Privacy

"Computers and networks also promise to make George Orwell's Big Brother look like an amatuer." [CCD_A15]

Anonymity

Anonymity is something many users of the Internet believe is a right they do and should have. Although many 'net users are perfectly happy to have people know who they are, and how to contact them, there are others who do not wish such information to be disclosed.
Anonymous remailers that allow people to send electronic mail and post to newsgroups are one of the methods by which people maintain their anonymity. They work by removing the user's e-mail address and replacing it with an address at the remailer site which redirects to the account of the anonymous user. This means that although the user can be replied to through the remailer, they cannot be identified, as the redirection addresses are kept secret.

The anon.penet.fi Case

The most well-known remailer on the Internet was anon.penet.fi. It was in action for years before it was recently shut down by its owner and administrator, Johan Helsingius. He closed down the service due to legal problems with the service that were affecting his job and home life.
The English newspaper the Observer made claims that child pornography was being sent through the penet service. Police sergeant Kaj Malmberg from the Helsinki Police Crime Squad, a specialist in computer crimes, confirms that the Observer's claims were found to be groundless, and that Helsingius had restricted the operations of his remailer so that pictures could not be sent through it over a year before [PE1].
"These remailers have made it possible for people to discuss very sensitive matters, such as domestic violence, school bullying or human rights issues anonymously with confidentiality on the Internet. To them the closing of the remailer is a serious problem," says Helsingius [PE1]. The penet service had over half a million users. They will have to find alternate remailers to use from now.
Johan Helsingius and his company, Oy Penetic Ab, as owner of the anon.penet.fi service, became involved in a legal battle with the Church of Scientology over copyright material. The Church of Scientology claims that a user of the penet service posted copyright material, and demanded the real address of the offending user, supported by a Finnish court order after Helsingius refused to reveal the address on the basis that the confidentiality of an e-mail message is protected by law.
Helsingius appealed the judgement of the District Court of Helsinki that he must reveal the address based on the fact that the Finnish Constitution and the European Convention on Human Rights protect the information he is being asked to reveal. He believes that the confidentiality is similar to the confidentiality of information sources of the press.
The Court of Appeal issued a temporary injunction on the enforcement of the District Court of Helsinki judgement on September 20 1996 [PE2].

Encryption

Encryption is often used by 'net users who wish to make sure that their e-mail is secure from being read by anybody who might intercept it on its journey from their computer to its destination.
The most commonly used, and most secure, encryption forms use one-way encryption algorithms. These utilise certain properties of large prime numbers.

PGP

PGP, or Pretty Good Privacy, is a one-way encryption routine and piece of encryption software written by Philip Zimmerman, founder, chairman and Chief Technology Officer of PGP Inc. Zimmerman was under investigation by the FBI for several years for publishing PGP on the 'net where it was downloadable easily across national borders, contravening US law [CRN_A5].
PGP is said to have saved lives, where it has prevented police in totalitarian countries from collecting evidence on political dissidents. Zimmerman receives many letters of thanks from human rights organisations for making his software publicly available [CRN_A5].
The idea behind this is that a user who wishes to be sent encrypted mail generates a 'public key' and a 'private key'. The public key, they can give out freely without risk. This is what others use to encrypt messages or data destined for them. The public key is useless in attempting to decrypt the message. The private key, from which the public key is derived, is the only key which can be used to decrypt data encoded using the public key.
PGP is widely used by Internet users for encoding e-mail messages to keep them from being read by anyone other than the intended recipient.

US Export Law

The USA has laws in place which govern the export of encryption software, methods, or routines. These rules mean that the US version of a software product which utilises encryption (if it uses a key longer than 40 bits), may not be exported. An export version must be created, or the software may not be exported.

Clipper

The US government proposed a chip, known as the Clipper chip, last year, which would allow safe, easy encryption for all users of the Internet in the USA. The Clipper chip was going to include a 'back door' to allow law enforcement to gain access to users' e-mail for the purpose of criminal investigation. The suggestion that this would be a mandatory addition outraged 'net users both in America and the rest of the world where users were afraid that similar policies might follow in their countries if the US pioneered it. Clipper is on hold at the moment.

