Network Security
Privacy Expert Advises Colleges to Bar 2 Popular Internet Tools
- From: Paul Howell
- Date: Fri Jun 30 11:14:22 2000
At http://www.chronicle.com/free/2000/06/2000062701t.htm

Privacy Expert Advises Colleges to Bar 2 Popular Internet Tools
By FLORENCE OLSEN
Philadelphia

A computer-privacy expert warned colleges Sunday against continuing to use two popular Internet tools -- Telnet and File Transfer Protocol -- because they offer easy routes for unauthorized people to gain access to personal data on campus networks.

Simson L. Garfinkel, the author of Database Nation: The Death of Privacy in the 21st Century, offered the warning in a keynote address at ResNet 2000, a symposium for residential-network administrators that will continue through Wednesday here at the University of Pennsylvania. Mr. Garfinkel said the main lesson of his new book, published by O'Reilly & Associates, is that students and faculty members cannot rely on themselves or on technology to protect their privacy when they use computer networks.

Campus-network administrators and off-campus Internet-service providers, or I.S.P.'s, vary widely in their commitment to protecting personal information stored in network log files and other databases generated automatically when people use the network, Mr. Garfinkel said.

Most network services, he said, create log files that capture personal information, including user names, network addresses, and the time and date those services were used. But few colleges and I.S.P.'s have enforceable policies to protect students or others from the misuse of information in those databases, Mr. Garfinkel said.

Log files, for example, are created on Web servers whenever users click on the "search" button. Mr. Garfinkel asked, Who has access to those log files? What computers are capturing those log files? What policies do institutions have for automatically deleting those files on a regular basis?

Even institutions and I.S.P.'s that do have privacy policies usually provide no way for people to control how information about them is collected and used, he said.

The amount of data that is now automatically collected as people conduct network transactions is minuscule compared with the amount that will be collected in the future, Mr. Garfinkel said. "We're moving into a regime in which far, far more information is going to be collected -- and frequently, that's going to be done over some sort of campus network," he added.

Even a new privacy "preferences" technology that the World Wide Web Consortium announced last week could be meaningless, because it is not backed by federal law or regulation, Mr. Garfinkel said. The industry consortium, which develops new protocols for the Web, has worked for several years on the Platform for Privacy Preferences Project, or P3P, a privacy-labeling system for Web sites.

"P3P is a great technology, but it's a technology that [only] works hand-in-hand with regulation," he said. Sites that claim to be P3P-compliant generate an encoded document that tells users in a standard, plain-language format how each site uses the personal information it collects.

But P3P "doesn't go far enough," Mr. Garfinkel said. The system's flexibility permits site owners to leave unlabeled many of the elements that are the most invasive of users' privacy -- such as the Common Gateway Interface, or C.G.I., scripts that run on Web servers. C.G.I. programs are easily exploited by network attackers, who can use them to steal personal data, experts say.

Mr. Garfinkel also urged the more than 300 residential-network managers and student-coordinators attending the conference to stop the common practice of using unencrypted passwords to secure network-user accounts. "But you won't," he chided. "And so you're going to keep having accounts broken into."