
E-Services Privacy

self regulations are enough to protect individual’s PII. The European Union has a set of directives related to e-privacy called “The Data Protection Directive” (e.g., Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector [Directive on privacy and electronic communications]) (The European Commission, 2002).

While e-privacy laws and acts may differ according to the political structure and local cultures, they share the objective of protecting PII that uniquely identifies a user (e.g., full name, social security number, e-mail address), or data that uniquely identifies a particular device or a location used by a user (e.g., IP address).

A standard e-privacy policy would state:

(a) The purpose for which PII needs to be collected, and that this purpose shall be made clear to individuals before the collecting process begins,
(b) Whether collecting PII will be automatic, or would individuals be notified before the collecting process begins,
(c) What PII is collected,
(d) How the collected PII will be used,
(e) If and how cookies are used,
(f) That the collecting organization is responsible for protecting the PII collected,
(g) What security policies are used, with references to them,
(h) The conditions under which the PII may be released,
(i) For how long will the collected PII be retained, and
(j) The privacy act and principles that the policy is based on.

A few policies will state more enhanced standards such as:

(a) The collecting organization would provide information regarding its management of the collected PII to concerned individuals, and
(b) Concerned individuals shall be able to access their PII and challenge the appropriateness of the PII.

Questions that arise here are whether e-services providers really adopt clear e-privacy policies and whether e-privacy laws and acts really protect an individual’s e-privacy. An answer may be provided in the online report “Super Beware: Personal Privacy and the Internet” by the Electronic Privacy Information Center (1997). The report states: “The Electronic Privacy Information Center (EPIC) reviewed 100 of the most frequently visited Web sites on the Internet. We checked whether sites collected personal information, had established privacy policies, made use of cookies, and allowed people to visit without disclosing their actual identity. We found that few Web sites today have explicit privacy policies (only 17 of our sample) and none of the top 100 Web sites meet basic standards for privacy protection.”

While laws and acts are meant to force e-services providers to adopt clear e-privacy policies, they differ from one country to another according to culture and political structure. Robert Lee (1997) was involved in research to focus on and compare how personal privacy related regulations in two countries with close ideas of personal freedom and governmental structures — the United States of America and Australia — would affect Internet applications collecting PII. Roberts states that “Despite the similarities in culture and aspirations for individual freedom from bureaucracy in the United States and Australia, this limited research demonstrated that access to private information on individuals was more freely available in the United States than Australia.
The difference in individual privacy protection resulted from the extension of Australian federal privacy regulations to cover commercial businesses in addition to government databases.”

Section vii will identify some challenges that may be encountered when adopting and coping with an e-policy.

CHALLENGES

E-privacy policies consider e-privacy in two dimensions:

1. Providing the protection for individuals’ PII against unauthorized collection and usage when using e-services, and
2. Providing the protection for individuals’ PII, when collected with consent, against electronic theft or reproduction by a third party.

We have focused our discussion on the first dimension since we believe that the second dimension would be more related to electronic security rather than to e-privacy. However, maintaining the second dimension faces many challenges, hence it will be included in our discussion in this section.

Adopting and coping with e-privacy policies face several challenges. We list some of them below and classify them into policy and security challenges:

