SAN FRANCISCO (08/17/2000) - From personal digital assistants to pagers and Internet-enabled phones that support the wireless application protocol, you'll find a plethora of wireless devices to access Internet sites and services.
Despite the benefits of anytime, anywhere access, the wireless Internet also raises new questions of personal security. We recently spoke to Dennis Lee, director of training and research at information security consulting firm, IFSec, about privacy in a world where personal information travels over the airwaves.
PCW: What are the major issues of wireless security and privacy?
LEE: Privacy issues do carry over here in the wireless world. Most phone devices don't necessarily carry cookies. Instead, they're being left on things like the WAP gateway--normally operated by the service provider--but still attached to the individual user's account.
It brings up issues of who controls the WAP gateway, who's responsible for it, and who collects and clears the information on it. Will service providers collect and sell that information?
PCW: Could wireless Web sites, particularly commerce sites, get or use personal information like users' mobile phone numbers?
LEE: From the programming side, applications can be designed to take in information; the unique identification of the handset or Palm can be pulled in by the Web site operator or application designer. They can also call in other information used as an ID link, like the mobile phone number. It means that application developers are left to use their best judgment, which goes back to the ethics of a business.
LEE: The WAP protocol is constantly being evolved to include new features. As things like push and pull are enhanced, they bring in privacy implications. To add extra cream on top, there are businesses working on the ability to track geographic location using global positioning system or other technologies. The incentive is that a person with a WAP phone can find the closest ATM, but when it calls up that geographic location, a Web operator could conceivably track your movements. In the extreme case, the information could be used to cyberstalk.
PCW: What other kinds of dangers do you foresee?
LEE: Down the road, issues like denial of service will come up. Already we've seen at least three types of viruses that impacted mobile phone users. With Timofonica in Spain, someone was able to launch a program similar to the Love Letter virus that sent out a message to WAP-enabled cell numbers chosen at random. Another similar virus, the SMS Flooder, was a massive spam mail over SMS service in Europe. It was like getting paged indefinitely. A third attack in Japan initiated a series of programs that were addressed to I-Mode cell phones. If you hit the prompt at the end of the message, you dialed the Japanese equivalent to 911.
PCW: How can we stop these kinds of attacks? Most wireless devices lack the computing power for firewalls.
LEE: If the folks in charge can control the network gateways and devices that act as points of distribution, we can reduce the impact of these attacks. As the number of wireless operators increases, they will have to work together to quell these things.
PCW: Speaking of operators, do you think the large, national operators being created by mergers, like Verizon, will improve security?
LEE: Things could improve in that something like a Verizon becomes a one-stop shop that can handle programming, transmission, and infrastructure. One entity could control the security issue. The bad part is that like any company that gets a lot of requests and demand, they're going to rush to put out applications and may not put security into them.