Computer Security,
Privacy, and Politics:
Current Issues, Challenges,
and Solutions
Ramesh Subramanian
Quinnipiac University, USA
Hershey • New York
IRM Press
Publisher of innovative scholarly and professional
information technology titles in the cyberage
Acquisition Editor: Kristin Klinger
Development Editor: Kristin Roth
Senior Managing Editor: Jennifer Neidig
Managing Editor: Jamie Snavely
Assistant Managing Editor: Carole Coulson
Copy Editor: Jennifer Young
Typesetter: Larissa Vinci
Cover Design: Lisa Tosheff
Printed at: Yurchak Printing Inc.
Published in the United States of America by
IRM Press (an imprint of IGI Global)
701 E. Chocolate Avenue, Suite 200
Hershey PA 17033-1240
Tel: 717-533-8845
Fax: 717-533-8661
E-mail:
Web site:
and in the United Kingdom by
IRM Press (an imprint of IGI Global)
3 Henrietta Street

Covent Garden
London WC2E 8LU
Tel: 44 20 7240 0856
Fax: 44 20 7379 0609
Web site:
Copyright © 2008 by IGI Global. All rights reserved. No part of this book may be reproduced in any form or
by any means, electronic or mechanical, including photocopying, without written permission from the publisher.
Product or company names used in this book are for identication purposes only. Inclusion of the names of
the products or companies does not indicate a claim of ownership by IGI Global of the trademark or registered
trademark.
Library of Congress Cataloging-in-Publication Data
Computer security, privacy, and politics : current issues, challenges and solutions / Ramesh Subramanian, editor.
p. cm.
Summary: “This book offers a review of recent developments of computer security, focusing on the relevance
and implications of global privacy, law, and politics for society, individuals, and corporations.It compiles timely
content on such topics as reverse engineering of software, understanding emerging computer exploits, emerg-
ing lawsuits and cases, global and societal implications, and protection from attacks on privacy” Provided by
publisher.
Includes bibliographical references and index.
ISBN-13: 978-1-59904-804-8 (hardcover)
ISBN-13: 978-1-59904-806-2 (e-book)
1. Computer security. 2. Computer networks Security measures. 3. Computer security Government policy.
I. Subramanian, Ramesh.
QA76.9.A25C6557 2008
005.8 dc22
2007037717
British Cataloguing in Publication Data
A Cataloguing in Publication record for this book is available from the British Library.
All work contributed to this book is original material. The views expressed in this book are those of the authors,
but not necessarily of the publisher.

Computer Security,
Privacy, and Politics:
Current Issues, Challenges,
and Solutions
Table of Contents
Preface vi
Section I
Security and Privacy: Global Concepts
Chapter I
Web Privacy: Issues, Legislations and Technological Challenges 1
Alok Mishra, Atilim University, Turkey

Section II
Privacy, Nations, and Laws
Chapter II
Is It Safe to Talk, Yet? The Evolution of Electronic Privacy Law 23
John Thomas, Quinnipiac University School of Law, USA


Chapter III
Assessing the Impact of Governmental Regulations on the IT Industry:
A Neo Institutional Theory Perspective 36
Sushma Mishra, Virginia Commonwealth University, USA
Amita Goyal Chin, Virginia Commonwealth University, USA
Chapter IV
The Impact of the UK Human Rights Act 1998 on Privacy
Protection in the Workplace 55
Bernd Carsten Stahl, De Montfort University, UK

Section III

Privacy and Technology
Chapter V
Privacy Preserving Data Mining: Taxonomy of Existing Techniques 70
Madhu V. Ahluwalia, University of Maryland, Baltimore County (UMBC),
USA
Aryya Gangopadyay, University of Maryland, Baltimore County (UMBC),
USA
Chapter VI
Rational Concerns about Biometric Technology:
Security and Privacy 94
Yue Liu, University of Oslo, Norway

Chapter VII
Business Cases for Privacy-Enhancing Technologies 135
Roger Clarke, Xamax Consultancy Pty Ltd., Australia, University
of New South Wales, Australia, Australian National University,
Australia, and University of Hong Kong, Hong Kong
Section IV
Privacy and Organizations

