TORONTO (04/06/2000) - Just how wide open to the world is your computer when you use your lightning-fast cable modem? The always-on aspect of broadband poses a threat that is real, panelists at the Computers, Freedom and Privacy conference held here this week agreed, but they disagreed on the nature of that threat and on how best to neutralize it.
"There's all kinds of problems," said John Denker, division manager of the information services research department at AT&T Laboratories. "Most of the threats out there are fairly sophisticated threats aimed at unsophisticated users."
Users' security and privacy can be compromised by government intrusion, hackers and trojan horse software programs, to name a few ways, but users may themselves participate in the most egregious compromise of all, according to Denker. Users may periodically elect to give up a small bit of personal information to obtain some product or access online, in what seem to be unconnected actions, not understanding that companies can swap those respective small bits and compile a substantial profile of them, according to Denker.
"The biggest threat to privacy is unrestricted data mining," he said.
Another panelist singled out specific data gatherers such as service providers as posing the central threat to privacy from broadband access to the Internet.
Precisely because broadband is so fast, people tend to use it for a range of reference tasks they previously did offline, from consulting maps to looking up phone books, according to Simson Garfinkel, an author and consultant. Service providers have the capability to track that usage, as well as read customers' e-mail and track their Web surfing, and most do not have policies about whether they do so or what they do with the information they gather, he maintained.
Strong regulation is required to spell out what providers can -- and cannot -- do, he said.
A panelist from a Canadian cable company cited user behavior as the biggest problem. As awareness of security issues grows, modem manufacturers and others will build better firewalls and security features into their products, but unless users are educated about security, their unwitting actions will confound those efforts, according to Rogers Cable Inc.'s Dermot O'Carroll.
"Security on the Internet is not just about being hacked. It's about leaving private information" at public terminals, O'Carroll said.
For example, some users think nothing of using a PC at a library to do home banking, unaware that they may be leaving account information and passwords on the machine, where a subsequent user can access them, O'Carroll said. "You should never log on to a private data source" from a public computer, he said.
For O'Carroll, the best defense against invasion of privacy is user education.
Service providers can deliver some technical assistance, such as blocking NetBIOS protocols or filtering different levels of access through proxy servers, but "the biggest assistance is providing information" to customers, he said.
Users should also be made aware of relatively simple ways in which they can test the security of their system, such as logging on to Shields UP, O'Carroll said. Shields UP is at http://grc.com/shieldsup.
Other panelists said that building better security into hardware, software and services was the solution, and that marketplace demand would help that get done. Even now, there is an emerging market of devices that come with a high level of security built in, and service providers who can offer different levels of access -- for example, to a customer's children -- will win customers, according to Bell Canada's Jacques Desroches.
AT&T Labs' Denker agreed. "Security already is a product differentiator," Denker said. For many product lines, including VPNs (virtual private networks), "it's already a requirement," he said.
But consultant Garfinkel, who serves as an Internet service provider for his local community, said that lack of sophistication among users makes it problematic to leave security wholly up to the marketplace. One of his customers had repeated trouble logging on, and the culprit turned out to be some security software the customer had installed, Garfinkel said. The software -- the maker of which naturally had a major interest in exaggerating security threats -- interpreted the network's request for a password as an attack and cut the user off, according to Garfinkel.
Denker countered that not all users had to be sophisticated in order for market forces to work. "Even if consumers don't know enough to demand it, the chief information officers do," Denker said.
Nonetheless, when it comes to balancing privacy and Internet access, there is no perfect solution, according to Denker.
"Security is almost always a trade-off between functionality and privacy," Denker said.