An unchecked lust for IT security, surveillance and identity management by enterprises and governments could create bigger headaches than the ones they solve, former Privacy Commissioner Malcolm Crompton warned delegates at the 2004 AusCert Conference.
Crompton said assurances from big business and governments about the myriad technologies that harvest data about "customers" – ranging from biometrics to data mining to CRM – should simply not be trusted.
"All these things [may well be] good in themselves…but how do you not connect the dots? We are seeing all these products and all these desires of governments coming together. Even if business and government say they won't connect the dots, eventually they will. Governments [typically] use the mantra of changed circumstances [to justify rolling back privacy and civil rights]," Crompton said.
While governments could legislate their way around privacy in the name of security (and were sometimes answerable to voters), Crompton said enterprises faced a very real danger of consumer backlash if they failed to ensure customer privacy. This could stem from failing to provide anonymity between transactional systems and RFID devices, a trend with real if unintended social consequences.
"They are now collecting credit card numbers to [monitor and assess] traffic patterns – so if you don't want a divorce use the coins [not the e-tag lane]. We are going to see negative and brand-destroying behaviour – if people knew how much information [retailers] collected, they would be very, very unhappy with those businesses," he said.
The burgeoning industries of biometrics and identity management need to be checked before they bring themselves unstuck, Crompton warned, adding both governments and enterprises need only the bare minimum of information to validate identity beyond repudiation.
Crompton said a lot of the banks and governments have moved the identity management risks from themselves onto the customer through concentrated rather than dispersed data sets.
He said it's a serious problem if a biometric test which is inextricably linked to an individual becomes compromised. "If it costs you $20,000 to re-establish your identity, then that's going to hurt like hell."
Privacy problems for honeypots
A leading criminal defence expert who has specialised in defending hackers under cybercrime legislation in the US backed former Privacy Commissioner Malcolm Crompton's comments.
Jennifer Stisa Granick, director of Stanford University Law School's Centre for Internet and Society, said that, while many organizations were preoccupied with stamping out unauthorised access, identity fraud and thwarting hackers and phishers, laws in most jurisdictions were often very poorly drafted.
With little consideration for the technical realities of gathering evidence in cybercrime cases, such laws left organizations open to litigation if they set up security operations such as honeypots, Granick said.
One privacy problem Granick outlined was that honeypot operators could be in breach of privacy laws if they allowed hackers to hijack servers and then use them to access Internet relay chat or instant messaging.
Granick said real legal problems surrounded whether it was ethical or legal to observe or collect sessions that involved third parties who had no idea they were under surveillance.
That is violating those people's rights, Granick said.