Chapter VIII
Privacy through Security: Policy and Practice in a
Small-Medium Enterprise 157
Ian Allison, The Robert Gordon University, UK
Craig Strangwick, ABC Awards Ltd, UK
Chapter IX
Privacy and Security: Where do they t into the Enterprise
Architecture Framework? 180
Richard V. McCarthy, Quinnipiac University, USA
Martin Grossman, Bridgewater State College, USA

Chapter X
Information Systems Security: A Survey of Canadian Executives 195
Frederick Ip, Queen’s University, Canada
Yolande E. Chan, Queen’s University, Canada
Section V
Security and Privacy: Emerging Issues
Chapter XI
Emerging Technologies, Emerging Privacy Issues 232
Sue Conger, University of Dallas, USA

Chapter XII
Digital Democracy: Democracy in the Light of Information and
Communication Technology 271
Anza Akram A., Management Consultant, USA,

Chapter XIII
Trust Modeling and Management: From Social Trust to
Digital Trust 290
Zheng Yan, Nokia Research Center, Finland
Silke Holtmanns, Nokia Research Center, Finland
Chapter XIV
Security, Privacy, and Politics in Higher Education 324
Dan Manson, California State Polytechnic University, USA
About the Contributors 334
Index 340
vi
Preface
The last decade of the 20th century was the decade of the Internet. The invention
of the World Wide Web (Web) by Tim Berners-Lee, who built the rst Web site in
1991 while working at the European Organization for Nuclear Research (or CERN)

in Geneva, Switzerland, started a world-wide trend in developing Web sites not only
for personal and research purposes, but for disseminating governmental information
and for engaging in global electronic commerce. Thus the Internet, with its “killer
application,” the Web, heralded the furious pace of globalization in the 1990s.
Today, as the Internet and the Web continue their furious growth and global spread,
they have ltered down to encompass every aspect of society. Nowadays it is rare to
see an aspect of domestic or public life that is not in some way touched by the Inter-
net. This situation is not restricted only to the technologically developed countries,
but is becoming increasingly prevalent in developing countries too. As a result, new
terms and phrases such as “virtual world,” “cybercrime,” “computer virus,” “data
privacy,” “identity theft,” and “data mining” have entered the everyday vocabulary.
Debates have ensued on the virtues and vices of the Web and the consequent large
scale digitization that it has heralded.
While many have argued that the pace of the growth of the Internet, the Web, e-
commerce, and digitization should continue without any curbs or governmental
restrictions, others have argued the exact opposite—that these should be actively
regulated and controlled through laws both domestic and international. The latter
group has argued that unregulated and unmitigated growth of the Web coupled with
the current pace of digitization of almost all data belonging to individuals could cause
vii
an erosion of privacy and cause them to become exposed to malware and identity
theft. This would, they argue, curb e-commerce and seriously affect global economic
development and growth. Indeed, in the 1990s the Internet was considered to be a
virtual world that was ungovernable and thus could not fall under the purview of
any government. Proponents of this view felt that the users of the Internet would
somehow govern themselves and make it into a global vehicle of commerce and
information outside of any governmental inuence. However, in recent years, real-
izing the importance of the Internet, governments also have stepped in to ex their
muscles in an attempt to gain control of the Internet through regulations and laws.
Predictably, increasing government regulation of the Internet has its detractors who

believe that certain fundamental rights such as the freedom of expression may be
lost if the government controls the Internet.
These developments and trends have, inevitably, led to a four-way tussle: between
the public, governmental policy makers, the technology industry, and the businesses
that use the technologies. This intersection of politics, law, privacy, and security in
the context of computer technology is both sensitive and complex.
As we are all aware, computer viruses, worms, Trojan horses, spy-ware, computer
exploits, poorly designed software, inadequate technology laws, politics, and terror-
ism all have a profound effect on our daily computing operations and habits. Further,
new technological innovations such as le-sharing software and location-based
tracking tools also have major privacy-related, political, and social implications. In
such an environment, various questions arise, such as: Can there be global laws to
preserve security? How will such laws affect privacy? What are the politics of secu-
rity and privacy? What is the role of legal systems in the way privacy is addressed
in various nations? What is the connection between privacy and democratization in
various countries? How do organizations tackle the issue of privacy? What are the
implications of le-sharing software, peer-to-peer systems and instant messaging in
autocratic societies? What are the global effects of le sharing? Are there cultural
differences that account for differences in perceptions of security and privacy? Does
national or regional culture play a role in shaping the political arguments pertaining
to security and privacy? If yes, to what extent?
Unfortunately, basic knowledge and understanding of computer security, especially
the legal, political and social underpinnings concerning the use of security tech-
nologies within organizations and in the society at large is generally lax. There is
a general sense that while security has not improved, privacy has been lost. There
is concern about the misuse of information by companies and governments. There
also is a general sense that the problems are only getting worse—new develop-
ments including electronic voting, Radio Frequency Identication (RFID) tags,
location-based tracking technologies, and the Digital Millennium Copyright Act
(DMCA) only add to the confusion and concern about security and privacy. In ad-

