revise.qxd
9/25/00
3:39 PM
Page 6
the conception of an idea onwards. This fact is appreciated by Baltimore Technologies and IBM, who are working in partnership in this area to couple software technology with a security infrastructure in order to enable a secure end-to-end solution. IBM said, “The success of electronic and wireless commerce depends on trust and we believe PKI is an essential building block towards establishing trusted transactions.” Further information can be obtained from [email protected] or www.ibm.com.
Sophos squashes seaside bugs
The Australian Volunteer Coast Guard Association (AVCGA) has made a contract with anti-virus software provider Sophos. The AVCGA is responsible for protecting 20 000 km of coast and is staffed entirely by volunteers. A spokesman for the AVCGA said, “The integrity of our computers is vital to the efficiency of our operation.” Part of their role is to monitor the marine distress frequencies and patrol the water in order to be able to respond to a distress signal as quickly as possible. The Association feels that it is essential that the computer systems are protected as they are the backbone of communications and thus of the ultimate safety of coastline users. By its very nature the operation must be available 24 hours a day. The round-the-clock support offered by Sophos was one of the factors which attracted the Association. To find out more about Sophos Anti-virus visit www.sophos.com.
TRUSTe breaches own privacy policy
It has been stated in a technical report, “A Failure to Communicate: When a Privacy Seal Doesn’t Help”, that visitors to the TRUSTe website have had their behaviour tracked and the resulting data passed on to a third party. The company in question is TheCounter.com, who say that the data is jointly owned and that “we will use the data in compliance with our own security policy.” TheCounter.com is a free ‘hit logging’ service. But what of TRUSTe? As a company that invites others to come to them for advice about online security, it is odd that they are passing on data to anyone — especially when the information they can get back is already resident in their own web server logs. The company’s privacy policy states that IP addresses and browser types will be recorded, but makes no mention of information being available to a third party. The report, released by the Internet Privacy Project, established by Interhack Corporation, says that the data was being collected using tiny ‘web bugs’, images of one pixel square, and cookie files. The web bugs have now been removed from the site.
US privacy organizations sink teeth into Carnivore
Elspeth Wales
US privacy organisations, Congress and citizens are up in arms over the FBI’s controversial use of an E-mail surveillance system intended to intercept information in the E-mail of criminal suspects. They are concerned that this might infringe on the privacy of innocent E-mail users and are uncomfortable with the possibility that their activity could also be monitored. The Electronic Privacy Information Center (EPIC) sued the FBI under the Freedom of Information Act (FOIA) to obtain all the FBI’s documents describing the system. Attorney General Janet Reno promised a review of the system would be carried out by an external team assembled by a university, in order to ensure it was objective and independent. An internal review of the findings is then to be conducted by the FBI.
The deadline for tenders to be submitted by universities interested in undertaking the review has passed and EPIC said that those institutions approached by the Department of Justice to conduct the review have all pulled out. “The feeling in the academic community is that the deck has been stacked in favour of the Carnivore system so that an independent review can’t be carried out,” he said. What happens now is unclear. Originally an independent reviewer was to report its findings by 1 December. Although EPIC has had some success in its lawsuit, now it is a question of how quickly the records are made available. The FBI seems to be dragging its heels. It plans to release several pages of the system’s description at a time. This is partly because, in accordance with the FOIA, outside commercial entities have supplied technology under contract and they must be notified and be given the opportunity to agree or disagree to any information disclosure. According to Mark Rotenberg, executive director of EPIC, the furore surrounding the Carnivore system — which he said was an ill-chosen name in the first place — is so strong that there have been public calls for the suspension of Carnivore until the review is completed. In July the FBI said it has used Carnivore 25 times — 17 times this year — and that court orders limit which E-mails they can see. But privacy organizations say only the FBI knows what
Carnivore can do and service providers are not allowed to enter the system. They ask why the FBI wants to retain remote control of Carnivore equipment rather than give it to the ISPs so they can comply with court orders.
Meanwhile in the UK, the Government has passed, after a long parliamentary struggle, the Regulation and Investigatory Powers Bill, which will allow police and security services to scan private E-mails. The government said that the Bill updates police powers to intercept and monitor communications, bringing them up to speed with technologically savvy criminals. But civil rights groups have been worried about the Bill for fear that it will infringe on people’s civil liberties. Much of the concern centres around encryption keys, codes that are used to decipher data. Originally the bill would have let the authorities obtain these keys, but businesses were worried that this could lead to the release of swathes of information that is irrelevant to any investigation, but sensitive to the company being accessed.
The Confederation of British Industry (CBI) has been instrumental in lobbying for amendments, particularly to do with encryption, but the process still has some way to go. “We welcome the fact that the Government listened to businesses on particular aspects of the Bill but we are now looking to ensure the draft regulations meet business requirements and make sure that businesses remain competitive when the Act comes into force,” said a CBI spokeswoman. The regulations are significant because they will shape the way in which the Act is adhered to.
MasterCard delves into digital ID
Ed Wehde
MasterCard International has formed a group to develop digital identifications that will protect cardholders from fraud when making purchases over cellular phones or the Internet. The company has expanded its Chip Vendor Services Program (CVSP) by forming a new subgroup focused on the development and global deployment of digital ID-based smart card applications to authenticate cardholders in mobile and electronic commerce transactions. According to Gail Francolini, vice president, Global Chip Relationship Management at MasterCard International, 22 industry members, including SecureNet Limited, ACI Worldwide, Bull Smart Cards & Terminals, Schlumberger and Unisys, have joined the new programme. “It authenticates you as the card holder of your card,” Francolini said of the IDs, which would essentially be a string of numbers. Francolini said that everyone involved in mobile and electronic commerce wants more secure ways to conduct transactions. “There is tons of demand for new security from banks, vendors, merchants and customers,” she said. Those concerns seem to be well-founded. Internet-based credit card fraud is at least 10 times the rate for the physical world, according to Avivah Litner, analyst with the Gartner Group. A Gartner survey of 11 web retailers found that card fraud is the number one problem in E-commerce, Litner said. MasterCard aims to provide a whole spectrum of options to both cardholders and member banks by providing multidimensional cards. “A huge component of our overall chip strategy is to have a variety of offerings so that, as a bank, given your market dynamics, we can help you find a solution that best fits your needs,” Francolini said. According to Francolini, each of the partners in the programme brings different technology to the table, with some working on highly secure PKI technology while others work on more cost-effective technologies.
SecureNet Limited, for example, has developed solutions that feature MULTOS smart cards as core components. “Structured properly, multi-application cards give cardholders a secure, portable way of identifying themselves while also enabling them to initiate payment with their credit or debit cards, or take advantage of other applications such as loyalty programmes. To do all of this, they only need to carry a single smart card,” Art Kranzley, senior vice president of Electronic Commerce and Emerging Technologies for MasterCard International, said. Francolini said that the company is just starting to launch chip cards with digital IDs in Hong Kong and will start in Brazil shortly. In the UK, banks are now in the process of converting from magnetic strip cards to chip cards, but she could not say when the digital ID cards would be launched there. More announcements about further launches are expected in the coming weeks.