quite dangerous to be a Sunni at a Shiite checkpoint (and vice versa). Now, to its credit, the Defense Science Board, an independent board advising the DoD, recommended that the military “engage responsible advocates of privacy early in the design and application of identity management systems,” 1 yet somehow this database system was developed for use in a place in which a name of the wrong ethnicity can lead to being murdered. Technologists did not stop to consider “once the rockets are up, where will they come down?”
One reason for our failure of cyber privacy and security is that these problems are difficult to resolve. Yes, over 30 years ago we had the ideas of Multics and the Orange Book, but such solutions have little traction in the current environment, especially when (almost) all users seek to mount their newest untrusted device on their (less than fully protected) systems. In the rush toward releasing a product, there is little economic incentive to spend the time properly designing privacy and security into systems.
We don’t ask: What system design for highway toll collection gives appropriate privacy protections? Do we really need to store the toll records any longer than a month after billing? Should we passively collect any data on a user as he or she visits an e-government site? How sensitive is an IP address? (Does it reveal any information about the user?) Is our organization’s system for managing passwords usable? (Or are users finding an insecure workaround?) Is there a way that the digital-rights system can find cheating users without compromising everyone else’s privacy? What are the security risks of that CCTV surveillance system? Can this database system really help us find the bad guys, or does it risk the safety of ordinary citizens? As technologists, we have a responsibility to investigate such issues before we build—not after.
No company wants to appear on the front page of the New York Times or in front of the Article 29 Data Protection Working Party of the EU Commission explaining how its system failed to protect important health care/financial/personal data. But while there may be breach laws that require notification in the case of data exposure, there have been precious few liability suits against the companies whose technologies allowed the problem to occur in the first place. Legal and policy systems simply haven’t kept up with technology. Meanwhile our technology keeps evolving at an ever-increasing pace. Our networked, interconnected systems pose new threats and present new challenges; we need to find new ways of working.
The right technical answers are not always obvious; because the problems involve societal concerns, often the solutions are less than clear-cut. What is the way out of this mess? The sorry state of computer privacy and security is a state for which technologists bear part of the responsibility. We can—and must—be part of the solution. Yet there is another part of this story, namely that computer privacy and security are both technical concerns and social ones.
Solutions for computer privacy and security are not mathematical theorems, but instead lie in the complexities of human behavior. One person’s good identity management scheme may violate another person’s view of adequate control of personal data; another person’s method for securing a network may be simply too restrictive to permit appropriately private access by the network’s users. It is not just science that will enable us to solve these problems, or engineering, or business acumen, or even anthropologic studies of what makes users tick. It will be a combination of all of these, and more.
Communications will publish articles on computer privacy and security in the Practice, Contributed, and Research sections of the magazine. This column will present people’s opinions on privacy and security concerns—and their possible solutions. Because the problems are not only technical, this column will present a diversity of viewpoints on the issues, soliciting responses from lawyers, economists, political scientists—and computer scientists.
We will also seek geographic diversity. The Internet knows no physical boundaries. As we know, its privacy and security breaches don’t either—consider the ILOVEYOU virus that apparently originated in the Philippines, the Nigerian 419 scam (see note c) that can as easily originate in Russia as in Nigeria, and the fact that a breach in a system designed in Mountain View, CA can cause serious problems in Melbourne, Australia. People are as concerned about data retention in Korea as they are in Europe (and apparently more so than they are in the U.S.). To solve the problems of computer privacy and security, we must look at the issues globally.
Protecting the privacy and security of data in networked computer systems is a major challenge of our age. The challenge of this column is to present ideas that stimulate the critical thinking needed to develop solutions to this multifaceted problem. Yours is to read, ruminate, and change the system—and systems—that currently harbor such poor protections of privacy and security. Change is slow, and changes of this order of magnitude are very difficult. If this column has even a minor impact on improving the privacy and security of computer systems, it will have succeeded in its mission.
References
1. Defense Science Board, Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics. Report of the Defense Science Board Task Force on Defense Biometrics, March 2007, 71.
2. Frank, T. U.S. is building database on Iraqis. USA Today (July 21, 2007); www.usatoday.com/news/world/iraq/2007-07-12-iraq-database_n.htm.
3. Lehrer, T. Too Many Songs by Tom Lehrer. Pantheon Books, New York, 1981, 124–125.
Susan Landau (susan.landau@sun.com) is a distinguished engineer at Sun Microsystems Laboratories in Burlington, MA.
c. This is a scam in which victims are offered large amounts of money from someone who has unexpectedly died (typically in a plane crash) leaving no will or known next of kin. In order to participate, the victims must first demonstrate their seriousness by funding efforts to access the money. It is called a “419” scam after the part of the Nigerian Criminal Code that deals with obtaining property through false pretenses.