viii
dition, national and international politics play a very important role in shaping the
discourse on privacy and security.
This book aims to provide a window to academics and practitioners to view and
understand the ties that bind computer technology, security, privacy, and politics.
In addition to chapters on the above topics, the book will also include chapters that
delve into emerging lawsuits and cases, global and societal implications, and how
an individual can protect herself from attacks on privacy.
The 14 chapters of this book offer:
• A point-in-time review of the new developments and thought in the eld of
computer security, with a special focus on privacy, law, and politics in a global
context
• Its implications on people, business, and law
• The evolution of security and privacy laws and their relevance to society,
individuals, and corporations
• An examination of security and privacy communities: the practitioners of the
art
• Provide a vision for the future of security and privacy in the context of global
politics.
The audience for the book would be anyone from advanced-novice to expert in the
elds of security, privacy, law, and politics; academics, technology managers, social,
and political scientists, CIOs, and information security ofcers.
Organization.of.the.Book
The book is organized into ve sections, with a total of 14 chapters. The rst section
briey introduces the notions of security and privacy in a global context, setting the
tone for the rest of the book. In the only chapter (Chapter.I) in this section, Alok
Mishra gives a nice overview of the theme of the book by assessing various issues
related to individual privacy on the Web, growing concerns among the Web users,
technologies employed for collecting and protecting information on the Web, pri-
vacy-enhancing technologies and the legal provisions to curb the Web privacy. This

chapter also provides a detailed discussion on the Platform for Privacy Preferences
(P3P), its structure, present scenario of its implementation, and its future success.
The second.section quickly takes the reader into a major aspect of the implement-
ing computer security and personal privacy across various nations—namely pri-
ix
vacy and security laws. In Chapter.II, John Thomas traces the development in the
United States of legal protections of the right to privacy. The chapter begins with
the common law “right to be let alone” in the early 1900s and proceeds through the
enactment of the U.S. Patriot Act in 2001 and the National Security Administration’s
warrant-less wire tapping program revealed to the public in 2005. It concludes with
a discussion of emerging electronic threats to the security of privacy of the public
and concomitant challenges to law makers and law enforcers.
In Chapter.III,.Sushma Mishra and Amita Goyal Chin discuss some of the most
signicant of the governmental regulations recently mandated of the IT industry
and their considerable impact and implications on information technology, both
from a technical and managerial perspective. Employing neo institutional theory
as the guiding framework for analysis, they suggest that the plethora of regulations
being imposed on the IT industry are migrating organizations in the IT industry
to conform and implement standardized processes and practices, resulting in the
industry wide commoditization of IT.
In Chapter.IV,.Bernd Carsten Stahl presents the current state of legal protection
of privacy in the United Kingdom. He argues that there are different philosophical
concepts of privacy that underpin different pieces of legislation and explores what
this may mean for the justication of privacy protection. He then speculates on
where the future development in this eld may be heading.
The third.section focuses on emerging privacy technologies, their uses, and im-
plications.
This section starts with Chapter.V, discussing a taxonomy of existing data mining
techniques, by Madhu Ahluwalia and Aryya Gangopadyay. Their chapter gives a
synopsis of the techniques that exist in the area of privacy preserving data mining.

