Nets, Webs and the Information Infrastructure/Viruses, Privacy and Security

What is a virus?
PCWebopedia (http://www.webopedia.com) defines a computer virus as “a program or piece of code that is loaded onto your computer without your knowledge and runs against your wishes. Viruses can also replicate themselves.”

The term virus has become a catch-all name for all malicious computer programs. Strictly speaking, a virus is a type of electronic infection. The most common forms of infection are the email virus, worm and trojan program.

An email virus moves around in email messages, and usually replicates by automatically mailing itself to the addresses in the victim’s email address book.

A worm infiltrates existing computer networks through security holes. It uses the network to scan for other computers where the worm can reside and replicate itself.

A trojan program is a computer program that claims to do one thing (e.g., it claims to be a game) while taking other actions that the user is not aware of (e.g., copying and sending files to another computer). Trojan programs usually do not replicate automatically. Their activities may include erasing or modifying files, sending email, or sending private information through the Internet.

Why do virus outbreaks cost companies money?
The following are some of the ways that virus outbreaks increase company expenditures:

Computer breakdowns. Viruses are capable of crippling a computer by erasing or changing important files. They can clog networks, resulting in delays in legitimate computing tasks. This reduces productivity.

Virus cleanup required. When a computer is infected by a virus, the expertise of IT personnel is required to get rid of the virus. Some companies call in IT experts to remove viruses. Other companies choose to employ full-time personnel to troubleshoot and guard their systems against virus outbreaks.

Lost data / Data recovery. There are instances when data is lost due to a virus outbreak. This data will need to be rebuilt or gathered again.

Security measures. Companies devote a portion of their IT budgets to preventing virus contamination of their networks. This means investments in anti-virus and other security software or hardware.

How can technology prevent virus outbreaks?
Virus infections can be prevented through a combination of good anti-virus software and good user habits.

Virus scanning - Scanning refers to the inspection of computer data to check whether there are viruses. Some scanning software inspects data as it is being introduced to a computer.

Common sense - The most effective defense against viruses is a person’s habits in using the computer. For example, users shouldn’t download email attachments without scanning them for viruses.

Virus fix - A virus fix is run on an infected computer to repair any damage caused by a virus. Virus fixes are the result of studying the effects of a virus on a computer. Thus, by its very nature, a virus fix becomes available only after a new virus is reported.

What are cookies?
In the Internet realm, a cookie is a message stored by a Web site in a user’s computer. It contains information that a Web site can retrieve when the user re-visits the Web site. During the user’s subsequent visits, the appearance of the Web site is adjusted based on the information that is “remembered” by the cookie. (Strictly speaking, because the cookie is stored in the computer, the Web site “remembers” the computer and not the user.)

Cookies work like a doctor entering data into a patient’s card. When the patient returns to the doctor, information about the patient’s previous visits helps the doctor provide better service to the patient.

What information is stored in cookies?
Cookies can store login information so that users do not need to type in this information every time they return to a site. Cookies can also determine the interests of a particular user by the sequence of sites that the user visits, by the information the user submits, or by the topics that the user chooses to view. Cookies can also store data about an ongoing transaction in order to continue the transaction at a later time.

For example, an online shopper, Almira, goes to an online bookstore (like Amazon.com) to buy a book about Elvis Presley. Almira will have a virtual shopping cart where she can store books related to Elvis. Cookies are used to store data for the shopping cart. Using cookies, the Web site may also recommend a compact disc of Elvis’s songs or movies by Elvis. Almira may see advertisements about other popular 70’s record albums on sale or travel tours featuring a trip to an Elvis museum or Web sites selling Elvis memorabilia. These are all based on the cookies’ perception of Almira’s interest in Elvis as shown by her search for a book about Elvis. Lastly, if Almira chooses to postpone her purchase, the cookie will store data so that when she comes back to continue her shopping, the books or other items she had left in her virtual shopping cart will still be there.
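The shopping-cart exchange described above, as an added example that is not part of the original text. The `Bookstore` and `Browser` classes, the cookie name `cart` and the host names are assumptions made for illustration; the cookie carries only an opaque identifier, and the cart itself stays on the Web site.

```python
from http.cookies import SimpleCookie
import secrets

class Bookstore:
    """Constructed server: carts are kept server-side, keyed by the cookie value."""
    def __init__(self):
        self.carts = {}

    def handle(self, cookie_header, add_item=None):
        """Process one request; return (Set-Cookie value or None, cart contents)."""
        sent = SimpleCookie(cookie_header or "")
        cart_id = sent["cart"].value if "cart" in sent else None
        set_cookie = None
        if cart_id not in self.carts:          # first visit, or unknown/forged id
            cart_id = secrets.token_hex(16)    # opaque, unguessable identifier
            self.carts[cart_id] = []
            out = SimpleCookie()
            out["cart"] = cart_id
            out["cart"]["max-age"] = 30 * 24 * 3600   # keep the cart for 30 days
            out["cart"]["secure"] = True              # only sent over HTTPS
            out["cart"]["httponly"] = True            # hidden from page scripts
            set_cookie = out["cart"].OutputString()
        if add_item:
            self.carts[cart_id].append(add_item)
        return set_cookie, list(self.carts[cart_id])

class Browser:
    """Constructed client: one cookie store per host, as on a user's computer."""
    def __init__(self):
        self.store = {}

    def receive(self, host, set_cookie):
        if set_cookie:
            for name, morsel in SimpleCookie(set_cookie).items():
                self.store.setdefault(host, {})[name] = morsel.value

    def cookie_header(self, host):
        return "; ".join(f"{k}={v}" for k, v in self.store.get(host, {}).items())

def visit(browser, site, host, add_item=None):
    """One page load: send stored cookies, store any new one, return the cart."""
    set_cookie, cart = site.handle(browser.cookie_header(host), add_item)
    browser.receive(host, set_cookie)
    return cart
```

A second `Browser` object visiting the same `Bookstore` gets an empty cart, which is the sense in which the site "remembers" the computer and not the user.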

How can cookies become a privacy breach?
Cookies gather information to help make things convenient for a user. But when information is directly identifiable to a particular person and is used for purposes other than a user’s convenience, there could be a privacy breach.

Going back to the analogy of cookies acting like a patient’s card, if the doctor began to divulge information about the patient to a third party (e.g., to health insurance or pharmaceutical companies), the person’s privacy would be compromised. In Almira’s case, her privacy is breached when information gathered by the online bookstore is sold to other vendors.

There is a privacy breach when a Web site does not inform the user about the kind of information stored in a cookie and how this information is used.

Can a cookie “read” other files in a computer?
No, cookies do not have access to files in a person’s computer. Neither can cookies spread viruses. The only information available to cookies is information that has been divulged by the user such as his/her name, address, and credit card number. The privacy policy of a Web site is relevant here. In privacy statements, a Web site should state how they handle information exchanged between their Web site and a visitor’s computer.

What is a privacy policy? Why is it important?
A privacy policy is a declaration by Web sites or corporations that informs visitors about the kind of information gathered on the site and how this information is used. It states how the Web site protects the privacy of the visitor.

According to a study by Forrester Research, Inc., 90% of Web sites fail to comply with basic privacy principles. Also, the vast majority of such policies use vague terms and legal jargon that serve to protect companies and not individuals. The study showed that only about 10% of the companies studied adequately addressed the basic privacy of users.

How should governments handle online privacy problems?

There are four general approaches to privacy problems: laissez-faire, self-regulation, technology, and legislation/government.

Laissez-faire or “hands off” refers to the principle that governments need not regulate the marketplace, as the marketplace is guided by an “invisible hand” toward the most ideal balance of supply and demand. In the context of online privacy, the laissez-faire approach states that if people really feel concerned about their privacy, they will visit only Web sites with a clearly defined privacy policy. If the number of hits for Web sites with no privacy policy or an inadequate one actually decreases as a consequence, this development would goad these Web sites to improve online privacy. In this scenario, consumer action defines the level of privacy protection that the consumers get.

Industry self-regulation is where there is cooperation and agreement between sectors in the industry regarding what is appropriate privacy policy. The policy will be based on recommendations of industry experts that balance the needs of businesses and consumers. Some tools for the implementation of industry self-regulation are seal programs, industry guidelines, and privacy organizations.

For example, the World Wide Web Consortium (W3C; www.w3c.org) has developed a privacy standard called Platform for Privacy Preferences Project (P3P). The W3C was created to help realize the Web’s full potential by developing common protocols that promote its evolution and ensure its interoperability. Simply stated, P3P lets a user declare a set of customized privacy rules. These rules will be used to determine whether or not a Web site has acceptable privacy policies. Software based on P3P will help a user determine the actions to be taken when a Web site’s privacy policies do not match the user’s privacy rules.

Technology is a solution that can be taken up by private individuals, enterprises and interest groups. Many of the technology solutions involve working with browsers which inform a user of the privacy levels upheld by the Web site being visited.


 * Box 3. Examples of P3P Tools

Technology and industry standards have become complementary solutions to privacy issues. For example, there are tools developed based on P3P standards that automatically look up the privacy statement of the Web site. If the Web site’s privacy policies are within the specified standards of the user, navigation of the site is continued. Otherwise, the user is informed of the level of privacy protection afforded by the Web site. This is all done automatically, with minimal intervention of the user, by embedding machine-readable codes that are read by P3P tools. Tools are being developed by companies independent of W3C, which encourages private companies to develop software that will enable the use of P3P.
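One way such a tool can make the continue-or-inform decision, as an added example that is not from the original text or from any P3P product. It reads the compact form of a P3P policy (a short token list a site sends in a `P3P` HTTP response header); the two user rules and the sample header values are assumptions constructed for illustration.

```python
import re

# Compact-policy tokens from the P3P 1.0 vocabulary used by the rules below.
OUTSIDE_RECIPIENTS = {"UNR", "PUB"}   # unrelated third parties, public forums
MARKETING_PURPOSES = {"CON", "TEL"}   # contact for marketing, telemarketing

def parse_compact_policy(header_value):
    """Parse a P3P header value such as 'CP="NOI DSP COR"'.

    Returns {token: consent}, consent being 'a' (always), 'i' (opt-in) or
    'o' (opt-out), or None when the site declares no compact policy."""
    match = re.search(r'CP\s*=\s*"([^"]*)"', header_value or "")
    if not match:
        return None
    tokens = {}
    for raw in match.group(1).split():
        tok = re.fullmatch(r"([A-Z]{3})([aio]?)", raw)
        if tok:                                  # ignore malformed tokens
            tokens[tok.group(1)] = tok.group(2) or "a"
    return tokens

def evaluate(header_value, allow_sharing=False):
    """Apply the user's (hypothetical) rules; return (decision, reasons)."""
    policy = parse_compact_policy(header_value)
    if policy is None:
        return "inform", ["site publishes no machine-readable policy"]
    reasons = []
    if not allow_sharing:
        for tok in sorted(OUTSIDE_RECIPIENTS & set(policy)):
            reasons.append(f"data may go to outside recipients ({tok})")
    for tok in sorted(MARKETING_PURPOSES & set(policy)):
        if policy[tok] != "i":                   # user accepts marketing only by opt-in
            reasons.append(f"marketing contact without opt-in ({tok}{policy[tok]})")
    return ("inform" if reasons else "continue"), reasons

# Constructed sample header values, not taken from any real site.
SAMPLE_OK = 'CP="NOI DSP COR CURa ADMa OUR NOR"'
SAMPLE_BAD = 'policyref="/w3c/p3p.xml", CP="DSP COR CUR TELa OUR UNR STP"'
```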

Governments sometimes play an active role in protecting privacy on the Internet. Korea, for example, has been vigilant in protecting citizen privacy, promulgating the “Information Infrastructure Protection Act” and “The Act on Promotion of Utilization of Information and Communication Network and Data Protection” in 2001.

What kinds of privacy legislation have been passed?
A study of the privacy laws of 15 jurisdictions reveals the following:


 * Eleven jurisdictions impose restrictions on the transfer of data across borders. Only Brazil, Russia and the United States do not. Chinese law does not address cross-border data transfers.


 * Twelve jurisdictions have existing or proposed laws that address both traditional privacy and data protection. The privacy laws in Japan and Sweden are focused primarily on data protection.


 * Most of the jurisdictions require notice to the data-subject that data is being collected and how it will be used, some form of consent by the subject for the data to be collected and used, protection of the subject’s right to access the data, and maintenance of data security by the data controller.


 * In all but three jurisdictions (Australia, Hong Kong and Japan), a data-subject may go to court to enforce privacy laws.


 * In 13 jurisdictions in the survey, violations of privacy law can be criminal.


 * Box 4. Fair Information Practices of the United States and the OECD

Sources: Jared Strauss and Ken Rogerson, “Policies for Online Privacy in the United States and the European Union,” Regulating the Internet: EU & US Perspectives [home page online]; available from http://jsis.artsci.washington.edu/programs/europe/Netconference/Strauss-RogersonPaper.htm; accessed 4 September 2002.

James S. Huggins, “OECD Privacy-D-Personal Data Privacy Goes International,” James S. Huggins’ Refrigerator Door [home page online]; available from http://www.jamesshuggins.com/h/bas1/oecd_privacy_d.htm; accessed 4 September 2002.

What are the security issues on the Internet?
The CERT Coordination Center (CERT/CC; http://www.cert.org), a center for Internet security expertise, has suggested that the increasing speed and sophistication of attack tools, faster discovery of vulnerabilities, and increasing permeability of firewalls are important trends related to Internet security.

Notably, there is an increasing threat from infrastructure attacks. There are four types of infrastructure attacks. The first type is Denial of Service (DoS), where excessive network traffic caused by malicious attacks crowds out legitimate users from using the network. The second type of attack is through worms, which are self-propagating malicious code such as “Code Red”, “Nimda” and “Klez”. The Code Red worm infected more than 250,000 systems in just nine hours. Third, attacks on the Internet domain name system (DNS) can render Web sites inaccessible, vandalize legitimate Web sites or re-direct Web site traffic to the attacker’s Web site. Government and military Web sites are common targets of this kind of attack. The fourth type consists of attacks against or using routers. Attacks on routers can result in interception of information or a slowing down of information delivery.

What measures can be taken to prevent computer cracking and other security breaches?
There are three countermeasures to threats of cracking: technology, people and policy.

Advances in technology continue to improve the security of computer systems. Software and hardware are being developed to guard against computer break-ins. Among the countermeasures that can be implemented are a secure DSL connection, installation of a personal firewall, installation of anti-virus software, safe email practices, and regular backups.

But technology is effective only until the next cracker discovers another security hole. Thus, it is important for people (security experts, programmers, administrators) to be able to effectively monitor a system. Especially when computers, networks or servers contain sensitive information, it is imperative that experts can protect the security of the system.

Lastly, policies for punishing crackers are important. Recently, new laws on cybercrime have been put to the test. Legislators are learning whether or not the laws effectively address cybercrimes. Read more about this in the primer on cyberlaw.




 * Box 5. Korea Information Security Agency

Korea Information Security Agency, “About Korea Information Security Agency,” KISA [home page online]; available from http://www.kisa.or.kr/english/about_kisa_01.html; accessed 18 September 2002.

Is there a conflict between national security and privacy of the citizen in the online world?
The challenge is to protect the privacy of citizens online without impairing the State’s right to examine documents and transmissions that threaten national security. The September 11 terrorist attacks in the USA introduced a new perspective into the Security of the State vs. Privacy of the Citizen debate. On the one hand, there is a continued campaign for the protection of personal privacy. On the other hand, governments (particularly the US government) have turned to information technology as a tool to combat terrorism.

In the years prior to the September 11 attack, financial institutions developed systems for securing direct mail, credit card offers and other kinds of targeted marketing. Other systems specifically targeted the detection of money-laundering activities. This involved the collection of millions of transactions from various financial institutions and identifying trends that appear suspicious. This sharing of information between financial institutions was dropped as it was considered by many as an encroachment on privacy. After September 11, however, “some specialists believe the scrutiny of consumers on the government’s behalf is going even deeper”.