Internet Privacy Issues, Modified SSL to the Rescue

Internet Privacy issues, Modified SSL to the rescue Olalekan Habeeb Kadri [email protected]

Abstract This write up gives an insight into the This development has no doubt importance of internet privacy. Some improved the general well-being of all real-life internet privacy violations are and sundry, improving standard of life, highlighted to show where internet users comfort and ease at which day to day are vulnerable. A model based on the activities are done. The need to carry private/public key technology using SSL cash for example, has been reduced to is then proposed to solve vulnerability the barest minimum with the use of that might arise from attacks on credit/debit or bank cards. However, personal information stored on with all the opportunities that are bound public/companies’ databases. to be enjoyed with the deployment of ICT in businesses and other day to day Introduction operations, there is a major menace that is terrorising its safety. The fear of The rapid growth of Information and trading away our privacies for these Communication Technology (ICT) in the numerous advantages that are bound in last three decades has been revolutionary internet related activities can not be and remarkable. The gradual transition underrated. Related to this are issues of from telex to fax technology in the cyber-crime which are often used in 1980s on one hand, and sudden intruding to individual privacies on the acceptance of use of mobile phones and internet. This paper will therefore look the internet in the 1990s through the into the issue of privacy on the internet, present decade on the other hand has various privacy intrusion in recent times affected the general way of life and suggest how technology can help considerably. Business operation styles reduce if not eliminate internet privacy have equally moved from the traditional worries. bricks and mortars to electronic means of transaction. The uses of various 1. Background technological innovations have naturally Privacy can be literarily defined as the found their ways into the business right to be left alone. It is naturally one environment. The use of Software, of those personal attributes that man Hardware and the link with normally want to have, varying from one Telecommunication has catapulted the individual to the other. In the context of growth of businesses in the 21st century Internet, it can be seen as the right to in the sense that incorporating ICT into enjoy strictly personal space, to conduct today modern day businesses is no personal communications, without fear longer seen as a choice but an inevitable of being monitored or watched over the requirement for success. The advent of internet. It also include the right of technologies such as XML/EDI, determining which information is to be Electronic mail, Internet/web, ERP, BI, given, kept and used by other parties on CRM and a host of others have recorded the internet as a result of the various day great successes in businesses today. to day activities over the internet. As

1 there are no specific worldwide standards of privacy policies over the Attacks due to response to unsolicited e- internet, the major areas in which much mails or pop-up messages, regarded as concerns are drawn are disclosure of phishing are also common. A recent personal information, Accuracy of such survey by the European Commission information, ownership (property) and shows that around 80 per cent of accessibility of the information provided inbound email traffic is spam [1]. It is over the internet. It was also discovered reported that as much as 5 per cent of all that Individuals require different levels phishing succeeds: 1 in 20 recipients of of privacy values and such should be such emails respond with their bank identified and taken into account while details then find they have had their building websites in order to ensure such bank account depleted [10]. individual’s privacy values are not eroded [4]. 2.2 Hacking, Viruses, Trojan Horses and the likes 2. The Issues at hand Hacking can be described as The privacy battle as it is today is unauthorised use and access into probably a lost one for individuals computer and network resources [9]. against business owners and public Once Hackers gain access, to a computer corporations as far as internet is or a network, they can begin to plant all concerned. The models and style of sorts of programs to destroy or collect interaction clearly shows weather information on the network. They can directly on indirectly the vulnerability of even go ahead to over-work the individuals to loss of privacy in any of resources available on the the four categories already mentioned computer/networking leading to eventual before. A few of such incidents will be pack-up of such. Examples of programs discussed in order to identify how best that can be used to implement this intended solution can be designed and mission include viruses, Worms and implemented. Trojan horses. The ILOVEU virus in 2003 infected 45 million computers and 2.1 Identity theft and Spam Messages caused £7 billion pounds worth of Identity theft is Britain's fastest-growing damage [6]. white-collar crime, increasing at nearly 500% a year [7]. Criminals search public The replicating and clogging effect of databases for information about dates of Morris worm that eventually grounded birth, social security number and address the internet in 1988 [11]. The effect of a and then apply for credit cards, bank key-logging Trojan attack on Nordea accounts or mobile phones under false Bank in Sweden reporting a loss of $1.1 identities, run up debts and move on to million to Russian organised criminals another identity. There are two possible over a three-month period. This was reasons why such breach in privacy can reported to have been done in relatively result. It may either be as a result small amount within the three month inadequate security measure on servers period, with debits spread across the where such information are kept or that accounts of around 250 business and carelessly making personal information consumer customers. The available to hackers over the internet. implementation was via a custom Trojan