Privacy preserving data mining is important because there is a need to develop ac-
curate data mining models without using condential data items in individual records.
In providing a neat categorization of the current algorithms that preserve privacy for
major data mining tasks, the authors hope that students, teachers, and researchers
can gain an understanding of this vast area and apply the knowledge gained to nd
new ways of simultaneously preserving privacy and conducting mining.
In Chapter.VI,.Yue Liu discusses some rational security and privacy concerns
about biometric technology. The author.gives a critical analysis of the complexities
involved in using this technology through rational discussions, technology assess-
ment and case examples.
In Chapter.VII,.Roger Clarke addresses the multiple issues of threats to privacy
through privacy-intrusive technologies, which have led to a widespread distrust
of technology, causing e-businesses to under achieve. He then discusses privacy
enhancing technologies (PETs), their technical effectiveness and ways by which
x
several constituencies can harness PETs. Clarke’s chapter thus examines PETs, their
application to business needs, and the preparation of a business case for investment
in PETs.
The fourth.section focuses on how privacy and security are handled in the organi-
zational context. In Chapter.VIII,.Ian Allison and Craig Strangwick discuss how
one small business planned for, and implemented, the security of its data in a new
enterprise-wide system. The company’s data was perceived as sensitive and any
breach of privacy as commercially critical. From this perspective, the chapter out-
lines the organizational and technical facets of the policies and practices evidenced.
Lessons for other businesses can be drawn from the case by recognizing the need
for investments to be made that will address threats in business critical areas.
In Chapter.IX,.Richard McCarthy and Martin Grossman examine the connection
between Privacy, Security and the Enterprise Architecture Framework. Enterprise
Architecture is a relatively new concept that has been adopted by large organizations
for legal, economic and strategic reasons. It has become a critical component of an

overall IT governance program to provide structure and documentation to describe
the business processes, information ows, technical infrastructure and organizational
management of an information technology organization. The chapter describes two
of the most widely used enterprise architecture frameworks (the Zachman Frame-
work and the Federal Enterprise Architecture Framework) and their ability to meet
the security and privacy needs of an organization.
In Chapter.X,.Frederick Ip and Yolande Chan turn to the ever-important busi-
ness issue of information security in organizations by researching these issues in
the context of Canadian nancial rms and educational organizations. Taking a
resource-based view of the rm, they examine relationships between the following
organizational variables. The organization’s appreciation of the strategic value of
its knowledge bases, the information systems security resources, the number and
nature of security breaches experienced, and the organization’s customer capital
and human capital are studied. Relationships between various variables are tested
and a managerially-friendly information security model is validated.
The fth section discusses some important, interesting, emerging topics and issues
in the arena of security, privacy and politics. In Chapter.XI, Sue Conger com-
prehensively discusses emerging technologies and emerging privacy issues. With
each new technology, new ethical issues emerge that threaten both individual and
household privacy. Conger’s chapter investigates issues relating to three emerging
technologies—RFID chips, GPS, and smart motes—and the current and future
impacts these technologies will have on society.
In Chapter.XII, Anza Akram provides a window into the emerging world of tele-
democracy in developing countries. Her chapter discusses the effects of informa-
xi
tion and communication technologies on democracy and focuses on the driving
forces, citizen and technology, to understand the effects and future implications.
The research is based on literature review and uses informative approach to analyze
the existing practices in electronic democracy. It inquires the relationship between
the theories in communications and democracy, and analyzes the interaction with

the citizens from Athenian and the Orwellian perspectives in Politics. It proposes
a framework to identify and analyze the driving forces and the issues related to the
digital democracy.
In Chapter.XIII, Zheng Yan and Silke Holtmanns introduce trust modeling and
trust management as a means of managing trust in digital systems. They state that
trust has evolved from a social concept to a digital concept, and discuss how trust
modeling and management help in designing and implementing a trustworthy digital
system, especially in emerging distributed systems.
Finally, in Chapter.XIV, Dan Manson brings a pedagogical focus to the theme
of the book. His chapter introduces the interrelationships of security, privacy and
politics in higher education. University curriculum politics are ingrained through
organizational structures that control faculty hiring, retention, tenure, and promotion,
and self-governance policy bodies such as academic senates and faculty curriculum
committees that control curriculum approval and implementation. Compounding
the politics of curriculum are different constructs of security and privacy, with
security viewed as a technical issue versus privacy as a legal and organizational is-
sue. Manson believes that multiple disciplines must learn to work together to teach
the constantly changing technical, scientic, legal, and administrative security and
privacy landscape. While university “ownership” of security and privacy curriculum
may create new political challenges, it has the potential to help limit competing
faculty, department and program politics.
Editing this book has been an enlightening and thought-provoking experience to
me. I hope that you enjoy reading this book, and that your interest in the eld of
security, privacy and politics are further aroused through reading the varied perspec-
tives presented by the authors of the various chapters.
Ramesh Subramanian
Hamden, Connecticut, USA
December 2007
xii
Acknowledgment

