
rights of individuals will be of little consequence if the data itself is readily available to ill-willed persons using surreptitious or unlawful means.


It is clear that legislators are concerned about the question of rights of individual privacy. They are willing to support legislation that defines these rights and attempts to strike a harmonious balance between the rights of individuals and the rights of society as a whole acting through various institutions and agencies of government.

Dr. Alan Westin, Professor of Public Law and Government, Columbia University, in an interesting review of the international aspects of the privacy question, identified three phases of awareness and action:

a) Early Warning Phase - the crying of public alarm and rising public awareness of the conflict between organizational efficiency and privacy.

b) Study Phase - commissioning of studies to identify the problem.

c) Regulatory Phase - the development of administrative, legal and regulatory safeguards for privacy.

He indicated that most of the Western industrialized nations have passed beyond the initial phase and have moved into the Study and Regulatory Phases, while at the same time the issue is just being recognized in nations with different cultural backgrounds, such as Japan.

In commenting on some 7 - 10 studies performed in a variety of countries, he noted their remarkable similarity, taking into account the differences in terms of reference and cultures. The more significant common findings included:

a) Computer technology increases the efficiency of recordkeeping.

b) There is significant fear (of loss of privacy) on the part of the public.

c) None of the studies could document specific episodes where automated record-keeping created new loss of personal liberties. (Any abuses that were uncovered had existed in pre-automation manual record-keeping times.)

d) Use of computers intensifies problems (of policy, etc.) that existed in manual systems.

e) All of the reports recommended protective measures to protect individual rights.

Those countries having advanced to the regulatory phase appear to be evolving three patterns of approach to regulation. These were summarized as administrative self-regulation (the British approach), omnibus licensing and regulation (the Swedish-German approach) and area-by-area provision of court-enforceable citizen rights (the U.S. approach).

2.2. Separable Issues

There is a tendency to confuse the issues of privacy, confidentiality and security with respect to recordkeeping and computers. Dr. Ruth Davis, Director, Institute for Computer Sciences and Technology, National Bureau of Standards, outlined the essential differences between these issues and established a framework for unambiguous discussion and solution of these problems.

Privacy is a concept which applies to individuals. In essence, it defines the degree to which an individual wishes to interact with his social environment and manifests itself in the willingness with which an individual will share information about himself with others. This concept conflicts with the trend toward collecting and storing personal information in support of social programs of various importance. The government's role often makes the supplying of this information mandatory--thus, creating a direct and acute compromise of the individual's privacy. Under this circumstance, the burden of protecting personal data is all the more important.

Confidentiality is a concept that applies to data. It describes the status accorded to data and the degree of protection that must be provided for it. It is the protection of data confidentiality that is one of the objects of Security. Data confidentiality applies not only to data about individuals but to any proprietary or sensitive data that must be treated in confidence.

Security is the realization of protection for the data, the mechanisms and resources used in processing data, and the security mechanism(s) themselves. Data Security is the protection of data against accidental or unauthorized destruction, modification or disclosure using both physical security measures and controlled accessibility techniques. Physical Security is the protection of all computer facilities against all physical threats (e.g., damage or loss from accident, theft, malicious action, fire and other environmental hazards). Physical security techniques involve the use of locks, badges (for personnel identification), guards, personnel security clearances and administrative measures to control the ability and means to approach, communicate with, or otherwise make use of, any material or component of a data processing system. Controlled Accessibility is the term applied to the protection provided to data and computational resources by hardware and software mechanisms of the computer itself.

From these definitions, it is possible to see that there is no direct relationship between privacy (a desire by individuals, groups or organizations to control the collection, use or dissemination of information about them) and security (the realization of the protection of resources), although they are interrelated. Several speakers pointed out that a perfectly secure computer could be used in such a way as to violate individual privacy. However, this should not be construed as an excuse for not creating secure computer systems, since the thrust of earlier remarks was to the effect that legislatively defined rules for assuring privacy are now levying a security-oriented environment on government (and possibly private) data systems.

2.3. Social Implications

Dr. James Rule, Professor of Sociology, State University of New York at Stony Brook, presented a sociologist's view of the privacy question. He observed that the issues of privacy are social-political-human rather than technological and that the question of how far to go in computer-based recordkeeping on people is a political/social question in which the rights/needs/interests of the individual must be weighed against the rights/needs/interests of "institutions" (social, political, commercial, etc.). In his view, determining the proper balance between individual privacy and institutional needs and interests will involve even more agonizing choices in the future than it does now. To illustrate his point, he described a hypothetical situation revolving around the use of computerized recordkeeping in the control of crime. In the hypothetical (but potentially feasible) situation, statistical methods of behavior analysis are used to predict individual criminality before it occurs. Assuming that such a system could be assured of evenhanded administration, would such a system be desirable, and would it justify the extensive recordkeeping on all individuals necessary to make it work?

