The rise of the Internet has resulted in many important issues being raised. One of these major issues relates to privacy and security concerns.
These issues are important for organizations to consider for several reasons: firstly, because private employee information is recorded on computers; secondly, because organizations have their own important information recorded on computers; and thirdly, because many organizations conduct business over the Internet via an informational home page or by Internet retailing.
The question of security will become an important one for organizations and will likely become the responsibility of the human resource department in many organizations, with the questions of security and privacy an extension of information systems generally handled by the human resource department (Bernardin & Russell).
In this paper, the privacy and security issues that arise from the Internet will be investigated. Recognizing that the Internet is relatively new and rapidly changing, the investigation will be completed with an eye to the future.
Firstly, I will discuss the modern history of the Internet and how it relates to privacy and security concerns. I will then discuss several key security and privacy issues relevant to organizations. I will then briefly discuss the protection options available to deal with these issues.
THE INTERNET AND PRIVACY & SECURITY
Privacy is not a new concept, but one that has been of importance to people for centuries.
The advent of the Internet, however, is taking privacy issues to a new level. Privacy is described as “the ability of individuals to determine for themselves when, how and to what extent information about them is communicated to others” (IBM).
Security also becomes of wider concern. With the importance of the Internet and information technology to society, it becomes a tool that can be used against national security, against individuals or against organizations.
As well as this, the mass of information available on the Internet can be misused.
The Internet has become a profound part of our society, impacting on every aspect of it. With this wide impact, security issues reach out across various topics and take on various forms.
Also relevant is the fact that the Internet remains in its infancy, with the Internet revolution described as “one that experts estimate is less than 10 percent complete” (IBM).
As the Internet grows and changes, new security and privacy issues will appear. As the environment changes, the privacy and security issues will be reconsidered.
There is no doubt that the issues the Internet creates are likely to change, as the Internet and society continue to adapt to each other. Even recognizing this, by assessing the issues now we can begin to see their current impact and also their future direction.
SECURITY AND PRIVACY ISSUES
Everyone is under threat from hackers, from organizations, to government information, through to individuals. The reasons for hacking vary as widely as the victims of hacking:
“crackers are not necessarily after secret files or valuable corporate data, many just want a machine – fast. Most victimized machines are merely launch pads for other attacks” (Tanase). Essentially, hackers hide themselves by operating through a chain of machines.
Reasons for hacking are extremely varied and can include accessing information, changing information records and launching viruses.
For the organization, information may be extracted to be used against the organization. This information could then be used in various ways. Disgruntled employees may seek information to use against the organization.
The threat of misuse also depends on the nature of the organization. A university, for example, faces the threat of students changing their results records, while an organization involved in controversial issues, such as a gun manufacturer, may be threatened by anti-gun protesters. Hackers may also operate by damaging company web sites.
The reasons for and forms of Internet hacking crimes are just as varied as those of typical crimes.
As the Internet becomes more widespread, Internet crimes may come to mirror all crimes. For example, just as a disgruntled employee may vandalize their place of employment, a disgruntled employee may vandalize the organization’s web site.
Current Effect on Business
Hacker attacks are the largest threats for governments and businesses, with ninety percent of businesses and governments suffering hacker attacks each year (Krebs).
Of those businesses, only one third were willing to report the attacks to the FBI (Krebs).
Eighty percent reported financial losses as a result but the majority were not willing to quantify these financial losses (Krebs).
The majority of organizations and government departments do suffer from security breaches. It is also noted that not all of these come from hackers; a major component also comes from company staff. The fact that the majority are not willing to report or verify the problems is an indication that this is a problem that is thought to be significant as well as damaging.
Organizations generally avoid reporting such problems to avoid alarming shareholders, while government departments avoid public concern. With shareholders and the public warranted in their right to know of these breaches, it is likely that such breaches will in future be required to be reported.