Dissemination of Private Information


UCC

UCC Students complained to the Irish Times about privacy questions raised by a new database on the Web for finding e-mail addresses of staff and students earlier this year. When given a specific surname, for example, the search engine would return a list of all matching students with their e-mail addresses. Since usernames are the same as ID numbers at UCC, this meant anybody could obtain students' ID numbers and use them to obtain other information about them. For example, the UCC library's online database allows you to view personal details from home and term addresses to library fines, provided you know the student's name and ID number [ITC_O7_b].

Internet Eireann & Indigo

In late June this year, Indigo and failed Service Provider Internet Eireann (not to be confused with the relatively new Irish ISP, Internet Ireland) were at the centre of great controversy. When Internet Eireann went out of business, both Ireland Online (IOL) and Indigo offered to honour the subscriptions of Internet Eireann customers left without an account part-way through their subscription.
Indigo was, it turned out, given the password file containing all the usernames and passwords (encrypted) of the users of Internet Eireann. Indigo used this password file to add Internet Eireann users' accounts to their system. The file was found in a publicly accessible area of Indigo's system (in a directory accessible using Indigo's anonymous ftp server). Indigo said the file was inadvertently moved there during system maintenance in April, but later said it had been copied there in February, shortly after Internet Eireann's collapse, a fact supported by the timestamp (suggesting the last time the file was copied or moved) on the file which was picked up from the server by the Irish Times.
This file contained username/password pairs which were still in use on Indigo's system. Some of these passwords were easily cracked using a program very easily found on the Internet, called Crack.
Colm Grealy of IOL said, "When we made the offer .. we took this all in good faith ... and presumed that people wouldn't abuse it ... We issued them with new user names and passwords." He said IOL "were certainly not offered" Internet Eireann's user database or any information contained within it. "We took a view at the time when Internet Eireann went into difficulties that its major asset was its customer database, so it was no longer up to the company itself to dispose of that asset once it went into liquidation." [ITC_J1].
Obviously, such a security breach should never have happened. Having someone's password would allow anybody to access their account, read their e-mail, send e-mail in their name, perhaps gain access to sensitive data, and change their web pages.

State Records

Some state and local governments in the US are coming under fire for selling databases of information on residents. The county of Los Angeles has been involved in legal controversy regarding its plans to sell electronic access to court records, offering access for a one-time fee of $49,000 and 20-40 cents per access thereafter. Some groups such as the IAA (Information Industry Association) are for the dissemination of all public records. INK [INK] offers access to several thousand state databases, mostly free, and some for a fee [COW_A19].

Unlisted Numbers

In April, Yahoo! [YAH] and Database America Co. caused uproar when they provided electronic access to a database of 90 million private US telephone numbers online through the web. The list included unlisted home numbers, among which were home telephone numbers of people such as police officers, judges, and prosecutors who's lives might be in danger if it was discovered where they lived [COW_A29].

Social Security Numbers

Lexis-Nexis caused huge controversy in the USA in September when it became known that it was electronically publishing individuals' Social Security numbers and maiden names on a new proprietary online service, P-Trak. The list actually sells people's names, current and previous addresses and phone numbers, and previous names (such as maiden names). This information is easily available elsewhere according to company spokeswoman Judi Schultz. In fact, the service did distribute social security numbers for 11 days during June, however this has been removed from the service [COW_S23]. "Because it's the bullwark of legal identity in the U.S., a Social Security number can gain a snooper access to credit-card numbers, securities data the works," said Joseph Seanor, president of investigation firm Cibir Corp. In Alexandria, Virginia in [COW_A12].

