But First, the Bill of Rights
The issue of privacy is a great concern for everyone. A survey sponsored by Dell Computer, conducted in August 2000 by Harris Interactive, revealed that even in the more sanguine days of Internet optimism, loss of personal privacy ranked as an issue of higher concern for Americans than the issues of crime, health care, or the environment. Internet-connected PCs, however, are an ongoing threat to individual privacy. We'll categorize and identify the major threats in the pages that follow and offer solutions.
The United States Constitution does not expressly list a right to privacy. However, several of the rights that are specifically guaranteed in the “Bill of Rights” inherently assume that a privacy right exists. For example, the Fourth Amendment's guarantee that citizens will be “secure in their persons, houses, papers, and effects, against unreasonable searches and seizures” implies that privacy is a matter of right. The Fifth Amendment's guarantee that a citizen shall not “be compelled in any criminal case to be a witness against himself” indisputably suggests that the right to keep information private was obvious to all. Two drafters of the U.S. Constitution, Alexander Hamilton and James Madison, affirmatively demonstrated their right to privacy by publishing The Federalist Papers anonymously (as cited in Crispo & Grosso, 1998). In recent times, this foundational principle of American law was referred to by the United States Supreme Court as “privacy guaranteed by the Fourth Amendment” (Scalia, 2001). The Privacy Act of 1974, as well as laws banning tampering with U.S. Mail and stalking, are all expressions of the belief that privacy is a citizen's right and that violation of that right produces unfavorable consequences for the individual and for society as a whole.
These laws exist for good reasons.
- Psychologically, humans have a fundamental need for personal space, and “peace of mind” that their privacy in that space will not be interfered with. One of the most frequent comments heard from burglary victims is how violated they feel that someone was going through their belongings. Even people who do not consider privacy to be a significant concern and feel that they have nothing to hide typically use curtains on their bedroom windows and send mail sealed in envelopes rather than postal cards.
- Sociologically, people can function better together if boundaries protecting privacy exist. Without privacy, individuals are far less likely to report organized crimes because of the fear of reprisal. Without privacy, individuals are far less likely to pursue AIDS testing, or treatment for other medical conditions that would make them unable to purchase insurance or subject them to ostracism.
- Philosophically, privacy is an assertion of human individuality. It is a statement that I have the right to control “this” and to decide if it is disclosed to others or not. It is an assertion of ownership that states, “This belongs to me.”
- Politically, privacy serves as a catalyst for free expression. Few, if any, citizens would wish to attend any political rally where their car license plate numbers would be recorded and they would be subjected to suspicion or investigation.
- Legally, privacy is a matter of necessity to avoid the consequences of abuse or mishandling of personal information. The spectrum of potential consequences ranges from identity theft and ruined credit to being a victim of stalking and murder.
Privacy Threats Everywhere
Many different kinds of individuals and agencies seek personal information, each using differing methods. These groups, and the methods they employ, will be examined below.
This group includes co-workers, family members, and hackers/crackers. Their motivation for accessing personal information could range from professional jealousy and curiosity to mistrust or malicious/criminal intent. The methods employed by individuals are primarily exploitation of inherent system weaknesses, “social engineering” tactics (such as simply asking for information that allows access), or use of specialized software tools such as monitoring programs, password cracking programs, or Trojan horse programs.
One of the most well-known home computer monitoring programs, called Spector from www.spectorsoft.com, sells for under $70. Hundreds of password cracking and Trojan programs are freely available on the Internet on sites such as www.infosyssec.net. In recent years, password cracking tools have evolved from tools that required you to have an intricate understanding of computer systems into more simplified tools that are very user friendly. The freeware password cracking tool called Cain from www.oxid.it is an example of this simplified type. Within minutes of installation, Cain can reveal passwords for screensavers, Internet dial-up logons, internal networks, and other passwords that have been used on a Windows-based computer system. When I first tested Cain, it correctly identified the password that would allow access to make changes on my personal web page.
This group includes any commercial organizations that utilize tools to gather, analyze, and maintain personal information about individuals without the individual's knowledge or consent. The techniques used include data mining to correlate data and deduce previously unknown facts about individuals, using web page cookies to gather data surreptitiously, and offering software spyware programs to the public which contain hidden functions to send information secretly back to the manufacturer. Programs classified as spyware are too numerous to list, but include such popular programs as RealPlayer, Download Accelerator, Comet Cursor, PKZip, Cute FTP, GoZilla, and Kazaa. One extensive list of spyware-infested programs can be viewed at www.fcenter.ru. Microsoft uses a tracking device called a Globally Unique Identifier (GUID) in its Windows Media Player application and many other Microsoft-owned properties. Alternatively referred to as a “super cookie”, it can be used to secretly track the Web surfing habits of a particular user across MSN, Hotmail, and Microsoft.com.
