FTC forum: No one easy way to protect privacy

Many technology solutions attack only part of the problem

WASHINGTON -- If enterprises are having problems protecting their customers' privacy, it's because of the same nagging issues facing IT security in general -- a lot of technology solutions attack only part of the problem, and few IT vendors build products with privacy in mind.

That was the conclusion of at least some of the privacy and technology experts at a U.S. Federal Trade Commission (FTC) workshop Wednesday on how enterprises can better protect consumer privacy. While many participants in the day-long workshop called for a combination of technology, training, and industry procedures to better protect privacy, a few rapped the technology community for selling "snake oil" privacy solutions or building products with an "enormous lack of accountability" for privacy and security problems.

High-priced privacy and security consultants often aren't solving the problem, said Franklin S. Reeder, chairman of the Center for Internet Security. Responding to others on his panel who called for enterprises to spend more money on security, Reeder agreed, but said most companies don't have the "vaguest idea" of how to measure what to spend on security.

"It's even more important that the money we're spending, we're spending badly," he added. "There are a lot of people making very good money who are selling the same snake oil over and over again rather than promoting the adoption of knowledge that is already in existence and is available relatively inexpensively."

Reeder's comments followed a morning discussion about business tools available for protecting consumer information, including IBM's Tivoli privacy software, Intel's LaGrande hardware-based security architecture, and the Liberty Alliance's identity management project.

Reeder and Peter G. Neumann, principal scientist at SRI International, didn't mention any names, but they faulted the IT industry for the security breaches that lead to privacy problems at companies. Neumann noted that many panelists during the day had called for defense in depth of consumer privacy, using multiple layered solutions.

"What we really have is weakness in depth," Neumann said. "We have flawed requirements to begin with, we have flawed evaluation procedures, we have flawed systems, we have flawed administrative procedures ... we have flawed procurement processes."

Neumann also took IT vendors to task for building those flawed systems, saying most have "zero accountability" for security, and he disagreed with panelists who suggested vendors who don't adequately protect privacy and security will face an unfriendly marketplace. "The standard free-enterprise version is that the marketplace will solve all these problems," he said. "I claim that the marketplace is not solving the problems that I have been working on for the past half century, meaning very survivable, very secure, very reliable systems."

The problem with relying on the marketplace to punish insecure vendors is that most software is designed for ease of functionality, not security, added Vic Winkler, principal security architect for Sun Microsystems. "If you want to continue to encourage the propagation of dangerous code, please continue buying stuff that probably causes the most problems," said Winkler, again not mentioning names.

The criticisms of the free market prompted protest from Howard A. Schmidt, vice president of security for eBay and a former special advisor for cybersecurity for President Bush. "I see a tremendous, true industry desire to do better," Schmidt said. "The problem is it's not going to happen overnight."

Even if a completely secure application or operating system were written today, it would take years for enterprises to switch over to the new product, Schmidt said. The technology industry is working on better privacy-protecting solutions, he said.

Others criticized the process of creating software, saying the original specifications are often vague, and developers sometimes are blind to security issues. Programmers sometimes build backdoors into software just because they can, said Richard Purcell, chief executive officer of Corporate Privacy Group, a privacy consultancy.

"A lot of developers that I know are not socially gifted and fully implemented human beings in a lot of ways," Purcell said. "So it is our job as individuals who have a policy framework, who have an ethical framework, to know what the long-term vision is, not just, 'Can I ship this code on time?' "

Enterprises may need a push to protect customer privacy, said Ari Schwartz, associate director of the Center for Democracy and Technology, who argued that privacy legislation may be needed in addition to privacy technology and procedures. "Technology ... can't answer all of the problems," he said. "Technology can play a role, a very significant role, but it has to be teamed also with best practices, self action by industry including education and training, and lastly baseline legislation to protect individuals. Without all three working together, technology will not do enough."

This was the second FTC workshop on protecting consumer privacy since mid-May. The first focused on what steps individuals can take to protect their own privacy.


Copyright © 2003 IDG Communications, Inc.