This article by Stuart L. Adams, Jr. appeared in the 

Louisville Computer News

 

IS BIG BROTHER WATCHING YOU OR ARE YOU WATCHING BIG BROTHER

Privacy vs. Security on the Internet

(April 1999)

There are lots of good reasons for security on the Internet. There are also lots of ways to get it or get around it. According to a recent Associated Press article, the threat of an electronic "Pearl Harbor" is the most serious of the many dangers facing the U.S. Robert Ellsworth, former deputy defense secretary, was quoted as fearing a cyber-attack on critical information infrastructure, such as electrical power generators, telecommunications, and banking. One example would be "cyber-attacks" by a rogue state or terrorist group disguised as part of a Year 2000 glitch, which might deposit programs months in advance, which would become active on rebooting after an apparent Y2K shutdown. Because of this sort of threat, President Clinton has asked for $2.8 billion to be spent fighting "exotic forms of terrorism," ranging from chemical attacks to online hacks.

Recently CNN.com posted a story indicating the Pentagon ran a simulation based upon the scenario of North Korea hiring 35 hackers to crack the U.S. defense system, using commercially available equipment and software downloaded off the Internet, to prevent the U.S. Air Force from flying over Korea. According to the scenario, called Cyber Receiver, the hackers, without breaking any countries’ laws, worked their way into the 911emergency phone lines in 12 U.S. cities and shut them down. They then cracked 36 computers at the Pentagon, rendering army and navy commanders unable to tell if commands received by any computer were real or bogus.

James Adams (no relation), CEO of iDefense, whose mission is to "defend the critical infrastructure from cyberspace threats" is building "red teams" of superhackers to "test" the strength of systems of its customers. The company also indicates it is developing a certification method that it will use to evaluate and guarantee the safety of the infrastructures of the companies that retain it. Microsoft has reportedly joined as a charter member.

HACK ATTACKS ON THE RISE

A Computer Security Institute survey indicates that for the third year in a row, those responding indicated external attacks on their business computer systems increased, rising from 37% last year to 57% this year. At the same time, attacks from within also increased. Stating that it is not trying to harm freedom of expression, Raytheon Co. is suing 21 of its employees for inappropriately disclosing confidential data about the company through a company message board run by Yahoo. Since Raytheon doesn’t know the identity of the employees, it hopes to find out with subpoenas for Yahoo in a court action it has filed. While courts have upheld the rights of political activists to preserve their anonymity, courts have also upheld subpoenas for the personal data Internet service providers collect and retain on their customers.

There has also been a proliferation of Web sites devoted to hacker tools and methods. Many of these sites contain "cookbooks" for novices and experts to follow to experiment with hack attacks. The sites contain tales of successful attacks on government and business and many contain downloadable files which are the tools used by hackers to conduct the attacks. A few minutes spent at some of these sites would allow even the uninitiated rookie to crack many sites and do incredible damage. We’ve probably all heard the horror stories about sites on the Web which contain recipes for bombs, including enough information to build a nuclear device if you can get the ingredients. These hacker sites are the electronic equivalent, and may fuel even greater damage.

FREEDOMS BEING LEECHED AWAY

A quick look at an electronic forum hosted by InfoWorld gives us some perspective on major issues being debated in this arena. One string of discussion took the position that computers and the Internet have done nothing to infringe on our privacy and freedoms, since it is the inception of Social Security numbers as national ID numbers which erased all that. Another string taking the opposite approach, stated that previously the saving grace was that there was simply so much information "out there" that there was really no effective way to use or abuse it. Now, however, the string continues, that has changed, since the software tools are getting so sophisticated at seeking and gathering this mass of data and correlating it to specific individuals. Yet another insightful comment concludes "people don’t consciously give away their freedom...it seems to get leeched away piece by piece for semi-plausible reasons, but pretty soon all the little reasons add up and before you know it, your freedom is gone."

HAVE A COOKIE?

Any Web surfer understands that not all "cookies" (Persistent Client-Side Hypertext Transfer Protocol files) will leave a good taste. The cookie files are created at the request of the host Web site and left on the visitor’s hard drive containing personal data, so the visitor can be more easily identified when visiting the same site again. Although software is available to prevent cookie deposits or monitor and alert surfers to the situation, and most major browsers have configureable options on this, when browsers visit many Web sites, they typically add cookie files to their own hard drive and leave a trail of such electronic information at the sites they visit. Some of this may simply be the identity of the last previous site visited, but it can be much more.

As Web hosts started to realize the potential value of this information and a new breed of technology became available to again "glean and screen" this information, many of the Web sites became more "aggressive" in obtaining and using this data, and many automatically transmit this data to third parties for a fee. Now it is probably routine to invisibly obtain each visitor’s e-mail address and type of computer, as well as the address of the site from which the visitor linked. A demonstration of this data collection process, sometimes referred to as a "clickstream" can be seen at http://cdt.org, along with a copy of the Center for Democracy and Technology complaint to the FTC against Intel for its use of a Processor Serial Number (PSN), which becomes a personal identification number in its new Pentium III chip. At least one computer expert claims to have figured out a procedure to switch on, change and transmit the PSN without the individual consumer’s knowledge, even after a software patch was loaded to turn it off.

