E for exponential growth


Computers & Security, 18 (1999) 295-299

E for Exponential Growth Stephen Hinde IS Audit Editor

0167-4048/99$20.00 © 1999 Elsevier Science Ltd. All rights reserved

At a frenetic pace, Internet traffic growth continues doubling every 100 days and rapidly developing traffic load pressures on Internet Service Providers (ISPs) and Web sites. In the UK this growth has been further fuelled by the growth of subscription free services and must be further exacerbated by the current campaign of the government and the BBC to teach everyone the benefits of, and how to use, the Internet. Indeed, such has been the uptake of these services that, according to Internet benchmarking company Inverse Network Technology, connection failure rates have doubled in the last three months as Internet Service Providers struggle to cope with increased demand. In March, on average, call failure rates during business hours increased from 3% to 5%, while failure during evening hours more than doubled from 4% to 10%. One ISP was losing 25% of calls during the day through failed connections.

Meanwhile, a new report by Datacomm Research Company and Techvest International (Portals to Profit: E-commerce Business Models and Enabling Technologies) has concluded that Internet based E-commerce will skyrocket, but that only companies who develop and implement entirely new business models will succeed. A new Internet Traffic Management Report from Collaborative Research claims the first in-depth view of the growing market for traffic management, load balancing, and traffic distribution solutions. Over the last 25 years, we all grew up thinking that doubling semiconductor performance every 18 months (Moore’s Law) was pretty amazing. On the Internet, traffic at a successful site will grow by a factor of 20 in the time it takes for CPU speed to double! Clearly, it isn’t faster computers that make it all happen, and that is what traffic management is all about. Traffic management software products sit between the fabric of the network and the computer systems that deliver services to the Internet. They manage and route the ever-growing flood of traffic requests. Traffic management software turns relatively flaky Web server software into rock solid information systems. They let sites scale to handle increasing load, and they manage the distribution and optimization of global traffic to multiple, distributed, replicated servers. The 150 page Internet Traffic Management report explains the problems created by increasing traffic loads and the causes of Internet traffic delays and stalls.

As acceptance and usage of the Internet spreads, knowing what people are doing online, what they are purchasing and what they are likely to do in the future is of the utmost importance to organizations. To help them obtain such information, CommerceNet and Nielsen Media Research are to conduct a UK/US Internet usage comparison survey, with sponsorship from Microsoft and USWeb/CKS. The E-commerce Survey will form part of the most ambitious Internet demographic survey conducted to date, and will provide the demographic data needed by businesses to plan productive E-commerce development. The CommerceNet / Nielsen Internet Demographics Study has been conducted in the US since 1995, and has been established as the industry standard in terms of quality of methodology, sample size and constructive analysis.

Privacy and Free Speech

Privacy has received a lot of attention in the news recently. The Internet has created an information highway creating the global village. The collection of information about a person, place, or thing has never been so quick and easy. As a result, people are becoming more concerned about their anonymity, and many are trying to discover just how much information collecting and privacy invasion is taking place. For the first time in history, last year saw the amount of data traffic on networks exceed voice traffic, indicative of the explosion in network computing and the increasing demands being placed on networking equipment. This growth is comprised of higher levels of data transfer within and between organizations and a massive increase in surfing the Net and buying over the Internet.

Internet users face many new issues as a result of these increasing amounts of information being delivered on the World Wide Web. Some of these issues are technological, but other important new issues concern political and social forces. When politics and differing societal goals come into conflict with new media, the result is challenges to free speech and access to information on the Web. In addition, despite this dramatic increase in Internet activity, there is a perception that the Internet is an insecure place to do business and that this perception is detrimentally affecting the level of trade on the Internet. A trade that knows no national boundaries. A trade that favours those countries in the vanguard of the use of the technology.

