INTRODUCTION 3CONCEPTS OF PRIVACYTECHNOLOGICAL THREATSOffice softwareMalware and spywareSUMMARYABOUT PESTPATROLFURTHER READINGREFERENCESProtecting computers from hidden threats Personal Privacy for Computer Users M. E. Kabay, PhD, CISSP Associate Professor of Information Assurance Dept. of Computer Information Systems Norwich University, Northfield, VT April 15, 2002 Privacy White PaperPage 2 © PestPatrol, Inc., 2002 Privacy White PaperTABLE OF CONTENTS INTRODUCTION 3 CONCEPTS OF PRIVACY 4 TECHNOLOGICAL THREATS 7 OFFICE SOFTWARE 7 MALWARE AND SPYWARE 7 SUMMARY 9 ABOUT PESTPATROL 9 FURTHER READING 10 REFERENCES 11Page 3 © PestPatrol, Inc., 2002 Privacy White PaperINTRODUCTION Computer users all over the world have consistently indicated that privacy is one of the key elements in their willingness or reluctance to using information technology1. Collecting information about users has become a lucrative business, with some companies funding their activities primarily through the sale of marketing data or lists of potential customers with details that allow targeted contacts. Unsolicited commercial e-mail, or spam, has become a daily annoyance for millions of e-mail users. Telemarketing phone calls generate enormous resistance, especially when unscrupulous businesspeople call your home during the dinner hour or refuse to take victims off their calling lists. Grocery store loyalty cards not only provide discounts, they also track individual purchases; in some stores, customers' information allows specialized, targeted coupons to be printed at the cash register so that a competitor's product can be purchased at a discount on the next shopping trip. On the interpersonal level, some people use Web-based services to look into the personal background of individuals on the Internet; employers use search engines and archives to read public postings by potential employees; and criminals sift through personal details to construct forged identities in the furtherance of identity theft. All these activities are possible without the use of computers, but they are greatly facilitated by the availability of large-scale databases online and of efficient search engines for collating data from different sources. Research that might have taken months of legwork, perhaps requiring personal visits to government offices to copy data laboriously by hand, can now be completed in minutes. As a result, finding out about people's lives has changed from one-by-one investigation into massive collation of data about millions of people at a time. Personal computers have provided fertile ground for data collection about individuals. Many Web sites store information about individual users' browsing patterns in files called cookies, which reside on the user's hard disk. Cookies allow personalized views of a Web site; for example, an online bookstore can keep track of all the books that a user has searched for or requested additional information on. This information then allows the bookstore software to suggest additional titles that might interest that specific user. On a less friendly note, some users of particular software programs have been surprised to discover that their programs are placing unauthorized calls to data collection sites on the Internet to upload information about their systems or system usage. All of these phenomena raise issues of privacy in the age of cyberspace. In this short paper, ordinary, non-technical users can get a sense of the fundamental issues that face all of us as we try to strike a balance between efficient commerce and our concerns about personal privacy.Page 4 © PestPatrol, Inc., 2002 Privacy White PaperCONCEPTS OF PRIVACY Privacy can be thought of as the power to hide parts of the truth about oneself, or sometimes the power to control the use of truths about one that other people know. For example, many people would consider that the books they read or what they say in private to each other ought to remain private. In addition, the concept of informational privacy covers truths they may have revealed to others for specific purposes but that ought nonetheless to be controlled. Medical records, for instance, would seem to be semi-private under this view; a patient could reasonably approve having her gynecological data shared with doctors and nurses without wanting the details to be published in a newspaper or on the Web. Simson Garfinkel eloquently addresses the fluidity of privacy as follows: “Privacy isn’t just about hiding things. It’s about self-possession, autonomy, and integrity . . . . It’s the right of people to control what details about their lives stay inside their own houses and what leaks to the outside.” 2 In United States legal theory, a statement by Justice Louis Brandeis sums up the American attitude towards privacy3: “The makers of our Constitution . . . Sought to protect Americans in their beliefs, their thoughts, their emotions and their sensations. They conferred as against the Government, the right to be let alone – the most comprehensive of the rights of man and the right most valued by civilized men.” Under common law, invasion of privacy can consist of • Intrusion upon a person’s seclusion in a substantial manner that would offend a reasonable person, such as pointing telephoto lenses at a bedroom window; • Appropriation of a person’s name or likeness – of concern primarily to celebrities who object to unauthorized use of their name or image in advertising campaigns; • Publicity given to someone’s private life such as details of sexual conduct, medical or psychiatric history; and • Publicity placing a person in a false light, such as insinuating that individuals support a particular political view when they don’t. One of the best definitions is as follows: “Privacy: 1 The right of an entity (normally a person), acting in its own behalf, to determine the degree to which it will interact with its environment, including the degree to which the entity is willing to share information about itself with others . . . . 2 The right of individuals to control or influence what information related to them may be collected and stored and by whom and to whom that information may be disclosed . . . . .”4Page 5 © PestPatrol, Inc., 2002 Privacy White PaperAnother key concept is that “There are two kinds of truth that the law might try to protect: 1 Truths about you that you