Policy Challenges

• Enforcing standards among all collectors of PII.
As we clarified in an earlier section, laws and acts differ from one country to another based on culture, beliefs, and political structure. An organization may provide an e-service to thousands of individuals across the globe and may be subject to some e-privacy laws. This organization’s competitors, based in other countries and providing the same service also to thousands of individuals across the globe, may not be bound by similar laws. This gave rise to “Safe Harbour” agreements such as the safe harbour agreement between the U.S. and the EU (U.S. Department of Commerce, 2000). In such an agreement, U.S. organizations may voluntarily participate in the safe harbour and be committed to cooperate and comply with the European Data Protection Authorities. This will ease the flow of information from EU organizations to participating U.S. organizations.
• Diversity of sectors.
There are differences between public (government) and private sectors. The public sector often accepts committing to higher e-privacy standards better than the private sector. For example, the public sector does not look to share collected PII outside its departments, while private sector organizations may find it necessary to trade collected PII with other private sector organizations for commercial purposes, competition, and so on.
• Diversity of laws and legislations.
When a multi-national organization has several branches with several Web sites in different jurisdictions, to which e-privacy law would it be subject?
• Diversity of individuals.
Some individuals may accept (reasonable) risks in giving up their PII for getting an e-service (e.g., have free access to software). For example, Yahoo uses Web Beacons to track Yahoo users (Yahoo). How would an e-privacy policy balance between those and other individuals who prefer (total) protection?
• Internal resistance from organizations that have to adopt an e-privacy policy, since violating the policy may have unpleasant legal consequences.
• Exceptions.
Almost every e-privacy law or act has some exceptions that affect the proper implementation of the e-privacy policies that refer to that law or act. While one may understand releasing or hiding PII for legal or security reasons, other exceptions may be confusing. For example, the Canadian Personal Information Protection and Electronic Documents Act (Government of Canada) notes that an individual may inquire about the existence, use, or disclosure of his or her PII and can have access to it.
However, the act also states that “In certain situations, an organization may not be able to provide access to all the personal information it holds about an individual.” And “Exceptions may include information that is prohibitively costly to provide, information that contains references to other individuals, information that cannot be disclosed for legal, security, or commercial proprietary reasons….” But, who determines that the information is prohibitively costly to provide? Why did providing it become costly, while collecting it was affordable? Also, who determines the commercial proprietary reasons?
• Conflict with other laws.
An e-privacy law in one country may conflict with another law in another country, or even in the same country. For example, in 2004, British Columbia’s Information and Privacy Commissioner released a report warning that Canadians’ privacy was at risk and that the USA PATRIOT Act violates British Columbian privacy laws (Information and Privacy Commissioner for British Columbia, 2004). The report clarifies that necessary changes to the British Columbian privacy laws are needed to protect British Columbians’ personal information from being seized under the controversial American law. A second example of conflicts of laws is the potential misuse of the Digital Millennium Copyright Act (DMCA), passed in the United States in 1998 by Congress (U.S. Government, 1998). Among other concerns, there is the concern that this law may be misused by some parties to violate individuals’ e-privacy. A copyright holder may use the DMCA subpoena to force an Internet service provider (ISP) to release PII of an Internet user based on a claim of copyright infringement. What if there is no actual copyright infringement? What if an irrelevant IP address was released by mistake? Could misuse or abuse be involved?

Security Challenges (Related to Providing Enough Security for Collected PII)

All e-privacy policies state that a collecting organization is responsible for protecting PII collected. The issue here is that there are no unified security measures. This raises several questions:

• Would senior management in all collecting organizations equally appreciate and understand the issue of security and be committed to spending for high security techniques and skills?
• What security techniques are enough to protect the collected PII (firewalls, authentication, anti-virus software, data encryption, etc.)?
• Would adopting high security measures conflict with individuals’ rights to access their stored PII?
• Would adopting some security techniques (e.g., authentication) undermine e-privacy?

Authentication refers to a set of techniques that may be used to verify that the user of a system is really who he or she claims to be (e.g., using a password known only to the person logging in). However, there are experts in breaking down (simple) passwords; also, there are software programs that assist in this task. The need for more secure authentication systems would require collecting more data from the user (e.g., answers for private and confidential questions) or for using cookies that assist in identifying the computer machine used.

While authentication can help protect e-privacy by making sure that those who access PII stored electronically are authorized to do so, it may also undermine e-privacy, as argued by Kent and Millett (2003), since it could result in authentication systems that:

• “Increase requests for identification,
• Increase the collection of personal information,
• Decrease the ability of individuals to understand and participate in data collection decisions,
• Facilitate record linkage and profiling, and
• Decrease the likelihood that individuals will receive notice of or have the right to object to third-party access to personal information.”

CRITICAL ISSUES IN MANAGING E-PRIVACY

Adopting an e-privacy policy is not a matter of choice in some countries; it is a must. There is no question that more countries will pass laws that ask e-services providers to adopt clear e-privacy policies. However, establishing an effective e-privacy policy that is in compliance with applicable laws and acts to protect e-privacy requires the integration of the following guidelines at three levels: organizational, legal, and technical.

