Privacy and the Internet

LIS 386.13
Information Technologies
and the
Information Professions
Privacy and the Internet
R. E. Wyllys
Copyright © 2002 by R. E. Wyllys
Last revised 2002 Nov 8
School of Information - The University of Texas at Austin
LIS 386.13, Information Technologies & the Information Professions
Lesson Objectives
• You will learn about
– Some of the threats to privacy stemming
from the growth of the Internet
– Tools with which to counter these threats
    • Filters
    • Virus-protection software
    • Firewalls
    • Cryptography
How the Internet Threatens Privacy
• The Internet has made it far easier than
ever before for others to find out much
about you.
– This is especially true of those of us who
use the Internet, but it holds even for those
who do not.
– Even non-users of the Internet are
vulnerable because information about them
is held by other people and institutions that
are Internet users.
How the Internet Threatens Privacy
• This vulnerability has the potential for
lessening the control each of us has
over what others know about us. That
is to say, this vulnerability is a threat to
the privacy of each of us.
A Definition of Privacy
• "Privacy . . . is the power to control what
others can come to know about you.
People gain knowledge about you in
only two ways—through monitoring or
searching (or by reports relying on the
results of monitoring and searching)."1
1 Lessig, Lawrence. Code and Other Laws of Cyberspace. New York, NY: Basic Books; 1999. ISBN 0-465-03913-8. Pp. 142-144.
Conceptions of Privacy
• Lawrence Lessig distinguishes three
conceptions of privacy1
– Utility: the minimization of intrusion
– Dignity: the individual's right to be left alone
– Governmental: constraints on the power of
the state to regulate behavior and thought
1 This slide and the quotations on the next three slides are taken from: Lessig, Lawrence. Code and Other Laws of Cyberspace. New York, NY: Basic Books; 1999. ISBN 0-465-03913-8. Pp. 146-149.
Conceptions of Privacy (cont'd)
• Lessig's "first conception, . . . the utility
conception, seeks to minimize intrusion. We
want to be left alone, not interfered with, not
troubled. And so we want a protection that
minimizes the extent to which tranquility is
disturbed. Sometimes the state will have
reason to search us or to interfere with our
peace. But we want this interference kept at
a minimum. . . ."
Conceptions of Privacy (cont'd)
• "The second conception tracks dignity. Even if
a search does not bother you at all, or even if
you do not notice the search, this conception of
privacy holds that the very idea of a search of
your possessions is an offense to your dignity."
Conceptions of Privacy (cont'd)
• According to Lessig's third "conception, privacy
is a substantive limit on government's power.
As a restriction on the power of government to
enforce certain laws, it provides a substantive
limit on the kinds of regulation that government
can effectively impose. Understood this way,
privacy does more than protect dignity or limit
intrusion; privacy limits what government can
do."
Conceptions of Privacy (cont'd)
• Although Lessig phrases his three conceptions of
privacy in terms of constraints on government, it
is clear that the general concept of privacy
requires that individuals and organizations be
subject to the same kinds of constraints, in order
to restrict their possible intrusions against other
individuals and organizations.
Modes of Internet Attack on Privacy
• Some principal modes of attack on privacy via
the Internet include:
– Recording by Websites of visitors' IP addresses
– "Cookies," i.e., information placed on your computer by
Websites that you visit
– "Spam," i.e., unsolicited, undesired email messages
sent to large numbers of addressees
– Viruses, worms, Trojan horses, etc.; these are programs
designed to enter your computer as hidden portions of
files you receive, especially via downloads and email
– "Cracker" attacks on your computer made while it is
connected to the Internet
Modes of Internet Attack on Privacy (cont'd)
– Curious or malicious persons investigating you, using
• the services of professional investigators, who are easily
locatable via the Internet (in August 2001 a search in AltaVista
on the term "Private Investigator" yielded 13,432 hits)
• Internet sites such as PublicData.com, US Search.com, and
the "People Search" and "Public Records Research" options at
Yahoo!.
– Curious or malicious persons seeking personal
information about you through government resources,
e.g., the real-estate appraisal records provided by the
Travis Central Appraisal District of Travis County, Texas.
Modes of Internet Attack on Privacy (cont'd)
• Two important resources for information about these
and other Internet security problems are the Privacy
Rights Clearinghouse, and the CERT Coordination
Center at Carnegie Mellon University.
– CERT offers a very readable overview entitled Home
Network Security, which deals with privacy and other related
issues.
• A useful collection of hyperlinks to various matters
concerning privacy, copyright, intellectual property,
and other related issues is the Gigalaw.com Webpage
on Legal Information for Internet Professionals.
Modes of Internet Attack on Privacy (cont'd)
• An encounter with malicious use of personal information
– During the spring of 2001, an unauthorized person obtained access
to hundreds of thousands of credit-card numbers stored by
Bibliofind, an Internet used-book locator service that has since
been acquired by Amazon.com. I had used a Visa account to
purchase books through Bibliofind. In June 2001 my Visa bill
showed two charges, totaling $41, that I had not made.
– I have no doubt that these charges were a result of the illegal
access at Bibliofind, for two reasons:
• The charges were placed shortly after the theft.
• The charges fitted a common pattern of the use of such stolen
accounts. Specifically, the thief initially uses the account for relatively
small amounts in the hope that the owner will turn out to be one of the
many people who fail to check their credit-card statements carefully. If
the thief gets away with small charges, he or she will then place a
substantial charge against the account.
– I immediately closed the account, and I disputed the charges—
successfully, I am happy to be able to say.
Websites and Records on Visitors
• Some Websites—no one knows how many—
keep records of those who visit them.
• What do such Websites do with this
information?
– The answer is undoubtedly, "Many different
things."
– Some of these things may strike many people as
undesirable: for examples, see the following two
slides.
Websites and Records on Visitors (cont'd)
• Recently the Senate Governmental Affairs
Committee reported that at least 7 U.S.
Government Websites have been keeping
records on their visitors. As reported by the
Associated Press1 on 2001 April 16, the following
Federal agencies, operating a total of 64
Websites, were involved:
– "Transportation Department: 23 Web sites, including
three contractor Web sites that collected personal data.
...
– "General Services Administration: 15 sites, including
one in which a contractor was given ownership of all
the data collected.
1 From: "Several agencies keep tabs on Web visitors." Austin American-Statesman, 2001 Apr 17, p. A4.
Websites and Records on Visitors (cont'd)
– "Energy Department: 11 sites, prompting agency Inspector
General Gregory Friedman to say the department 'cannot
provide reasonable assurance' that the privacy of Web site
visitors will be protected.
– "Treasury Department: six sites. . . .
– "Education Department: four sites, three of which officials said
they were unaware information was being collected on.
– "NASA: three sites, but the space agency's inspector general
said NASA hasn't determined how many Web sites it operates,
so officials don't know how many might be gathering the
information.
– "Interior Department: two sites."
• If this is what U.S. Government Websites are doing, one
can only wonder who in the private sector is collecting
what kind of information on those of us who visit nongovernmental Websites.
Websites and Records on Visitors (cont'd)
• Information on the behavior of Websites with
respect to privacy is available from certain sites
dedicated to privacy concerns, including
– BBBOnLine, "a wholly owned subsidiary of the
Council of Better Business Bureaus [whose] mission
is to promote trust and confidence on the Internet
through the BBBOnLine Reliability and BBBOnLine
Privacy programs"
– TRUSTe.com, "an independent, non-profit privacy
initiative dedicated to building users' trust and
confidence on the Internet and accelerating growth of
the Internet industry [through] a third-party oversight
'seal' program that alleviates users' concerns about
online privacy"
"Cookies" and Privacy
• Many Websites, when you visit them,
place on your computer small files of
information, called "cookies".
– Cookies serve to identify you to the
Website upon subsequent visits by you.
"Cookies" and Privacy (cont'd)
• Most cookies are harmless, but there is
nothing to prevent a malevolent person or
organization from placing cookies that could
cause damage.
• You can set your browser so that it will refuse
cookies, but if you do that, you forego
whatever convenience there may be in your
being quickly identified to the Website without
additional input from you.
• Cookies also have the potential of being used
to identify (e.g., to "crackers") many of the
Websites that you visit.
"Spam" and Privacy
• "Spam" consists of email messages
sent out in large numbers to addressees
who have not sought them or indicated
their willingness to receive them.
– Spam does not include advertising that you
have indicated a willingness to accept
• For example, when you register a piece of
software, you are often asked to indicate
whether you would like to receive information
about upgrades and new products from that
vendor.
• If you answer "yes," then announcements from
that vendor will not constitute spam.
"Spam" and Privacy (cont'd)
• Spam usually advertises products or
services that you might not learn about
otherwise, and thus it can sometimes be
useful to you.
• Spam has become a major problem
because it costs advertisers very little to
send out enormous numbers of emails,
in sharp contrast to high costs of
advertising by other means, such as
junk mail.
"Spam" and Privacy (cont'd)
• Not much can be done about the generation
and dissemination of spam.
– In a few egregious cases, Internet Service
Providers have denied their facilities to spammers.
– In certain other cases, spammers have been
ordered by courts to desist. Unfortunately, such
spammers have been known to dissolve the
company to which the court order applied, and
form a new company with which they resumed
spamming.
"Spam" and Privacy (cont'd)
• For individuals, the most effective defense
against spam is the use of filters in your email
program to delete messages of types that you
know you are not interested in receiving.
– For example, one of my email accounts seems
especially susceptible to spam. In this account I
have had to set up over a dozen filters that
automatically delete messages containing words
like "adult site," "teen girls," and certain
obscenities.
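The kind of phrase-based deletion filter this slide describes, as an added example that is not part of the lecture. The filter phrases and the three sample messages are constructed for the demonstration (the lecture names only "adult site" and "teen girls"); matching is done on whole words, case-insensitively, over the Subject header and the text body, so that a phrase such as "adult site" does not fire on unrelated words that merely contain "adult".

```python
import email
import re
from email.message import Message

# Constructed phrase list in the spirit of the lecture's filters; the lecture
# names only "adult site" and "teen girls", the rest is an assumption.
DELETE_PHRASES = ["adult site", "teen girls", "free money"]


def compile_rules(phrases):
    # Whole-word, case-insensitive patterns: "ADULT SITE" matches,
    # "adult-education consultant" does not.
    return [re.compile(r"\b" + re.escape(p) + r"\b", re.IGNORECASE) for p in phrases]


def message_text(msg: Message) -> str:
    """Collect the Subject header and every text/plain body part."""
    parts = [msg.get("Subject", "")]
    if msg.is_multipart():
        for part in msg.walk():
            if part.get_content_type() == "text/plain":
                payload = part.get_payload(decode=True) or b""
                parts.append(payload.decode("utf-8", "replace"))
    else:
        payload = msg.get_payload(decode=True) or b""
        parts.append(payload.decode("utf-8", "replace"))
    return "\n".join(parts)


def classify(raw_message: str, rules):
    """Return ("delete", phrase) for a message that matches a rule, else ("keep", None)."""
    msg = email.message_from_string(raw_message)
    text = message_text(msg)
    for rule in rules:
        hit = rule.search(text)
        if hit:
            return ("delete", hit.group(0).lower())
    return ("keep", None)


# Constructed sample messages (not real mail); .invalid is a reserved domain.
SAMPLES = [
    "From: promo@example.invalid\nSubject: Visit our ADULT SITE tonight\n\nClick here.\n",
    "From: colleague@example.invalid\nSubject: Lunch?\n\nAre you free at noon?\n",
    "From: hr@example.invalid\nSubject: Consultant invoice\n\n"
    "The adult-education consultant sent the invoice.\n",
]


def run_filter(samples=SAMPLES, phrases=DELETE_PHRASES):
    rules = compile_rules(phrases)
    return [classify(s, rules) for s in samples]


if __name__ == "__main__":
    for raw, (action, phrase) in zip(SAMPLES, run_filter()):
        subject = email.message_from_string(raw)["Subject"]
        print(f"{action:6} {phrase or '':12} | {subject}")
```

The third sample is the false-positive check: a crude substring match on "adult" would delete a legitimate message, which is why each rule is anchored on word boundaries.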
Viruses and Privacy
• Viruses, worms, and Trojan horses are programs that get
stored on your computer by stealth, e.g., by being a
disguised part of an email attachment or a downloaded file.
• The Webopedia defines a virus as: "A program or piece of
code that is loaded onto your computer without your
knowledge and [that] runs against your wishes. Most
viruses can also replicate themselves. All computer
viruses are manmade. A simple virus that can make a
copy of itself over and over again is relatively easy to
produce. Even such a simple virus is dangerous because
it will quickly use all available memory and bring the
system to a halt. An even more dangerous type of virus is
one capable of transmitting itself across networks and
bypassing security systems."
Viruses and Privacy (cont'd)
• The Webopedia defines a worm by saying: "Some
people distinguish between general viruses and
worms. A worm is a special type of virus that can
replicate itself and use memory, but cannot attach
itself to other programs."
– Worms pose much the same kinds of problems as do
other viruses.
Viruses and Privacy (cont'd)
• The Webopedia defines a Trojan horse as: "A
destructive program that masquerades as a
benign application. Unlike viruses, Trojan horses
do not replicate themselves, but they can be just
as destructive. One of the most insidious types of
Trojan horse is a program that claims to rid your
computer of viruses but instead introduces viruses
onto your computer."
Viruses and Privacy (cont'd)
• Once on your computer, viruses, worms, and
Trojan horses can act in various ways, from
prankish to vicious, even to the extent of
destroying all files on your computer.
• You can best defend yourself against viruses,
worms, and Trojan horses by
– Acquiring a good anti-virus program (e.g., from
McAfee, Network Associates, or Symantec)
– Installing it in such a way that it runs constantly on
your system
– Updating it with new data files at least once every
week (this step is especially important)
"Cracker" Attacks on Privacy
• In a cracker attack, someone (the "cracker") tries to
gain access to some or all of the files on your
computer, thus potentially becoming able to
– Run programs (yours or his) on your computer
– Read and copy files containing information that may be
valuable to you and/or harmful if in the possession of
others (e.g., passwords, your financial data)
– Destroy and/or modify files on your computer
• "Crackers" are often called "hackers," but the latter
term properly refers to expert programmers in
general, not just to those—the "crackers"—who
use their skills unethically to break into computers
belonging to other people.
"Cracker" Attacks on Privacy (cont'd)
• You are especially vulnerable to cracker attacks if
your computer is connected to the Internet for
extended periods of time, for example, via
– Cable modems
– DSL (digital subscriber line) telephone connections
– Corporate or academic direct connections to the
Internet
• With these types of long-period connections, you
use a given Internet address long enough to give
crackers the opportunity to employ "trial and error"
tools against your computer.
"Cracker" Attacks on Privacy (cont'd)
• You can best defend yourself against
cracker attacks by using a "firewall," i.e., a
program that
– Runs constantly on your computer
– Monitors signals coming into your computer for
indications of illicit intent or activity
– Can completely prohibit the receiving of signals
from specific Internet addresses
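A small illustration of the two firewall behaviours listed on this slide and the "trial and error" pattern of the previous one, added here as an example and not taken from the lecture or from any of the firewall products it names. The log lines are constructed (the addresses are from the documentation ranges reserved for examples); the log format, the ten-second window and the five-port threshold are assumptions chosen for the demonstration. One source is refused on many ports in quick succession and is flagged as probing; one address is on a static deny list and is refused outright; a normal client is allowed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<date> <time> src=<addr> dport=<port> result=<refused|accepted>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) src=(?P<src>[\d.]+) dport=(?P<port>\d+) result=(?P<result>\w+)$"
)

# Constructed incoming-connection log (not real traffic).
SAMPLE_LOG = """\
2002-11-08 10:00:01 src=203.0.113.7 dport=21 result=refused
2002-11-08 10:00:01 src=203.0.113.7 dport=22 result=refused
2002-11-08 10:00:02 src=203.0.113.7 dport=23 result=refused
2002-11-08 10:00:02 src=203.0.113.7 dport=25 result=refused
2002-11-08 10:00:03 src=203.0.113.7 dport=80 result=refused
2002-11-08 10:00:04 src=203.0.113.7 dport=139 result=refused
2002-11-08 10:01:10 src=198.51.100.4 dport=80 result=accepted
2002-11-08 10:02:00 src=192.0.2.99 dport=80 result=accepted
"""

# Addresses the user has chosen to refuse completely (slide: "specific Internet addresses").
STATIC_DENY = {"192.0.2.99"}


def parse(log_text):
    """Turn log lines into (timestamp, source, port, result) tuples; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["src"], int(m["port"]), m["result"]))
    return events


def evaluate(events, static_deny=STATIC_DENY, window=timedelta(seconds=10), max_ports=5):
    """Return a verdict per source: 'deny-list', 'probe' or 'allow'.

    A source refused on max_ports or more distinct ports inside one sliding
    window is treated as running a trial-and-error tool against the host.
    """
    recent = defaultdict(list)   # src -> [(ts, port)] still inside the window
    verdicts = {}
    for ts, src, port, result in events:
        if src in static_deny:
            verdicts[src] = "deny-list"
            continue
        if result == "refused":
            recent[src] = [(t, p) for t, p in recent[src] if ts - t <= window] + [(ts, port)]
            if len({p for _, p in recent[src]}) >= max_ports:
                verdicts[src] = "probe"
                continue
        verdicts.setdefault(src, "allow")   # never downgrades an earlier 'probe'
    return verdicts


if __name__ == "__main__":
    for src, verdict in evaluate(parse(SAMPLE_LOG)).items():
        print(f"{src:14} {verdict}")
```

The sliding window matters: six refused connections spread over a day are ordinary background noise, while six distinct ports in four seconds are the signature the slide calls "trial and error".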
"Cracker" Attacks on Privacy (cont'd)
• Examples of firewall programs are "Black
Ice," "McAfee Firewall," "Symantec
Personal Firewall," and "ZoneAlarm."
– Firewall programs change frequently to meet
changes in crackers' methods. Hence,
before acquiring a firewall, you should locate
some recent comparative evaluations of
available firewalls, and study them.
Cryptography and Privacy
• By using methods drawn from the field of
cryptography, you can prevent others from
reading
– Files on your computer
– Messages and files that you send to, or receive
from, friends and colleagues via the Internet,
provided that these friends and colleagues
cooperate with you in using cryptographic
methods
• The word "cryptography" comes from Greek
roots meaning "secret writing."
Cryptography and Privacy (cont'd)
• As employed today in computers, cryptography
consists of a sender's
– Adding, to the ASCII value of each letter in a message, a
number called a "key," thereby yielding a sequence of sums,
and
– Sending this sequence of sums to the recipient, who
– Subtracts the key from each sum in the sequence, thereby
yielding the original sequences of ASCII values, i.e., letters.
• The key comes from some process that generates
such numbers in an apparently random fashion
• The recipient of the encrypted message must have
access to the key (as will be explained later)
Cryptography and Privacy (cont'd)
• As an example, to encrypt "THE FOX" we
begin with the decimal ASCII values of the
letters:
T   H   E   [space]  F   O   X
84  72  69  32       70  79  88
• Next, we obtain a sequence of key numbers,
from some process that generates them in an
apparently random fashion. (This is called
"pseudo-random" generation.) Here is an
example of such a sequence:
10 48 01 77 15 66 41
Cryptography and Privacy (cont'd)
• Then we add the key numbers to the original
sequence of ASCII numbers (the example
uses the abbreviations PT for Plain Text [the
original text], K for Key, and CT for Cipher
Text):
PT: 84 72 69 32 70 79 88
K:  10 48 01 77 15 66 41
CT: 94 10 60 09 85 35 29
• Note that the addition is done column by
column, digit by digit, without carrying from
one column to the next: each digit sum is
reduced modulo 10 (for example, 79 + 66
gives 35, since 9 + 6 = 15 and 7 + 6 = 13).
This is called "modular addition."
Cryptography and Privacy (cont'd)
• The cipher text, 94 10 60 09 85 35 29, is sent
to the recipient, who decrypts the message by
subtracting the key from the cipher text (using
column-by-column, i.e., modular, subtraction)
CT: 94 10 60 09 85 35 29
K:  10 48 01 77 15 66 41
PT: 84 72 69 32 70 79 88
• The result is the original sequence of ASCII
values of the letters, THE FOX
• A major virtue of this process is that computers
can, of course, carry out such arithmetic
operations at enormously high speeds.
Cryptography and Privacy (cont'd)
• In traditional encryption and decryption, both the
sender and the recipient had to have a copy of the
stream of values of the key.
• Historically, this was often accomplished by providing
both sender and recipient with a copy of a page from a
"one-time pad," i.e., both sender and recipient would
have a copy of the same set of random numbers to be
used for encipherment and decipherment.
• Alternatively, both sender and recipient would be
provided with a machine that could be set, by
prearrangement, so as to generate the same
"pseudorandom" key with which to process a given
message. Such machines are widely used by military
and diplomatic organizations.
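The "THE FOX" encipherment from the preceding slides and the shared-key arrangement described on this one, carried through in code as an added example (not part of the lecture). The slide's own plain text, key and cipher text are reproduced and checked; the seeded generator that stands in for the "machine set by prearrangement" is an assumption, using Python's random.Random, which is deterministic for a given seed but not cryptographically secure. The example goes slightly beyond the slide in showing what a recipient with a different seed recovers.

```python
import random

# The slide's worked example.
SLIDE_PT = [84, 72, 69, 32, 70, 79, 88]    # "THE FOX" as decimal ASCII
SLIDE_KEY = [10, 48, 1, 77, 15, 66, 41]    # the slide's pseudo-random key
SLIDE_CT = [94, 10, 60, 9, 85, 35, 29]     # the slide's cipher text


def to_values(text):
    """Plain text -> list of two-digit decimal ASCII values, as on the slide."""
    values = [ord(ch) for ch in text]
    if any(v > 99 for v in values):
        raise ValueError("the slide's scheme covers ASCII values 00-99 only")
    return values


def digitwise(a, b, sign):
    """Add (sign=+1) or subtract (sign=-1) two two-digit numbers column by
    column, each column reduced modulo 10 with no carry or borrow: 79 + 66 -> 35."""
    tens = ((a // 10) + sign * (b // 10)) % 10
    ones = ((a % 10) + sign * (b % 10)) % 10
    return tens * 10 + ones


def encrypt(plain_values, key):
    return [digitwise(p, k, +1) for p, k in zip(plain_values, key)]


def decrypt(cipher_values, key):
    return [digitwise(c, k, -1) for c, k in zip(cipher_values, key)]


def keystream(seed, length):
    """Key values 00-99 from a seeded generator (assumed stand-in for the slide's
    pre-set machine): two parties who agree on the seed get the same stream,
    of any length needed.  random.Random is NOT a cryptographic generator."""
    rng = random.Random(seed)
    return [rng.randrange(100) for _ in range(length)]


def slide_example():
    """Re-run the slide's numbers; returns (cipher text, recovered plain text)."""
    ct = encrypt(to_values("THE FOX"), SLIDE_KEY)
    pt = decrypt(ct, SLIDE_KEY)
    return ct, "".join(chr(v) for v in pt)


def shared_seed_example(message="THE FOX", seed=2002, wrong_seed=2003):
    """Sender and recipient share `seed`; a third party guessing `wrong_seed`
    subtracts the wrong stream and gets garbage.  Returns both recoveries."""
    pt = to_values(message)
    ct = encrypt(pt, keystream(seed, len(pt)))
    good = "".join(chr(v) for v in decrypt(ct, keystream(seed, len(pt))))
    bad = "".join(chr(v) for v in decrypt(ct, keystream(wrong_seed, len(pt))))
    return good, bad


if __name__ == "__main__":
    ct, pt = slide_example()
    print("CT:", " ".join(f"{v:02d}" for v in ct), "->", repr(pt))
    good, bad = shared_seed_example()
    print("shared seed:", repr(good), "| wrong seed:", repr(bad))
```

Because the key is consumed position by position and must be at least as long as the message, the key stream is the whole secret: whoever holds it (or the seed that regenerates it) can read the traffic, which is exactly the key-distribution problem the next slides address.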
Public-Key Encryption and
Decryption (PKED)
• Today, the invention in the 1970s of public-key
encryption and decryption (PKED) has provided a
brilliant step up from traditional cryptographic
methods.
• PKED works with pairs of keys, each pair being
related to each other in a special way, for which the
following situation serves as a model:
– Imagine a box with a special fastener that can be opened
and closed by two tools, which we can call the "right-handed"
and the "left-handed" tools. The right-handed tool turns the
fastener to the right; the left-handed tool turns it to the left.
– If the box is closed with the right-handed tool, it can be
opened only with the left-handed tool; and vice versa.
PKED (cont'd)
• In PKED, keys come in pairs that work in a fashion analogous to
the left-handed and right-handed tools.
– In each pair one key is called the "public" key; the other, the
"private" key.
– If a message is encrypted with a public key, then it can be decrypted
only with the corresponding private key, and vice versa.
• These public and private keys are not used directly as keys in
the way shown in the earlier slides entitled "Cryptography and
Privacy."
• Instead, the public and private keys are used to generate
sequences, of any length needed, of apparently random key
values. The public key and the private key in a pair will generate
the same sequence of apparently random key values, which are
used in the way sketched earlier; i.e., these sequences of key
values are added modularly to plain text to yield cipher text, or
subtracted modularly from cipher text to yield plain text.
PKED (cont'd)
• A popular method of implementing PKED is a program
called "Pretty Good Privacy," or "PGP."
– PGP is available as freeware and in commercial versions from
PGP Security.
• To see how this works, we can suppose that two
people, Alice and Bob, want to exchange messages
and/or files with each other over the Internet, using the
protection of PKED.
– Each of them must use PGP (or a similar program) to establish
a pair of keys for himself or herself.
– Each then publishes his or her public key, e.g., by providing it
on his or her Website, but keeps his or her private key a
secret.
PKED (cont'd)
• To send a message to Bob, Alice uses Bob's
public key to encrypt the message.
– To put it another way, Alice uses Bob's public key as a means of
producing a particular sequence of pseudo-random values with
which she encrypts the message, by adding the sequence of
values to the ASCII values of the letters in the message using
modular addition.
• When Bob receives the encrypted message, he
uses his private key to decrypt it.
– To put it another way, when Bob receives the encrypted
message, he uses his private key as a means of producing the
same sequence of pseudo-random values that Alice used, so
that he can decrypt the message by subtracting the sequence of
values from the ASCII values of the letters in the encrypted text,
using modular subtraction.
PKED (cont'd)
• To send a message to Alice, Bob uses
Alice's public key in the analogous fashion.
• This kind of procedure can be further
elaborated so as to provide a "digital
signature" that can be guaranteed to be
from the person from whom it purports to
come.
– For details, see "Cryptography and Pretty
Good Privacy."
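The paired-key property of the PKED slides (a message closed with one key of a pair opens only with the other, and vice versa), the Alice-and-Bob exchange, and the digital signature mentioned on this slide, shown with a toy version of the RSA algorithm. This is an added example, not code from the lecture and not PGP's own implementation; PGP's internal design is not reproduced here. Unlike the slides' description, the toy applies each key directly to the character values instead of deriving a key stream from it. The primes (61, 53, 89, 97) are deliberately tiny classroom values, and the per-character encryption without padding is for illustration only; the signature hashes the message with SHA-256 before applying the private key.

```python
import hashlib


def make_keypair(p, q, e=17):
    """Toy RSA key pair from two small primes.  Returns (public, private), each
    an (exponent, modulus) pair.  Real keys use primes hundreds of digits long."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)            # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def apply_key(value, key):
    """The 'fastener': the same operation, turned with either tool of the pair."""
    exp, n = key
    return pow(value, exp, n)


def encrypt_text(text, key):
    """Textbook RSA on each ASCII value (no padding: demo only, never real use)."""
    return [apply_key(ord(ch), key) for ch in text]


def decrypt_text(values, key):
    return "".join(chr(apply_key(v, key)) for v in values)


def _digest(text, n):
    return int.from_bytes(hashlib.sha256(text.encode()).digest(), "big") % n


def sign(text, private_key):
    """Digital signature: hash the message, then close the hash with the PRIVATE key."""
    return apply_key(_digest(text, private_key[1]), private_key)


def verify(text, signature, public_key):
    """Anyone holding the PUBLIC key can open the signature and compare hashes."""
    return apply_key(signature, public_key) == _digest(text, public_key[1])


def both_directions(message="THE FOX"):
    """Public-then-private and private-then-public both recover the message."""
    pub, priv = make_keypair(61, 53)
    return (decrypt_text(encrypt_text(message, pub), priv),
            decrypt_text(encrypt_text(message, priv), pub))


def alice_and_bob(message="THE FOX"):
    alice_pub, alice_priv = make_keypair(61, 53)
    bob_pub, bob_priv = make_keypair(89, 97)
    # Alice -> Bob: she encrypts with Bob's PUBLIC key; only Bob's PRIVATE key opens it.
    ct = encrypt_text(message, bob_pub)
    received = decrypt_text(ct, bob_priv)
    wrong_key = decrypt_text(ct, alice_priv)        # wrong pair: garbage
    # Bob -> Alice: Bob signs his reply with his PRIVATE key; Alice checks with his PUBLIC key.
    reply = "GOT IT"
    sig = sign(reply, bob_priv)
    return {
        "received": received,
        "wrong_key_fails": wrong_key != message,
        "signature_ok": verify(reply, sig, bob_pub),
        "tampered_rejected": verify("GOT IT!", sig, bob_pub),
    }


if __name__ == "__main__":
    print(both_directions())
    for k, v in alice_and_bob().items():
        print(f"{k:18} {v!r}")
```

The two calls to make_keypair in alice_and_bob are the step on the earlier slide where "each of them must use PGP (or a similar program) to establish a pair of keys"; publishing alice_pub and bob_pub while keeping the private halves secret is all the arrangement the two parties need.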
The Internet Can Threaten Your Privacy–
But You CAN Defend Yourself!