Enter "portals" and personalized financial, hobby, business or other special interest sites. These relatives of the standard Internet Service Providers (ISPs) typically induce customers to use them at no cost by offering free e-mail as well as customizable Web content and links to a personalized selection of other Web sites. The key is to lure potential users to tell more information about themselves than to the other ISPs, so the portals can use their gleaning and screening tools to provide user tailored information and resources. This is great for allowing users to weed through the ever bourgeoning mass of data thrown at them on the Net. It also provides an opportunity for use and abuse by others.

Yahoo, Lycos, Excite and others post information about their policies on how the personal registration data they collect, such as e-mail and postal address, age, education, financial level, profession, shopping preferences, etc., will be used. The customer seems to get a windfall, in that the portal is doing most of the work for the customer, and the portal and its sponsors get an opportunity to drill down through layers of data to more narrowly target their customer profiles. This information can also lead a party in a lawsuit to locate an adverse party, through subpoenas to the portal, as in the Raytheon case and many others that have been filed.

DIGITAL FINGERPRINTS

Shame on you if you voluntarily give a portal personal information, if they do not post, and adhere to, a clear policy on use by third parties. A different situation arises, however, if your information is collected and archived or used by others without your knowledge. A non-Internet example can be found in the litigation filed by the South Carolina Attorney General over the use by a credit company which has purchased the rights to all the photographs and at least some personal data on every South Carolina applicant for a driver’s license. The company is attempting to create a national database containing not only the text on the application but also the photograph, to resell for the purpose of preventing fraud. Once again, the purpose seems fine on its face but many in South Carolina are upset that this "government information" has found its way out of state for commercial purposes.

Many of us subscribe to online publications, usenet newsgroups and forums. Sometimes these are indexed by postings to provide searchable databases including e-mail addresses, to find topics and facilitate responses to keep the string alive. Now, however, powerful software is being used to search the Internet to compile master lists of such data. Such search engines may already be capable of searching for every posting made by a particular individual, to determine what they are interested in and to compile an inventory of their all their various comments.

THE WIZARD OF ID

Que up the Pentium III and Windows 98. Recently Richard Smith of Phar Lap Software discovered that Windows 98 uses a subprogram called RegWiz, which supposedly only processed your new product registration form to send to Microsoft over the Internet. During the process, your PC produces two identification numbers called the hardware identification number (HWID) to uniquely identify the computer’s configuration and the Microsoft ID (MSID) to uniquely identify the user. Although the information was voluntarily keyed in by the customer, for the apparent purpose of allowing Microsoft to better diagnose and repair or prevent problems caused by the software installation on a wide variety of differently configured machines, it was learned that some personal information was still stored in the registry of Windows 98 and some was transmitted to Microsoft without the customer’s knowledge. If you also answered, during electronic registration of the product, that your machine was connected to a network using an Ethernet card, an additional batch of personal information was generated. Microsoft has now said it will alter its program and purge its database of any information it may have "accidentally" gathered improperly. Robert Bennet, Microsoft’s group product manger for Windows, has acknowledged that in some cases this information was transmitted to Microsoft during registration, even when the computer user clicked the choice to not send the data.

The outrage expanded when it was later learned that Windows 98 and some other Microsoft products also added a digital number to every document generated by the user, including not just word processing documents, but also e-mail, spreadsheets and others. These, when sent over the Internet, could at least theoretically be gleaned and screened, to trace back to an otherwise anonymous author. Suppose such a person was a police informant, whistle blower or abused spouse.

Microsoft has now pledged to purge this information and remove the offending code from its next release of Windows 98, which is scheduled to ship to PC manufacturers this summer. Microsoft has also pledged to make patches available around the time of publication of this article, at its Web site, http://officeupdate.microsoft.com/index.htm, which will stop creation of these numbers in Office 97 documents and purge the identifiers from existing files. The site currently has an article describing the problem and stating what the company intends to do about it.

LEGISLATION AND SELF-REGULATION

Unfortunately, there is no comprehensive set of privacy rights laws. We do have the Electronic Communications Privacy Act, which is essentially the 1986 revision of the federal wiretap statutes. This Act provides for both civil and criminal penalties for interception, disclosure or use of e-mail and other electronic media, but also contains some important exceptions. There are a multitude of federal and state laws already on the books and even more circulating for passage. There are also a growing number of sites devoted to privacy issues where you can learn more about the issues and potential solutions. Perhaps the industry will engage in self-regulation, but meanwhile, if you are concerned about your right to privacy and the increasingly rampant commercialization of these databases, learn more about what is happening to you so you can deal with it online and with your elected officials.