As e-commerce grows, feds keep an eye on privacy concerns

Preserving freedom of access and communications while keeping systems secure is key, official says

By Kevin McCaney

GCN Staff



As security has moved to the center of the widening world of online government, privacy, like a persistent shadow, has followed. But while the two issues sometimes seem inseparable, information technology and privacy experts point out that they are not the same thing.

'Better security protects the privacy of information on government computers,' said Peter Swire, chief counselor for privacy at the Office of Management and Budget. 'Security and privacy are absolutely related when it comes to stopping unauthorized access.'

But although they cross paths in the implementation of personal protections, they generally follow their own paths. Security and privacy 'are completely different activities,' said Don Hagerling, information systems security program manager for the Treasury Department.

Hagerling said the fundamental difference he sees is that computer security is primarily a matter of technology whereas privacy is primarily a matter of politics. As a self-described technocrat, he added, he defines politics as anything that is not technical.

'Generally, in privacy issues it's about releasing information, not protecting information,' Hagerling said. 'It's a person making judgments, weighing different sides of the question. A privacy issue is health information.

'Does the Centers for Disease Control and Prevention have a valid need to know who's been infected, and how should that be released? How do you protect the identities of the individuals? If they need to interview somebody, does that person lose the right to protection?' he said.

Once those decisions have been made, security measures enter the picture to implement the decisions, he said.

Swire agreed. 'That's where security and privacy are completely aligned,' he said.

'The reality is they have the same goals,' said Alan Paller, director of research at the SANS Institute in Bethesda, Md. In fact, the road to better security (and, perhaps, to the funding for better security) is paved with concerns about privacy, he said.

'This is the one easy part of security,' Paller said. 'Not the easy technical part, the easy marketing part, because security is a hard sell.

'It turns out that when you decide you actually care about privacy of information, in terms of health care information, for example, the only solution is to implement security systems that actually protect, [ensuring] both security and privacy,' Paller said.

'Instead of running around telling people you want security, security, security, if you want to get senior management to understand the need for security, ask them whether they want people's health records to be protected, or if they want people's salaries to be protected, or their own e-mail to be protected,' he said. 'And if they do, then there's no discussion about whether or not you implement effective security.'

Paller said the more likely conflict exists not between security and privacy but between security and anonymity.

'If your biggest threat is denial of service, the only way to stop a denial-of-service attack is to know who's doing it. Anonymity is antithetical to protecting against denial of service,' he said.

Anonymity is a difficult question, Swire said. 'There are many great features in the open nature of the Internet,' he said, but the question is how to preserve the freedom of access and communications while keeping systems secure. Finding that balance is something government and industry will continue to wrestle with.

Swire said the Federal Intrusion Detection Network 'has been carefully designed to increase security with an eye toward protecting privacy.'

He cited three guiding features of FIDNet: It monitors only government systems, not those in the private sector; it requires that referrals of information to law enforcement agencies adhere to the same long-standing rules that predate the Internet; and it emphasizes strong security at the agency level, where information is kept.

'All agencies now have clearly posted privacy policies stating how information is to be used,' he said.

GCN associate editor Richard W. Walker contributed to this report.
