COLUMN • LOGOFF

Privacy, Please
Online services need to realize that possession of customer information does not imply permission to do with it what they want.
BY SIMSON L. GARFINKEL

"PRIVACY" is a word that tends to get misused a lot by Internet security professionals. Just look at the RFCs, the closest thing the Internet has to a set of standards. The word privacy appears in 282 RFCs—but rarely do the RFC authors use the word privacy the same way that it's used by the majority of computer users.


In the technical documents of the Internet, the word privacy is most often used as a synonym for the word "secrecy"—or even better, the word "encryption." Information is private if it can be transported over the Internet without being intercepted and decoded by an intermediary. Indeed, the word privacy is used so often in this context that it has become a technical term, along with the words "authenticity" and "integrity." Consider this sentence from RFC 2291, an informational RFC on WebDAV: "These protocols should insure the authenticity of messages and the privacy and integrity of messages in transit."

Users of the Internet have a more conventional notion of privacy. For the great majority of Internet users, privacy is the right to be alone. It's also the right to be free of intrusion. Increasingly, people believe that a key aspect of their personal privacy is the right to control how their name, image, reputation and personal information are used.

More than 100 years ago, Samuel Warren and Louis Brandeis prosaically called this right of privacy "the right to be let alone." But nearly 30 years ago, a special commission appointed by the Department of Health, Education and Welfare came up with a better definition for privacy in the computer age: the Code of Fair Information Practices (see http://www.epic.org/privacy/consumer/code_%20fair_info.html). Unfortunately, while the Code still makes good sense today, it has largely been forgotten: Today's universities do not teach it, and most companies do not abide by it.

As the Internet RFCs demonstrate, many security professionals believe that technologies such as encryption can improve the privacy of Internet users. But delivering on this privacy promise will require far more than mere protection for data in flight—it will require a commitment to control the flow of information at the endpoints.

System security is an important tool for protecting personal information—as the recent problems at online services such as HotMail and CD Universe made abundantly clear. But equally important is a commitment on the part of service providers and Internet operators to safeguard information. Online services need to realize that the possession of information does not confer the moral authority to do whatever they wish with that information.

For example, Internet retailer Amazon.com caused a stir last year when it unveiled its "Purchase Circles"—basically, a customized bestseller list for each company that buys books through Amazon.com's Web site. Purchase Circles are a neat idea—I got a chuckle when I learned that "High-Yield Bonds" was the number-one book being purchased at Bank Boston… and that a book on passing the GMAT standardized test was number two. But these purchase circles also violate privacy, because they are a great way to look behind the closed doors of a corporation and see what its employees are reading and working on.

It's important to realize that these privacy violations took place even though Amazon.com uses SSL to protect orders and credit card numbers as they are sent over the Internet. Traditional computer-science definitions of privacy and security can't explain the outrage that many people felt when Amazon.com unveiled its Purchase Circles technology. But the Code of Fair Information Practices does. Information collected by Amazon.com—the titles of books being purchased and the names of companies where those books were being shipped—was compiled and used for a purpose other than for which it was intended, and without the consent of the individuals involved.

Simply allowing people to "opt out" does not remedy this transgression. If Amazon.com is so convinced that companies enjoy the publicity they receive from having the buying habits of their employees known, then Amazon.com should have no problem getting permission from these companies to compile the statistics and display the results.

Privacy may be an elusive quality to define, but the Code of Fair Information Practices is crystal clear. The sooner we start applying the Code in our day-to-day professional careers, the sooner the Internet will become a place in which privacy technology and privacy policy work hand-in-hand.

SIMSON L. GARFINKEL, CISSP, is the chief technology officer of Sandstorm Enterprises and the author of Database Nation: The Death of Privacy in the 21st Century (O'Reilly, 2000).
