Security and Other Policy Issues in Electronic Commerce
based on material written by Prof. Lance J. Hoffman
Computer Science Department
The George Washington University
Washington DC 20052 USA
202 994-4955
Government regulation responsibilities
(All have security implications)
• Regulating E-Commerce
• Maintaining citizen privacy rights
  – Balancing anonymity vs. accountability
• Managing intellectual property regime
  – Guaranteeing freedom of speech
• Facilitating computer system security
• Protecting critical infrastructure
• Recognize limits of regulation while …
• Developing consistent regulatory framework that can be harmonized with other governments’
E-Commerce Policy Issues
Security Mechanisms Used to Attempt to Enforce Laws
•Product restrictions
•Tobacco
•What can be sold to children
•Acceptable food products
•Pharmaceuticals
•Alcoholic beverages
•Financial services
•Textile and Wool Products
•Taxation control (customs, sales taxes, double taxation, VAT)
•Societal values
•Language requirements (e.g., use French)
•Accessibility standards (www.w3.org/wai) [10-20%]
Some Possibly Fraudulent E-Commerce Schemes
•Pyramid Schemes
•“Miracle” health and diet products
•Gambling and International Lottery
•Investment, Credit and securities scams
•Online Auctions
•Erotic Services
PRIVACY
• Different meanings in different cultures
• Users (consumers) want anonymity and benefits (convenience, efficiency) but may have to balance these
• "The right to be left alone -- the most comprehensive of rights, and the right most valued by a free people." - Justice Louis Brandeis, Olmstead v. U.S. (1928). See also Samuel D. Warren & Louis D. Brandeis, The Right to Privacy, 4 Harv. L. Rev. 193 (1891).
• “Privacy will be what civil rights and environmentalism was to the last half of the 20th century.” -- Austin Hill, CEO, Zero Knowledge Systems
• “When we moved from the agrarian to the industrial age, the environment’s degradation was a byproduct. We can’t let what happened to the environment happen to privacy.” -- Christine Varney, former FTC Commissioner (Industry Standard, Nov. 13, 2000)
TIME Magazine, August 25, 1997
PRIVACY (DATA PROTECTION) COMMISSIONERS AND REGULATION WORLDWIDE
• 23 countries have data protection (privacy) commissioners
  – (See Canadian Privacy Commissioner’s Annual Report at http://www.privcom.gc.ca/english/02_04_08_e.htm)
• European Union Data Directive has regulations:
  – No secondary use of data without an individual’s informed consent
  – No transfer of data to non-EU countries unless there is adequate privacy protection (see, for example, www.export.gov/safeharbor)
• US still has no central regulation with respect to privacy. Sectoral regulation in U.S.:
Table columns: Notice/Awareness | Choice/Consent | Access/Participation | Integrity/Security | Enforcement/Redress
Financial services: Yes | Yes | Yes | Yes | Yes
Health: Yes | Yes | Yes | Yes | Yes
Online profiling: Yes, Opt-out
Wireless: Proposed, Proposed, Proposed, Proposed
(John McCarthy, Forrester, Dec. 2000)
Privacy in Record Systems
• 1960s: worried about government (vehicle tracking, land and tax records)
  – Governments have at least Code of Fair Information Practices now
• Today: worried about private sector (e.g., medical, advertising) data bases (affinity cards, universal IDs [e.g., telemedicine])
  – (Only) Leading companies have privacy codes
  – Chief Privacy Officers:
    • 1998 Zero
    • 1999 A few
    • 2000 A hundred
    • 2001 (December) A thousand predicted
EXAMPLES WHERE BUSINESS HAS INVADED PRIVACY
• Tracking down individuals (Switchboard)
• Unsolicited e-mail (spam):
  – DoubleClick (advertising agency) monitored surfing of net users
  – Often by individual “companies” but sometimes by large companies that can’t get their act together
• Attempted fire sales of user data, reneging on past promises (Toysmart.com)
Surveillance by Private Sector
GOVERNMENT SURVEILLANCE
Carnivore: Net-tapping by FBI, 2000
Official FBI figure from http://www.fbi.gov/programs/carnivore/carnlrgmap.htm
Generic Code of Fair Information Practices
1. Openness: no secret databanks on individuals
2. Data subject view and correction: right to see and correct data on self
3. Collection Limitation: limited data collection by lawful means and, where appropriate, with knowledge or consent of data subject
4. Data Quality: only relevant, accurate, complete, and timely data
5. Finality: limits to the uses and disclosure of personal data, used only for purposes specified at time of collection, unless data subject or appropriate authority allows
6. Security: reasonable security safeguards against such risks as loss, unauthorized access, destruction, use, modification or disclosure
7. Accountability: record keepers accountable for complying with fair information practices
This formulation of a code of fair information practices is derived from several sources, including codes developed by the Department of Health, Education, and Welfare (1973); Organization for Economic Cooperation and Development (1981); and Council of Europe (1981). See http://www.cdt.org/privacy/guide/basic/generic.html for more detail.
