An overview of privacy and security basics
Life Without The Internet?
Can you imagine daily life without the Internet? It has revolutionized, on a global scale, how we work, shop and communicate with friends and family. OWDT has posted previous Insights articles about Internet privacy and security–but I’d like to begin the New Year with an overview of privacy and security basics that virtually everyone needs to understand.
Maintaining Privacy And Security
Privacy is the control and proper management of a person's data so that private information is not released, whether deliberately or by accident. Security is the protection of data from unauthorized access. The two are related, and both are critical not only for the Internet in general but for every web-based business activity. Neglecting either can have devastating consequences, such as credit card fraud and identity theft.
Internet privacy is contingent on the degree of consumer protection individual websites accord their users, their personal information in particular. This includes informing users about the specific personal data gathered and how this information will be used.
Research confirms that a significant number of sites gather information through a wide array of channels, among them surveys, mailing lists and online registration, for the purpose of selling that information to other parties. The resulting problems have produced a solid consensus that organizations must provide reasonable security and privacy protection for their users. How much protection is needed depends, of course, on how sensitive and how current the information gathered is. Another key variable is the cost of reducing security vulnerabilities.
Before launching a site, an organization needs to assess its potential vulnerability. This can be accomplished through risk analysis, by reducing the amount of information gathered and stored (data that is never collected cannot be stolen), and by exploring different security strategies. In addition, organizations need to train their employees in security maintenance tasks, with clearly defined accountability for individuals at different levels of management. Finally, organizations should engage only reputable, high-quality service providers with demonstrated security maintenance capability and excellent customer support.
Cookies And Data Mining
Unfortunately, many websites continue to collect and mine user data without our consent, in some cases using cookies to track users as they move from one site to another. A much more direct threat is the potential for hackers to gain illegal access to supposedly secure information such as credit card numbers; stolen card data is a leading cause of online fraud. Identity theft is the worst nightmare of all.
Next, I’ll focus on general strategies for dealing with these challenges, with emphasis on privacy legislation, self-regulation, and message/browser encryption.
Large-scale solutions in the areas of privacy legislation, self-regulation, and message encryption.
The Big Picture
Thousands of pages have been written about the myriad software options that offer businesses and private users security and privacy online. Our Insights contributors will continue to update you as new, proven protective options emerge against ever-evolving hacker threats in the coming year.
However, to put these developments in perspective, it’s important to understand the big picture, i.e., large-scale solutions in the areas of privacy legislation, self-regulation, and message encryption.
All levels of government need to devise legislation to help protect Internet users. At the same time, businesses must transfer customer information in order to sell goods and services. The key is preventing unauthorized access to private and proprietary information. Unfortunately, self-regulation hasn't adequately met this requirement. Some private-sector proponents argue that compliance costs are too high, but ongoing research shows this concern is unfounded. One example: in areas without protective legislation, credit card companies have for 20+ years borne the burden of credit card theft without any governmental expenditure.
Many reputable organizations are dedicated to self-regulation via message encryption and other safeguards. They are clearly doing what’s in the best interest of customers, as well as their own long-term ROI. Consider the hit taken by Target and other big-name corporations when they failed to protect their customers’ personal data from hackers. Clearly, what works best is a combination of self-regulation with carefully formulated legislation.
Public-key (PKI) cryptography is one of two frequently used tools for protecting data and messages in transit, where they are most exposed. With this method, a consumer or business that wants to send sensitive information to another site or user encrypts the message with the recipient's public key; the content stays hidden until the recipient opens it with the matching private key, which is never shared. The public key can be published freely, because it cannot undo the encryption it produced.
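As an added illustration, not code from the original article, the following Go program plays out that exchange with the standard library's RSA-OAEP: the recipient generates a key pair and hands out the public half, the sender seals a short message to it, the recipient opens it with the private key, and a third party holding a different private key fails. The message text is a constructed sample.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// NewRecipientKey generates the receiver's key pair. The public half can be
// handed to anyone; the private half never leaves the receiver.
func NewRecipientKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// MaxMessageLen is the largest message RSA-OAEP with SHA-256 can carry under
// this key: modulus size minus two hash lengths minus two bytes of padding.
func MaxMessageLen(pub *rsa.PublicKey) int {
	return pub.Size() - 2*sha256.Size - 2
}

// Seal encrypts msg to the receiver's public key with RSA-OAEP. Anyone holding
// the public key can do this; only the matching private key can reverse it.
func Seal(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// Open decrypts a sealed message with the receiver's private key.
func Open(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

// Roundtrip plays out the exchange: the sender seals msg to the intended
// recipient, the recipient opens it, and a third party holding a different
// private key tries and fails. It returns the recovered text and whether the
// wrong key was rejected.
func Roundtrip(msg string) (string, bool, error) {
	recipient, err := NewRecipientKey()
	if err != nil {
		return "", false, err
	}
	thirdParty, err := NewRecipientKey()
	if err != nil {
		return "", false, err
	}
	ct, err := Seal(&recipient.PublicKey, []byte(msg))
	if err != nil {
		return "", false, err
	}
	pt, err := Open(recipient, ct)
	if err != nil {
		return "", false, err
	}
	_, wrongKeyErr := Open(thirdParty, ct)
	return string(pt), wrongKeyErr != nil, nil
}

func main() {
	// Constructed sample message; any short text works.
	got, rejected, err := Roundtrip("card ending 4242, expires 09/27")
	if err != nil {
		panic(err)
	}
	fmt.Printf("recipient read: %q; wrong private key rejected: %v\n", got, rejected)
}
```

The MaxMessageLen check is the practical caveat: a 2048-bit key with SHA-256 OAEP carries at most 190 bytes per operation, and larger inputs are refused. That is why public-key encryption is rarely applied to whole documents; in practice the public key protects a freshly generated symmetric key, and that key encrypts the bulk of the data, which is the arrangement browser encryption uses.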
Browser encryption is the complementary, critical strategy for keeping sensitive data private, since vital banking, medical and other information is transmitted through browsers. The standard here is TLS (Transport Layer Security), the successor to the older Secure Sockets Layer (SSL); it protects HTTPS web traffic and is also used to secure email connections. At the start of a session the browser and server negotiate a symmetric session key that encrypts traffic in both directions while the connection is open; when the session ends, that key is discarded. The strength of this protection therefore depends on the key length and cipher negotiated, on each session key being short-lived, on the protocol version (the SSL versions and TLS 1.0 and 1.1 are obsolete and should be disabled), and on the browser verifying that the server's certificate was issued by an authority it trusts. Servers should be configured for TLS 1.2 or later to meet the requirements of secure browser encryption.
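As an added example, not code from the original article, the Go program below runs one complete TLS session in memory with the standard library's crypto/tls, standing in for the browser and the web server. The server presents a self-signed certificate generated on the fly (constructed for the example; a real site uses a certificate issued by a CA that browsers already trust), the two ends negotiate a symmetric cipher suite for the session, and a client whose trust store does not contain that certificate is refused before any data is sent. The hostname, request text and reply are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// SessionInfo records what one session negotiated and what the server answered.
type SessionInfo struct {
	Version     uint16 // tls.VersionTLS12 (0x0303) or tls.VersionTLS13 (0x0304)
	CipherSuite string // the symmetric cipher that protects this session's traffic
	Reply       string
}

// selfSignedServerCert builds a throwaway certificate for "localhost" and a trust
// pool holding it (constructed for the example; real sites use a CA-issued cert).
func selfSignedServerCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "localhost"},
		DNSNames:     []string{"localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool, nil
}

// RunSession runs one TLS session over an in-memory pipe. With trustServer=false
// the client's trust store is empty, as a browser's is for an unknown self-signed
// certificate, so the handshake must fail before any application data moves.
func RunSession(trustServer bool) (SessionInfo, error) {
	cert, pool, err := selfSignedServerCert()
	if err != nil {
		return SessionInfo{}, err
	}
	serverCfg := &tls.Config{
		Certificates:           []tls.Certificate{cert},
		MinVersion:             tls.VersionTLS12, // refuse SSL 3.0, TLS 1.0 and TLS 1.1
		SessionTicketsDisabled: true,             // keep the synchronous pipe strictly request/reply
	}
	clientCfg := &tls.Config{RootCAs: x509.NewCertPool(), ServerName: "localhost", MinVersion: tls.VersionTLS12}
	if trustServer {
		clientCfg.RootCAs = pool
	}
	clientSide, serverSide := net.Pipe()
	defer clientSide.Close() // also unblocks the server goroutine when we return
	serverErr := make(chan error, 1)
	go func() {
		srv := tls.Server(serverSide, serverCfg)
		defer srv.Close()
		buf := make([]byte, 256)
		n, err := srv.Read(buf) // Read completes the handshake, then decrypts the request
		if err != nil {
			serverErr <- err
			return
		}
		_, err = srv.Write(append([]byte("echo: "), buf[:n]...))
		serverErr <- err
	}()
	cli := tls.Client(clientSide, clientCfg)
	if err := cli.Handshake(); err != nil {
		return SessionInfo{}, err // e.g. "x509: certificate signed by unknown authority"
	}
	if _, err := cli.Write([]byte("GET /account")); err != nil {
		return SessionInfo{}, err
	}
	reply := make([]byte, 256)
	n, err := cli.Read(reply)
	if err != nil {
		return SessionInfo{}, err
	}
	if err := <-serverErr; err != nil {
		return SessionInfo{}, err
	}
	st := cli.ConnectionState()
	return SessionInfo{Version: st.Version, CipherSuite: tls.CipherSuiteName(st.CipherSuite), Reply: string(reply[:n])}, nil
}
```

MinVersion set to TLS 1.2 on both ends is the server configuration the paragraph above asks for: SSL 3.0, TLS 1.0 and TLS 1.1 are rejected outright. The cipher suite name that comes back (for example TLS_AES_128_GCM_SHA256) names the symmetric cipher that encrypts the traffic; the public-key operations happen only during the handshake, and the session key disappears when the connection closes. The untrusted run fails inside Handshake, which is the point at which a browser shows its certificate warning.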
Billions of people globally use the Internet for shopping, paying bills, banking, accessing medical records and research. Websites often require registration that discloses demographic information such as gender, age and location, along with credit card details. This has opened the door to hackers who attempt to obtain and use this information for criminal purposes, a vulnerability that demands stringent privacy and security legislation to protect users.
Although government legislation can effectively address this at a given point in time, Internet threats evolve faster than protective legislation, given the increasing pace of change in digital technology. Consequently, self-regulation can be more effective than legislation, provided that evolving threats are carefully monitored and responded to by an organization's IT security staff. Users are fully justified in expecting this kind of vigilance from organizations.
On the user side, we individually have a responsibility to stay abreast of the latest, most effective private online security tools to do what we can to protect our data. Fortunately, many highly effective ones are free.