The 1997 Mid-year Meeting of the American Society for Information Science (ASIS) was held in Scottsdale, Arizona, the first week of June. As the heat reached triple digits outside, 300 ASIS members and interested others inside held heated discussions on issues surrounding "Information Privacy, Security, and Data Integrity."
The timing was good -- just a week before the Federal Trade Commission hearings about online privacy. A poll released at the hearings showed that over half of the computer users in the U.S. support laws on computer privacy, and major companies such as Microsoft and Netscape are supporting technological safeguards to protect Web site visitors' privacy.
The ASIS meeting held sessions that discussed legal, technological, and ethical protections of online users' privacy. Privacy in the personal arena and privacy in the professional arena were both covered, although there may be inherent conflicts. As individuals, we may want stringent safeguards to protect our privacy, while in our information workplaces we may be charged with gathering as much information as possible about other companies or about individuals.
Anonymity and Self Regulation
A general session featuring an invited expert or experts began each of the three days of ASIS Mid-Year 1997. On day one, Janlori Goldman, deputy director and co-founder of the Center for Democracy and Technology, discussed personal information privacy in a digital age. She pointed out that regular models of law and protection don't work on the Web because the Web environment has evolved into an anonymous place where people can't be sure with whom they are interacting. Most don't want regulations imposed on the Net that would do away with anonymity because they want to be able to protect their personal privacy, even though privacy protection also shields criminals.
Goldman favors self regulation of privacy using technological solutions. (Goldman and other speakers did point out, however, that "people don't care about their privacy when confronted with convenience or great prices.") Automatic privacy protocols would allow individuals to set what information about themselves will be transmitted to Web sites they visit. A privacy message would precede each visit, and if a site does not want to abide by the settings, it can deny access. Legislation would be necessary to allow punishment for Web sites that do not abide by the protocols or that take unauthorized information. Since November 1996, the Privacy Working Group has been developing privacy protocols as part of Web browsers, such as those endorsed by Microsoft and Netscape after the ASIS meeting.
Threats to Information Security
On Tuesday morning, the discussion of privacy and security solutions was continued by Herb Lin, senior staff officer with the Computer Science and Telecommunications Board of the National Research Council. Lin sees two categories of threats to information security. Category one threats are recognized by all as problems, and category two threats are subject to interpretation.
Category one threats include such things as hackers looking for passwords, corrupt or careless medical records clerks, or foreign governments intercepting trade secrets. Category two threats include things such as insurance companies accessing your medical records, local police conducting electronic surveillance, or the FBI decoding encrypted disks of an alleged child pornographer. Technology provides solutions to category one threats, but there are no easy solutions to more subtle threats to privacy.
Lin recommends cryptography as a technological solution to many criminal and privacy threats. He believes the U.S. government should encourage rather than restrict the use of encryption for online messages.
On the last day, Michael Lesk of Bellcore and Bob Frankston of Microsoft led a discussion session on the present and future of privacy and security. …