Perhaps I am just an old cynic, but do I detect that a Damascus-like conversion to the need for security and privacy by companies and legislators is being driven by money? They are joined by individuals and organizations campaigning for privacy and anonymity on the Internet; by campaigners wanting to police and restrict the use of the Internet for pornography and other ‘antisocial’ purposes; and by campaigners pleading the First Amendment of free speech. Several years ago Web users experienced the Communications Decency Act (CDA), passed by the United States Congress. The ACLU successfully fought against the Act. More recently, the US Congress passed another bill named the Child Online Protection Act (COPA). ACLU has achieved a temporary injunction preventing enforcement of the new law. They argue that COPA does nothing to protect children and that it has the potential to devastate small online businesses. The CDA and COPA legislation are examples of what happens when new technologies collide with existing law and custom, something that regularly occurs whenever new technologies are introduced. However, according to ACLU, “the Web should be entitled to greater (rather than less) protection than other media because of its free-speech enhancing characteristics.”

Ironically, much of the work on providing security, but not privacy, on the Internet has been provided by the pornography vendors, albeit not in terms of providing security over financial transactions or in protecting the privacy of the surfer, but in terms of protecting their databases from download. It has been reported that some ‘free’ sites do not permit you to exit the site until a credit card payment has been made.

Lies, Damn Lies and Computer Records

Ironically, one of the organizations advertising on the Web is the UK based Alibi Agency. This organization aims to provide customers with alibis to “protect the privacy” of their extra marital affairs. For a fee they provide conference brochures, invitations, golf club competitions etc., all with appropriate logos, which are posted to the customer. They are entirely fictitious, apart from the telephone number, which is the ‘reception’ number of the event, and is answered as such to provide the ultimate alibi. I wonder how these fictitious computer records of ‘events’ attended comply with the Data Protection Act principles of data being accurate and lawful?

Chips Can Damage Your Privacy

Just when you thought that effective steps were being taken to protect your privacy, along comes a new threat to it. Intel’s new Pentium III chip comes equipped with a processor serial number that allows online merchants to identify users for more secure Internet commerce. (Remember when they could not put a physical identification number on chips to help reduce the high levels of chip thefts a few years ago, when chips were worth their weight in gold?) Privacy advocacy groups are calling for a boycott of this new product, alleging that it invades and compromises the privacy of online consumers.

In a separate, but linked issue, in response to speculation that privacy is compromised through software registration (Microsoft’s Windows 98 registration process transmits information about users and their computers back to Microsoft without the user’s knowledge), Microsoft has stated that the Office 97 technology enabling the insertion of a unique identification number into documents so that they can be referenced on a network is unrelated to the Windows registration process and that the two numbering systems never converge. The unique identifier generated for Office 97 documents contains information that is derived in part from a network card, not from an individual user’s identity, and thus it is not possible to reliably determine the author of a document. Of course, for most of us, the PC identifier does identify us as the user. Microsoft has commented that the purpose of the unique identifier number was to help independent developers build tools to work with and reference Office 97 documents (e.g., applications that help repair hyperlinks between Office documents). But the unique identifier number has not been widely used by these third parties. So, in addition to offering patches to prevent the insertion of a unique identifier number in all new Office documents and to remove the unique identifier from previously created Office 97 documents, Microsoft has determined that the forthcoming release of Office 2000 will not include the ability to insert these numbers in documents.

The courts have also added to this assault on our privacy. A recent US Supreme Court ruling determined that a bank customer’s transactions are not the private records of the customer, but instead are the private business records of the bank. And the Norwegian Supreme Court has ruled that anyone in that country can legally run a port scanner against a network to see what ports are listening.

Computers & Security, Vol. 18, No. 4

Clinton Favours Privacy

The US, currently embroiled in a trade dispute with the EU over the security and privacy requirements of the European Data Protection Directive, is starting to talk about the need for security and privacy. As part of the continuing talks the US government has published draft ‘safe harbour’ principles under which US companies can comply with EU data privacy requirements. The two sides have agreed principles whereby companies within the safe harbour provide adequate data protection. Organizations will be permitted to use private sector programs to ensure compliance with the agreement. However, there are still EU concerns over onward transfers to US companies not complying with safe harbour, and other more detailed points.