The reality is that these threats cannot be ignored. A study by the National Institute of Standards and Technology recognized that “information and the systems that process it are among the most valuable assets of any organization. Adequate security of these assets is a fundamental management responsibility” (NIST).
The report by the National Institute of Standards and Technology provides a framework for determining a security system program. The needs of the programs are twofold:
“Agency programs must: 1) assure that systems and applications operate effectively and provide appropriate confidentiality, integrity, and availability; and 2) protect information commensurate with the level of risk and magnitude of harm resulting from loss, misuse, unauthorized access, or modification” (NIST).
This considered system and approach to determining a security program may mirror how organizations will approach security considerations in the future.
It is also noted that “many organizations and consumers are only just beginning to realize the value of applied information technology and the increased efficiency and effectiveness of innovations in data collection and management” (IBM).
With increased realization will come increased use of information by organizations, and with this increased use will come a greater need for privacy and security considerations.
Information on the Internet
The Internet is also capable of infringing on a person’s privacy as a publisher of information.
We can see the Internet as a tool for communicating information, just as television, newspapers and other media are.
The difference with the Internet is that the information published is not as well controlled.
With television and newspapers, controls are in place to determine what will be communicated. It is generally not possible for a person to publish information without it being verified in some way.
However, with the Internet, a person can publish and communicate messages to people from all over the world with no requirement to have checks on the information.
Essentially, the Internet allows anyone to say anything, and to say that anything to a lot of people.
This means the Internet can be used as a tool to defame others.
A recent court case shows that this does happen. The case is described as follows:
“A state-court jury awarded $3-million Tuesday to a University of North Dakota physics professor who sued a former student for libel after she accused him in an online article of being a pedophile. The professor, John L. Wagner, 41, filed his lawsuit after an article titled “Kinky, Torrid Romance by Randy Physics Professor” was published on the Web site Undnews.com” (Bartlett).
This example shows how information on any subject can be widely published on the Internet. The guilty verdict indicates that the law does consider this to be a case of defamation.
The ease of publication on the Internet and the difficulty in controlling it is also evidenced by the fact that the article is now posted on another web site (Bartlett).
This situation is one that may find controls placed on it in the future, controls that act as a safeguard for what can and cannot be published on the Internet as fact.
The guilty verdict in this case also leads the way for other defamation claims to be made and defamation laws to be determined for the Internet.
While this is a case against a person, it is also possible that this same type of defamation could be carried out with regard to an organization, its products or its services. It is feasible that a disgruntled customer could publish damaging reports about the company.
The possibilities of using the Internet for illegal advantages include scams as new and ingenious as the Internet itself.
One opportunity that is not currently illegal, though it is concerning, is using one piece of software as a means for distributing another.
One example that is causing universities concern is KaZaA, software that is used to store and swap video clips and MP3 files. This software is specifically targeted at students and is downloaded by large numbers of students. It has been reported that this software has “software attached to it that could allow the company to use student computers and university bandwidth for commercial ventures, such as serving Internet advertisements or selling computer storage space” (Carlson).
While this is not an illegal process, it is a misleading one for the user. It also shows how technology can be used for purposes other than those for which we purchase it. This is important because this is one way information can be hidden within programs, and there is potential for this to be used illegally in the future. It is also said that universities are specifically targeted because they have a considerable amount of unused hard drive space (Carlson). This could apply equally to many organizations, so organizations may also become a target of these programs in the future.
SECURITY AND PRIVACY PROTECTION
Security programs currently consist of two main types. The first is antivirus programs, which prevent damaging computer viruses from being received. One of the most interesting things about these programs is that they require constant updating.
These constant updates illustrate how quickly virus concerns change. Essentially, one group of people is constantly creating new viruses, while a second group remains alert to these viruses and creates antidotes for them.
The second type of security program is firewall software. Firewall software prevents hackers from accessing a computer. Just like antivirus programs, these programs are constantly upgraded to keep up with changes in hacker technology.
Security and Privacy Consultants
Security and privacy concerns have also created a new industry of consultants, who offer advice, personnel and systems to governments, organizations and also individuals.