Two years ago I was searching the Web, looking for teaching materials in the inter-
section of computer security, policy, and privacy. To my pleasant surprise, I came
across Ming Chow’s course on Security, Privacy, and Politics in the Computer
Age, an experimental course he was teaching at Tufts University, Boston. Thrilled
by this coincidence, I wrote to Ming and soon an exchange of e-mails followed. I
sounded the idea of jointly editing a book on the topic with him. Unfortunately, time
constraints precluded Ming from co-editing this book, and I ended up working on
this project alone. I would like to use this opportunity to acknowledge and thank
Ming. This book was inspired by his course at Tufts.
This project began in early 2006 in Connecticut, USA, and moved to Chennai,
India in early 2007—a change that caused many logistical challenges and required
tremendous personal adjustment. I was fortunate in having a great set of authors,
reviewers, and colleagues, for without their active and prompt participation this
book would not have been possible. My sincere thanks to all of them.
I would also like to thank Mehdi Khosrow-Pour, DBA, Information Resources
Management Association, and Jan Travers, vice president editorial of IGI Global for
inviting me to develop this book; Kristin Klinger for handling the contract details;
Kristin Roth for overseeing the development process of the book; Deborah Yahnke,
the editorial assistant;.and nally, the two development editors of the project, Meg
Stocking and Jessica Thompson—whose unstinting and cheerful assistance through-
out the project made it an enjoyable experience.
And last but not least, I would like to thank my wife Ramya for her constant en-
couragement and understanding during the various stages of development of this
book.
Ramesh Subramanian
Chennai, India
December 2007

Section I
Security and Privacy:

Global Concepts
Web Privacy 1
Copyright © 2008, IGI Global. Copying or distributing in print or electronic forms without written permission of
IGI Global is prohibited.
Chapter.I
Web.Privacy:
Issues,.Legislations,.and.
Technological.Challenges
Alok Mishra, Atilim University, Turkey
Deepti Mishra, Atilim University, Turkey
Abstract
People all over the world increasingly are concerned about the privacy issues sur-
rounding the personal information collected by private organizations, governments
and employers. Privacy relates to issues regarding collection, secure transmission,
storage, authorized access, usage, and disclosure of personal information. This
information is used for commercial gain by many organizations Individual privacy
concerns signicantly affects consumer willingness to engage in electronic com-
merce over the Internet. The increased use of the Internet and Web for everyday
activities is bringing new threats to personal privacy. This chapter assessed various
issues related to individual privacy on the Web, growing concerns among the Web
users, technologies employed for collecting and protecting information on the Web,
privacy-enhancing technologies and the legal provisions to curb the Web privacy.
This chapter also reported detailed discussion about Platform for Privacy Prefer-
ences (P3P), its structure, present scenario of its implementation and its future
success. Global consistency on Internet privacy protection is important to promote
the growth of electronic commerce. To protect consumers in a globally consistent
manner, legislation, self-regulation, technical solutions and combination solutions
are different ways that can be implemented
2 Mishra
Copyright © 2008, IGI Global. Copying or distributing in print or electronic forms without written permission of

