Information Security News mailing list archives
Privacy Expert Advises Colleges to Bar 2 Popular Internet Tools
From: William Knowles <wk () C4I ORG>
Date: Fri, 30 Jun 2000 07:28:24 -0500
http://www.chronicle.com/free/2000/06/2000062701t.htm

Tuesday, June 27, 2000

A computer-privacy expert warned colleges Sunday against continuing to use two popular Internet tools -- Telnet and File Transfer Protocol -- because they offer easy routes for unauthorized people to gain access to personal data on campus networks.

Simson L. Garfinkel, the author of Database Nation: The Death of Privacy in the 21st Century, offered the warning in a keynote address at ResNet 2000, a symposium for residential-network administrators that will continue through Wednesday here at the University of Pennsylvania.

Mr. Garfinkel said the main lesson of his new book, published by O'Reilly & Associates, is that students and faculty members cannot rely on themselves or on technology to protect their privacy when they use computer networks.

Campus-network administrators and off-campus Internet-service providers, or I.S.P.'s, vary widely in their commitment to protecting personal information stored in network log files and other databases generated automatically when people use the network, Mr. Garfinkel said.

Most network services, he said, create log files that capture personal information, including user names, network addresses, and the time and date those services were used. But few colleges and I.S.P.'s have enforceable policies to protect students or others from the misuse of information in those databases, Mr. Garfinkel said.

Log files, for example, are created on Web servers whenever users click on the "search" button. Mr. Garfinkel asked, Who has access to those log files? What computers are capturing those log files? What policies do institutions have for automatically deleting those files on a regular basis?

Even institutions and I.S.P.'s that do have privacy policies usually provide no way for people to control how information about them is collected and used, he said.

The amount of data that is now automatically collected as people conduct network transactions is minuscule compared with the amount that will be collected in the future, Mr. Garfinkel said.

"We're moving into a regime in which far, far more information is going to be collected -- and frequently, that's going to be done over some sort of campus network," he added.

Even a new privacy "preferences" technology that the World Wide Web Consortium announced last week could be meaningless, because it is not backed by federal law or regulation, Mr. Garfinkel said. The industry consortium, which develops new protocols for the Web, has worked for several years on the Platform for Privacy Preferences Project, or P3P, a privacy-labeling system for Web sites.

"P3P is a great technology, but it's a technology that [only] works hand-in-hand with regulation," he said.

Sites that claim to be P3P-compliant generate an encoded document that tells users in a standard, plain-language format how each site uses the personal information it collects.

But P3P "doesn't go far enough," Mr. Garfinkel said. The system's flexibility permits site owners to leave unlabeled many of the elements that are the most invasive of users' privacy -- such as the Common Gateway Interface, or C.G.I., scripts that run on Web servers. C.G.I. programs are easily exploited by network attackers, who can use them to steal personal data, experts say.

Mr. Garfinkel also urged the more than 300 residential-network managers and student-coordinators attending the conference to stop the common practice of using unencrypted passwords to secure network-user accounts.

"But you won't," he chided. "And so you're going to keep having accounts broken into."

*-------------------------------------------------*
"Communications without intelligence is noise;
Intelligence without communications is irrelevant."
Gen. Alfred. M. Gray, USMC
---------------------------------------------------
C4I Secure Solutions http://www.c4i.org
*-------------------------------------------------*

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".