WASHINGTON -- If enterprises are having problems protecting their customers' privacy, it's because of the same nagging issues facing IT security in general -- a lot of technology solutions attack only part of the problem, and few IT vendors build products with privacy in mind.
That was the conclusion of at least some of the privacy and technology experts at a U.S. Federal Trade Commission (FTC) workshop Wednesday on how enterprises can better protect consumer privacy. While many participants in the day-long workshop called for a combination of technology, training, and industry procedures to better protect privacy, a few rapped the technology community for selling "snake oil" privacy solutions or building products with an "enormous lack of accountability" for privacy and security problems.
High-priced privacy and security consultants often aren't solving the problem, said Franklin S. Reeder, chairman of the Center for Internet Security. Responding to others on his panel calling for enterprises to spend more money on security, Reeder agreed, but said most companies don't have the "vaguest idea" on how to measure what to spend on security.
"It's even more important that the money we're spending, we're spending badly," he added. "There are a lot of people making very good money who are selling the same snake oil over and over again rather than promoting the adoption of knowledge that is already in existence and is available relatively inexpensively."
Reeder's comments followed a morning discussion about business tools available for protecting consumer information, including IBM's Tivoli privacy software, Intel's LaGrande hardware-based security architecture, and the Liberty Alliance's identity management project.
Reeder and Peter G. Neumann, principal scientist at SRI International, didn't mention any names, but they faulted the IT industry for security breaches that lead to privacy problems at companies. Neumann noted that many panelists during the day had called for defense in depth of consumer privacy, layering multiple solutions.
"What we really have is weakness in depth," Neumann said. "We have flawed requirements to begin with, we have flawed evaluation procedures, we have flawed systems, we have flawed administrative procedures ... we have flawed procurement processes."
Neumann also took IT vendors to task for building those flawed systems, saying most have "zero accountability" for security, and he disagreed with panelists who suggested vendors who don't adequately protect privacy and security will face an unfriendly marketplace. "The standard free-enterprise version is that the marketplace will solve all these problems," he said. "I claim that the marketplace is not solving the problems that I have been working on for the past half century, meaning very survivable, very secure, very reliable systems."
The problem with relying on the marketplace to punish insecure vendors is that most software is designed for ease of functionality, not security, added Vic Winkler, principal security architect for Sun Microsystems. "If you want to continue to encourage the propagation of dangerous code, please continue buying stuff that probably causes the most problems," said Winkler, again not mentioning names.