create exemptions from Freedom of Information Act (FOIA) requests for information on network attacks on certain firms. The hope is that industry will feel more inclined to share information knowing that it will not be subject to a FOIA request. The bill also contains provisions that encourage information sharing without creating liability situations.

29
Encryption/Cryptography

Issue: One of the principal aims of information security is data integrity, that is, ensuring that data in a file remains unchanged or that any received data matches what was sent. Encryption (the conversion of data into an unreadable form via an encryption algorithm) enables information to be sent across communication networks, which are assumed to be insecure, without losing confidentiality or integrity. Encryption can also be used for user authentication. For example, Lotus Notes uses encryption both for message confidentiality and to verify the sender's identity to the recipient. Encryption provides assurances when the computer system or network cannot be trusted.

Encryption is gaining popularity as more companies begin to rely on shared public networks such as the Internet rather than private leased lines for e-mail and electronic commerce. Encryption helps protect the transmission of payment data, such as credit card information, and addresses the problems of authentication and message integrity. Authentication refers to the ability of each party to know that the other parties are who they claim to be. Message integrity is the ability to be certain that the message that is sent is not altered or copied before reaching the recipient.

Background: An encryption algorithm transforms plain text into a coded equivalent (known as cipher text) for transmission or storage. The cipher text is decrypted at the receiving end and restored to plain text. The algorithm uses a key, a binary number typically from 40 to 128 bits in length for single-key systems or 512 to 2,048 bits or more for public-key systems. The data is "locked" for sending by using bits in the key to transform the data bits mathematically. At the receiving end, the key is used to unscramble the data, restoring it to its original binary form.
The effort required to decode the unusable scrambled bits into meaningful data without knowledge of the key – known as breaking or cracking the encryption – is typically a function of the complexity of the algorithm and the length of the keys. In most effective encryption schemes, the longer the key, the harder it is to decode the encrypted message. Two types of algorithms are in use today: (1) shared single key (known as secret key or symmetric key) and (2) public key (or asymmetric key).

1. Single-Key Encryption. In single-key algorithms, the same binary number is required to encrypt and decrypt the data. This single key must be kept secret for the information to remain secure. Therefore, a different shared key is required for each pair of users. The system is symmetric in that the same key and the same algorithm are used for both encryption and decryption. The Data Encryption Standard (DES), which officially became a U.S. government standard in 1977, is the leading single-key algorithm, with the standard specifying a 56-bit key.

30

Many experts consider longer key lengths of at least 90 bits necessary for the future. U.S. military-strength encryption requires key lengths of 1,024 bits or more. In 1998, RSA Data Security conducted a contest to see how quickly a 56-bit DES key could be broken. In July 1998, a team from the Electronic Frontier Foundation cracked a 56-bit key in 56 hours. Businesses are beginning to explore encryption methods other than those based solely on 56-bit DES keys, including:

1) Triple-DES – Encrypts information three times using two different 56-bit keys, thus increasing the effective key size of DES so that the result is computationally more secure and, therefore, more difficult to break. Triple-DES has an effective key length of 112 bits. The benefits of Triple-DES include the fact that no known attacks have succeeded in breaking two 56-bit keys, it is incorporated easily into existing systems, and it is a standards-based algorithm. Drawbacks include the computing power required (three times that of normal DES) and the difficulty of managing and distributing keys associated with any secret-key algorithm.

2) International Data Encryption Algorithm (IDEA) – Encrypts information using a 128-bit key and 8 rounds. IDEA is recognized as a fast, Triple-DES-equivalent cipher. IDEA is considered secure, with no algebraic weaknesses that might make it susceptible to being broken. IDEA can be implemented in software or hardware and has similar performance characteristics to DES.

2. Public-Key Encryption. The other major type of algorithm in popular use is public-key encryption, which is based on two keys: one to encrypt the message and another to decrypt the message. The algorithm is not symmetric, so knowing the public encryption key is no help in being able to decrypt a message. Users wanting to receive encrypted information can announce their public key, which is then used by the sender to encrypt data to be sent to them.
Public keys are typically stored in a public directory. Only the holder of the private key can decrypt the data. Public keys are attached to a digital certificate, which ties the user's identity to the public key. The problem of managing a large number of public keys and making them widely available (yet easily revoked by their owners) is the primary challenge to be addressed.

Public-key encryption is gaining in popularity with the growth of e-commerce over the Internet, in particular because it does not require the exchange of private keys before sending encrypted messages, unlike single-key encryption. The most commonly used public-key algorithm is RSA, created by RSA Data Security. RSA Data Security's recommended key sizes are now 768 bits for personal use, 1,024 bits for corporate use, and 2,048 bits for valuable keys such as the key of a certification authority. RSA Data Security expects a 768-bit key to be secure until 2004.

31
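The sender-authentication use of public-key cryptography mentioned in the Issue paragraph, worked through as an added example (not from the manual): the sender signs a SHA-256 digest of a message with the private key only it holds, and anyone with the published public key can check that the message is unaltered and came from that sender. The `SignMessage`/`VerifyMessage` names, the constructed purchase-order text and the 2,048-bit key size (the text's figure for valuable keys) are my assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SignMessage produces a digital signature for msg: the message is hashed with
// SHA-256 and the digest is signed with the sender's private key, which only
// the sender holds. (Hypothetical helper, not a library API.)
func SignMessage(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// VerifyMessage checks sig with the sender's published public key. It returns
// true only when msg is unaltered and sig was made with the matching private
// key, which gives the recipient both integrity and authentication.
func VerifyMessage(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// SignatureOutcome records what a recipient observes in three situations.
type SignatureOutcome struct {
	Genuine     bool // unaltered message, sender's public key
	Tampered    bool // message changed after signing
	WrongSigner bool // signature checked against another party's public key
}

// DemoSignature runs the flow with a constructed purchase order and a
// constructed second key pair standing in for anyone who is not the sender.
func DemoSignature() (SignatureOutcome, error) {
	var out SignatureOutcome
	sender, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return out, err
	}
	other, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return out, err
	}
	msg := []byte("Purchase order 1234: 500 units at $10.00 each") // constructed sample
	sig, err := SignMessage(sender, msg)
	if err != nil {
		return out, err
	}
	// One digit changed in transit: the digest no longer matches the signature.
	altered := []byte("Purchase order 1234: 500 units at $1.00 each")
	out.Genuine = VerifyMessage(&sender.PublicKey, msg, sig)
	out.Tampered = VerifyMessage(&sender.PublicKey, altered, sig)
	out.WrongSigner = VerifyMessage(&other.PublicKey, msg, sig)
	return out, nil
}

func main() {
	out, err := DemoSignature()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v tampered=%v wrongSigner=%v\n",
		out.Genuine, out.Tampered, out.WrongSigner)
	// genuine=true tampered=false wrongSigner=false
}
```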
Recommended key length schedules are published on RSA Data Security's web site at www.rsa.com/rsalabs/newfaq.

Digital Signatures. One application of public-key encryption is evident in the development of digital signatures. A digital signature is an encrypted alphanumeric code attached to an electronic message that is both unique to the message and unique to the person sending it. The digital signature is assigned to the document by a digital signature software program. The sender then encrypts the alphanumeric code using his private key. The recipient verifies the authenticity of the digital signature by using the sender's public key to decrypt it. If the verification process confirms the digital signature, the recipient has reasonable assurance that the message is authentic and has not been altered. While in theory only the sender can access his private key, there is a potential for the private key to be compromised if it is not protected. Certification Authorities (CAs) or other trusted third parties can provide some assurance that available public keys correspond to the signer's private key. CAs can also revoke or suspend public keys, rendering the associated private key useless. Standardizing digital signatures using a public key infrastructure (PKI) is preferable because it ensures a high degree of data integrity and authentication while enabling users to conduct business transactions with multiple business partners, suppliers and customers without mandating a technology choice.

In sum, digital signatures accomplish four goals:

1. Ensure data integrity – The recipient can determine if the data has been altered.
2. Ensure confidentiality – The sender can encrypt data such that only certain recipients can decrypt that data.
3. Ensure non-repudiation – The recipient cannot deny receiving a message because the public key used to decrypt the message returns a proof of receipt.
4. Provide authentication – The digital signature allows the recipient to identify who signed the message.

Conflict:

• PKI as the preferred encryption technology. PKIs, including PKI-based digital certificates and signatures, are becoming the authentication system of choice for conducting e-business on the Internet. Reasons include a price decline in PKI products stemming from a fierce battle among suppliers to gain market share, as well as fundamental improvements in the system making it more flexible and easier to deploy. The primary application for PKI is b-to-b e-commerce with enterprise customers, business partners and suppliers. Applications driving the adoption of PKI include Internet-based financial transactions and customer service. IS managers are also deploying PKI for use with Internet-based b-to-c e-commerce, electronic funds transfer and sales applications.

32
The principal reason IS managers are selecting PKI-based systems is to manage enterprise risk arising from the use of Internet channels to conduct business. Compared with alternative authentication systems, only PKI-based digital certificates and signatures can be relied on to mitigate the financial risks associated with e-commerce. IS managers have identified the following criteria for authentication systems:

1. It must provide validity and integrity for invoicing and revenue-recognition purposes.
2. It must provide widespread and ubiquitous interoperability.
3. It must meet financial, auditing, legal and uniform commercial standards.
4. It must be economically practical to deploy and maintain.
5. It must be difficult or economically impractical to steal or duplicate.

Traditional access security systems – passwords, hardware tokens, and biometric systems – fail to meet these requirements. Although passwords are the most common form of authentication, they do not provide sufficient proof of who an Internet user claims to be. Hardware tokens are impractical to implement: to be deployed effectively, IS managers would have to force customers, suppliers, and business partners to adopt the enterprise's specific technology choice. Rather than making it easier to conduct business with the enterprise, token-based systems may merely route customers to competitors. Biometric signatures such as retinal scans, fingerprinting and voice signatures provide the best proof of identity. However, biometric systems are prohibitive to implement due to high costs. Moreover, they are difficult to implement because they require customers to submit biometric signatures.

However, the PKI-digital certificate system is not without security weaknesses. Security analysts maintain that an astute hacker can access the private key over the Internet. Therefore, sealing entry to the private key with only a user name and password is not acceptable.
Security vendors have developed a variety of solutions to this problem, collectively known as "extended user authentication." Essentially, these technologies, which can be hardware- or software-based, require the user to enter some form of secured identification to access the password or the private key. There has been some debate as well regarding authorization-linked digital signatures versus identity-linked digital signatures. While governments have invested significant effort in developing the latter, IT professionals believe authorization-linked signatures will be more important in protecting digital transactions and promoting e-commerce.

• Government bans on strong encryption exports. The government's concern with cryptography centers on its ability to ensure the continuing viability of intelligence operations. With the advent of strong encryption techniques, intelligence gathering organizations throughout the world are justifiably concerned that intelligence gathering measures will be rendered obsolete. From that perspective, extensive deployment of strong cryptography poses a serious security threat. However, providing government access to keys undermines confidence in cryptography, thereby slowing its deployment.

33

The U.S. government announced in September 1999 its revised approach to encryption. The Clinton Administration's policy seeks to balance a competing range of national interests, including promoting e-commerce, supporting law enforcement and national security, and protecting privacy. In short, under the new policy, any encryption commodity or software of any key length may be exported under license exception, after a technical review, to individuals, commercial firms, and other non-government end users in any country except for the seven state supporters of terrorism (Iran, Iraq, Libya, Syria, Sudan, North Korea and Cuba). Any retail encryption commodities and software of any key length may be exported under license exception, after a technical review, to any end user in any country, except for the seven state supporters of terrorism. Streamlined post-export reporting will provide government with an understanding of where strong encryption is being exported, while also reflecting industry business models and distribution channels.

On April 3, the Electronic Privacy Information Center (EPIC) released a study on encryption policies in 135 countries. Cryptography and Liberty 2000 finds that the trend toward relaxation of export controls is continuing, but also that law enforcement agencies are seeking new authority and new funding to gain access to private keys and personal communications.

• How to manage the key network?
Key recovery can be thought of as an encryption system (with a backup decryption capability) that allows authorized individuals, such as company officers or government officials, to decrypt encrypted text with the help of information supplied by one or more trusted parties who hold special data recovery keys. These data recovery keys are not the same as the keys used to encrypt and decrypt the data, but rather provide a means of determining the data encryption/decryption keys. The term key escrow refers to the safeguarding of these data recovery keys with a government entity or government-licensed escrow agent. Key recovery mechanisms differ from key escrow in that the former provide a means of recovering the session key of a message, so that in an emergency or for law enforcement requirements, the session key that encrypted a file can be recovered and that file (and only that file) can be decrypted. Typically, key recovery schemes use a random session key encrypted with the public key of the recipient as well as with the public key of the key recovery center. The key recovery center can then unlock the random key used to encrypt that particular message or data file.

The Key Recovery Alliance (KRA), a consortium of over 60 companies dedicated to strong encryption and to helping define a policy framework for businesses and institutions, believes that many of the more recent forms of key recovery offer stronger protection against unlawful search and seizure. Nevertheless, the KRA makes the following recommendations:

34

1. Establish legal access standards for government to Key Recovery information under conditions of due process, including procedures clearly stating the government's accountability and auditability.
2. Establish standards for the retention and destruction of Key Recovery information once it is acquired by government under lawful means. Once government acquires recovery information through duly authorized means (e.g., under court order), it must operate under clearly defined standards established by law governing the use and destruction of such information.
3. Establish procedures guaranteeing that government agencies, once key recovery information has been acquired and managed according to the two preceding items, will not use the information to modify the treatment of content in any form.

Key Groups and Organizations

1. The Center for Democracy and Technology (www.cdt.org) works to promote democratic values and constitutional liberties in the digital age. With expertise in law, technology, and policy, CDT seeks practical solutions to enhance free expression and privacy in global communications technologies. CDT is dedicated to building consensus among all parties interested in the future of the Internet and other new communications media.

2. The Key Recovery Alliance (www.kra.org) is a group of more than 60 international companies (including IBM and TIS) that is dedicated to strong encryption and to helping define a policy framework for businesses and institutions. The Alliance focuses on the interoperability of key recovery technologies while supporting a wide range of existing industry solutions.

3. The Identrus Pilot Project (www.identrus.com) is a global trust organization created to provide authentication for digital certificates.
Founding members include Bank of America, ABN AMRO, Bankers Trust, Barclays Bank, Chase Manhattan Bank, Citigroup, Deutsche Bank, and Hypo Vereinsbank. Using PKI technology, Identrus aims to establish a secure, global business-to-business e-commerce network by providing global CA services for b-to-b transactions. Initial users will be the corporate customers of the founding banks.

4. Business Software Alliance (www.bsa.org) is a trade organization representing the world's leading software developers before governments and with consumers in the international marketplace. BSA educates computer users on software copyrights; advocates public policy that fosters innovation and expands trade opportunities; and fights software piracy. BSA worldwide members include Adobe, Autodesk, Bentley Systems, Corel, Lotus Development, Macromedia, Microsoft, Network Associates, Novell, Symantec and Visio.

35
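The key recovery scheme described under "How to manage the key network?" above, as an added example that is neither the manual's own material nor any Key Recovery Alliance product: each file gets a random single-key session key, and that key is wrapped with public-key encryption once for the recipient and once for the key recovery center, so the center can recover that one file's key without ever holding the recipient's private key. AES-256-GCM and RSA-OAEP are my choices for the two algorithm types, and the `Envelope` layout and the `Seal`/`Recover` names are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"io"
)

// Envelope is a constructed container for one encrypted file: the data under
// a per-file session key (single-key AES-256-GCM) plus that session key
// wrapped twice, once for the recipient and once for the key recovery
// center (KRC), each with public-key encryption.
type Envelope struct {
	Nonce           []byte
	Ciphertext      []byte
	KeyForRecipient []byte // session key under the recipient's public key
	KeyForRecovery  []byte // session key under the KRC's public key
}

// wrapKey encrypts the session key for one public-key holder with RSA-OAEP.
func wrapKey(pub *rsa.PublicKey, key []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
}

// UnwrapKey recovers a wrapped session key; only the matching private key works.
func UnwrapKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

// newGCM builds the single-key cipher for a 32-byte session key.
func newGCM(sessionKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under a fresh random session key and wraps that key
// for both the recipient and the KRC, as the key recovery scheme describes.
func Seal(recipient, krc *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	sessionKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, sessionKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	env := &Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}
	if env.KeyForRecipient, err = wrapKey(recipient, sessionKey); err != nil {
		return nil, err
	}
	if env.KeyForRecovery, err = wrapKey(krc, sessionKey); err != nil {
		return nil, err
	}
	return env, nil
}

// OpenWithSessionKey decrypts one envelope with its session key, however that
// key was obtained. GCM's authentication tag makes a wrong key fail outright.
func OpenWithSessionKey(sessionKey []byte, env *Envelope) ([]byte, error) {
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// Recover is the KRC's path: it unwraps this envelope's session key with the
// KRC private key. That key opens this file and only this file.
func Recover(krcPriv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	sessionKey, err := UnwrapKey(krcPriv, env.KeyForRecovery)
	if err != nil {
		return nil, err
	}
	return OpenWithSessionKey(sessionKey, env)
}
```

Because every file carries its own session key, a recovered key exposes nothing beyond the one file it was issued for; the recipient's private key never leaves the recipient.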