
We are reprinting this article for your information. CDR does not necessarily endorse any of the groups mentioned in this article.

Carnivore vs. Corporate Confidentiality

By Martin Goslar, Ph.D.
ZDNet
December 11, 2000

The FBI's Carnivore cyber-snooping software could be a headache for conscientious security professionals. What's at stake? For corporations it's trade secrets, confidential business interactions, and the ability to conduct e-commerce without the threat of governmental, non-governmental organization, or international snooping.

The IIT Research Institute, a private organization, recently conducted an independent technical review of the Carnivore software. According to the report, which was commissioned by the Attorney General, Carnivore does not include significant safeguards to prevent misuse. For instance, the system doesn't keep track of individual users -- instead, any operator defaults to "administrator," leaving no audit trail -- and there is no feature that requires users to confirm that an e-mail tap is court-ordered. All this leaves the FBI conveniently unaccountable.

The Carnivore controversy spotlights corporate online confidentiality instead of the more common discussion of consumer privacy. And the accidental way in which news of the system surfaced -- complete with both government and private claims and counterclaims, and duels between elected officials and law enforcement -- further underscores the dilemma of business privacy versus the public good.

While security vendors continually enhance their products to strengthen corporate protection against unauthorized access and other threats, the government-developed Carnivore comes without safeguards to guarantee that only "legal" packet snooping occurs. This means it's time for industry to work toward the same privacy assurances that are guaranteed by law to those on the consumer side.

And who's watching out for industry?

Up to now, no group has come out strongly on the side of corporate communication privacy. The latest IIT Research Institute findings and reactions to the Institute's conclusions emphasize that controls are lacking. And at this point, new versions of Carnivore are not currently scheduled to include independent external oversight.

Your firm can, however, take productive steps toward increasing corporate privacy, even if little appears to be happening from the government side. One way is to work with one of the several independent organizations that are already making efforts to help establish an appropriate balance between privacy and public safety.

The Electronic Privacy Information Center, a public interest research center established in 1994, focuses on emerging civil liberty issues including privacy protection. The organization has been a watchdog in defending cyberspace rights during the Carnivore investigations.

The Privacy Foundation exists "to educate the public, in part by conducting research into communications technologies and services that may pose a threat to personal privacy."

The Center for Democracy and Technology seeks to find practical solutions for global privacy in communications technologies.

The Personalization Consortium's key objective is to establish leading practices for online privacy on the Internet.

Consider contacting these organizations to find out what steps they are taking to protect corporate privacy. Their voices will have significantly more impact than your firm alone, and their activities can bolster protection for your company's online communications and for the industry as a whole.

There are several other actions you can take to increase your company's communications security.

  • Take the time to partner with other firms in your industry to emphasize that corporate privacy is as important to our nation's future as consumer privacy.

  • Protect your corporate messaging. Use encryption, the principal protection for communication privacy. Other standard security tools can prevent intrusion, unauthorized monitoring, and message tracking.

  • Ask your Internet service providers (ISPs), communication carriers, or other infrastructure service firms what controls, if any, they apply to government requests for online snooping. If you don't get adequate answers, suggest that a policy be developed and follow up in a month or so. At the very least, they should require a copy of all warrants, subpoenas, court orders, or other authorization documentation. For lawful requests, ISPs should validate that the investigation is targeted toward the organizations or individuals named in those documents.

  • Verify that your ISP or communication carrier conducts background checks on its employees prior to hire. If it doesn't, encourage that such a policy be instituted. While the threat of government snooping may be relatively minor, internal employee threats can be a different story.


Dr. Goslar is principal security analyst and founder of E-PHD, LLC - a security industry research and analysis firm. He is also on the editorial board of the International Journal of Electronic Commerce and can be reached at comments@e-phd.com.
