Rights
learning + networked society + dossiers + extra
home + what's new + index + comments + rss feed

CECUA and ICT Round Table#2 present a draft paper on

Privacy and Security
Issues and Recommendations

Introduction

The essence of problems related to privacy and security lies not so much in the nature of the information itself but in our perception of it, the use it is put to and the value we or others may hope to get out of it. Your photo might be something quite private that you don't want anyone to see. On the other hand, you might sent it by e-mail to a trusted friend. You might publish it on your Web pages or you might even sell it to a magazine. Much depends on the status you and others give it. Certain categories of "information" are collectively recognised as "sensitive", generally those that define your person and that of your family, things that concern your financial and working status, your health, your habits, your preferences, your acquaintances.
[We have chosen not to approach the question of security from the point of view of the reliability of systems also this quite clearly is an issue.] [Unfinished]

The rules of the game

All information provided in an on-line transaction - whether it be sending e-mail, filling in a form, paying for something or publishing Web pages - is accompanied by a series of conditions concerning what the Recipient may or may not do with this information. In many cases, there are no hard and fast rules concerning such conditions. They are more or less tacit, rather like the conventions governing the non-disclosure of the contents of a personal letter. Such rights and obligations depend very much on the perception of the Owner of the value of the information he or she is providing and what he or she thinks should or should not be done with it. They also depend on the awareness of the Recipient of the conditions and his or her readiness to comply with these conditions and/or the ability of the Owner to impose them. This situation is not clearly understood by the general public and this lack of clarity is to the detriment of secure on-line exchange that respects privacy.


Conventions concerning behaviour related to security and privacy on the network should be made more explicit by openly developing and publicising codes of practice.

The actors

A number of actors are directly involved with issues of privacy and security.

  • The Owner
    The person the information belongs to, either because it is personal information about him or her, because he or she created it or because he or she has acquired the rights to use it.
  • The Recipient
    The one the information is made available to. It could be a customer interested in receiving a document, a company receiving credit card information to finalise a sale or a government body requesting personal information as part of an on-line service.
  • The Carriers
    Those that transport the information from the Owner to the Recipient. Types of Carriers include access providers and telecoms.
  • The Providers
    The intermediary who makes Owner information publically available as in the case of Web Sites. [What is their liability?]
  • The Trespasser
    The person or the software that listens in intentionally or by accident on Carrier lines to messages not addressed to him, her or it, or who enters the Owner's private space or that of the Provider and takes or modifies material, whether the Owner is aware of it or not.
  • The Legislator
    Those that set the rules governing some aspects of information supply and its abuse; rules generally applicable to everybody, rather than specific "local" conditions dictated by the Owner. [There is clearly a very tricky problem here of dictating limits to access to information and consequent censorship!]
  • The Police
    Those whose job - in certain circumstances - is to intervene, if the rules of the game are not respected.

Carriers should have no right to access information they transport.
Carriers should not be liable for the contents of information they transport.
[A recommendation about respecting Owner's rights on his or her information even in the case of "accidental" trespassing.]

The "goods"

There are two general categories of information:

  • Exchangeable material
    All information "goods" are governed by a set of conditions for the Recipient. Although these conditions are not always clear, they can be conveniently used to categorise the "goods":
    • No strings attached
      The Recipient is free to do what he likes with it. Rather like "freeware", you can take it and use it as you like.
    • [... more to come...]
    • Personal
      The information is for the Recipient only and should go no further. Most personal e-mail falls into this category although it is not always clear whether you can forward it on to someone else or not.
    • Personal ID material
      Personal material generally about the identity of the person - possibly including perhaps personal preferences - that is made available to a specific person or company as a necessary part of a transaction like electronic payments or the use of forms.
  • Private material
    Private material that is not accessible to anybody but the person him or herself. Most of this material may well not be of any strategical importance to the person and of seemingly no interest to most other people.

The "packaging"

  • The envelope
    For the vast majority of transactions some form of low level encryption - comparable to the envelope - is needed as a dissuasion to unwanted intrusion.
  • Strong encryption
    Clearly strong encryption is an essential ingredient of on-line commerce as well as many services. Individuals should be free to encrypt their information should they chose to do so.
  • Watermarking
    [To be completed]

Generalised use of strong encryption for all on-line transactions is neither necessary nor desirable.
A form of standard low-level encryption aimed at initial dissuasion of intruders should be made widely available.
The decision to use strong encryption or not should be up to the individual.
An effort needs to be made to make the general public aware of the possible risks incurred in supplying personal information over the Net. [confidence also necessary|
In transactions involving the provision of information over the Net - whether it be personal or published - conditions governing the use of that information by the receiver need to be made more explicit.
A general framework for the above mentioned conditions might be laid out in codes of practice to which commercial actors could adhere. A similar framework, taking the form of "best practices" might be introduced for transactions between individuals.

Disclosing personal information

Currently, providing personal information over the network is at your own risk. Yet certain transactions would be impossible without it: electronic payment for example. Two risks are involved in commercial transactions:

  • The information be intercepted during transport and used by the unlawful recipient
  • The information be used by the Recipient for something other than the transaction underway, i.e. creating a data base of customer preferences to be subsequently sold to others.

When a person is obliged to provide personal information during an on-line transaction, the security of such a transaction should be guaranteed.
The person providing personal information in an on-line transaction should have the right to refuse to provide information not essential to the transaction.
The person providing personal information during an on-line transaction should have the right to refuse that that information be used for anything other than that transaction.

Compulsory disclosure of personal information is generally the case when dealing with administrations. The Owner is required to provide information about herself which is often not necessary for the current transaction. Until recently, it was tacitly accepted that administrations had the right to gather such personal information for statistical purposes. In most European countries guidelines have been laid down governing how such information may be used. Attitudes are changing however as are the role of governments. More and more public services are being privatised and such information is increasingly seen as a potential source of income.

Incursion into your private sphere

What happens when software like Java has access to information from within your "private sphere" and makes it available to others over the Net?

Share or comment
| More

learning + networked society + dossiers + extra
home + what's new + index + comments + rss feed


ISSN: 1664-834X Copyright © , Alan McCluskey, info@connected.org
Artwork & Novels: Secret Paths & PhotoBlog - LinkedIn: Portfolio - DIIGO: Links
Created: May 23rd, 1996 - Last up-dated: May 23rd, 1996