
List:       isn
Subject:    [ISN] Privacy Expert Advises Colleges to Bar 2 Popular Internet
From:       William Knowles <wk () C4I ! ORG>
Date:       2000-06-30 12:28:24

http://www.chronicle.com/free/2000/06/2000062701t.htm

Tuesday, June 27, 2000

A computer-privacy expert warned colleges Sunday against continuing to
use two popular Internet tools -- Telnet and File Transfer Protocol --
because they offer easy routes for unauthorized people to gain access
to personal data on campus networks.

Simson L. Garfinkel, the author of Database Nation: The Death of
Privacy in the 21st Century, offered the warning in a keynote address
at ResNet 2000, a symposium for residential-network administrators
that will continue through Wednesday here at the University of
Pennsylvania. Mr. Garfinkel said the main lesson of his new book,
published by O'Reilly & Associates, is that students and faculty
members cannot rely on themselves or on technology to protect their
privacy when they use computer networks.

Campus-network administrators and off-campus Internet-service
providers, or I.S.P.'s, vary widely in their commitment to protecting
personal information stored in network log files and other databases
generated automatically when people use the network, Mr. Garfinkel
said.

Most network services, he said, create log files that capture personal
information, including user names, network addresses, and the time and
date those services were used. But few colleges and I.S.P.'s have
enforceable policies to protect students or others from the misuse of
information in those databases, Mr. Garfinkel said.

Log files, for example, are created on Web servers whenever users
click on the "search" button. Mr. Garfinkel asked, Who has access to
those log files? What computers are capturing those log files? What
policies do institutions have for automatically deleting those files
on a regular basis?
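As an added illustration (not part of the article or of the keynote), the kind of automatic retention policy Mr. Garfinkel's questions call for, applied to Web-server search logs: entries older than the retention window are deleted, and the rest keep only what operations needs, with the user name and search terms dropped and the address replaced by a keyed pseudonym. The log lines are constructed samples; the Common Log Format layout, the retention window and the salt are assumptions.

```python
import hashlib
import re
from datetime import datetime, timedelta

# Constructed sample: NCSA Common Log Format lines from a campus search page.
SAMPLE_LOG = """\
192.0.2.44 - jsmith [25/Jun/2000:09:14:02 -0400] "GET /search?q=financial+aid HTTP/1.0" 200 1832
198.51.100.7 - - [26/Jun/2000:22:41:55 -0400] "GET /search?q=counseling HTTP/1.0" 200 2010
192.0.2.44 - jsmith [05/Jun/2000:11:03:17 -0400] "GET /search?q=grades HTTP/1.0" 200 1741
"""

# ip, ident, user, timestamp, request line, status, size
CLF = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                 r'"(?P<req>[^"]*)" (?P<status>\d{3}) \S+$')


def parse_clf(line):
    """Parse one CLF line into a dict; return None if it does not match."""
    m = CLF.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def pseudonymize_ip(ip, salt):
    """Keyed hash of the address: abuse from one source stays correlatable
    within a salt period, but the value cannot be reversed to the IP."""
    return hashlib.sha256((salt + ip).encode()).hexdigest()[:16]


def minimize(rec, salt):
    """Keep what operations needs; drop the user name and the search terms."""
    target = rec["req"].split(" ")[1] if " " in rec["req"] else ""
    return {"ip": pseudonymize_ip(rec["ip"], salt), "ts": rec["ts"].isoformat(),
            "path": target.split("?")[0], "status": rec["status"]}


def apply_policy(log_text, now_iso, retention_days, salt):
    """Delete entries older than the retention window; minimize the rest."""
    now = datetime.fromisoformat(now_iso)  # e.g. "2000-06-28T00:00:00-04:00"
    kept = []
    for line in log_text.splitlines():
        rec = parse_clf(line)
        if rec is None or now - rec["ts"] > timedelta(days=retention_days):
            continue  # unparseable or expired: dropped, not archived
        kept.append(minimize(rec, salt))
    return kept
```

Rotating the salt with each retention period limits how long a pseudonym can be linked back to one machine.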

Even institutions and I.S.P.'s that do have privacy policies usually
provide no way for people to control how information about them is
collected and used, he said.

The amount of data that is now automatically collected as people
conduct network transactions is minuscule compared with the amount
that will be collected in the future, Mr. Garfinkel said. "We're
moving into a regime in which far, far more information is going to be
collected -- and frequently, that's going to be done over some sort of
campus network," he added.

Even a new privacy "preferences" technology that the World Wide Web
Consortium announced last week could be meaningless, because it is not
backed by federal law or regulation, Mr. Garfinkel said. The industry
consortium, which develops new protocols for the Web, has worked for
several years on the Platform for Privacy Preferences Project, or P3P,
a privacy-labeling system for Web sites.

"P3P is a great technology, but it's a technology that [only] works
hand-in-hand with regulation," he said. Sites that claim to be
P3P-compliant generate an encoded document that tells users in a
standard, plain-language format how each site uses the personal
information it collects.

But P3P "doesn't go far enough," Mr. Garfinkel said. The system's
flexibility permits site owners to leave unlabeled many of the
elements that are the most invasive of users' privacy -- such as the
Common Gateway Interface, or C.G.I., scripts that run on Web servers.
C.G.I. programs are easily exploited by network attackers, who can use
them to steal personal data, experts say.

Mr. Garfinkel also urged the more than 300 residential-network
managers and student-coordinators attending the conference to stop the
common practice of using unencrypted passwords to secure network-user
accounts. "But you won't," he chided. "And so you're going to keep
having accounts broken into."


*-------------------------------------------------*
"Communications without intelligence is noise;
Intelligence without communications is irrelevant."
Gen. Alfred. M. Gray, USMC
---------------------------------------------------
C4I Secure Solutions             http://www.c4i.org
*-------------------------------------------------*

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV@SecurityFocus.com with a message body of
"SIGNOFF ISN".