The problems of knowing what data are being held on employees, in which European country or the US, and whether the organization is legally entitled to hold such sensitive data, have led the International Commerce Exchange, a user group focusing on electronic commerce issues (www.icx.org), to decide to produce a code of conduct for privacy within six months. The intention is that organizations will be able to use the code as a checklist to ensure they are not going to face privacy restrictions across Europe.

Privacy Views

And all this against a backdrop of a lack of concern by IT directors about individual privacy rights. Indeed, a recent poll of nearly 350 Chief Information Officers in the US revealed that 60% believed the ability to track customers’ preferences for their companies’ data outweighed individuals’ privacy rights. Elsewhere there have been suggestions that the problems of privacy, and compliance with the EU Data Protection Directives, as enacted by the EU nations, are of such magnitude that all of those IT professionals currently engaged on solving the Year 2000 problem should be transferred onto ensuring compliance with Data Protection requirements once the millennium is sorted.

New initiatives and regulations governing information privacy are changing the face of networking and increasing the requirement for strong security. Concern for privacy is especially evident in the healthcare industry. As President Clinton stated in his State of the Union address earlier this year, “As more of our medical records are stored electronically, the threats to all our privacy increase. Because Congress has given me the authority to act if it does not do so by August [1999], one way or another, we can all say to the American people, we will protect the privacy of medical records and we will do it this year.” This presumably includes DNA testing.


Security requirements in the healthcare industry have already reached new levels with emerging standards from the US Department of Health and Human Services. The Health Insurance Portability and Accountability Act of 1996 raises the bar on security requirements as they relate to patient information, making healthcare organizations responsible for ensuring privacy - including that of patient information traversing the networks.

After the Pioneers

The nature of the Internet is changing. It is becoming de-skilled. It is no longer the province of academic techies. Now anyone can buy a computer at their local supermarket for under £500, take it home, switch it on, plug it into the telephone socket and start surfing courtesy of GUIs. No skills are required other than the ability to switch the box on. Thus the Internet has changed from an academic / research background to one of entertainment; a source of information; a means of communication sans frontiers; and a means of remote purchasing. How ironic that the mechanism that is killing off snail mail is greatly increasing parcel mail as all these goods are delivered.

Anarchy is giving way to order. The pioneers are being replaced by men in grey suits. Progress has always been thus. There is always a period of consolidation after the pioneers have moved on. A period of self regulation as the industry tries to put its own house in order. Failure to do so usually results in legislation and regulation.

Public Eye, the largest aggregator of customer satisfaction data on small and medium sized Internet companies, has recently launched its consumer privacy practices program. The program is aimed at giving E-consumers more control over how their personal information is used. The program also gives Internet merchants a way to reduce consumer anxiety about submitting personal information online. The program was designed to be consistent with the principles of fair information practices approved by the Federal Trade Commission, the US Department of Commerce, and leading industry organizations. The goal is not to displace the other privacy programs on the Internet but to serve as a catalyst to boost the fledgling privacy practices movement. It is hoped the Public Eye program will serve as a conduit to steer merchants toward more comprehensive privacy programs.

Building on Public Eye’s established network of certified merchants, the program now requires its members to declare their privacy policy. Once declared, their ‘privacy statement’ is automatically published and available to online consumers. The company’s actual ‘Privacy Practices’ are monitored by continually surveying the experiences of the merchant’s customers who file reports. Any user of a Public Eye certified company can access the merchant’s file to report their experiences with the merchant’s privacy practices. All consumers may view a Public Eye member’s file to view the merchant’s privacy statement and privacy track record before executing a transaction. For consumers, determining how member merchants use their personal information is quick, easy and user friendly. Reporting a breach of privacy can be completed in less than two minutes.

Butterfly Nets to the Rescue?