Note that as various forms of spyware become known or tracking subterfuges are exposed, companies modify or eliminate their data-gathering techniques. Some of the products listed above have recently removed or modified their spyware aspects, while others, such as Kazaa, have only recently been announced. The underlying ability remains, however, and the temptation is strong.
In addition to data gathering for dubious purposes, businesses can also constitute a threat to individual privacy by mishandling information they control. Two recent examples of this were the disclosure of the names of 600 Prozac users by pharmaceutical company Eli Lilly, and the disclosure of 400 organ donor names by the University of Minnesota.
This group could include any state or federal agency which does not take its information management responsibilities seriously; however, the majority of privacy issues stem from just four federal agencies: the Internal Revenue Service (IRS), Central Intelligence Agency (CIA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI).
The IRS and CIA have both had highly publicized incidents where they failed to safeguard the private information within their possession. According to Iowa Representative Greg Ganske, IRS employees have been repeatedly caught improperly using information in the custody of the agency, but the General Accounting Office found that only 2.3% of those caught were actually fired. As recently as March of 2002, the CIA was embarrassed by having its network mapped and the names, phone numbers and e-mail addresses of numerous agents posted on the Internet. The situation with the CIA was further exacerbated by the fact that this occurred after the September 11th terrorist attacks, and was accomplished in merely two days using freely accessible and unclassified information found on the Internet.
While the IRS and CIA may cause privacy concerns by mishandling information, it is the information gathering methods of the NSA and FBI that sometimes place those agencies at odds with individual privacy. Agencies of the U.S. Federal Government have long used technology to gather information on citizens. The first telephone wiretap in the United States occurred in 1885 – only four years after the introduction of the telephone. According to Justice John Paul Stevens of the U.S. Supreme Court, the FBI had amassed records on 24 million people as of 1989. In comparison, the 1999 CNN special report “Cold War” disclosed that the former East Germany's Stasi, or secret police, amassed records on only 6 million people.
The FBI's use of secretly installed keystroke logging software was recently made public by the case of Nicodemo S. Scarfo (United States v. Scarfo, 2002). In that case, the FBI obtained court approval to covertly enter Mr. Scarfo's premises and install software that recorded every keystroke made on Mr. Scarfo's computer, including his typed passwords. The FBI also uses another information-gathering tool, DCS-1000, formerly called CARNIVORE. This system consists of hardware connected to an Internet service provider's equipment that allows the FBI to intercept all e-mail traffic sent or received by a specific individual without their knowledge. Unlike traditional telephone wiretaps, which must be narrowly focused to intercept specific targeted conversations, DCS-1000 searches and intercepts all communications of an individual. Title 18, section 2518(4) of the United States Code gives Internet service providers no choice in cooperating with electronic surveillance. In November of 2001, an FBI response to a Freedom of Information Act request admitted the existence of “an enhanced CARNIVORE project” called “Magic Lantern” – a remotely installable key logger that can be sent to a computer via e-mail.
The NSA uses a much larger system for interception of communications data. It is called ECHELON, and consists of a global network of satellites and monitoring stations that screen all telephonic, e-mail, and facsimile transmissions. Obviously, processing all such data would be impossible; however, the system does not process all of the data, but rather carefully screens it for specific keywords and phrases, and captures only transmissions that meet pre-defined criteria. All of the captured data is then analyzed to extract pertinent information. Both CARNIVORE and ECHELON have evoked grass-roots protest movements.
Another method of government information gathering that could possibly pose a privacy risk is monitoring of TEMPEST emanations. These electronic signals are created by a computer monitor, and can be intercepted and used to re-create the screen image. This technology requires sensitive reception equipment that must be in close physical proximity to the computer being observed. Such reception equipment is illegal for individuals to possess, use, or sell in the United States.
This concludes Part One of Privacy and Security on your PC. The second installment covers a layered approach to computer security. As we go through the six levels, we'll give you links to tools that can help you secure your system and keep your personal data private.