IU Research and Creative Activity Magazine
Indiana University Research & Creative Activity

Democracy

Volume XXVIII Number 1
Fall 2005




Jean Camp
Photo courtesy Indiana University

Fred Cate
Photo © Tyagan Miller

Markus Jakobsson
Photo courtesy Indiana University

Cyberinsecurity

by David Bricker

The Internet these days might seem a forbidding place to a time traveler from, say, way back in 1985. Computer viruses and e-mail worms run rampant. “Phishers,” would-be thieves of our personal information, spam us with dozens of messages each day hoping we will slip, revealing sensitive data. Microsoft, Apple, and other software manufacturers send us notices weekly requesting we install updates for security’s sake.

And that’s just the stuff we see.

Amid this hide-and-seek binary battle of security-busting measures and countermeasures, there is a devoted corps of innocent bystanders: us. We are, by and large, not computer experts. We use the Internet because it’s fun, or because it helps us keep in touch with friends and loved ones. We also use it—oh, how we use it—to shop.

No matter how dangerous the Internet is, we can’t stay away. Most computer users say they’re worried about their privacy and the security of their personal information, yet every year they do a little more shopping online, something that requires them to spill their names, their addresses, their credit and bank card numbers, and other personal information. The Washington Post and ABC News conducted a poll earlier this year in which nearly three-quarters of American Internet users said they were either “very” or “somewhat” concerned about their personal information being stolen over the Internet. A little more than half of American Internet users (53 percent, according to a Princeton Survey) said they no longer trust e-mail, thanks, no doubt, to all the bogus solicitations in their inboxes every day.

Americans continue to use e-mail, however, and they certainly haven’t stopped shopping or paying their bills online. Harris Interactive estimates at least 65 percent of Americans now do their shopping and bill-paying online at least some of the time. “In 2002 only 2 percent of all purchases were made on the ‘Net,” says Informatics Associate Professor L. Jean Camp, who specializes in online trust issues. “I can’t believe 2 percent is where we’ll hit our plateau.”

“Today, the majority of consumer banking transactions, stock trades, and airline ticket purchases happen online. We say we don’t trust the Internet, but we’re flocking to it,” says Fred Cate, a Distinguished Professor at the Indiana University School of Law—Bloomington and an expert on Internet law and regulatory policy. Cate is also director of IU’s Center for Applied Cybersecurity Research, a group that draws on IU scholars and University Information Technology Services staff to study and improve information security (see http://cacr.iu.edu).

Today’s Internet has us in its grip. But what about the Internet’s future? Will people ever feel certain their personal information is safe and secure? Are more regulations necessary to keep miscreants from victimizing Internet users? Will the hyper-speed technological arms race between hackers and system administrators ever end?

The power of law?

It’s tempting to examine the Internet by analogy, likening it to another American invention, the private automobile. In the beginning, safety wasn’t job one for car manufacturers. Getting the thing to work was. Cushions were included not for safety but for comfort. Seat belts and airbags were nowhere in sight.

The first cars were much loved and coveted, but they were also vicious maimers, their casualties widespread. Soon after the car became a common commodity, the federal government instituted regulations improving the safety of driving practices and the cars themselves.

Likewise, consumer-oriented regulation of the Internet didn’t begin until a decade or so after its exposure to the general public. It was only when problems became widespread that Congress began to take an interest. But Congress’s role is important, Cate believes. “Law is incredibly important to creating the context in which the technology operates,” he says. “Law also moves incredibly slow compared with technology. Even now, there are almost no federal laws out there.”

Among the few federal laws are the Digital Millennium Copyright Act of 1998, which the Recording Industry Association of America and the Motion Picture Association of America have invoked in an aggressive litigation campaign against file sharers, 13-year-olds included. The CAN-SPAM Act of 2003, a law that was meant to reduce spamming, has proved very difficult to enforce. Certain provisions of the USA PATRIOT Act apply to Internet communications (and privacy). The Children’s Internet Protection Act of 2000 conditions federal technology funding for public schools and libraries on their filtering minors’ Internet access, an act intended to protect children from the Internet rather than the other way around.

Cate says the laws most needed to protect Internet users and the Internet itself have already been enacted. “The laws are about as good as they need to be. We might yet see bills that are focused on protecting the Internet-accessible information and computer systems of specific industries, like the military or universities, with the goal of preventing terrorists from taking control of these systems.

“But one law I’d really like to see passed would require all commercial and governmental entities with an Internet presence to make their privacy policies clear,” continues Cate, who was recently named by the National Academy of Sciences as a founding member of the Committee on Information for Terrorism Prevention: Balancing Privacy and National Security. “That includes everyone from IU to America Online and other Internet service providers.”

So far, institutions of higher education, and IU in particular, have been models for how Internet service providers can adapt to an ever-changing security environment while still abiding by the law. “To protect their networks and users and to comply with state and federal laws that implicate computer privacy and security, colleges and universities are increasingly approaching network security holistically, looking for best practices that appreciate and make sense in an academic environment,” said IU Associate University Counsel Beth Cate, who is married to Fred, in a presentation at a recent meeting of the National Association of College and University Attorneys. “Key measures will include conducting ongoing security assessments, responding promptly to identified problems, eliminating unnecessary use or storage of sensitive data, and obligating third parties who access or receive sensitive data from the school to adequately secure it.”

“We need data protection,” says Camp. “I’d like to see all businesses telling you if they are using your personal information for their own purposes, whether they plan to sell it to other businesses, or what. And this doesn’t just go for online businesses.”

The word combinations entered into Google.com’s input box are catalogued alongside our IP addresses, information that may be used by Google in one way or another, or never used at all. The popular search engine’s privacy policies are clear, but buried. As Fred Cate envisions it, a law would require such Web sites to link to privacy policy documents more prominently.

But even Cate, surely a supporter of the power of law, sees limits to what law can accomplish. The rest, he says, is cultural. “What we really need is more discussion, more reporting in newspapers and on TV and radio about these issues. I’d also like to see education for adults, perhaps informal sessions that show them how to manage their personal information more responsibly. This could be part of workforce training. One of the things IU has done really well is give disks to students, faculty, and staff that include free virus protection software.”

Reinventing trust

Law and trust go hand in hand, at least where the Internet is concerned. If the RIAA and MPAA trusted Internet users to leave copyrighted material alone, those organizations would surely have fewer lawyers on retainer. If we, consumers of information and products, believed our personal information safe and secure from Internet theft, consumer groups like the Internet Education Foundation (www.neted.org) would surely be spending less time advocating and more time downloading movie trailers.

But that is not the case, of course. It’s not always clear whether information typed into Web pages—e-mail addresses, postal addresses, and telephone numbers, for example—will stay on the Web site owner’s hard drive or be sold to companies that specialize in trading and buying consumer information. Currently, no single agency vets Web sites and e-mail messages for legitimacy. Some Internet service providers, Indiana University among them, screen incoming e-mail for known spam keywords and abusive sending practices, which saves faculty, staff, and students some time and consternation. But no government entity is in charge of quashing the fraudulent, the disgusting, and the annoying.

The onus is mostly on us, ordinary citizens, to figure out what’s good and what’s bad, and the tools available to help us achieve this end are limited. Spam filters in our e-mail sometimes screen out legitimate messages. Likewise, spammers and miscreants who ‘phish’ for our personal information are getting increasingly adept at making their messages appear legit. If Informatics Associate Professor Markus Jakobsson and others are right, we may soon receive fake messages, apparently signed by loved ones or friends, that drop key personal information to get us to lower our guards. “These messages might then ask the recipient to install some software or go to a clandestine Web address as part of the attack,” he says.

Personal data and information about our shopping habits, Jakobsson has shown, are readily accessible online. At a recent Rutgers University workshop, Jakobsson and research assistant Virgil Griffith demonstrated how easily mothers’ maiden names—personal information commonly used to confirm one’s online identity—could be derived and used by anybody with access to the Internet. The birth and marriage records that reveal a mother’s maiden name are public by law, and many states make those records searchable online, so the “secret” can be reconstructed by linking records that are each individually innocuous. That is a good reason, Jakobsson says, why we should stop using mothers’ maiden names and other easily ascertained personal information as online authenticators.
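The record-linkage idea behind that demonstration, as an added example (this is not code from the article or from the Jakobsson and Griffith study, and every record below is constructed, fictitious data): a birth index that prints the child, the father’s full name and the mother’s first name, but not her maiden name, is joined against a marriage index that does print the bride’s maiden name. The field layout and the linkage rule (same groom and bride first name, married no later than the birth year, most recent such marriage wins) are assumptions made for the illustration.

```python
"""Record linkage: deriving a mother's maiden name from two public indexes.

Added example, not code from the article or from the Jakobsson/Griffith
work. All records are constructed, fictitious test data.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Birth:
    child: str
    year: int
    father: str        # father's full name as printed in the birth index
    mother_first: str  # mother's first name; her maiden name is NOT printed


@dataclass(frozen=True)
class Marriage:
    groom: str
    bride_first: str
    bride_maiden: str  # the "secret" the authenticator relies on
    year: int


# Constructed records (hypothetical people, not real public-record entries).
BIRTHS = [
    Birth("Dana Whitfield", 1984, "Robert Whitfield", "Linda"),
    Birth("Eli Whitfield", 1990, "Robert Whitfield", "Linda"),
    Birth("Maya Okafor", 1988, "James Okafor", "Grace"),
    Birth("Sam Park", 1991, "Daniel Park", "Jin"),
    Birth("Noor Haddad", 1993, "Omar Haddad", "Layla"),  # no marriage on file
]

MARRIAGES = [
    Marriage("Robert Whitfield", "Linda", "Moreno", 1981),
    Marriage("Robert Whitfield", "Linda", "Kessler", 1975),  # an earlier marriage
    Marriage("James Okafor", "Grace", "Adebayo", 1985),
    Marriage("Daniel Park", "Jin", "Choi", 1989),
    Marriage("Daniel Park", "Jin", "Lee", 1989),  # name collision, same year
]


def normalize(name: str) -> str:
    """Cheap normalisation: case-fold and collapse whitespace."""
    return " ".join(name.split()).casefold()


def index_marriages(marriages: list[Marriage]) -> dict[tuple[str, str], list[Marriage]]:
    """Index marriages by (groom, bride first name) for constant-time lookup."""
    idx: dict[tuple[str, str], list[Marriage]] = defaultdict(list)
    for m in marriages:
        idx[(normalize(m.groom), normalize(m.bride_first))].append(m)
    return idx


def candidate_maiden_names(birth: Birth, idx) -> list[str]:
    """Return candidate maiden names for the child's mother, sorted.

    Links the birth entry to every marriage of a groom with the father's name
    to a bride with the mother's first name, celebrated no later than the
    birth year, and keeps those from the most recent such year. Several
    candidates may survive a collision; an attacker only needs a handful of
    guesses against a "mother's maiden name?" prompt, so that is still a win.
    """
    key = (normalize(birth.father), normalize(birth.mother_first))
    matches = [m for m in idx.get(key, []) if m.year <= birth.year]
    if not matches:
        return []
    latest = max(m.year for m in matches)
    return sorted({m.bride_maiden for m in matches if m.year == latest})


def derive_all(births: list[Birth], marriages: list[Marriage]) -> dict[str, list[str]]:
    """Map each child in the birth index to the derived maiden-name candidates."""
    idx = index_marriages(marriages)
    return {b.child: candidate_maiden_names(b, idx) for b in births}


if __name__ == "__main__":
    for child, names in derive_all(BIRTHS, MARRIAGES).items():
        print(f"{child}: {names or 'no match'}")
```

Note that neither index leaks the answer on its own; the weakness is that a knowledge-based authenticator treats a public, linkable fact as a secret. Normalising names is deliberately crude here; a real index would need fuzzy matching, which widens the candidate set but rarely empties it.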

It is possible a government agency may some day insert itself into our interaction with the Internet, screening the Web for fraud and other illegal activities. But trust expert Jean Camp thinks that’s a bad idea, in part because she does not trust government to make those decisions for her. For one, Camp says, trustworthiness isn’t always clear-cut.

“How are you going to estimate that a source of information is trustworthy? And what do we mean by trust? Do you trust Prada?” Camp asks, referring to the couture clothier. “It depends on your economic orientation. Do you trust Prada to give you shoes that will make people look at your feet? Do you trust they will give you good prices? That’s the problem. Trust is subjective and controversial.”

And there’s the matter of government dictating what is OK for its citizens, which is, in the minds of many Americans, not OK or, at least, worrisome. “I am concerned about a future in which a third party, whether it be government or something else, is in control. That third party may not be trustworthy themselves.”

The key to improving trust, Camp says, is to “reinvent” the way in which Internet users evaluate Web sites and e-mails, without resorting to centralizing personal information or creating a special government agency responsible for online security. Instead of focusing on the identity of a Web site or its maintainers, Camp thinks we need to think about the site’s attributes. “Are they authorized to do what they’re doing? Where are they located? Do I know what to do if something—a purchase or other transaction—goes wrong?”

That goes for little-known Web sites but also ones representing widely known businesses. Ultimately, Camp would like to see a shift in the balance of information exchange. “We need to make it so we are getting more information and giving out less.” Like Cate, Camp advocates education, not necessarily regulation. “We want to empower people to make rational trust decisions,” she says. “We don’t want people to be put in a position where they trust for the wrong reasons.”

Camp would like to see the creation of what some scholars call “communities of trust,” networks of individuals who share information about businesses, individual vendors, and other subjects of interest. “It’s very much related to The Wisdom of Crowds,” says Camp, referring to the Random House (2004) book by James Surowiecki. “If you get partial information from lots of different people, you tend to fare better than if you get all your information from one person. I have a great hope that the future of trust on the Internet will involve individuals helping each other figure out what’s good and bad.”

Phishing and the future

“We want to be able to trust people,” Jakobsson says. “Our society is based on trusting other people. Even though we have locks on our doors, we have windows. We assume people are good, for the most part. But none of us forgets there are bad people out there, too.”

Jakobsson’s research and work with CACR require him to think like the bad people, like a hacker. He looks for flaws in software and hardware that hackers and identity thieves might use to dupe us. Then Jakobsson publishes articles in scholarly and trade publications explaining how to ameliorate the flaw. He has become, in recent years, a world expert on certain kinds of identity theft, and was recently commissioned to write a book on phishing with Informatics Assistant Professor Steve Myers.

When asked whether he thinks anything can be done to eliminate Internet shenanigans, once and for all, Jakobsson says no. “You can figure out a way to protect yourself, but hackers can and will figure out a way to remove that protection.”

The Internet tug-of-war between bad guys and good guys has actually been going on for decades. As technology changes and improves, new methods for abuse become apparent to the maliciously inclined. And no matter how well written software is, some hacker, somewhere, will figure out how to circumvent the security measures or abuse the format to serve his or her interests.

It would appear there is no panacea that would eliminate the Internet’s various trust and security issues. Cate, Camp, and Jakobsson agree that what is required to keep the Internet navigable and useful—and reasonably safe—is a combination of two things. First, researchers and business staff must remain vigilant against new security threats, preferably ahead of them. Second, the researchers agree that at least some level of awareness of these threats and education about how to protect personal information is critical.

Cate also stresses that we shouldn’t lose sight of the fact that although the Internet can be a scary place, evil does not run rampant. “ID theft is falling,” he says. “And the numbers of actual reported cases of ID theft never got that high to begin with. As we look to the future, it’s important for us to keep some perspective.”

David Bricker is a media relations specialist in the IU Office of Media Relations and a freelance writer in Bloomington.