Cookies

Cookies are used to store information about you, your web usage, preferences and so on locally on your machine. When you visit a site, it may send details about anything you have entered in a form, or where you have been in the site, or whatever the owner of the site pleases, to your machine to be stored in a 'cookie'. When you visit the site again, it may check to see if it has previously stored a cookie, and, if so, access and make use of this information. The browser is allowed to pass a cookie only to the site that created it, fortunately.
Some search engine sites are utilising cookies to personalise what they return when you make searches based on previous searches showing what you are likely to be interested in. Other sites use cookies to attain much better measures of how many different users have visited their sites than were previously possible by means of storing a cookie assigning each user a unique identification and checking this when a user visits the site.
Privacy issues have been raised about the storage of such data without the knowledge of the user, however, any information stored can only be information volunteered by the user (and not made available to any other sites), or information about their usage. This cannot logically be considered an invasion of privacy, especially as the user can remove cookies on their system with relative ease if they wish [DTC_J30_b].

Advertising


Unsolicited E-mail

Junk e-mail is the bane of many 'net users' lives. Long-time Internet users who were online reading newsgroups, using IRC, role-playing in MUDs, MUCKs, MOOs, MUSHs and other online games (like the old "go north", "get lamp" text adventures of old, but with other real people in the game), and using UNIX 'ftp' to retrieve files long before advertisers hit the online media find the change to huge commercialisation highly irritating when it forces its way into their private e-mail boxes.
Unsolicited junk e-mail is actually illegal in America, however this does not seem to stop the occurrence of this plague of the 'net. It is understandable, and reasonable, that you can expect ad banners on web pages which are offering content.
Internet users world-wide were shocked recently when they received junk e-mail which seemed to be offering child pornography for sale [DTC_O29_b]. It turned out that this was a hoax, however it caused uproar. Interestingly, "Under the American Communications Decency Act, struck down by a Philadelphia court this summer but awaiting review by the Supreme Court, it would have been illegal to receive such a message in America" [DTC_O29_b].

Web Advertising

"Advertising revenue on the World Wide Web soared 83 percent in the first half of the year, and the Internet is set to become a $5-billion-a-year commercial medium by the year 2000..." [ITC_S9].
It is the advertising that funds the content being brought to you. If not for the advertising funding the plethora of free 'net services, you would have to pay to subscribe to a service such as, say Alta Vista [ATV] in order to search the 'net for information. Considering this, the advertising now rife on the 'net is bearable and understandable. It is also not shoved in you face the way that unsolicited e-mail is. If you don't want to see it, you don't have to view pages that have ads on them, however unrealistic that may be.

Biometrics

Barclays bank has been investing in research into the use of 'biometrics', the measurement of physical or behavioural patterns unique to each individual, for use in making its banking facilities more secure. The preferred method is finger scanning, which involves placing the finger on a camera lens and fingerprint characteristics being compared to stored information. Security issues of fingerprint details being available electronically, Barclays insist, are non-issues. They claim the information cannot be used to reconstruct a fingerprint usable for fraud, and also propose to encode the information on a personal card rather than storing it on a mainframe, so the customer is in control of their own information. This would seem to bring up issues of fraud being carried out by altering the information on the card.

Reference: [DTC_M28]

Caller ID

Caller ID: the transmission of the number of the caller so enabling the person being called either to check what number was the source of the last call they received (whether they picked up or not), or, with some systems, to have the number displayed on the phone at the time of the call.
British Telecom's 'Calling Line Identification' (CLI), is a Caller ID system which allows anyone using their service to dial 1471 to get the number of the last call made to their line. It gets 8 million calls per day. They also have a system by which the number can be displayed as the phone rings, but this involves buying a piece of equipment for about 50, which few have availed of. Privacy issues are associated with the system. Some people are unhappy about their numbers being transmitted.
This issue has been tackled by some services allowing users to block transmission of their numbers, however, this may cause problems for them in future as a facility is being introduced to allow people to block 'anonymous' calls unilaterally.

Reference: [DTC_J30]


[Main Page]

[Privacy]

[Censorship]

[IP]

[References]

[Acknowledgements]


© Stephen Jacob stjacob@tcd.ie, 1996. All rights reserved.