An example of one of these firms is Rent-A-Hacker, whose company profile reads as follows:
“Rent-A-Hacker was formed to afford anyone the means to protect their valuable information assets. Unlike most Cybersecurity firms whose goal is to sell you security products, our focus is on auditing, detection and proactive prevention” (Rent-A-Hacker).
To achieve these goals, the organization makes use of experts in Internet security and in hacking. This organization is an example of where the future of Internet security may lead.
With experts developing new ways to breach Internet security, software programs may no longer be enough. A defence system of equally effective experts may be the only way to combat hackers and other breachers of both security and privacy.
The Government plays an important role in affecting privacy and security concerns and does this on two levels. The first is in its role in setting the rules for the private sector. The second is in establishing guidelines for the government’s own use of information (IBM).
With the broad implications of the Internet it is also recognized that government control becomes essential: “the growing interconnectedness of society underscores the need for government officials to understand the broad implications of the Internet and the information technology revolution” (IBM).
The government meets this challenge by producing a set of internationally-accepted principles; these principles were developed by the Organization for Economic Cooperation and Development and are known as the OECD guidelines (IBM).
These guidelines include ‘fair information practices’ for organizations that outline appropriate security of data and disclosure of data practices (IBM).
IBM describes the US security and privacy measures, saying:
“The US has legislatively-required protections in focus areas: government, credit reporting, banking and finance, health, and children’s information. In other commercial areas, such as retail and online marketing, the US relies on its common-law traditions coupled with industry responsibility and leadership to chart the way” (IBM).
The legal component of the Internet is handled largely by the Computer Crime and Intellectual Property Section of the Department of Justice. The actions of the section are described, saying:
“Section attorneys advise federal prosecutors and law enforcement agents; comment upon and propose legislation; coordinate international efforts to combat computer crime; litigate cases; and train all law enforcement groups. Other areas of expertise possessed by CCIPS attorneys include encryption, electronic privacy laws, search and seizure of computers, e-commerce, hacker investigations, and intellectual property crimes” (CCIPS).
Legal protection in the US is wide and varied, covering a variety of issues that the Internet relates to.
This includes the considerations of e-commerce, covering topics including Internet gambling, online sales of healthcare products and consumer protection (CCIPS).
Laws also exist relating to computer crimes. These crimes include cyberstalking, Internet fraud, child pornography and identity theft (CCIPS).
Another industry that reflects the rising importance of Internet security is the insurance industry.
Policies purchased for 2001 were worth just under $100 million, with this figure expected to rise to at least $1 billion by the year 2007 (Salkever).
The policies available for organizations include protection from “virus attacks, denial-of-service assaults, cracking into company systems, and Web-site defacements. Some companies even write policies that cover cyber-extortion, where an online intruder or an insider steals crucial data such as customer credit-card files and demands a payoff. The rising tide of lawsuits against companies whose employees have used corporate e-mail inappropriately has also caught the attention of e-insurers” (Salkever).
It is also noted that with the insurance industry becoming a major part of Internet security, they will have the opportunity to shape the computer security business.
This will occur by insurance companies defining what types of security products and practices are acceptable. Following this, premiums will differ based on what software protection systems are used, effectively rating product systems and influencing the business consumer’s choice.
This is also expected to affect business, with e-insurance becoming a requirement: “as cyber-insurance goes from exotica to a business necessity, the computer-security industry will have to adapt to keep the insurers happy” (Salkever).
There is certainly potential for insurance companies to influence both the coverage required by organizations and the products and actions required to attain this coverage: “that’s the wave of the future, as insurers exert even more pressure on the technology practices of any company wishing to insure this increasingly important facet of business” (Salkever).
Also recognized is the possible relationship between insurance companies and security products with it being argued “that insurers will demand responsibility from software companies for flaws in their products — and that they’ll have the legal firepower to hold the software outfits accountable” (Salkever).