Web Security and Privacy: An American Perspective


L. Jean Camp
Kennedy School of Government, Cambridge, Massachusetts, USA

Browsing the Web gives one the heady feeling of walking without footprints in cyberspace. Yet data surveillance can be both ubiquitous and transparent to the user. Can those who browse the Web protect their privacy? And does it matter if they cannot? I offer answers to these questions from the American legal tradition. The American legal tradition focuses on a right to privacy, rather than a need for data protection.
To answer these questions I begin by delineating the differences among privacy, security, and anonymity. I then discuss what information is transferred during Web browsing. I describe some of the available technology for privacy protection, including public and private key cryptography and Web proxies. I then describe the American tradition of privacy in common, statutory, and constitutional law. With the support of this tradition, I close by arguing that although privacy in Web browsing has no current legal protection in the United States, the right to privacy in the analogue equivalents has been recognized in the American legal tradition.

Keywords: autonomy, law, privacy, Web
DEFINITIONS
In a seminal work on computer security, Prof. Denning (Denning, 1982) declared that "Security is privacy." The confusion between privacy and security remains with many in the computer security community. Privacy requires security, because without the ability to control access and distribution of information, privacy cannot be protected. But security is not privacy.
Information is secure if the owner of the information can control that information. Information is private if the subject of that information can control its distribution and access.
Received 2 September 1998; accepted 25 January 1999.
Address correspondence to L. Jean Camp, PhD, Kennedy School of Government, L 213, JFK Street, Cambridge, MA 02138 USA. Web page: http://www.ksg.harvard.edu/people/jcamp/home.html. E-mail: Jean_Camp@harvard.edu
Anonymous information is information that cannot be associated with a specific individual. Since anonymous information has no subject, anonymous information is private. Anonymous records may contain detailed, personal data and still create no threat to privacy. For example, the Hite Report on human sexuality (Hite, 1976) contained information on private intimate practice. Yet because that information could not be linked with any individual, there was no threat to privacy. Anonymity ensures privacy. Anonymity requires security.
Security is often confused with privacy because security is concerned with confidentiality. Confidential information is not disclosed to unauthorized parties. Contrast this with private information, which is not disclosed without the consent of the subject. Security can be used to limit privacy by preventing the subject of information from knowing about a compilation of information, or to violate privacy by using data in ways that do not coincide with the subject's wishes.
Security has three goals: integrity, authentication, and confidentiality. Availability or survivability is also frequently a security goal, although in some systems shutting down is an appropriate response to an attack.
Integrity means that information is not altered. Information has integrity during transmission if the recipient can be certain that the information was not altered in transit: what is received is exactly what was sent.
Integrity also means that information is not altered during storage. A stored file that has integrity can be assumed to have been unaltered by any but authorized users.
Authentication means establishing user identity or other attributes of interest. Authentication is necessary for access control. For example, on the Web the attribute may be the user's right to spend an electronic dollar or to access a controlled file.
Authentication enables access control. Access control defines individual rights to view or alter individual objects.
Files or fields can have different levels of access. Table 1 offers an example of access control for a hypothetical medical record. Note that access control can protect privacy as well as integrity by limiting read access as well as write access.

[The Information Society, 15:249–256, 1999. Copyright © 1999 Taylor & Francis. 0197-2243/99 $12.00 + .00]

TABLE 1
Access control list for a hypothetical medical record

Party        AIDS status   History of drug use   Medication prescribed   Medication administered
Patient      Read          Read/write            Read                    Read
Doctor       Read          Read/write            Write                   Write
Nurse        None          None                  Read                    Write
Laboratory   Write         None                  Read                    Read
Access control creates privacy conflicts. Access control can protect privacy by keeping records of who used the data about a specific individual. Access control can limit privacy by keeping track of data use by a specific individual. For example, if every record written by a nurse were authenticated by that nurse, then it would be trivial to track the nurse's behavior in detail. Thus patient privacy would increase, but the nurse's workplace would become a place of constant surveillance, reducing the nurse's privacy.
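The following is an added example, not code from the original article: it enforces the rights of Table 1 on a record object and keeps the audit trail that the paragraph above describes. The role names, field names and actor identifiers are assumptions chosen for illustration. The two query functions at the end show the conflict in the text directly: the same log answers "who touched the patient's AIDS status?" and "what did this nurse do today?".

```python
"""Access control list for the hypothetical medical record of Table 1.

Added example (not part of the original article). Rights are transcribed
from the table; "Read/write" is the union of read and write, "None" is the
empty set. Every check is logged, allowed or not.
"""
from dataclasses import dataclass, field

FIELDS = ("aids_status", "drug_history", "prescribed", "administered")

# (role -> field -> set of permitted actions), from Table 1.
ACL = {
    "patient":    {"aids_status": {"read"},  "drug_history": {"read", "write"},
                   "prescribed": {"read"},   "administered": {"read"}},
    "doctor":     {"aids_status": {"read"},  "drug_history": {"read", "write"},
                   "prescribed": {"write"},  "administered": {"write"}},
    "nurse":      {"aids_status": set(),     "drug_history": set(),
                   "prescribed": {"read"},   "administered": {"write"}},
    "laboratory": {"aids_status": {"write"}, "drug_history": set(),
                   "prescribed": {"read"},   "administered": {"read"}},
}


@dataclass
class MedicalRecord:
    fields: dict = field(default_factory=lambda: {k: None for k in FIELDS})
    # Audit entries: (actor, role, action, field, allowed)
    audit: list = field(default_factory=list)

    def _check(self, actor, role, action, name):
        """Look the request up in the ACL and log it, then allow or refuse."""
        allowed = action in ACL.get(role, {}).get(name, set())
        self.audit.append((actor, role, action, name, allowed))
        if not allowed:
            raise PermissionError(f"{role} may not {action} {name}")

    def read(self, actor, role, name):
        self._check(actor, role, "read", name)
        return self.fields[name]

    def write(self, actor, role, name, value):
        self._check(actor, role, "write", name)
        self.fields[name] = value


def who_touched(record, name):
    """Successful accesses to one field: the side of the audit trail that
    protects the patient."""
    return [e for e in record.audit if e[3] == name and e[4]]


def activity_of(record, actor):
    """Everything one actor attempted, allowed or not: the side of the audit
    trail that puts the nurse under surveillance."""
    return [e for e in record.audit if e[0] == actor]
```

Note that the doctor's "Write" on the medication fields is write-only under a literal reading of the table; a doctor who needs to re-read a prescription would have to be granted Read explicitly, which is the kind of decision an access control designer makes one cell at a time.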
Availability is also an issue in access control. Availability means the information and system are usable. Availability is limited by "denial of service" attacks. If an attacker can change the access control list, that attacker can deny access to critical data. For example, an attacker could replace a password field with random data, thereby denying access until the cause of the problem is determined and new passwords issued to all. If the database so attacked were used to violate privacy, privacy would be protected while security is compromised.
A system that maintains availability while under attack exhibits survivability. Systems with survivability exhibit graceful degradation in the face of attacks. An example of a system with survivability is the Morris worm incident, where the Internet slowly lost the ability to provide service but was never completely destroyed. Compare this to an incident on the West Coast, where on 2 July 1996 an outage that hit 4 million people was caused by a power line that hit a tree, an isolated incident that cascaded to cause a widespread blackout (Western Systems Coordinating Council, 1996).
Security has a set of tools that can be used to meet these goals. Cryptography in particular is a tool of computer security that is often itself confused with computer security.
A brief sketch of three types of cryptographic tools is necessary for discussion of Web privacy and security: hash values, public key cryptography, and private key cryptography. Hash functions provide compression of information. Secure hash functions compress information into an unpredictable value of fixed size. Collision-resistant hash functions (often loosely called "collision-free", although no function that maps long inputs to short outputs can be free of collisions) make it infeasible to find two inputs with the same hash value. Collision-resistant hash functions provide the ability to verify information without exposing it: a party holding only the hash can check a later-disclosed document against it.
In private key encryption there is one mathematical key that both encrypts and decrypts. Thus private key cryptography is also called symmetric cryptography.
Public key systems can provide authentication, access control, and integrity. Public key systems provide integrity through the use of digital signatures. A digital signature is, in its simplest textbook form, an encryption with the secret key; in practice it is the hash of the message, not the message itself, that is signed. It can be decrypted with the publicized key, so anyone can verify that the message has not been changed. Anyone who alters the document cannot then sign it with the secret key, so the integrity of the message and the authentication of the initiator are ensured.
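The sketch above, worked through in code as an added example that is not from the original article: a collision-resistant hash, a signature made by "encrypting" that hash with the secret key, and verification with the public key. It uses textbook RSA with two fixed primes chosen here for illustration (an assumption, far too small for real use) and omits the padding scheme a deployed signature needs, so that the arithmetic the paragraph describes is visible.

```python
"""Hash, sign, verify: the three tools sketched in the text.

Added example, not code from the original article. Textbook RSA over a
tiny fixed modulus; real deployments use 2048-bit or larger keys and a
padding scheme such as RSA-PSS, both omitted here so the mechanism shows.
"""
import hashlib

# Toy primes, an assumption for illustration only (104729 is the 10000th
# prime, 2147483647 is 2^31 - 1). Never use fixed or small primes in practice.
P, Q = 104729, 2147483647
E = 65537                      # the customary public exponent


def keygen(p=P, q=Q, e=E):
    """Return (public, secret) as ((n, e), (n, d))."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)         # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def digest(message: bytes, n: int) -> int:
    """SHA-256 of the message, reduced into Z_n so the toy modulus can
    sign it. Signing the hash is what makes the scheme independent of
    message length."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, secret) -> int:
    """'Encryption with the secret key', applied to the hash."""
    n, d = secret
    return pow(digest(message, n), d, n)


def verify(message: bytes, signature: int, public) -> bool:
    """'Decrypt' with the public key and compare with a fresh hash of the
    received text; any change to the text or the signature fails."""
    n, e = public
    return pow(signature, e, n) == digest(message, n)


def commit(message: bytes) -> str:
    """Verifying without exposing: publish the hash now, reveal the
    document later, and anyone can check that it is the same document."""
    return hashlib.sha256(message).hexdigest()


def check_commitment(message: bytes, commitment: str) -> bool:
    return commit(message) == commitment
```

A forger who changes one byte of the message changes its hash, and without d cannot produce a value that the public exponent maps back to the new hash; that is the "anyone who alters the document cannot then sign it" property in the text.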
BROWSING AND PRIVACY
There exist security tools and security goals. Security tools can be used to enhance privacy. Tools exist to protect privacy and confidentiality. What is the state of Web privacy? It is neither ideal nor improving. The technology of privacy violation moves more quickly than the policy or technological responses.
Consider the information transferred in the process of browsing on the Web. Browsing information depends on the policies, practices, and physical configuration of the user's Internet Service Provider (ISP). The configuration of the browser's system and other technical and business services provided by the ISP affect what information is made available when the person browsing connects to the Web.
Technical services provided by the ISP may include finger ID and .plan generation. The .plan is the profile that is returned when using finger. For example, finger bsy@cs.ucsd.edu and you will find the name, professional affiliation, contact information, and the URLs of the Web pages of which bsy is the author.
An ISP business service that can affect user privacy is the provision of aggregate profiles of customers. An ISP may sell financial profiles, history-of-use profiles, or customized analyses of its customer database. The existence of these services affects the information that is shared when a person browsing accesses a Web server.
When a browser client connects with a server, the server can determine the Internet protocol (IP) address of the person browsing. The host name that corresponds to an IP address is the kind of name that appears on the right-hand side of the @ sign in an e-mail address. The IP address is the electronic equivalent of physical location information, and like a physical street address it can imply other information.
With an IP address, a server can obtain the customer's host name using the Domain Name System (DNS), which provides a mapping between domain names (e.g., miami.epp.cmu.edu) and the corresponding network addresses (e.g., 128.2.58.26), and a reverse mapping from address back to name.
If the user's ISP requires a unique name for each user's machine, then the IP address can correspond exactly to the user's identity. For example, the host name of Professor Tygar's machine while he was at Carnegie Mellon University was tygar.trust.cmu.edu, because this was the University naming convention. Thus the IP address of that machine uniquely identified an individual. However, someone connecting through AT&T's access services would be seen only as a host within att.com, thus providing very limited information.
An observer can also detect that there is traffic between machines, that is, watch the person's browsing habits. If browsing information is unencrypted, a well-placed observer can also read the contents of the traffic.
Information availability depends upon the type and version of the customer's browser. Every browser sends its type and version to the server in the User-Agent header, e.g., type = Communicator, version = 4.0. Browsers also send information about the machines on which they reside: the operating system, computer type, and helper applications. The primary purpose of this data exchange is to tell the server about the helper functions and capacities of the client machine to accept various images. This illustrates the interaction between privacy and service.
As newer browser versions become more complex, the ability to control all the elements of the browser and to understand the privacy implications of the design decreases. For example, removing the cookies file in the latest version of the Microsoft browser is quite difficult, since it is not as clearly labeled and placed as in the previous version. Cookie Commando is not available for the latest Microsoft browser for this reason.
For a person browsing to effectively hide identity, the browser must also use an anonymity-providing service to prevent browser-based network information from providing identity information. For an illustration, visit http://www.anonymizer.com/. Even with protection from disclosure of browsing information, if the person browsing is using a single-user machine that runs a finger daemon, then the server can still obtain the browsing person's identity.
For more effective communications, browser software can send information on available helper applications to servers. Helper applications offer probabilistic information about the consumer's machine and even about interests. For example, the number and variety of helper applications, the presence of shareware or freeware applications, and the presence of advanced helper applications together imply a level of user technical sophistication.
After sending a request command to the Web server, the customer's client sends Accept headers. These headers tell the server which media types, languages, and encodings the client is prepared to handle, from which the server can infer the helper applications available; other details, such as monitor size and color depth, can be read by scripts running in the browser rather than from the headers. Alternatively, the Accept header may just say "*/*", that is, "send what you have", and let the client machine sort the data.
When using anonymous file transfer protocol (ftp) it has been the polite tradition for the client to log in as anonymous and then offer his or her e-mail address as the password. This tradition is incorporated into most browsers as a preference. However, this means that any anonymous ftp request would include the e-mail address of the user.[1] Any server can initiate an ftp request without the knowledge of the client simply by preceding the images to be shown in the page with ftp instead of http. For example, the anchors
A HREF=http://www.cs.cmu.edu/afs/cs/user/jeanc/www/Addie_Walter.gif
and
A HREF=ftp://www.cs.cmu.edu/afs/cs/user/jeanc/www/Addie_Walter.gif
would both result in the exact same image's being sent to the browser; however, the latter would send the browser's e-mail address to the server.
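A check for the trick just described, as an added example that is not from the original article: scan a page for resources the browser fetches automatically (images, frames, scripts, backgrounds) whose URL resolves to the ftp scheme, since each such fetch would log in as anonymous with the user's e-mail address as the password in the browsers discussed. The HTML below is a constructed sample; the element list is an assumption about which tags fetch without a click.

```python
"""Find page resources that would be fetched over ftp:// without a click.

Added example, not code from the original article. The sample HTML is
constructed; the set of auto-fetching elements is an assumption.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Elements whose named attribute the browser fetches as soon as the page
# renders. An <a href> is excluded: it needs a click.
AUTO_FETCH = {
    "img": "src", "frame": "src", "iframe": "src",
    "embed": "src", "script": "src", "body": "background",
}


class FtpResourceFinder(HTMLParser):
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.hits = []                    # (tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        attr = AUTO_FETCH.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                # Resolve relative references: a relative src inside a page
                # that was itself loaded over ftp:// is also an ftp fetch.
                url = urljoin(self.base_url, value)
                if urlsplit(url).scheme == "ftp":
                    self.hits.append((tag, url))


def find_ftp_resources(html: str, base_url: str):
    """Return every auto-fetched (tag, url) pair with an ftp:// URL."""
    parser = FtpResourceFinder(base_url)
    parser.feed(html)
    parser.close()
    return parser.hits


# Constructed sample page: one http image, one ftp image, an ftp page
# background, and an ftp link that is harmless until clicked.
SAMPLE = """<html>
<body background="ftp://www.cs.cmu.edu/afs/cs/user/jeanc/www/bg.gif">
<img src="http://www.cs.cmu.edu/afs/cs/user/jeanc/www/Addie_Walter.gif">
<img src="ftp://www.cs.cmu.edu/afs/cs/user/jeanc/www/Addie_Walter.gif">
<a href="ftp://ftp.example/pub/">a link the user must click</a>
</body></html>"""
```

Run on SAMPLE with a base of http://www.cs.cmu.edu/ this reports the background and the second image and ignores the anchor; the same scan with an ftp:// base also reports relative images, which is the case people forget.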
Browsers have capabilities beyond the requests and responses just described. These capabilities include cookies, JavaScript, applets, common gateway interface (CGI) scripts, and ActiveX. These are dual-edged technologies: they can protect or subvert privacy.
Cookies are effectively commands initiated by the server and accepted by the browser that return text back to the server on later requests. A cookie can be used to store browser preferences, or even to make the Web less annoying by ensuring that no site sends the same advertisement to the browser twice. Cookies can also provide tracking of Web use. The text returned is exactly the string the server chose, so a server whose image or advertisement appears on many pages can recognize the same browser on all of them and, with the Referer header, record which pages it visited. Because cookies stay resident, each subsequent visit tells the server that the same browser has returned, and a record of all the browser's visits accumulates on the server. A cookie by itself cannot read the browser's cache, history, or bookmarks; any disclosure of those files would require a flaw in the browser rather than the cookie mechanism.
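What a server learns from plain requests (the IP address, User-Agent and Accept headers discussed earlier in this section) and how a persistent cookie joins those requests into one profile, as an added example that is not from the original article. It simulates a third-party image server embedded on several pages: the request texts are constructed, and the site names and the "adid" cookie are assumptions for illustration.

```python
"""A third-party image server that profiles a browser across sites.

Added example, not code from the original article. The raw requests are
constructed samples of what a browser sends for an embedded <IMG>; site
names and the cookie name are illustrative assumptions.
"""
from urllib.parse import urlsplit


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.x request into request line and headers."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers}


def cookie_value(headers: dict, name: str):
    """Value of one cookie from the Cookie header, or None if absent."""
    for part in headers.get("cookie", "").split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None


class AdServer:
    """Sees the client IP, User-Agent, Referer and its own earlier cookie."""
    COOKIE = "adid"

    def __init__(self):
        self.next_id = 1
        self.profiles = {}          # adid -> [(ip, referring site, user agent)]

    def handle(self, client_ip: str, raw: str) -> str:
        req = parse_request(raw)
        h = req["headers"]
        adid = cookie_value(h, self.COOKIE)
        set_cookie = ""
        if adid is None:            # first contact: hand out an identifier
            adid = f"u{self.next_id:04d}"
            self.next_id += 1
            set_cookie = f"Set-Cookie: {self.COOKIE}={adid}; Path=/\r\n"
        # Referer names the page that embedded the image, i.e. what was read.
        site = urlsplit(h.get("referer", "")).netloc or "(no referer)"
        self.profiles.setdefault(adid, []).append(
            (client_ip, site, h.get("user-agent", "")))
        return "HTTP/1.0 200 OK\r\n" + set_cookie + "Content-Type: image/gif\r\n\r\n"


def build_request(path, referer, cookie=None,
                  ua="Mozilla/4.0 (compatible; Communicator 4.0)"):
    """Constructed sample of the request a browser sends for an <IMG>."""
    lines = [f"GET {path} HTTP/1.0", "Host: ads.example",
             f"User-Agent: {ua}", f"Referer: {referer}"]
    if cookie:
        lines.append(f"Cookie: {cookie}")
    return "\r\n".join(lines) + "\r\n\r\n"


def simulate() -> dict:
    """One browser visits three unrelated sites that all embed the image."""
    ads = AdServer()
    jar = None                      # the browser's stored cookie for ads.example
    for page in ("http://gay-rights.example/meetings.html",
                 "http://news.example/front.html",
                 "http://clinic.example/hiv-testing.html"):
        resp = ads.handle("128.2.58.26", build_request("/banner.gif", page, jar))
        for line in resp.split("\r\n"):
            if line.startswith("Set-Cookie:"):
                jar = line.split(":", 1)[1].strip().split(";")[0]
    return ads.profiles
```

Nothing here exceeds what the protocol hands over: no cache or bookmark file is read, yet after three page views the server holds, under one identifier, the list of sites the browser visited together with its address and software. Blocking third-party cookies collapses the profile to three unrelated first contacts, which is why that preference matters.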
JavaScript, CGI, Java, and ActiveX enable proxy attacks. In a proxy attack, the browser thinks it is visiting a server directly, but in fact all commands are sent through a third machine. This third machine is invisible to the person browsing, and can make the browser's machine invisible to the server. Thus a proxy can be a security and privacy problem, or a proxy can serve to protect user information. Figure 1 shows a proxy. The same diagram illustrates the use of a friendly, anonymizing proxy, as found at http://www.anonymizer.com, and a proxy attack, an example of which can be found at http://www.cs.cmu.edu/~alma.
WEB PRIVACY: WHO CHOOSES?
The privacy that a person has when browsing the Web depends on the choices of many people. The designer of the Web browser determines what information is available through requests. The designers of computer languages determine what information is available by query. The Internet Service Provider (ISP) determines what information is available by technical configuration and business decisions. Finally, Web privacy depends on the users' choices of preferences, technologies, and proxies.
[FIG. 1. A Web proxy.]
Web designers decide what technologies to include, the default preferences, and what practices to follow. Here are some well-known examples of each case.
First, designers of Web browsers decide to include functionality that can violate privacy. Cookies are an excellent example of functionality that can violate privacy. A cookie is effectively a command from the server to the client to store an arbitrary string of text and return it on later visits. Often the cookie stores information about the site that placed the cookie: are you a first-time user, what are your common viewing preferences, and so on. Because the same string comes back on every visit, a cookie can also be used to build up a record of the user's visits over time and, where one server's content is embedded in many sites, across sites.
Second, not only do designers decide which technologies are included, but they also determine the user's set of possible preferences and select those preferences that are chosen by default. As the population of the Internet becomes increasingly demographically similar to the population at large, it seems safe to predict that fewer and fewer people will alter the preset preferences (excluding mail and identity, of course).
Third, browser designers may choose to embed features that harm privacy. In particular, the power to choose which queries are transparent to the user is a power to choose information exposure.
Language designers of particular interest are those developing languages for use with mobile code, especially ActiveX and Java. The designers determine what functions to include to ease the complex task of sending code across the Web. The commands to include and the information that can be obtained using these commands (even in the absence of unforeseen security failures) are powerful determinants of Web privacy.
Simple functions, such as the ability to get the IP address of the client, make code portability easier and more powerful. Like ZIP codes, IP addresses provide information about the economic and educational status of the user.
The Internet service provider determines how much information is provided about the user by the Web client. The ISP can provide profiles of users and can provide aggregate statistics. In the recent case of the unfortunately named Tim McVeigh, a pseudonymous America Online (AOL) user who was outed as a gay man, he found to his dismay that the privacy provided by AOL was not sufficient to protect his orientation information from the Navy, his employer.
Of course, the user determines privacy as well, not only by choice of browser, machine, and ISP, but also by using a proxy or by obtaining an anonymous account. The user's choice of preferences also determines which languages (JavaScript, Java, ActiveX) the browser will run.
LEGAL ISSUES AND SOCIETAL IMPLICATIONS
Americans have long been concerned with privacy, yet privacy concerns trail the introduction of new technologies. By definition, the law must respond to what technology defines as possible.
The American tradition of concern for privacy varies from the European approach. The European Community and Canada have principles of data protection, whereas the American tradition revolves around privacy. American considerations are based on common law tradition and a constitutional right, rather than on the more practical approach implied by data protection.
Privacy law, as opposed to data protection, has been implemented piecemeal. Privacy protection views each subject area of data as separate and requires action for each subject area as necessary. The data protection approach offers blanket guidelines for all data with an identifiable subject. In the United States there is privacy protection for federal records (Privacy Act of 1974), financial records (Right to Financial Privacy Act, Fair Debt Collection Practices Act), educational records (Family Educational Rights and Privacy Act), and video rental records (Video Privacy Protection Act). There are no such controls on medical records, as this had not been identified as a problem area.
The American right to privacy is actually two sets of rights: rights of autonomy and rights of seclusion. Autonomy is the right to act freely; autonomous actions are taken without coercion. Surveillance is a form of coercion.
The rights of seclusion can be seen in the original definition of the right to privacy by Warren and Brandeis as "the right to be let alone." The right to be let alone was defined (Prosser, 1941) as consisting of four types of privacy rights: absence of intrusion upon seclusion, absence of appropriation of name and likeness, absence of false light, and absence of public disclosure of private facts.
The original definition of privacy clearly singled out the press for intrusion into private affairs: "Gossip is no longer the resource of the idle and of the vicious, but has become a trade which is pursued with industry as well as effrontery" (Warren & Brandeis, 1890). But what is electronic seclusion? Is it one's own electronic mailbox where particular messages are unwelcome? The law has not answered these questions; or rather, the law has answered, but so inconsistently that there is no coherent answer.
Appropriation of name and likeness is the use of a person's name, reputation, or image without his or her consent. An early and well-known case is that of a young woman who found her image distributed throughout the city on bags of flour without consent or compensation. The makers of the flour thought she deserved no compensation for having a lovely countenance. The New York courts agreed. Despite this early failure, appropriation of name and likeness is now recognized across America. Violations of privacy are most likely to be prohibited when the motivation is financial gain.
False light is the publication of unflattering and untrue information. Whether false light is prohibited depends upon whether the subject is a private or public person. Private persons need to show falsehood, while public figures must show malice in addition. Yet who is a public figure on the Internet? Does having a Web page make me a public figure? How much Internet posting is necessary to create a public persona?
Action for public disclosure of private facts is limited, since constraint on public disclosure is in direct conflict with the First Amendment. Information deemed "newsworthy" can be printed even if it is a violation of privacy. Jurisdictions vary, from the most serious constraints in New York and South Carolina, to complete permission to publicly disclose private facts in North Carolina and Texas (Alderman & Kennedy, 1995). This is in part because public disclosure has traditionally been the purview of the press. Now anyone can publish information. Are all persons then subject to the shield of the First Amendment as if we were all reporters? What new balance might be struck between speech and privacy?
In contrast, the Constitutional right to privacy is based on rights of autonomy. If all action has to be taken under surveillance of the government, whether or not the government plans to prosecute, the actions are not truly free and autonomous. In 1965 the Supreme Court made the right to privacy explicit in Griswold v. Connecticut. The Court found the right to privacy implied in the Constitution in the First, Third, Fourth, Fifth, Ninth, and Fourteenth Amendments (Compaine, 1988; Trublow et al., 1991). The Constitutional right to privacy continues to be recognized by the courts in accordance with the tradition of the particular class of information.
The First Amendment states:
Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the government for a redress of grievances.
The privacy implications are that people under surveillance are not likely to express views or go to assemblies or religious meetings with which the agencies of surveillance are likely to disagree. The freedom to read is actually the freedom to read without fear of surveillance. The Court has ruled that the right to privacy covers the right to read, unobserved, material that the federal government finds objectionable. Specifically, in Lamont v. Postmaster General the Court stated that "any addressee is likely to feel some inhibition in sending for literature which Federal officials have condemned."[2] The Court has found a right to privacy in association and political activities. The Court has ruled that the right to privacy covers memberships and personal associations (NAACP (National Association for the Advancement of Colored People) v. Alabama, 1958), confirming the "right of members to pursue their lawful private interests privately and to associate freely with others."
The Third Amendment states: "No soldier shall, in time of peace, be quartered in any house, without the consent of the owner, nor in time of war, but in a manner to be prescribed by law."
The Fourth Amendment states: "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."
Together, the Third and Fourth Amendments create a region of privacy, a space inviolate by the government except in constrained circumstances. These amendments suggest that what one does in one's own home is not the business of the government. Note that members of the NAACP were found to have not only the First Amendment right to associate, but also the right to "pursue private interest privately," as one might in one's own home.
The Fifth Amendment states:
No person shall be held to answer for a capital, or otherwise infamous crime, unless on a presentment or indictment of a grand jury, except in cases arising in the land or naval forces, or in the militia, when in actual service in time of war or public danger; nor shall any person be subject for the same offense to be twice put in jeopardy of life or limb; nor shall be compelled in any criminal case to be a witness against himself, nor be deprived of life, liberty, or property, without due process of law; nor shall private property be taken for public use, without just compensation.
The government cannot imprison people without charge or require that they speak. The implication is that the government has no right to hear all that you might say, thereby intruding into your thoughts. Just as the government has no right to search your papers by the Fourth Amendment, the government has no right to search your thoughts by the Fifth. Nor does the government have the right to arbitrarily limit your movements.
The Ninth Amendment states: "The enumeration in the Constitution, of certain rights, shall not be construed to deny or disparage others retained by the people." Without the Ninth Amendment, the right to privacy could not be found in the Constitution. The right to privacy is nowhere specifically identified in the Constitution. Thus, without the Ninth Amendment's specific statement that the list of enumerated rights is not exclusive, the right to privacy as implied by the other amendments could not exist.
Section 1 of the Fourteenth Amendment states:
All persons born or naturalized in the United States, and subject to the jurisdiction thereof, are citizens of the United States and of the state wherein they reside. No state shall make or enforce any law which shall abridge the privileges or immunities of citizens of the United States; nor shall any state deprive any person of life, liberty, or property, without due process of law; nor deny to any person within its jurisdiction the equal protection of the laws.
None of the rights set forth in the Constitution can be abridged by the states. If the federal government has no right to your home, speech, or papers, neither do the state governments. The rights that together provide privacy from the federal government provide privacy from state and local governments as well.
The Constitutional right to privacy allows individuals to take certain actions without fear of retribution, rather than preventing the publication of information as with tort law. In fact, privacy rights prohibiting intrusion into seclusion and publication of private information have been limited at the federal level precisely because of First Amendment protection of speech rights.
The protection of records is topical, and the growth of information systems covers all businesses and data. Thus, the privacy approach used in the United States has not proven to be less effective in protecting the comprehensive interests of information subjects with respect to autonomy or seclusion than the data protection approach. To illustrate how autonomy in particular is currently not well protected, an analysis of a data trail left by a browser follows.
WHAT ARE YOU DOING ON THE WEB?
In this section I argue that browsing on the Web actually consists of many different actions. Many of the analogue equivalents of these actions have found privacy protection in the United States, but when performed electronically, they fall under the general rubric of browsing.
When on the Web a person is likely to be obtaining free information, purchasing information, making friends and contacts, and is certainly communicating electronically.
The analogue practice of obtaining free information is often done through the mails or through libraries. The American tradition has maintained not only the right to print and speak freely, but also the right to read anonymously. Thus, obtaining free information has been found to have the highest level of protection, as free access to information is a fundamental democratic right.
The most famous case on the right to read anonymously is Lamont v. Postmaster General (1965). In this case the Congress had instructed the Postmaster General to remove from the general mail all information pertaining to Communism. The recipient of any such mail then had to request the mail and sign his or her name declaring that the information was wanted. The Supreme Court found this to be unreasonable, stating that "any addressee is likely to feel some inhibition in sending for literature which Federal officials have condemned."
Web browsers may also purchase information. In the United States the Right to Financial Privacy Act limits government access to financial information. The Right to Financial Privacy Act was a response to United States v. Miller (1976), in which the court determined that a financial transaction is inherently a public act. The Right to Financial Privacy Act limits government access to financial records, thereby applying the Fourth Amendment to financial records in the wake of Miller.
However, there is no expectation of privacy from the provider of financial services or the merchant. United States v. Miller determined that all financial records are owned by the financial services institution, and that the customer has no privacy interests in these records. Thus, other than Fourth Amendment limitations on supplying information to the government, financial data have no protection.
This is in contrast to what one might assume: that in paying for information some contractual rights, such as data protection, are acquired.
Many people browse the Web to find groups and people with whom they sympathize. So while browsing, many people are making friends and contacts, joining chat rooms, finding mailing lists, and in general, associating and assembling electronically.
Like reading, the right of association extends to the right to associate without surveillance. A case that illustrates this is NAACP v. Alabama, 1958. The year 1958 was some 6 years before the murder of activists during Freedom Summer required federal intervention. At that time the senior official of the NAACP in neighboring Mississippi, Medgar Evers, was under constant threat of death for his activities. (He was eventually shot at his home in 1963; the murderer remained free until 1994.) It was in this environment of fear that the state of Alabama requested the membership list of the NAACP. The NAACP appealed to the Supreme Court, which stated that the First Amendment right to associate is also the right to "pursue private interest privately," as one might in one's own home.
Today the Web is the meeting place of marginal groups. Gay rights advocates, feminists, and abortion rights advocates have all been subjected to violent attacks. All of these groups have found safe places to associate on the Web. However, due to the lack of authentication and encryption, their associations can be tracked by invisible observers.
Electronic communications are subject to the protection of the Electronic Communications Privacy Act (ECPA). The ECPA protects users from observers but not from participants or employers. There is an assumption of equal bargaining power in one-to-one communications that does not hold in client/server relationships as on the Web.
The failure of the ECPA to protect Web browsing occurs because it is based on a telephony model, involving one-to-one communication, rather than on the publishing model of the Web.
IN CLOSING
Have I proven that modern Americans have no concern for privacy? American legal tradition shows that Americans do have concern for privacy, yet their daily habits show disregard. Is this an area in which Americans expect others to live up to standards that they would never tolerate? I think not. I have instead shown that privacy is difficult to evaluate, influenced by many players, and not necessarily subject to consumer influence.
I would argue that privacy threats are hard to detect and subtle, whereas privacy protection requires explicit action. Privacy is analogous to security in that it requires expensive and difficult-to-implement technology, which has positive network externalities. That is, for a consumer to use a privacy-protecting currency, it has to be accepted at the shops. To set up confidential connections, the receiving site has to provide the complementary software.
There is no evidence that programmers are uniformly opposed to privacy or that they are more opposed to privacy than any in the American mainstream. Yet personal opposition and the ethical standards of individual programmers have proven insufficient to protect privacy as the Internet becomes an increasingly popular mechanism for speech, information dispersion, and assembly. The drive to release code early creates security hazards and seems to push the complex issues of privacy out of the design frame.
Often a delay exists between the introduction of new technologies and the extension of privacy rights to the users of that technology. Technology can outrun ethics. Consider the case of telephony. In 1928 the Supreme Court determined that no person has a right to privacy in telephone conversations (Olmstead v. United States, 1928). The Supreme Court ruled that recording telephone conversations was not a search under the Fourth Amendment because the conversation left the defendant’s home on lines that could not be secured. The Court stated that since the technology was inherently without security, people knowingly sacrificed privacy when they communicated using the telephone. The Supreme Court reasoned that telephone correspondents knew that the signals went outside their homes and only the most naive would expect privacy. Olmstead reads: “There was no searching. There was no seizure. The evidence was secured by the use of the sense of hearing and that only. There was no entry of the houses or offices of the defendants. ... The language of the amendment cannot be extended and expanded to include telephone wires, reaching to the whole world from the defendant’s home or office. The intervening wires are not part of his house or office, any more than are the highways along which they are stretched.”
The reasoning in Olmstead applies to the Internet today. (Of course, this reasoning remains true for the telephone network as well.) In 1967, in Katz v. United States, the court found that a person had a “reasonable expectation” of privacy in telephone conversations. In legal terms this meant a warrant, and thus the information to support suspicion of criminal activity, was necessary for police to legally tap a phone line. For the decades between Olmstead v. United States and Katz v. United States the law of access to telephone conversations essentially stated that because the system was open, privacy was not to be expected. In 1928 there were operators rather than switches, but the logical reasoning about the wire remained the same. The signals still traveled outside the home and telephones were trivially easy to tap in 1967. The major technical changes in the telephone system were in switching technology and market penetration. By 1967 telephones were no longer business instruments, but were in the majority of American homes. Privacy was receiving renewed recognition as a Constitutional issue. Right-to-privacy laws were being passed, and the potential for abuse of wiretaps was illustrated by Watergate. The argument that the wires went across the globe was, if anything, strengthened by the intervening decades. Thus, although there were technological advances in telephony between 1928 and 1967, the change in the law arguably reflected changes in social awareness rather than technical practices. Similarly, social awareness, at least at the judicial and legislative levels, has not caught up with information technologies, including the Internet and the electronic compilation of data. Thus, decisions about privacy are being driven by market forces and technical fiat rather than by considered ethical or legal reasoning.
Why is this? Does this prove that Americans have no concern for privacy? I argue through an examination of American legal tradition that Americans do have concern for privacy. Yet privacy threats are invisible, while privacy protections are not. Use of privacy-protecting technology requires time and skills that many users of the Web do not have. Information technology is moving swiftly ahead; privacy law and ethics need to gain ground as well.
ONLINE RESOURCES
Organizations that are leading the effort to bring privacy to the Web include those that support market-based fixes (TRUSTe at www.etrust.com) and supporters of technical standards (World Wide Web Consortium at www.wc3.org and the Internet Privacy Coalition at www.privacy.org/ipc). There are those working for legal change (Electronic Privacy Information Center at www.epic.org, the Center for Democracy and Technology at www.cdt.org, and Americans for Computer Privacy at www.computerprivacy.org).
To get information about court rulings and judicial thought on issues of Internet privacy, excellent Web resources are the Perkins Coie Internet Case Digest (www.perkinscoie.com/resource/ecomm/netcase/index.html), the UCLA Online Institute for Cyberspace Law and Policy (www.gse.ucla.edu/iclp/hp.html), and the Berkman Center for the Internet and Society (cyber.harvard.edu).
In each Congressional session new laws are brought forward that offer to protect privacy. Tracking laws is made simpler with the use of Thomas at thomas.loc.gov and, for tracking the politics around the laws, Cloakroom at www.cloakroom.com.
NOTES
1. This problem was first noted in the release of Netscape 2.0, which had e-mail as ftp login as a default that was not easily changed.
2. The United States Postal Service was required by § 305 76 USC 840 (the Postal Service and Federal Employees Salary Act) to detain mail considered “communist political propaganda” and release it only upon the request of the recipient.
REFERENCES
Public laws: 12 USC § 552 Privacy Act, 15 USC § 1691 Equal Credit Opportunity Act, 115 USC § 1694 Electronic Funds Transfer Act, 18 USC § 1029 Computer Fraud and Abuse Act, 335 USC § 3401 Right to Financial Privacy Act, 42 USCS § 3608, 15 USC § 1681, 12 USCS § 1708 Fair Credit Reporting Act.
Alderman, E., and Kennedy, C. 1995. The right to privacy. New York: Alfred A. Knopf.
Compaine, B. J. 1988. Issues in new information technology. Norwood, NJ: Ablex.
Denning, D. 1982. Cryptography and data security. Reading, MA: Addison-Wesley.
Hite, S. 1976. The Hite report on female sexuality. New York: Macmillan and Bertelsmann.
Katz v. United States. 1967. 389 US 351, 369 F2d 130 (9th Cir.).
Lamont v. Postmaster General. 1965. 381 U.S. 301, 301.
NAACP (National Association for the Advancement of Colored People) v. Alabama. 1958. 357 US 449.
Olmstead v. United States. 1928. 277 US 438, 48 SCt 564, 72 LEd2d 944.
Prosser, W. L. 1941. Handbook of the law of torts. St. Paul, MN: West.
Rubin and Cooder. 1994. The payment system: Cases, materials & issues. St. Paul, MN: West Publishing.
Trublow, G. 1991. Privacy law and practice. New York: Times Mirror Books.
Warren, S., and Brandeis, L. 1890. The right to privacy. Harvard Law Review 4:193–220.
Western Systems Coordinating Council. 1996. WSCC technical experts discover the cause of western U.S. electrical outage. Press release, July 21. Available at http://www.spectrum.ieee.org/publicaccess/9608teaser/whatsn56.html as of 7 April 1997.