Subject: Sep2000 ECMgt.com: Privacy Concerns Increase
Privacy issues have always been a key reason for potential online consumers to avoid e-commerce. In the early days of e-commerce, a significant fraction of consumers thought that credit cards could be "snatched" off the Internet. Solid encryption using SSL has reduced most of those fears, and for the most part, new consumers don't worry about losing credit cards while online. However, as the Internet assumes "real world" status, issues that concern all consumers have migrated to the Web. These include:
Duplication and forgery, meaning buying from a copycat site; unauthorized access to stored data, especially personal information and transaction history; and theft of credit card numbers from servers. Of all these, access to purchase history worries consumers most, as "anonymity" and privacy in purchasing is cited by 40% of Internet shoppers as a major reason for purchasing over the Internet.
How much of your life is on the Internet?
Many consumers don't want any personal information on the Internet, period. But this opens up the biggest issue: as most vertical industries, especially insurance, health care, government, and retail, are creating intranets and extranets for suppliers and partners, and websites for consumers, all of our most sensitive data is being interconnected over TCP/IP networks. Network and server security, now a $14 billion industry, is about letting the right people access data and keeping everyone else out. As e-commerce (electronic commerce) creates automated computer-to-computer purchases over networks in a "lights-out" mode, the integrity of front and back end systems, and of the financial networks they connect to, is paramount to global commerce. Firewalls, encryption, virtual private networks, and biometric authentication are just some of the tools in the arsenal that businesses deploy, collectively, to deter unauthorized activity.
For operators of websites, intrusion and attack by hackers, most recently Distributed Denial of Service (DDoS) attacks, have created an environment where operating a successful commerce site requires more than novice knowledge of security. Very few web-based businesses have experience with online attacks, especially from international hackers with very high skills at intrusion.
While there has been no validated loss of a credit card in transit in the five years of commerce on the Internet, there have been several widely publicized thefts of credit cards from web commerce sites where they were stored. One case involved the theft of 100,000 credit card numbers and an unsuccessful attempt to sell them to an undercover FBI agent. Theft of credit cards from servers is just one way e-commerce sites have been attacked. The denial of service attacks launched against Yahoo, eBay, and Amazon earlier this year caused combined losses to e-commerce sites of hundreds of millions of dollars. The third area of attack, email viruses (worms), has caused over a billion dollars worth of damage in the last two major attacks alone.
How much of your life is on the Internet?
Today, half of 80 million American adults have purchased something online, and 8 million of those individuals use Amazon.com, which typically stores buyer preferences. Most of us don't think about the transaction histories and user preferences that are more and more frequently being mined, creating "personalized pages" and direct email offers announcing products and services that "individuals like us" are exploring.
But security on the Internet, vis-à-vis Web commerce, is only the tip of the iceberg. Many security conscious organizations, starting with the Electronic Frontier Foundation (EFF), then TRUSTe (see this month's feature story http://ecmgt.com/Sep2000/feature.htm), have been proponents of voluntary restrictions on information collection, storage and redistribution. The EFF, founded by Lotus founder Mitch Kapor, foresaw a time when merging data from computer databases, public government records, retail purchases, medical records, and the "data wake" left by our web surfing could create a fairly accurate representation of our persona. By using common key fields, creating this master file would not be too difficult.
Who owns your Web data?
The Internet is driving awareness of a problem that is not new. While most web users feel that their surfing habits are personal and belong to them, they must remember that when they enter a website, there are terms and conditions of use. Packet tracking, used by sophisticated software to develop real time user profiles for personalization, product presentation, and special promotions, is a rapidly growing technique used by most large e-tailers to maximize sales and ROI. While physical stores may be anonymous, the digital engine of an e-commerce site lends itself to a much higher degree of customer shopping analysis. Most sites have no reason to share this data and, on the contrary, should protect it as a prized asset.
Who owns your other data?
The more disturbing question that citizens should ask is who owns our medical data, retail transaction history, banking and credit information, and public government records. In all cases the answer is - not us. As health insurance, government, and financial institutions use the Internet and electronic documents, rather than private networks and paper, our most personal information can be divulged to parties not known to us. There are no standards, state or national, in place, and the Internet is only accelerating the risk.
Most large websites encourage repeat spending by storing credit card information and user profiles, including address and billing information, on their servers. However, most e-commerce sites do not encrypt this information. TRUSTe and BBBOnLine do not require "data safety" procedures, and audits of website logs for packet intrusion to back end servers are not required. As e-commerce grows, standards organizations will likely assemble the best practices of sites to create a formal set of procedures, much as local ordinances require businesses to meet standards for health and safety.
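The "data safety" audit the paragraph above says nobody requires can be started with a simple check: scan the records and web logs a site keeps for card numbers stored in the clear. The script below is an added example, not code from the newsletter or from TRUSTe or BBBOnLine; the profile rows and the log line it scans are constructed for the example, and the report masks everything but the last four digits so the audit output itself does not become another copy of the card data.

```python
"""
Added example (not from the ECMgt.com newsletter): a small "data safety" audit
that scans stored records and web server log lines for card numbers kept in
the clear. The sample records and log line below are constructed.
"""
import re
from typing import Dict, List

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not glued to a longer digit run on either side.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    # Walk from the rightmost digit, doubling every second digit.
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits so findings can be reported safely."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_plaintext_pans(text: str) -> List[str]:
    """Return masked PANs found in the clear in one record or log line."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        # The Luhn check filters order numbers and other digit runs that are
        # the right length but are not card numbers.
        if luhn_valid(digits):
            found.append(mask_pan(digits))
    return found


def audit(lines: List[str]) -> List[Dict[str, object]]:
    """Scan each line; report the line number and masked PANs for every hit."""
    findings = []
    for n, line in enumerate(lines, start=1):
        pans = find_plaintext_pans(line)
        if pans:
            findings.append({"line": n, "pans": pans})
    return findings


# Constructed sample: two stored-profile rows, one web server log line, and
# an order record whose 13-digit number fails the Luhn check.
SAMPLE_LINES = [
    "user=alice;addr=1 Main St;card=4111 1111 1111 1111;exp=0902",
    "user=bob;addr=2 Elm St;card_token=tok_7f3a9c;exp=1101",
    '10.0.0.7 - - [12/Sep/2000:10:01:02] "POST /checkout?cc=5500000000000004 HTTP/1.0" 200',
    "order=1234567890123 shipped",
]

if __name__ == "__main__":
    for f in audit(SAMPLE_LINES):
        print(f"line {f['line']}: card data in the clear {f['pans']}")
```

Run against a real site's own profile store and access logs, a hit on a log line is the more telling finding: it means card numbers are passing through the web tier in a form that gets written to disk, which is exactly the stored-data exposure the paragraph describes. The second sample row shows the alternative the scan should find nothing in: a token in place of the card number.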
A very hot topic of debate today is employer access to employee email messages. Many companies operate filters on email servers to screen for keywords that would indicate improper use of company email accounts. Most states currently consider an employee's email messages to be the property of the employer, using the theory that the network infrastructure, computer workstation, and mail server are all company property. Civil rights advocates argue that employers cannot eavesdrop on employee phone calls, and that the same property issues exist for phone and email. One-third of Fortune 500 firms have dismissed employees for improperly using Web browsing privileges, more for viewing adult material than for "surfing". Cookies, cached images, and URL history files have all been used by employers to validate misuse of computers and to sanction or dismiss employees.
Internet legal issues:
Currently the United States government drives the majority of legislation on the Internet, but is seen as only a "local ordinance". Constitutionally, states' rights supersede national laws, but a fragmented and political atmosphere has caused the legal environment of the Internet to fall ever further behind the technology, and this applies to privacy rights. US Cryptography Export Controls have kept encryption technology from developing faster. Ironically, as adoption of the SET (Secure Electronic Transactions) standard grows, the ability to digitally sign and encrypt documents may help with issues of non-repudiation and authenticity that ultimately protect privacy. (See the section at the end describing the recent submission of legislation by Ernest Hollings for the Consumer Privacy Protection Act.)
Criminals and other stalkers:
Websites that offer personal classifieds, escort services, and chat rooms at the largest portals all over the Internet have been plagued by criminals and other stalkers who prey on the naivete of teenagers, especially younger girls, who don't know the identity of the individuals they are having personal dialogue with. High tech crime units, including the one in San Jose, California, are working closely with portal and community sites to investigate cases of stalking and other crimes by sex offenders.
Viruses, DDoS, and Internet security:
Computer viruses are not new to the Web. The Internet worm in 1987 shut down a significant fraction of government sites. More recently, two computer viruses that propagated through email caused over a billion dollars in damage to companies whose email systems and networks were partially disabled by the rapidly propagating virus. As such, computer viruses represent a security risk to e-commerce, as they can disable the entire technical e-commerce infrastructure. The Distributed Denial of Service (DDoS) attacks in early 2000 halted commerce at Amazon.com, eBay, and Yahoo. In a 1998 survey, over 80% of Fortune 5000 firms reported break-ins into corporate networks that caused at least 1 million dollars in damage. Internet security is now a $14 billion industry.
Senator Unveils Net Privacy Bill:
Senate Commerce Committee member Ernest Hollings (D-S.C.) introduced the "Consumer Privacy Protection Act" in May 2000, which aims to require consumer consent for information use and offers "limited protections in the offline world". Websites that collect and use personal consumer data would be required to gain those consumers' consent under the new privacy bill introduced in May 2000. In addition to requiring "opt-in" consent, the bill also calls for websites to clearly display their privacy policies, to give consumers access to identifiable information and the ability to modify it, and to follow specific procedures for data.
The proposed "Consumer Privacy Protection Act" has the ambitious goal not only of requiring consumer consent for information use but also of offering "limited protections in the offline world." The bill's introduction comes as the Federal Trade Commission (FTC) plans to outline its proposal for asking Congress to give the agency broader power to regulate online privacy.
The bill also calls on the FTC to undertake further privacy studies and offer more recommendations on improving privacy. The measure also would direct the National Institute of Standards and Technology to launch a research and development program on computer security issues that would "complement private sector research." Hollings' bill joins a growing list of legislation tackling online privacy, as well as financial and medical data protection.
What to do about Internet criminals?
How can Internet criminals be punished? One difficulty is that these crimes are often committed by individuals who are minors, or are prosecuted as misdemeanors without assessing the monetary damage incurred. The more difficult issue is that, heretofore, these crimes have been conducted by individuals rather than organized groups, such as terrorist organizations or even rogue elements of terrorist states. Security issues on the Internet, both for individuals and corporations, will take time to resolve in legislation that lags behind the rapid pace of technology. In the meantime, participation in organizations such as the Electronic Frontier Foundation (http://www.eff.org), TRUSTe (http://www.truste.org), and Better Business Bureau Online (http://www.bbbonline.org) is the best means for Netizens to engage with and expedite the privacy issues on the Internet.
The bigger picture:
The early moments of the War in Iraq were not fought with physical missiles, but instead with an attack on the computer network supporting Iraqi air defenses. With that compromised, the "traditional" war could start. Today, the assets of any sovereign nation may be only as good as the computer infrastructure that supports it.
Just as taxation on the Internet has pushed legislators to examine the larger issue of taxation in the United States, "security" issues on the Internet are really about security issues in a digital and networked economy. Personal issues of anonymity are really about privacy, e-commerce infrastructure is the same as a physical premises business, and the foundation of society, our security based on infrastructure, will soon be only as strong as the IT infrastructure that supports our digital and networked economy. Y2K taught us that the foundation of our 21st century civilization is threaded by the digital networks that integrate power, telephone service, banking, transportation, and virtually every networked business computer in the modern world. Internet security affects all of what is digital commerce.
Let me leave you with a few of my favorite quotes this month:
believe the privacy issue will always be a problem with e-commerce simply because there are continuing efforts to learn more and more about us as consumers. E-commerce cannot thrive without having the knowledge and ability to attract business. Further, most consumers are legitimately concerned about personal data being used for unintended

personal data is personal property, people should be empowered to control and benefit from its use. The technology is available. Giving privacy power to the people builds confidence in e-commerce, and gives e-marketers valuable insights. Vendors realize that if they can develop relationships with consumers who want to share information with them, consumers will be more loyal to them, and will give more accurate information.

Whether privacy concerns will increase or decrease will depend on the level of media coverage and on whether or not significant new technologies relating to privacy (either protecting it or defeating it) are introduced. Another factor may be marketing -- companies that vigilantly protect the privacy of their customers may create enough of a groundswell to bring about de facto standards for privacy protection.
I hope you enjoy this eZine.
See you in cyberspace,
Producer, ECMgt.com <http://ECMgt.com>
ECMgt.com is produced by