2 that was sent to unsuspecting customers system) worldwide. It is expected that as anti-spam application. The attack was more than 1 billion computers will run done with the intention of by passing IT Windows soon [5]. There are however security software since the Trojan was a security lapses associated with Windows customised one and the harm was done operating system thereby creating a good over relatively few customers over the avenue for hackers to delve into internet internet [11]. user’s privacy [3]. Though a lot has been done in windows service pack 2, there is A successful down loading of the still room for improvements [3]. perceived ‘anti-spam’ led to an infection of a modified version of the haxdoor.ki 3. Modified SSL as the way forward Trojan, ultimately triggering the key- It is important to acknowledge here how logging when users accessed their the existing Secured Socket Layer has Nordea bank accounts online. These helped in ensuring security and privacy details were then relayed to a group of during exchange of information over the servers in Russia, where an automated internet [2]. However, we are still faced routine started siphoning money from with unnecessary duplication of private the customer's accounts [11]. data around public and company databases. Our various private 2.3 The Caching Servers information are still vulnerable to attacks The latest terror that is unleashed on the on such servers. In order to guide against internet against privacy is the this, the following model based on the vulnerability of internet users to privacy Public/private key technology with loss due to attacks that may hidden on Secured Socket Layer. This model will caching servers of trusted companies base on the assumption that private like Google. Due to the need to provide information will only be stored in a efficient and effective information to centralised server with a Certification users of such sites, sites visited are Authority in conjunction with stored on the caching servers of such government agency for security reasons. companies and are used to either present Individual and corporate organisations faster information to individuals or make will then need to have private and public such web pages available in case the keys with which all transactions will be original site is no longer available [8]. based. However, in situations where the original site has been brought as a result Taking a case scenario of an order, there of breach of internet security, some of its has to be a two-way verification of a pages are still available through the use store’s identity and that of the of the caching servers by these reputable individual. Once this is done, a SSL is companies. Theses cached pages might established and transaction is initiated still contain malicious codes that violate only through the individuals’ public key. individual’s privacy rights. Signals can then be sent to the financial institution via another SSL. The 2.4 Windows challenge financial Institution then prompts the Microsoft is no doubt a leading software customer to authorise the transaction company with a substantial use of its with his private key by sending his pin products (most especially the operating encrypted using the private key.

3 Payments are then made to the store and against a particular public key. The the individual transaction is updated product is also coded with the public key against the person’s public key at so that a supply of private key at the financial institution’s end. Transactions delivery point will guarantee delivery. A that require delivery of product will be diagrammatic representation of this routed through CA/Government body model is as shown on figure 1 below. where detailed address can be found Products for delivery and CA/Govt. Registration and feedback Delivery

Transaction initiation and reply Supermarket Individual

Monetary Transaction claims and confirmation returns and authorisation Financial Institution

Figure 1 showing relationships between entities via Public/private keys and SSL

4. Challenges However, this model will only guarantee The model proposed could be costly on privacy against vulnerability of private the short run as individuals will have to information stored in companies’ generate their various private/public databases. Privacy violation from attacks keys. A lot of synchronisation and on individual’s systems will still exist. mutual understanding will have to be Proactive and careful practices will best reached between businesses and be a way to guide against this. CA/Government bodies in order to Maintaining the privacy of the private ensure faster delivery of products in key is individual’s responsibility. situations where such is needed. The Maintaining a very thin client (avoiding centralised database maintained by installation of unnecessary software) is CA/Government bodies will have to be also key towards preventing attacks that at the utmost security and will give up privacy. Other measures confidentiality. include updating the antivirus/anti

4 spyware as frequent as possible and non Page&c=Page&cid=1044901627149 response to unsolicited mails. (accessed on 26/09/2007)

Lastly, preventing businesses from [7] Penycate J. (2001) Identity Theft: keeping some personal information of Stealing your name available at customers will prevent some business http://news.bbc.co.uk/1/hi/business/1395 intelligence activities that are bound to 109.stm (accessed on 24/09/2007) be useful to both parties. Planning for better services which might depend on [8] Rabinovitch E. (2007) ‘Protect your the personal information will be Users against the latest Web-based impossible. threat: Malicious Code on Catching Servers’ in IEEE Communication REFERENCES Magazine March 2007

[1] Bech S. (2007) Punch your weight [9] Shabadash V. (2004) What is available at Hacking? available at http://www.bcs.org/server.php? http://www.crime- show=ConWebDoc.10577 (accessed on research.org/news/05.05.2004/241/ 25/09/2007) (accessed on 22/09/2007)

[2] Chesher M, Kaura R & Linton P [10] Scroggs C. (2007) Gone Phisin’? (2003) Electronic Business & available at Commerce, London: Springer-Verlag http://www.bcs.org/server.php? show=ConWebDoc.10316 (accessed on [3] Cheswick W. R. (2005) ‘My Dad’s 26/09/2007) Computer’ in IEEE Spectrum August 2005 [11] Woollacott P. (2007) Cybercrime comes of age available at [4] Earp J. B., Anton A. I., Aiman-Smith http://www.bcs.org/server.php? L. and Stufflebeam W. H. (2005) show=ConWebDoc.10571 (accessed on ‘Examining Internet Privacy Policies 26/09/2007) Within the Context of User Privacy Values’ in IEEE Transactions on Engineering Management Vol. 52 No. 2 pp 227-237

[5] Forbes.com (2006) The Forbes 400 available at http://finance.yahoo.com/personal- finance/article/103513/The-Forbes-400 (accessed on 27/09/2007)

[6] Foreign and commonwealth Office (2007) Drugs & Crime available at http://www.fco.gov.uk/servlet/Front? pagename=OpenMarket/Xcelerate/Show