Privacy Issues – Business Disabler or Enabler?

Published: May 14, 2008

By Aloysius Cheang, CISA, CISSP, GCIH, and Microsoft MVP – Security

See other Security MVP Article of the Month columns.

Stolen credit card numbers, leaked user information, merciless spamming of e-mail accounts… Issues of privacy have become a greater concern as more and more people go online to perform transactions such as purchases or banking, or to use certain online Web services. Over the past few years, the information security industry has realized the need to handle privacy issues properly, especially since leaked personal information can be disabling for both the organization conducting business over the Internet and the consumer.

What is the definition of “privacy” within the information security industry? In ISO/IEC 18028-2, “privacy” is defined as the “right of individuals to control or influence what information related to them may be collected and stored and by whom and to whom that information may be disclosed.” Internet users will likely agree that the Web sites they visit often do not give them the means to control how their personal information is used or managed by the service provider.

Organizations (acting as service providers) that operate a Web site and offer some form of online service tend to collect certain information about their users. For example, an online news portal will require the reader to create an account and provide some personal information before being allowed to access the news articles. Web stores may require customers to input credit card numbers and billing addresses so they can complete their online purchases. Collecting such information is a common business activity, as it allows the service providers to understand their users better, and helps them assess their users’ activities in order to provide better services. Most users will certainly have no issue with these service providers collecting their information when this information is being put to good use. However, recent breaches in privacy and personal online security have led users to be concerned that their personal information is being leaked or otherwise abused. Why is this happening?

Many organizations tend to blur the distinction between confidentiality and privacy. The administrator password to a database server is a piece of confidential information. The combination of a user name and an e-mail address is usually not confidential by nature; however, the disclosure of such information to certain third parties may cause issues. Most organizations had the perception that as long as all personal information collected over the network is protected by SSL encryption, and stored on a database server that is locked securely on the rack, their obligation to protect their users’ information stopped there. They tend to take a technology-based approach to protect such information, which is certainly not taking a holistic risk assessment point of view.

To provide an online service, organizations have to determine what kind of user information is actually helpful for improving their services. There are instances in which a user has to provide his/her name, social security number, passport number, gender, birth date, home address, contact number, and e-mail address to perform, for example, an online currency exchange conversion. This is clearly a case of requesting too much information for the service provided to users. Most Web sites may not make it mandatory to collect all of the pieces of information mentioned above; although, many registration forms indirectly request such information. Non-savvy IT users will dutifully submit such personal information without understanding whether it is necessary to use a particular online service. Savvy users will be alarmed if they find that submitting such personal information is required to use the online service; these users will certainly turn to service providers that require minimal personal information to use a site. When online organizations minimize the amount of personal information that must be entered by users, and limit requests to what is only truly necessary, they take steps toward protecting their users.

While the amount of personal information collected is one issue; the way online organizations store such information is another. For example, an online store will also require the authenticated user to provide credit card information. Once this information is provided, the online store validates the credit card information with the bank to ensure that the credit card is valid and the customer has the necessary credit to make the purchase. When such validation process is completed, most online stores will, out of convenience, store the user information, credit card number, and transaction information in the database. From a security process point of view, storing the credit card number is not necessary as it is just a means to validate if the user has the necessary means to pay. Once that is ascertained, and the purchase is complete, the online store does not need to store such sensitive information. Furthermore, there is a legal liability in storing such sensitive information. Instead, what it could store much more safely is the authorization number, which provides a unique audit trail.

Another area that should be considered by online organizations is that of information segregation. Because it helps organizations to maintain just one database system, it is common practice to store users’ personal information and transactional information in one database repository. However, such a practice is usually not ideal for two reasons:

  1. If the database system is accessed in an unauthorized manner, all information can be easily stolen.

  2. If the database repository is stored on a backup tape without encryption, the loss of such backup media can result in significant information loss.

One way to improve on such design is to store the user authentication information (user name and password) on one database system and the personal information and transactional history on another. In this manner, even if one database is compromised, only a certain set of information will be leaked. A leak or loss of partial information would help protect users’ personal informational and their transactional activities.

This article briefly covers a few aspects of how privacy information can be better protected. If organizations engage in a comprehensive risk assessment in regard to how they protect users’ information, and they take action to minimize risks, users will be reassured. In turn, current users will be likely to use the site more frequently and new users will be more readily attracted to the site. Today, the most popular service provider is one that can adequately address its users’ concerns. By handling privacy issues effectively and protecting users’ personal information, organizations will be able to increase user satisfaction while at the same time, enable their business.