But First, the Bill of RightsThe issue of privacy is a great concern for everyone. A survey sponsored by Dell Computer, conducted in August 2000 by Harris Interactive, revealed that even in the more sanguine days of Internet optimism, loss of personal privacy ranked as an issue of higher concern for Americans than the issues of crime, health care, or the environment. Internet-connected PCs, however, are an ongoing threat to individual privacy. We'll categorize and identify the major threats in the pages that follow and offer solutions.
The United States Constitution does not expressly list a right to privacy. However, several of the rights that are specifically guaranteed in the "Bill of Rights," inherently assume that a privacy right exists. For example; the Fourth Amendment's guarantee that citizens will be "secure in their persons, houses, papers, and effects, against unreasonable searches and seizures" implies that privacy is a matter of right. The Fifth Amendment's guarantee that a citizen shall not "be compelled in any criminal case to be a witness against himself" indisputably suggests that the right to keep information private was obvious to all. Two drafters of the U.S. Constitution, Alexander Hamilton and James Madison, affirmatively demonstrated their right to privacy by publishing The Federalist Papers anonymously (as cited in Crispo & Grosso, 1998). In recent times, this foundational principle of American law was referred to by the United States Supreme Court as "privacy guaranteed by the Fourth Amendment" (Scalia, 2001). The Privacy Act of 1974, as well as laws banning tampering with U.S. Mail, and stalking, are all expressions of the belief that privacy is a citizen's right and violation of that right produces unfavorable consequences for the individual and for society as a whole.
These laws exist for good reasons.
Privacy Threats Everywhere
Many different kinds of individuals and agencies seek personal information, each using differing methods. These groups, and the methods they employ, will be examined below.
One of the most well known home computer monitoring programs, called Spector from http://www.spectorsoft.com/, sells for under $70. Hundreds of password cracking and Trojan programs are freely available on Internet on sites such as http://www.infosyssec.net/infosyssec/tools2.htm. In recent years, password cracking tools have evolved from tools that required you to have an intricate understanding of computer systems into more simplified tools that are very user friendly. The freeware password cracking tool called Cain from http://www.oxid.it/ is an example of this simplified type. Within minutes of installation, Cain can reveal passwords for screensavers, Internet dial-up logons, internal networks, and other passwords that have been used on a Windows based computer system. When I first tested Cain, it correctly identified the password that would allow access to make changes on my personal web page.
Note that as various forms of spyware become known or tracking subterfuges are exposed, companies modify or eliminate their data-gathering techniques. Some of the products listed above have recently removed or modified their spyware aspects, while others, such as Kazaa, have only recently been announced. The underlying ability remains, however, and the temptation is strong.
In addition to data gathering for dubious purposes, businesses can also constitute a threat to individual privacy by mishandling information they control. Two recent examples of this were the disclosure of the names of 600 Prozac users by pharmaceutical company Eli Lilly, and the disclosure of 400 organ donor names by the University of Minnesota.
The IRS and CIA have both had highly publicized incidents where they failed to safeguard the private information within their possession. According to Iowa Representative Greg Ganske, IRS employees have been repeatedly caught improperly using information in the custody of the agency, but the General Accounting Office found that only 2.3% of those caught were actually fired. As recently as March of 2002, the CIA was embarrassed by having its network mapped and the names, phone numbers and e-mail addresses of numerous agents posted on the Internet. The situation with the CIA was further exacerbated by the fact that this occurred after the September 11th terrorist attacks, and was accomplished in merely two days using freely accessible and unclassified information found on the Internet.
While the IRS and CIA may cause privacy concerns by mishandling information, it is the information gathering methods of the NSA and FBI that sometimes places those agencies at odds with individual privacy. Agencies of the U.S. Federal Government have long used technology to gather information on citizens. The first telephone wiretap in the United States occurred in 1885 – only four years after the introduction of the telephone. According to Justice John Paul Stevens of the U.S. Supreme Court, the FBI had amassed records on 24 million people as of 1989. In comparison, the 1999 CNN special report "Cold War" disclosed that the former East Germany's Stasi, or secret police, amassed records on only 6 million people.
The FBI's use of secretly installed keystroke logging software was recently made public by the case of Nicodemo S. Scarfo (United States v. Scarfo, 2002). In that case, the FBI obtained court approval to covertly enter Mr. Scarfo's premises and install software that recorded every keystroke made on Mr. Scarfo's computer including his typed passwords. The FBI also uses another information-gathering tool, DCS-1000, formerly called CARNIVORE. This system consists of hardware connected to an Internet service provider's equipment that allows the FBI to intercept all e-mail traffic sent or received by a specific individual without their knowledge. Unlike traditional telephone wiretaps, which must be narrowly focused, to intercept specific targeted conversations, DCS-1000 searches and intercepts all communications of an individual. Title 18, section 2518(4) of the United States Code gives Internet service providers no choice in cooperating with electronic surveillance. In November of 2001, an FBI response to a Freedom of Information Act request, admitted the existence of "an enhanced CARNIVORE project" called "Magic Lantern" - a remotely installable key logger that can be sent to a computer via e-mail.
The NSA uses a much larger system for interception of communications data. It is called ECHELON, and consists of a global network of satellites and monitoring stations that screen all telephonic, e-mail, and facsimile transmissions. Obviously, processing all such data would be impossible; however, the system does not process all of the data, but rather carefully screens it for specific keywords and phrases, and captures only transmissions that meet pre-defined criteria. All of the captured data is then analyzed to extract pertinent information. Both CARNIVORE and ECHELON have evoked grass-roots protest movements.
Another method of government information gathering that could possibly pose a privacy risk is monitoring of TEMPEST emanations. These electronic signals are created by a computer monitor, and can be intercepted and used to re-create the screen image. This technology requires sensitive reception equipment that must be in close physical proximity to the computer being observed. Such reception equipment is illegal for individuals to possess, use, or sell in the United States.
This concludes Part
One of Privacy and Security on your PC. The second installment covers a layered approach
to computer security. As we go through the six levels, we'll give you
links to tools that can help you secure your system and keep your personal
data private. Click here to continue on to Part II.