Content

Privacy in an Internet World?

Anonymity is a circumstance that many everyday web surfers believe they enjoy while hopping from one online store to the next.

However, privacy-invasive marketing tactics are not at all foreign to the World Wide Web.

For example, around February of 2000, various privacy groups in the United States, including the Electronic Privacy Information Center (EPIC), complained to the Federal Trade Commission about DoubleClick's tracking techniques of users. DoubleClick used cookies and web-bugs to do so much tracking of users that they developed some of the most talked about and comprehensive profiles of web surfers' habits, purchases and preferences. DoubleClick, as a result, quickly became recognized for being one of the most overt e-businesses to invade customers' assumed privacy. This case was officially closed in January of last year when the company agreed to follow self-regulatory rules for online profiling.

In a recent and seemingly unexpected announcement late last year the company reported that it would discontinue these profiling services all together. According to EPIC, the DoubleClick no longer offers the targeted marketing that made it so infamous.

The freedom to remain anonymous is one of the biggest liberties citizens from America to the U.K. enjoy. Yet, as the Internet enters homes and offices through an intricate web of PCs all over the globe, anonymity is a state difficult to hold on to. Indeed, governmental bodies in various countries have acknowledged this fact by drafting and passing laws in an attempt to protect their citizens' privacy, their anonymity. Whether or not this will truly be realized is questionable. However, there is no doubting that those companies which fail to take steps to protect client and customer data will be punished.

"In an age where more and more of our personal data is stored and processed on systems connected to the Internet, privacy policies and the effective use of organizational processes and security technology to maintain privacy are increasingly important," states SystemExperts Corporation in its white paper Privacy: Our Two Cents. "Medical organizations, financial and insurance companies, and federal agencies need to process confidential information and protect the data they manage."

Considering the likes of such legislation as the U.S.'s Gramm Leach Bliley Act and HIPAA being passed, there are still other fundamental issues to consider when looking to protect proprietary customer details.

Protection, notes SystemExperts, must encompass more than that which is in transit. Organizations store tons of juicy customer and company details on servers. It is with great frequency, as a result, that news item upon news item reports some savvy cracker obtaining credit card numbers or medical information about people like you and me.

Because some companies fail to protect data in storage, crackers can steal identities with ease. Access and authentication controls are integral to any security plan, especially when a company has mined tons of information that is pivotal to its business and that of its customers.

The U.K. government started tackling these issues some time before the U.S. As such, it has taken a broad-brush approach to privacy legislation, whereas the U.S. has introduced legislative guidelines for specific vertical markets, points out SystemExperts. "While this makes the regulations more pertinent and perhaps better for the consumer, it leads to inconsistency."

Noting further that U.S. citizens are leery of "Big Brother" approaches to such issues, SystemExperts states that the consequent limited involvement of U.S. government may have led to a bigger problem. "While this cultural fear of excessive governmental involvement has limited the federal government's role, most Americans don't realize that the weakness and inconsistency of domestic privacy regulation overall has created a situation where their private data becomes the property of the data collector. The collector has very limited responsibilities for stewardship. This is different from the European approach where the individual retains ownership and control over his personal data, and the collecting entities, by law, have a stewardship duty."

Certainly, the governmental and cultural approaches to the questions of privacy protection are different, yet the basic ideals behind them are similar. No consumer wants to have his or her private details stolen by Joe Hacker. No company wants the bad press, resulting sluggish business traffic and consumer distrust, possible fines after breaking certain countries' laws, or any impending lawsuit filed by angry customers, partners or investors to follow. So, what's the answer?

In the U.K., citizens are willing to sacrifice personal privacy to support government initiatives that lead to privacy laws. For instance, cites SystemExperts, ISPs must retain 'traffic data' related to their customers for up to seven years in case police need the information for possible investigation. In the U.S., such a mandate would probably never pass.

Really though, whatever role government plays is minor to those parts performed by companies and their customers. As customers, we must know our rights. If we don't want personal details sold to other organizations, we must make this clear. As citizens, we can be very finicky, taking our business to a competitor at the drop of a hat. This is something companies should realize and respect. It's up to consumers to know this power and readily act on it when necessary.

For their part, organizations must truly and strongly step up to the challenges that the Internet presents. If they want to do business on the web, then they must ensure they have security mechanisms in place. This is becoming an important brick in laying a strong foundation for successful e-business. VISA, for instance, has made it very clear to associated merchants through recent infosecurity initiatives that if they don't take certain steps to secure their consumer data, then they no longer can have a relationship with the credit card company.

In the same way that VISA can impact the flow of merchants' online money-making endeavors, consumers can rely on the litigious society into which we have so easily evolved: If my identity is stolen because ACME, Inc. failed to safeguard my personal details stored on their database, I'll just sue. As a result of such action, ACME, Inc. could surely fold and, hopefully, its surviving competitors would learn the lesson that doing business on the web requires infosecurity plans and tools (firewalls, anti-virus, IDS, access controls, authentication devices, etc.). Without such protective measures, hackers will win, e-business will continue to be looked at skeptically and consumers will just drive up the street to shop at the old and reliable mall.

Illena Armstrong is U.S. editor of SC Magazine ( www.scmagazine.com).

Related

DevSecOps Scanning Challenges & Tips

There are many ways to do DevSecOps, and each organization — each security team, even — uses a different approach. Questions such as how many environments you have and the frequency of deployment of those environments are important in understanding how to integrate a security scanner into your DevSecOps machinery. The ultimate goal is speed […]

It Should Be ‘Cybersecurity Culture Month’

It’s Cybersecurity Awareness Month, but security awareness is about much more than just dedicating a month to a few activities. Security awareness is a journey, requiring motivation along the way. And culture. Especially culture.That’s the point Proofpoint Cybersecurity Evangelist Brian Reed drove home in a recent appearance on Business Security Weekly.“If your security awareness program […]

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.