2.4. Legislative Actions

As a result of the early warnings and studies of the privacy issue that have taken place in this country over the past 7 - 8 years, a number of legislative actions have taken place or are contemplated. For example, three Federal Acts have been passed in recent years relating to the issue of privacy. These are the Freedom of Information Act, which provides for making information held by Federal agencies available to the public unless it comes within a category exempted by the Act; the Federal Reports Act, which establishes procedures for the collection of information by Federal agencies and the transfer of confidential information from one agency to another; and the Fair Credit Reporting Act, which requires consumer credit reporting agencies to adopt procedures which are fair and equitable to the consumer with regard to confidentiality, accuracy, relevancy and proper use of such information. The Fair Credit Reporting Act also established the right of the individual to be informed of what information is maintained about him by a credit bureau or investigatory reporting agency.

In addition to these pieces of legislation, numerous bills have been introduced in Congress which propose to strengthen the rights of individuals with respect to confidentiality of data, prevent invasion of privacy, establish standards for the collection, maintenance and use of personal data, or limit the uses to which personal data can be put without written consent of the affected individual. It was also reported at the Conference that the Department of Health, Education and Welfare (DHEW) is implementing (internally) the recommendations contained in the Report of the Secretary's Advisory Committee on Automated Personal Data Systems. (See Appendix B, Ref. 1)

The 50 State governments have pending numerous bills concerned with protection of individual privacy and data confidentiality. Massachusetts and Iowa have already passed significant legislation in these areas, providing higher standards of personal privacy protection than the Federal Government. Still other States have extensive legislative proposals that would impose extensive regulatory and technological constraints on the operation of personal data systems.

At the local level, a number of municipalities have passed ordinances to provide protection of computerized personal data.

While all of this legislative activity is not completed, it is indicative of the political response to the aforementioned public awareness and concern over individual rights and privacy.

2.5. Threats

Threats to individual privacy and technological threats to computer-based information systems were the two themes repeatedly stressed by the various speakers. While the threat to individual privacy and liberty was predominant and seen to be mostly associated with the unregulated collection and use of personal data, a number of the speakers cited the technological threats as being those most bothersome to the operators of information systems.

Most of the speakers agreed that the threat to privacy was one that required legal and regulatory remedies and was not basically a technological problem. All speakers agreed, however, that technology was required to help enforce the legal and regulatory steps. Furthermore, a number of speakers noted that unless there were sound technological foundations for controlled access to computer systems, the legal and regulatory actions would be largely wasted.

In addition to the basic and somewhat diffused threat to individual privacy posed by the collection and use of personal data, several speakers cited an additional problem of misappropriation and misuse of data by people who are authorized access in connection with their jobs. While the problem of misuse of data would appear to be one solved by legal measures providing stiff penalties for violators, several speakers indicated that it was in part technological since the contemporary systems have so little in the way of controlled access mechanisms that it is difficult to restrict access within a data base and to account for its access and usage.

The degree of difficulty and the costs associated with providing security and controlled access to computer-based recordkeeping systems is a function of the type of access being permitted, the capabilities of those performing the access, and the type of computer system (whether dedicated, shared, local or remote access, etc.) on which the recordkeeping system is based. In order to put some of the later discussions of approaches to solving the problem into perspective, the classes of individuals who may access a computer system and/or its information products could be categorized as follows:

Consumers - a term applied to the authorized recipients of information (products) of a computer-based recordkeeping system. In many applications of computers, this group is the supplier of the raw data as well. In organizational terms, consumers would comprise an operating agency or department.

Producers - a term applied to the analysts and applications programmers who design and implement specific recordkeeping systems which produce information products for consumers. Producers may or may not be a part of the consumer's organization. Producers require access to the computer system to develop products; their programs require access to data in the system.

Servicers - a term applied to the computer operations staff; includes operators, systems programmers, data entry services, etc., responsible for availability and maintenance of the computer system resources. The servicers may or may not be a part of the consumer's organization. Servicers require access to the computer system to operate and maintain the resource. Because they have physical access, they have the capability to access any information in or on a system.

Intruders - a term applied to individuals or organizations who have no authorized access to a computer system or its products and have a possible malicious interest in obtaining unauthorized access to data or a system. Intruders are generally thought of as not belonging to any of the categories above. The primary characteristic of an intruder is his lack of authorized access to any part of a computer system or its products. He is an outsider.

The threat to data confidentiality or system security is related to the capabilities of each class of individuals in dealing with a system and the existence of an asset (data or system) that is supposed to be protected from some or all members of one or more classes. As an example, any system and its data should be protected from intruders. Some (shared) systems may contain data that is meant to be protected from different (organizational) groups of consumers, etc. A simplified view of the degree of threat and the problems faced in protecting data confidentiality and information processing resources is shown in the table and the comments following. The sixteen possible entries in the table have been grouped into ten threat classes.
