Privacy and Security
The use of computers by business, industry, health care, education, and government enhances their ability to collect, analyze, and communicate information quickly and efficiently. The availability of and access to this information, however, significantly affect individual privacy and security. Personal information is transmitted and stored every time a credit card is used, a telephone call is made, or an electronic mail (e-mail) message is sent or received. Personal information regarding health care, insurance, and Social Security records is digitized, stored, and maintained in easily accessible computer files. Because computer technology makes data easier to compile, combine, and circulate, it dramatically increases the potential for violations of personal privacy and security.
Privacy is an individual's ability to control the disclosure of personal information, including the ability to remain anonymous. It is not an explicitly enumerated constitutional right in the United States; unsanctioned intrusion on privacy, however, is legislated against at various federal and state levels. Once personal information is shared, whether in electronic, written, or oral form, the individual's privacy can no longer be assured. Security implies confidentiality (information is disclosed only to those authorized to see it), integrity (information is not altered without authorization), and the assurance that personal information will remain private. In the information age of the twenty-first century, privacy and security are difficult to maintain, and identity theft is a continuous threat.
During 2004 more than 9.3 million Americans were victims of identity theft. This activity resulted in $52.6 billion in damages. On average, victims of identity theft spent 600 hours repairing their credit. As victims of identity theft, individuals reported a temporary loss of credit as well as significant mental anguish. Although personal identities may be stolen by computerized methods, the majority (62.8%) of identity theft occurred by more traditional means (stolen wallets, mail removed from household mailboxes, dumpster diving, and employee theft).
Employee theft occurs in places such as medical offices and human resource departments, where confidential personal information is routinely recorded and distributed. Although many people are more comfortable providing their credit cards in face-to-face transactions (e.g., at stores or restaurants) than electronically (e.g., online shopping), a level of personal trust is assumed in both cases. Online transactions, however, are often processed without human intervention, and the main risk then lies not in the transaction itself but in the security of the merchant's database of stored customer information. Security engineering attempts to protect that stored information from attackers who break into corporate systems.
Privacy advocates assert that electronic record keeping and transmittal of information threaten basic American liberties and rights to privacy. In reaction to the growing use of computerized databases, several groups were formed in the early 1990s to defend social and legal privacy interests in cyberspace.
- Electronic Frontier Foundation—established in 1990 to focus on civil liberties (http://www.eff.org)
- Privacy International—in 1990 emerged as a global watchdog for a wide variety of privacy issues, including data matching and medical privacy
- Internet Society—begun in 1992 as an international organization to develop and implement standards for the Internet, as well as to maintain historical and statistical databases of Internet usage (http://www.isoc.org)
- Privacy Rights Clearinghouse—founded in 1992 as a nonprofit consumer information and advocacy organization (http://www.privacyrights.org)
- Electronic Privacy Information Center (EPIC)—established in 1994 to address civil liberties and privacy issues (http://www.epic.org)
- Privacy.org—A joint project of EPIC and Privacy International, which serves as an outlet for privacy and security news and information
SOCIAL ENGINEERING SCAMS
These privacy organizations seek ways to combat social engineering scams that use the Internet and e-mail. The most common are phishing and pharming, frequently supported by crimeware.
Phishing (pronounced "fishing"), sometimes also called spoofing or carding, is a fraudulent method of stealing personal information. The term is used because the perpetrators in effect "throw out bait" to unsuspecting individuals. The scam artists create e-mail messages that appear to come from a bank, credit card company, or other trusted entity. Often the messages are very convincing and include logos or graphics copied from the real institution's Internet site. The message asks recipients to confirm their personal information (e.g., credit card numbers and account information) either by replying to the message or, more typically, by following the provided link to the "company's" Internet site. The link, of course, leads not to the company's site but to a counterfeit site, which also uses appropriate graphics and text in an attempt to appear official; the visible link text may even show the real institution's address while the underlying link points elsewhere. Some phishing scams claim that because of recent suspicious activity the user's account will be suspended until the personal information is confirmed.
Pharming (pronounced "farming") is related to phishing in that users end up at fraudulent Internet sites where they are asked to provide personal information such as usernames, passwords, and Social Security numbers. The difference lies in how the victim gets there: rather than following a link in a message, the user types or bookmarks the correct address, but the name is resolved to the attacker's server because the computer's local hosts file or a DNS server has been tampered with. Pharming therefore defeats the usual advice to check the address shown in the browser.
Crimeware is a collective term for software used to commit crime: malware (malicious software), adware (advertising software), and spyware (spying/tracking software). For example, a Trojan horse can install a keylogger (spyware) that captures personal information as it is typed, or it can alter the victim's computer so that attempts to log in to Internet banking sites are redirected to a counterfeit site. Both phishing and pharming are the focus of the Anti-Phishing Working Group (http://www.anti-phishing.org), which is "committed to wiping out Internet scams and fraud."
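The two deceptions described above, a phishing link whose visible text names the real institution while the link goes elsewhere, and a pharming entry that pins the institution's name to an attacker's address, can both be checked mechanically. The following Python script is an added example, not code from the original article or from any of the organizations it names. The e-mail message and hosts-file content are constructed samples, `examplebank.com` is an assumed trusted domain, and the homoglyph table and the "last two labels" rule for a registrable domain are deliberate simplifications.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phishing message used as sample input; it is not from a real campaign.
SAMPLE_EMAIL_HTML = """<html><body>
<p>Please <a href="http://198.51.100.23/login">confirm your information at
https://www.examplebank.com/secure</a> within 24 hours or your account will be suspended.</p>
<p>Questions? Visit <a href="https://www.examplebank.com/help">our help center</a>.</p>
<p>Update your password at <a href="https://examp1ebank-security.com/reset">examplebank.com</a>.</p>
</body></html>"""

# Constructed hosts-file content (stands in for /etc/hosts or the Windows hosts file) on a pharmed machine.
SAMPLE_HOSTS = """127.0.0.1   localhost
# pharming-style entry: the bank's real name now resolves to an attacker's address
198.51.100.23   www.examplebank.com examplebank.com
"""

TRUSTED_DOMAINS = {"examplebank.com"}  # assumed: the institution's real registrable domain
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e"})  # digit-for-letter swaps (simplified)
DOMAIN_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None

def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links

def registrable_domain(host):
    """Last two labels of a hostname (simplification: ignores suffixes such as co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def is_lookalike(domain, trusted):
    """True when an untrusted domain, after homoglyph folding, embeds a trusted domain's main label."""
    if domain in trusted:
        return False
    folded = domain.translate(HOMOGLYPHS)
    return any(t.split(".")[0].translate(HOMOGLYPHS) in folded for t in trusted)

def analyze_link(href, text, trusted=TRUSTED_DOMAINS):
    """Return the reasons a link looks deceptive; an empty list means nothing was flagged."""
    reasons = []
    host = urlparse(href).hostname or ""
    if not host:
        return ["href has no host"]
    try:
        ipaddress.ip_address(host)
        reasons.append("href host is a bare IP address")
        href_domain = host
    except ValueError:
        href_domain = registrable_domain(host)
        if href_domain not in trusted:
            reasons.append(f"href domain {href_domain} is not a trusted domain")
        if is_lookalike(href_domain, trusted):
            reasons.append(f"href domain {href_domain} imitates a trusted domain")
    match = DOMAIN_RE.search(text)  # does the visible text name a domain the href does not go to?
    if match and registrable_domain(match.group(1)) != href_domain:
        reasons.append(f"link text names {registrable_domain(match.group(1))} but href goes to {href_domain}")
    return reasons

def analyze_email(html, trusted=TRUSTED_DOMAINS):
    """Map each flagged href in the message to its list of reasons."""
    findings = {}
    for href, text in extract_links(html):
        reasons = analyze_link(href, text, trusted)
        if reasons:
            findings[href] = reasons
    return findings

def hosts_overrides(hosts_text, trusted=TRUSTED_DOMAINS):
    """(ip, name) pairs where a hosts file pins a trusted domain to a fixed address, bypassing DNS."""
    hits = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            hits += [(fields[0], n.lower()) for n in fields[1:] if registrable_domain(n) in trusted]
    return hits

if __name__ == "__main__":
    for href, reasons in analyze_email(SAMPLE_EMAIL_HTML).items():
        print(href, reasons)
    for ip, name in hosts_overrides(SAMPLE_HOSTS):
        print(f"hosts file pins {name} to {ip}")
```

Run against the sample message, the help-center link passes, while the IP-literal link and the `examp1ebank-security.com` link are flagged for the mismatch between visible text and destination; the hosts check reports the two names pinned to the attacker's address. A real hosts file normally contains no entry for a bank at all, which is why any such entry is worth reporting.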
Computer crime-related legislation is growing. Several laws have been enacted to protect privacy and security. For example, the Privacy Act of 1974 (5 USC 552a) imposes controls on the databanks owned by federal agencies: records containing personal information cannot be disclosed to other federal agencies without going through proper legal channels. In addition, the Family Educational Rights and Privacy Act restricts the dissemination of student education records. The proposed Identity Theft Protection Act attempts to limit the use of Social Security numbers as identifying data and to ensure that individuals are notified when their personal data are compromised.
In addition to "taking" information through database access, security issues also include deleting or corrupting information in databases. Improper use and invasion of privacy through harmful access occur when people knowingly damage or destroy computer programs or data, whether directly or by installing computer viruses (programs that copy themselves into other programs or files and may carry a payload that silently destroys data). This improper use is addressed under the Computer Fraud and Abuse Act of 1986 (18 USC 1030), which prohibits the improper use of "federal interest" computers, computers that communicate and share information across state lines or internationally. (The 1996 amendments to the act replaced this term with the broader "protected computer.")
Any computer that is connected to the Internet (even through a local network provider) is considered such a computer and is subject to the Computer Fraud and Abuse Act. In addition, the Electronic Communications Privacy Act (18 USC 2510 et seq.) makes it a crime to intercept other people's private communications or, under its Stored Communications Act provisions (18 USC 2701), to access or tamper with private messages (e.g., e-mail and data files) stored in an online system.
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 ensures health insurance coverage during changes in employment and establishes national standards for electronic health-care transactions. This second emphasis addresses the privacy and security of health-care information. The HIPAA Privacy Rule that carries these requirements was proposed in 1999, finalized in December 2000, and took effect in 2001; most covered entities had to comply by April 2003.
In response to the increase in phishing and pharming scams, the Anti-Phishing Act of 2005 was proposed. This bill, if enacted, would impose a $25,000 fine and/or a five-year prison sentence on individuals found guilty of fraudulently obtaining personal information by means of counterfeit corporate Internet sites or e-mails.
It is apparent that cyberspace has become and will continue to be a major concern to both individual and organizational privacy and security. Although legislation is becoming more substantial, it severely lags behind the pace of technology, forcing the burden of responsibility onto the individual. To maintain personal privacy and security, experts suggest following certain guidelines when using credit cards and communication devices (including telephones and computers):
- When conducting business online (e.g., paying bills and shopping), provide only the information necessary to process the transaction. Optional information is likely to be kept in a database and linked to the account, where it adds to what an attacker can obtain if that database is compromised.
- Create unique passwords and personal identification numbers that are not easily determined or based on such obvious information as home address, phone number, or date of birth or anniversary.
- To surf the Internet without leaving a personal trail on your own machine, some guides suggest using a shared, anonymous connection such as an open computer lab at a school, university, or library. Do not enter passwords or account numbers on such shared computers, however, since they may carry keyloggers installed by a previous user. When using a personal computer system, delete cookies and regularly run virus, spyware, and adware removal tools.
- Although many consumers are wary of paying routine bills online, research indicates that paper bills and statements are stolen more easily from mailboxes. Online statements are more easily monitored and should be routinely checked on a weekly basis.
- Everyone is entitled to request a free credit report each year from each of the three credit reporting agencies: Equifax (http://www.equifax.com), Experian (http://www.experian.com), and TransUnion (http://www.transunion.com). This process may be initiated at http://www.AnnualCreditReport.com.
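The password guideline above (nothing based on a home address, phone number, date of birth, or anniversary) can be enforced rather than merely recommended. The following Python check is an added example, not code from the original article: it takes a small profile of the kind an attacker could assemble from a stolen wallet or mailbox, derives the fragments people typically build passwords from (name and street words, phone suffixes, several spellings of each date), and reports which of them appear in a candidate password. The profile is a constructed identity, and the set of date formats and the leetspeak folding table are assumptions chosen for illustration.

```python
import re
from datetime import date

# Constructed identity used as sample input; not a real person.
SAMPLE_PROFILE = {
    "name": "Pat Q. Example",
    "address": "1234 Maple Street, Springfield",
    "phone": "(555) 867-5309",
    "dob": date(1985, 7, 14),
    "anniversary": date(2009, 6, 20),
}

# Common character substitutions folded back to letters before matching words (assumed table).
LEET = str.maketrans({"@": "a", "$": "s", "!": "i", "1": "i", "0": "o", "3": "e", "4": "a", "7": "t"})

def date_fragments(d):
    """Numeric forms people derive from a date (assumed set): YYYY, MMDD, MDD, DDMM, MMDDYYYY, MMDDYY, YYYYMMDD, DDMMYYYY."""
    y, m, dd = d.year, d.month, d.day
    return {f"{y}", f"{m:02d}{dd:02d}", f"{m}{dd}", f"{dd:02d}{m:02d}",
            f"{m:02d}{dd:02d}{y}", f"{m:02d}{dd:02d}{y % 100:02d}",
            f"{y}{m:02d}{dd:02d}", f"{dd:02d}{m:02d}{y}"}

def personal_fragments(profile):
    """Split a profile into word fragments and digit fragments a password must not contain."""
    words, numbers = set(), set()
    for key in ("name", "address"):
        for token in re.findall(r"[a-z0-9]+", profile.get(key, "").lower()):
            (numbers if token.isdigit() else words).add(token)
    digits = re.sub(r"\D", "", profile.get("phone", ""))
    if len(digits) >= 7:
        numbers.update({digits, digits[-7:], digits[-4:]})
    for key in ("dob", "anniversary"):
        if profile.get(key):
            numbers.update(date_fragments(profile[key]))
    # two-letter words and one- or two-digit numbers would flag almost any password; keep >= 3 chars
    return {w for w in words if len(w) >= 3}, {n for n in numbers if len(n) >= 3}

def password_uses_personal_data(password, profile):
    """Return the profile fragments found in the password; an empty set means it passes this check."""
    words, numbers = personal_fragments(profile)
    compact = re.sub(r"[^a-z0-9]", "", password.lower())
    folded = re.sub(r"[^a-z0-9]", "", password.lower().translate(LEET))
    hits = {w for w in words if w in compact or w in folded}  # words may be disguised with leetspeak
    hits |= {n for n in numbers if n in compact}               # digits are matched as typed
    return hits

if __name__ == "__main__":
    for pw in ("Maple1985!", "M@ple$treet", "Spr1ngfield#7", "5309ok", "correct-horse-battery"):
        print(pw, "->", sorted(password_uses_personal_data(pw, SAMPLE_PROFILE)) or "ok")
```

The check is deliberately a substring test rather than a guess at the attacker's exact dictionary: anyone holding the victim's mail already has the street name and birth date, so a password that contains them is weak regardless of its length or punctuation. It complements, and does not replace, a minimum-length rule and a check against lists of commonly used passwords.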
Legislation and organizations make every effort to protect privacy and security, but computerized databases will continue to be the most efficient method of storing and retrieving information. Personal privacy and security are best ensured when individuals take personal responsibility to protect themselves. Being aware of how identities may be stolen, precautions to take when providing sensitive information, and procedures to repair credit will best ensure personal privacy and security.
see also Consumer Advocacy and Protection ; Cyber Crime ; Identity Theft
Lisa E. Gueldenzoph
Mark J. Snyder