Is “Copy” Still the Right Concept?
•Should access to data be controlled?
•Start from the basics: progress via incentive
•Does a use impact incentive?
•Why did the current intellectual property regime come about?
•Is it still useful?
•What can be done to have it work in the digital age?
•Good references on the current intellectual property regime:
•National Research Council, The Digital Dilemma: Intellectual Property in the Information Age, http://books.nap.edu/html/digital_dilemma/
•Digital Copyright by Jessica Litman, Prometheus Books 2001, www.digital-copyright.com
Is “Copy” Still the Right Concept?
• Access requires copying. Legitimate copies are routine today.
• But, these days, copying is not a precise predictor of “piracy” or “fair use”.
  – Who owns the (interior) link on web pages? (Is this still a constructive way to think about this? See James Gleick, “Patently Absurd”, New York Times Sunday Magazine, March 12, 2000)
• Start from the basics: progress via incentive. Does a use impact incentive?
• What about sampling compositions from various works? Artist’s integrity rights vs. consumer (new composer) rights ??
• Can access to digital information be controlled?
  – The DVD story – as told by a defiant Carnegie Mellon University professor: http://www.cs.cmu.edu/~dst/DeCSS/
    • Points to descrambling algorithm (in violation of 17 USC 1201(a)(2) ?), code on T-shirt, software code, Power Point slides on Content Scrambling System (CSS), algorithm in haiku by an anonymous poet
  – DVD/DeCSS FAQ from the Motion Picture Association of America point of view is at http://www.mpaa.org/Press/
See
1. National Research Council, The Digital Dilemma: Intellectual Property in the Information Age, http://books.nap.edu/html/digital_dilemma/
2. Digital Copyright by Jessica Litman, Prometheus Books 2001, www.digital-copyright.com
From gallery of DeCSS representations at CMU
• “C” source code
• Nonexecutable picture of the source code (speech? Protected in U.S. by First Amendment to Constitution?)
• Source code in new programming language (like “C”) for which a compiler does not yet exist. Is author liable once compiler exists?
• Plain English description
• Haiku version
• Lecture notes on how the algorithm works
• Algorithm on T-shirt: Is wearing it “trafficking”?
• Dramatic reading
• Code set to music
• Code (coded) as music
• JPEG file with concealed version of algorithm
ONE MODEL OF PAYING FOR INFORMATION IN THE FUTURE
Napster file sharing
Peer-to-Peer Won’t Go Away!
This is NOT Napster:
• Publius, a censorship resistant, tamper evident, WWW-based publishing system, already exists (see www.cs.nyu.edu/~waldman/publius.html). Each server can’t tell type of content it is hosting, and any modification can be detected.
• How about Napsters for
  – poetry?
  – Real estate listings?
  – Articles about law and cyberspace?
  – Government efficiency and effectiveness tips?
