'Snake oil' solutions fail to protect privacy

If enterprises are having problems protecting their customers' privacy, it is because of the same nagging issues facing IT security in general. Many technology solutions attack only part of the problem, and few IT companies build products with privacy in mind.

That was the conclusion of at least some of the privacy and technology experts at a US Federal Trade Commission (FTC) workshop yesterday on how enterprises can do a better job of protecting consumer privacy.

While many participants called for a combination of technology, training and industry procedures for better privacy protection, a few rapped the technology community for selling "snake oil" privacy solutions or building products with an "enormous lack of accountability" for privacy and security problems.

High-priced privacy and security consultants are not solving the problem either, said Franklin Reeder, chairman of the Center for Internet Security. Responding to others on his panel calling for enterprises to spend more money on security, Reeder agreed, but said most companies don't have the "vaguest idea" on how to measure what to spend on security.

"It's even more important that the money we're spending, we're spending badly," he added. "There are a lot of people making very good money who are selling the same snake oil over and over again rather than promoting the adoption of knowledge that is already in existence and is available relatively inexpensively."

Reeder and Peter Neumann, principal scientist at SRI International, faulted the IT industry for security breaches that lead to privacy problems at companies. Neumann noted that many panellists during the day called for an in-depth defense of consumer privacy, using multiple solutions.

Neumann also took IT suppliers to task for building those flawed systems, saying most have "zero accountability" for security. "The standard free-enterprise version is that the marketplace will solve all these problems," he said. "I claim that the marketplace is not solving the problems that I have been working on for the past half century, meaning very survivable, very secure, very reliable systems."

The problem with relying on the market to punish insecure suppliers is that most software is designed for ease of functionality, not security, added Vic Winkler, principal security architect for Sun Microsystems.

The criticisms of the free market prompted protest from Howard Schmidt, vice president of security for eBay and a former special advisor for cybersecurity for President Bush.

"I see a tremendous, true industry desire to do better," he said. "The problem is it's not going to happen overnight."

Even if a completely secure application or operating system were written today, it would take years for enterprises to switch over to the new product, Schmidt added. The technology industry is working on better privacy-protecting solutions, he said.

Others criticised the process of creating software, saying the original specifications are often vague, and developers sometimes are blind to security issues. Programmers sometimes build backdoors into software just because they can, said Richard Purcell, chief executive officer of Corporate Privacy Group, a privacy consultancy.

Enterprises may need a push to protect customer privacy, said Ari Schwartz, associate director of the Center for Democracy and Technology, who suggested privacy legislation may be needed, in addition to privacy technology and procedures.

"Technology ... can't answer all of the problems," he said. "Technology can play a role, a very significant role, but it has to be teamed also with best practices, self-action by industry including education and training, and lastly baseline legislation to protect individuals. Without all three working together, technology will not do enough."

Grant Gross writes for IDG News Service