On the organizational level, a deep understanding from senior management is needed to appreciate that having a proper e-privacy policy would actually benefit its e-service business. If an e-service provider is publicly recognized as not protecting users’ privacy, then this would have a dramatic, damaging effect on its reputation and business. Management must be willing to spend generously on technology and skills to put e-privacy in place. E-privacy must be seen as an additional value to the organization’s business and not as a barrier to it. Hence, the development of the e-privacy policy, its requirements, and resources must be integrated within the organization’s overall business plan. The implications of the e-privacy policy and its implementation on the organization must be considered at the early stages of designing and developing the organization’s overall business plan so that proper identification of the needed PII and techniques for collecting, storing, processing, controlling, and transferring PII are properly implemented. A clerk responsible for managing the e-privacy policy must be understanding to concerned individuals and accept that a concerned individual is entitled to have access to his or her PII record at his or her chosen time. The clerk must help the individual to the largest extent authorized by the applicable law or act.

On the legal level, a deep understanding of the applicable laws on e-privacy is needed. Legal advisors must frequently revise the e-privacy policy.

On the technical level, proper measures and technologies for data security must be adopted to protect PII from improper access while it is being collected, stored, used, processed, and transferred between servers and sites. Some guidelines that may help for data security and protecting e-privacy are listed next. Some of these guidelines may help e-services providers that collect, store and transfer data electronically; others could be helpful to individuals to protect their e-privacy while using an e-service or surfing the Web (the list of guidelines is not intended to be comprehensive or to guarantee full protection, but suggestions to consider):

• Use public key encryption (PKE) to collect sensitive data from individuals (by their consent) and for data flow between sites and servers.
Encryption is a technique used to encode data so that it may not be understood by others, only by the encoder. Public key encryption has recently become a cornerstone in online business and e-services concerned with providing a high level of protection to data collected and transmitted electronically.
• Use encryption when storing data.
• Use authentication and authorization techniques for accessing stored data.
• Authorization is finding out if an authenticated person has the privileges to access some classified data.
• Use antivirus software, and update it frequently.
Frequently use antivirus software to scan and clean computer disks and memory from viruses, worms, and Trojan horses that can cause serious damage to data and computer functioning.
• Use firewalls.
Use a firewall system (could be hardware/software) to enforce an access control policy. Use it to protect networked computers from possible intrusion that may compromise e-privacy by restricting communication between the internet and a networked computer that contains data to be protected.
• Prevent/control cookies.
Always check for cookies, block them, or at least be alert when a cookie will be placed on a computer hard disk, and delete unwanted ones. Many e-services Web sites place cookies on an individual’s machine to recognize those who revisit their sites. Cookies are small text files that contain some information (e.g., preferences of an individual when he or she visits that Web site). In principle, cookies do not automatically collect PII, but they can save PII provided by an individual with consent. While cookies were originally meant to exchange information (PII) with the Web site that sent them and for which the individual has given PII by consent (first-party cookie), other cookies (third-party-cookies) can compromise e-privacy. Third-party-cookies may track an individual’s online activities and send information about him/her to Web sites that the individual knows nothing about. Cookies can easily be blocked, removed, or protected against by using opt-out cookies.
• Consider anonymous Web surfing.
Anonymous surfing helps to protect e-privacy by making it difficult for Web sites visited to collect PII (e.g., IP address) or to track an individual’s online activities. The idea depends on not contacting the intended Web site directly but through a second site that uses an anonymous surfing proxy that will not allow the individual’s particulars to be passed to the intended site. But can an individual really trust the second site?
• Consider secure e-mail.
Some tools can help an individual to access, store, and send e-mail in an encrypted environment.
• Use proper tools to block spam and filter incoming e-mail.
• Secure online communication.
Encrypt TCP/IP communication such as instant messaging, HTTP, FTP, voicemail faxes, and streaming audio/video.
• Frequently run privacy/security risk assessments to identify the greatest risk associated with unauthorized intrusion to sensitive stored data.

APPROACHES FOR E-PRIVACY MANAGEMENT

The increased concerns of individuals accessing e-services exposing their e-privacy led researchers to investigate approaches for managing e-privacy. In particular, individuals have limited experience and resources when compared to e-services providers. The latter have enough resources to develop and enforce their e-privacy policies compared ...