  – information about genetic sequences making up the human genome?
“Despite Napster's demise, P2P's legal struggle lives on -- certain to battle RIAA further in the coming months, as the industry continues to wage a war to cripple the technology it cannot control and attempts to wrestle music distribution away from the people at the expense of freedom of speech and innovation.” – Robin Gross, EFF Staff Attorney, March 5, 2001, http://www.eff.org/effector/HTML/effect14.04.html
Recommendations for Policymakers
• Aim for technology independence
• Keep it simple
• Keep it flexible
• Keep cool
National Research Council, The Digital Dilemma: Intellectual Property in the Information Age, http://books.nap.edu/html/digital_dilemma/
Freedom of speech
Content control and access
• When is speech “chilled”?
• Traditional areas of controversial or forbidden speech
  – Sedition
  – Pornography
• Censorship vs. User Choice
• Communications Decency Act and relatives
• German anti-Nazi provisions
• French terroristic provision
  – Technological disclosure controls
• Commercial speech and advertising get same protections? Spam?
Security Controls Should Maintain CIA (Confidentiality, Integrity, Availability)
SOME TYPICAL SECURITY MECHANISMS
• Authentication
  – Something you know (examples: password, encryption key)
  – Something you have (examples: token, capability)
  – Something you are (picture, fingerprint)
• Cryptography (Example [very simple]: HFRPPHUFH ↔ ecommerce)
  – Traditional, single key (DES, PGP, AES)
  – Public key (two keys, public and private: RSA)
• Digital signatures
• Risk Analysis
  – Expected value
  – Worst case
  – Insurance
Critical Infrastructure Sectors (President’s Commission on Critical Infrastructure Protection)
• Information and communications
  – Local and long-distance telephone carriers
  – Cellular networks
  – Satellite services
  – Internet
  – Computers used for home, commercial, academic, and government use
• Physical distribution
• Energy
• Banking and finance
• Vital human services
CONTROL MECHANISMS
www.ciao.gov
• Entitywide security: Plan for emergencies, create security procedures
• Access controls to critical info, systems, and people
• Segregation of duties: no single person has control over all essential info or operations
• Continuity: have plans to restore service and to not lose critical information
• Change control and life cycle management: be able to make changes without significant service interruptions
• System software controls: critical software only can be accessed by certain people and their uses should be monitored and logged.
A number of excellent presentations on this are at http://www.ciao.gov/Audit/SummitLibrary/SummitLibrary.htm
ANTI-SPAM EFFORTS
in light of Washington State court deeming state law unconstitutional
Mar 24 2000: House Subcommittee on Telecommunications, Trade, and Consumer Protection approved HR 3113; now goes to Committee on Commerce; still a torturous path
1. Outlaws forged headers, invalid return addresses
2. Business relationship allows you to send commercial email (my Microstrategy case)
3. Spammers required to abide by ISP anti-spam policies
4. FTC to prescribe identifiers like “ADV” to allow filtering
5. ISPs must maintain opt-out lists (except free and ad-supported ISPs whose policies require accepting ads)
6. ISPs protected from lawsuits if they make good faith protection efforts
7. Civil damages: actual or $500/msg to $50K max, trebled sometimes, includes atty fees. Loser pays fees to discourage frivolous lawsuits.
8. See http://thomas.loc.gov, search for HR 3113
9. No Senate version yet
See www.junkbusters.com for anti-spam tools.
Monitor www.cdt.org and www.epic.org for more information on this and similar legislation
Think ahead: what happens when spam goes wireless?
Forces driving governments’ expanded Internet economy role
[Figure: forces acting on the Internet economy]
• Consumers’ need for online security
• Businesses’ desire for stability
• Net winners call for regulation
• Net losers look for relief
• Net as an official government channel
John McCarthy, Forrester
REGULATION
Lessig, L., Code and Other Laws of Cyberspace, Basic Books, 1999
Architecture, law, market, norms