A decade ago, I started writing about online privacy issues. At the time, legal colleagues told me that while they found the topic interesting from an academic standpoint, it had no real world applications. They encouraged me instead to focus on "real" upcoming problems, like Y2K.

Undeterred, I explained that there would come a time when good privacy translated into good business, and bad privacy meant horrible business. That time has arrived.

Y2K came and went without much lasting effect. But privacy protection has become a real world industry of its own. Unfortunately, privacy and security breaches regularly occur these days. Indeed, the recently concluded meeting of the International Association of Privacy Professionals in San Francisco bore witness to just how important privacy issues have become to businesses, government, educational institutions, and of course, individuals.

With hundreds of privacy and security professionals in attendance, the sponsor list included the expected roster of companies from the technology sector. But you also found companies from outside the tech world, like Chevron, Deloitte, Ernst & Young, and PricewaterhouseCoopers. The common theme: it's high time to find privacy solutions that really work.

Privacy is like oxygen. You don't normally pay attention to it, but when it is gone, the problem is immediate and real. So it was that the conference hosted numerous breakout sessions over the course of three days, ranging across issues that arise in financial services, marketing, health care, retail, government, human resources, children, higher education, international matters, and technology.

As technology has advanced, the world has become smaller, and, frankly, more invasive, when it comes to the potential for revealing personally identifiable information without permission.

When I first started writing about privacy issues, the world was familiar with the titles CEO and CFO, but there was no such thing as a "CPO." Here we are in 2007, and I found myself bumping into chief privacy officers all over the conference. These are the folks charged with developing workable privacy policies and practices for their respective companies.

They have their work cut out for them. We all have read about security breaches that led to the disclosure of private details of thousands of people. This not only impacts the affected individuals; it hurts the reputation, brand, and share price of the companies subject to the breaches. That's not to mention the possibility of government investigations, big penalties, and lousy press down the road.

Biography
Eric J. Sinrod is a partner in the San Francisco office of Duane Morris. His focus includes information technology and intellectual-property disputes. To receive his weekly columns, send an e-mail to ejsinrod@duanemorris.com with "Subscribe" in the subject line. This column is prepared and published for informational purposes only, and it should not be construed as legal advice. The views expressed in this column are those of the author and do not necessarily reflect the views of the author's law firm or its individual partners.

7 comments
Voice of reason
by RicRicho October 31, 2007 9:47 AM PDT
Well put... My name is Ric Richardson, an inventor and pioneer of machine locking authentication and activation, 5,490,216. When I first locked a software license to a Mac back in 1992, I knew that the need for surrogate identity reaches far beyond software licenses. I missed the seminar you attended but can see two focuses of possible solutions.

1. Surrogate identities - identities that are made from things that are valuable but allow the person to restart their identity if they are compromised (I am experimenting with machine locking i.e. using a PC hardware fingerprint as an identifier). A car key was such

2. One-time hashes - these one-time numbers can be calculated from private data, but allow second and third parties to deal with a person without obtaining their true private information.

In my mind, the worst thing to do is use biometric data, as once this is in the wild, anyone can use it for any reason and you have given up the most personal of data.

The area is a ticking bomb.
Cheers on the excellent article.
Ric
This is exactly why I am voting for Ron Paul
by MyRightEye October 31, 2007 12:18 PM PDT
He will champion our civil liberties like no other.

Please check him out without the help of the mainstream media
and you may also find you'll be voting for him.

Just Google Ron Paul.
Y2K a "nonevent"?
by Marc Myers October 31, 2007 12:46 PM PDT
Just to keep things honest, Y2K was a "nonevent" only because
thousands and thousands of IT professionals all around the
world spent years of their lives analyzing and fixing all the
programs that would have failed when the year rolled over. I
was one of them. Businesses took the threat seriously and made
the effort to protect themselves. If Homeland Security prevents
a terrorist attack, would that be a "nonevent"?

I was in charge of the Y2K project for a major corporation. I
worked for two and a half years prior to October 1999,
designing software to analyze 6,000 application programs,
writing specs for programmers to fix 2,400 of them, unit
testing, and system testing. As a result, there were only two
Y2K-related problems that occurred in 2000, instead of the
thousands that would have occurred without the millions of
dollars and years of effort invested to prevent them.
Breaches versus Legalized Data Sharing
by TJ McDonald October 31, 2007 12:50 PM PDT
Breaches = some privacy lost and potential identity theft to the consumer.

Don't these privacy breaches pale compared to all the data/information collection and distribution that goes on legally today?

Why is it that breaches get the 'privacy violation' headlines when it is really a small part of personal privacy violations? What data/information gets illegally obtained in a breach compared to what is already available?

Spam... is an irritant. Junk mail... is an irritant. Telemarketing... is an irritant. They are not violations of privacy. What is a violation of privacy is all the information sold, rented, shared, collected, assimilated and stored about each person spammed, junk mailed and telemarketed before the breach occurred.

Or am I missing something?
Who's Branches are you trying to Yank?
by wbenton November 2, 2007 11:22 AM PDT
There IS NO SUCH THING AS ONLINE PRIVACY... unless of course it's between two parties who have the utmost security in mind.

There are numerous ways to prevent leaks of your personal information, but there's NO WAY to guarantee online privacy... especially across the internet, unless it's strictly strong VPN encryption and authentication between two parties.

Other than that... This story is a Hoax at best... a VERY WET dream otherwise!

FWIW
Online Privacy
by johndawson66 November 3, 2007 8:28 AM PDT
Online privacy IS important. Services like Ultimate Anonymity ( www.ultimate-anonymity.com ), who have been around for over 10 years, are a good place to start. It's never too late to take control of your online privacy.
Hope others understand. Microsoft and Scriptlogic do
by Warren Hicks November 23, 2007 8:38 AM PST
That's normal. As an administrator I probably may give you a different look at the things that you may already know, but from a different angle. I felt it on my own back when I first joined the company I am currently working in. It's drastically hard to implement a comprehensive security and auditing plan if you're working within a domain network. The usual Windows auditing functionality works great when you need to set it up on a few computers within a small network. That's why it basically worked fine for us when we worked with NT4 domains. But when it comes to auditing your network with hundreds and thousands of computers, which sometimes are located in different separated network areas, it's impossible to manage everything effectively. Remote access to the event log through the snap-in works fine for a couple of machines but doesn't suit well when you need to look at what happens to permissions on that network printer we have in our remote site in Houston. Of course there are tools like dumpel.exe from the Windows 2000 Resource Kit Tools for administrative tasks http://support.microsoft.com/kb/927229 that allows you to dump remote event logs into a tab-separated file, or the EventCombMT tool http://www.microsoft.com/downloads/details.aspx?FamilyID=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en which is great for locating locked out accounts http://support.microsoft.com/kb/824209 and which just gathers event logs from several remote computers and dumps them into a single place. At first it looks better than nothing, but when it comes to revealing breaches that may be located on different sites and nooks within your network you realize you should've known better. Basically what I need to do is to make a scan to see if some of us in the IT team have unintentionally left some holes, or whether we are protected and may go drink some coffee. But the problem is that I don't usually know in which place which kind of breaches I need to look for.
I just want the system to show me which breaches I have and nothing more. But the key moment when you work with security auditing using the default functionality is that you should determine that *before* you start to get any results. And the most difficult thing is to configure it so that you'd get the information that you need to get for this particular audit or report. You know, with a simple file and folder audit you have to pass through at least a two-step procedure to start collecting auditing information from remote computers. You first create a special GPO or change your default domain policy, and then you have to define specifically which file objects you want to monitor, either via editing the ACL for the file system object within Explorer http://support.microsoft.com/kb/301640 or by editing the GPO, explicitly adding the file object to the audit list http://support.microsoft.com/kb/325898. Of course there's again a fancy auditpol http://support.microsoft.com/kb/921469 tool that eliminates some of this routine, but taking a look at the article says it all. It just solves one part of the problem while potentially leaving the other one open. You still have to script additional functionality yourself, adapting the basic use of a tool to your own needs. But any scripting is a matter of time. All in all it's better than nothing, but most of us, I bet, do prefer to use something else and get results quicker with less pain. Why spend a lot of time building this in-house when you can use a tool to do most of the work for you? Unfortunately, considering all of the work required using native tools, some just choose not to deal with security auditing at all. They think that they're saving time by not fussing with it. But, from my own experience, those issues will pop up exactly when you don't expect them.
Finally I decided that I just need something that would allow me to define any securable object that I want to gather security audit information from and be able to receive a security report. That wasn't an easy task, as I spent nights testing various approaches that implement what I want to get, and I found that the tool that tailors most of the tasks I defined is Scriptlogic's Enterprise Security Reporter http://www.scriptlogic.com/products/enterprisesecurityreporter/ . It implements functionality which is very close to what I was dreaming of. I can create any number of auditing tasks and define there various criteria based on the information I want to collect for this operation. This allows me to create a general, thorough scan of my domain security by collecting information about which shares I have on every file server within my domain. Or I can just narrow down the scope to a single site to see which holes are open there, or whether we have, say, some registry settings that may lessen our security. Sometimes even a single setting made on one computer for a single user may lead to a problem for the whole enterprise network. I find it very easy to check how long ago we last changed the password for that user and which security settings it has for access to that folder on that file server that we use to store our private data. It's way easier to collect audit information and make a report there in Enterprise Security Reporter. The tool collects its info into a SQL Server database, from which I then can get the data fed to print it on paper or save as a PDF document. I'd like to add that privacy also has the same properties: it has no color and you can't sense it. But it's that kind of nitty-gritty feature that you usually don't notice but that makes a lot of sense and is vital.
Add here the fact that I mentioned just one part of it, because sometimes you have to audit registry settings http://support.microsoft.com/kb/324739 , the state of Active Directory objects http://support.microsoft.com/kb/814595 , and you'll understand why we should operate globally by combining several methods and using centralized approaches such as that available within Scriptlogic's Enterprise Security Reporter. There's clear evidence that the number of processes that happen within your enterprise is simply physically impossible to track. That's why to me it looks reasonable to control security centrally using the approach implemented by Scriptlogic. So for me, I learned how important it is to think about your privacy in a more integral manner, to keep all the information about the private data at your fingertips.
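The comment above describes the two-step native procedure (enable object-access auditing by policy, then put audit entries on the specific file objects) and the chore of pulling the resulting Security-log entries from many machines into one place, as dumpel.exe and EventCombMT do. The script below is an added example written for this page; it is not the commenter's code and has nothing to do with Scriptlogic's product. It assumes Windows Vista/Server 2008 or later (where `auditpol`, `Get-WinEvent` and event ID 4663 "an attempt was made to access an object" exist), an elevated session with administrative rights on the listed file servers, and hypothetical names: `D:\PrivateData` for the folder and `FS01`/`FS02` for the servers.

```powershell
# Added example (not from the comment or from Scriptlogic): the two-step native
# file-audit setup described above, plus a small EventCombMT-style collector
# that pulls object-access events from several servers into one report.
# Assumes Vista/2008+ (auditpol, Get-WinEvent, event 4663) and admin rights.
param(
    [string]$AuditPath  = 'D:\PrivateData',     # hypothetical folder to audit
    [string[]]$Computers = @('FS01', 'FS02'),   # hypothetical file servers
    [int]$Hours = 24
)

# Step 1: make sure the "File System" object-access subcategory is enabled.
# In a domain this is normally set once through a GPO; auditpol does it locally.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# Step 2: add a SACL entry so that writes and deletes under the folder are
# audited for everyone, on success and on failure, inherited by children.
$acl  = Get-Acl -Path $AuditPath -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'Write, Delete',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure'
)
$acl.AddAuditRule($rule)
Set-Acl -Path $AuditPath -AclObject $acl

# Step 3: gather 4663 events from each server for the last N hours into one
# collection, instead of opening the Event Viewer snap-in machine by machine.
$since  = (Get-Date).AddHours(-$Hours)
$events = foreach ($c in $Computers) {
    try {
        Get-WinEvent -ComputerName $c -FilterHashtable @{
            LogName = 'Security'; Id = 4663; StartTime = $since
        } -ErrorAction Stop | ForEach-Object {
            # Pull the named fields out of the event's XML payload.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Computer   = $c
                Time       = $_.TimeCreated
                User       = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                Object     = $d['ObjectName']
                AccessMask = $d['AccessMask']
            }
        }
    } catch {
        # A server that is unreachable, or that has no matching events, is
        # reported rather than silently skipped, so gaps in the audit are visible.
        Write-Warning "$c : $($_.Exception.Message)"
    }
}

# Step 4: one consolidated CSV plus a quick who-touched-what summary.
$events | Sort-Object Time | Export-Csv -Path '.\file-access-audit.csv' -NoTypeInformation
$events | Group-Object User | Sort-Object Count -Descending | Select-Object Count, Name
```

Steps 1 and 2 only need to run once per server (step 1 is better left to Group Policy in a domain); step 3 is the part worth scheduling, and the warning in the catch block matters because a file server that stops answering is itself a gap in the audit trail.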