That august body, the International Federation of Butterfly Enthusiasts Inc., has entered the fray over Internet privacy with its announcement that it plans to actively promote the Internet Declaration of Independence. The document, originally drafted by ‘The Butterfly Guy’, is presently being reviewed by government officials around the world. The purple prose of the Declaration, which is derived from the US Declaration of Independence, gives way in Article II to a call for “A well regulated Internet Security Force, being necessary for the protection of the free flow of information, the Right of the Children to keep themselves from information that has been determined by the Majority of People to be declared as offensive material by the Parents of said Children, shall not be infringed.”

Beware the Ides of March

There are other cultural dates and events that may cause problems for your network. Traditionally there has been a tremendous surge in paper based mail for specific cultural and religious events. In the West, this has been primarily Christmas, Thanksgiving and Valentine’s Day. To these in recent years have been added a host of religious festivals, National days (St. Patrick’s Day, St. Andrew’s Day etc.), Mothering Sunday, Mother’s Day, Father’s Day, Campaign Days (International Day of the Child etc.) and so forth. The advent of E-mails with their ease of use and speed of delivery has led to an explosion in the sending of E-cards. And of course they need not be static. They can include video files, sound files and animated cartoons. Simple three to five-megabyte files, when passed around an office or spread throughout a division, can have a multiplier effect - monopolizing bandwidth and crippling productivity. E-cards and graphic images can also get corporations into legal trouble because of their potential to distribute discriminatory or offensive material over corporate networks.

Over the past couple of years, the volume of E-mail traffic has grown to the point where there are now more E-mails daily than ordinary cards and letters sent via traditional mail. E-mail has become one of the primary means of communication for business and personal users alike. According to recent research by Frost & Sullivan, by 1998 E-mail had surpassed the telephone as the most frequently used tool for business communications. The total number of E-mail boxes installed worldwide reached approximately 112.4 million in 1998 (corporate 68.4 million, ISP 44.0 million), up from 48.7 million in 1997 (corporate 36.7 million, ISP 12.0 million). In the beginning E-mail did not pose a network threat, but special events like Valentine’s Day are presenting significant problems for network personnel.

One of the ironies of the electronic age is that it has led to a renaissance of snail mail. Last year saw a 5% rise in the demand for envelopes to 440 billion. Consumption per head is highest in the US with 660 envelopes per annum. Western Europe manages an average of over 300 per annum with Italy, Spain and Portugal down at about 100 per annum. The delivery of goods ordered electronically over the Internet; confirmation of E-mails (because the delivery of the E-mail is not trusted); increased junk mail from data mining marketing exercises and the additional 5 billion envelopes needed to send out bills to users of mobile telephones have all contributed to this renaissance.

So whilst the postman is getting more exercise humping all that additional mail around, it seems that E-mail users are not. An exercise expert at a US university has calculated the physiological effects of excessive E-mailing. His research found that people who spend just two minutes an hour of each working day sending E-mails to office colleagues rather than walking down the corridor to talk with them via “facE-mail” will accumulate the calorific equivalent of 11 pounds (5 kilos) of body fat over a period of ten years. Sadly some of this use of E-mails instead of speaking to colleagues is nothing to do with laziness but the hiding from colleagues syndrome. E-mails and Voice Mail do seem to be used by some to avoid conflict and interface with other humans in any direct form of contact.

But What Can We Do?

All too often usage of the Internet by staff has grown in a vacuum with no policies and guidance as to permitted usage and consequences for unacceptable activity. Similarly, the exploitation of Internet technology by organizations has also tended to be done on the fly; to bypass system development methodologies and controls in the race to be first. Controls, security and privacy seem to be casualties in the stampede. Does your organization have policies on Internet usage? Is there continuous active monitoring? Is it acted upon? Do you use technology to restrict and protect? Does it have a published privacy policy for customers and for employees? If the answer to any of these questions is no, then you need to act quickly to protect your organization and its staff.