IGI Global is prohibited.
Introduction
The Internet is proliferating in an exponential way all over the world. It has the
potential to change the way people live. With only a few mouse clicks, people can
follow the news, look up facts, buy goods and services, and communicate with others
from around the world (Chung & Paynter, 2002). People can provide information
about themselves if they are not careful. This raises concerns regarding threats to
their personal privacy whilst online. Information privacy has been recognized as an
important issue in management, and its signicance will continue to escalate as the
value of information continues to grow (Mason, 1986; Raul, 2002; Rust, Kannan,
& Peng, 2002). Therefore personal privacy in information systems is becoming
increasingly critical with widespread use of networked systems and the Internet
(Earp, Anton, Aiman-Smith, & Stufebeam, 2005). These technologies provide
opportunities to collect large amounts of personal information about online users,
potentialy violating those users’ personal privacy (Bellotti, 1997; Clarke, 1999).
Web users are becoming increasingly concerned about what personal information
they may reveal when they go online and where that information might end up. It’s
common to hear about organizations that derive revenue from personal information
collected on their Web sites. Information you provide to register for a Web site might
later be used for telemarketing or sold to another company. Seemingly anonymous
information about your Web-surng habits might be merged with your personal in-
formation. Web sites might e-mail you to say that their privacy policies are changing,
but most of us nd it difcult and time-consuming to read and understand privacy
policies or to gure out how to request that the use of our personal information be
restricted. Privacy concerns are making consumers nervous about going online, but
current privacy policies for Web sites tend to be so long and difcult to understand
that consumers rarely read them.
Although there is no universally accepted denition, privacy can be articulated as
the need to secure for the individual “the right to be left alone” or as the “state or
condition of limited access to a person” (Schoemann, 1984; Warren, & Brandeis,

1980). Alan Westin’s well known denition of privacy describes privacy as the claim
of individuals, groups, or institutions to determine for themselves when, how, and
to what extent information about them is communicated to others (Westin, 1967).
While Warren and Brandeis (1980) dened privacy as the “right to be left alone.”
Information privacy exits when the usage, release and circulation of personal in-
formation can be controlled (Culnam, 1993). Three key elements of information
privacy includes separateness, restricted access, and benecal use. Separateness
is dened as the ability to describe the boundaries and ownership or access rights
to information. Restricted access refers to the ability to protect the identied data,
Web Privacy 3
Copyright © 2008, IGI Global. Copying or distributing in print or electronic forms without written permission of
IGI Global is prohibited.
and benecial use implies that only data owners or parties explicitly authorized to
receive the information are able to benet from its use (Toscana, 2001).
There are three technical barriers to the continued widespread adoption of electronic
commerce on the Internet, including ease of use, access to the hardware needed to
participate, and privacy (Chaum & Chaum, 1997). Privacy concerns remain a signi-
cant inhibitor preventing more extensive use of the Internet for conducting business-
to-consumer (B2C) e-commerce. Privacy pertains to the protection of information
about individuals, transactions, or organizations. Web user information is a valued
commodity that provides business organizations with a means to more effectively
target and segment its market. Sellers of information goods nd it advantageous to
segment their markets based on observable characteristics or revealed consumer
behaviour that can be used to increase prots (Bakos & Brynjolfsson, 1999).
U.S. Congressional hearings in the 1970s, where privacy advocates sought to ban
credit bureaus from using centralized computer databases, lead to the recoginition
that organizations have certain responsibilities and individuals have certain rights,
regarding information collecton and use. Since 1973, the Fair Information Practice
(FIP) principles (The code of FIP, 1973) have served as the basis for establishing
and evaluating U.S. privacy laws and practices. The FIP principles consist of : 1)

notice/awareness; 2) choice/consent; 3) access/participation; 4) integrity/security; and
5) enforcement/redress (The code of FIP, 1973). U.S. government agencies, Internet
users, and industry leaders all agree that organizational privacy policies—particularly
those belonging to organizations using electronic transactions—should reect the
FIPs [18-20]. Several studies, however, have found that often they do not (Anton,
Earp, & Reese, 2002; Culnan, 1999; Electronic Privacy Information Center, 1999).
In 1980 the Organization for Economic Cooperation and Development (OECD), an
international organization, issued Guidelines on the protection of privacy and trans-
border ows of personal data (OECD, 1980). The OECD guidelines are the current
best-practice global standard for privacy protection and are the recommended model
for legislation in member countries. Although not legally binding, the guidelines
are recognized by all OECD members, including the European Union (EU) and the
U.S. They are implemented differently among individual nations, suggesting privacy
views differ between countries (Baumer et al., 2005). The US FIPs do not include
all of the OECD guidelines, but reect a subset of them. The EU directives are even
more comprehensive with respect to privacy, and provide the legal foundation for
those countries. In making online consumer privacy recommendations to the U.S.
Congress, the Federal Trade Commission (FTC) has relied on four studies assessing
organizational awareness of and adherence to the U.S. FIP principles (Adkinson et
al. 2002; Culnan, 1999; FTC, 1998; FTC, 2000). FTC conducted a study in March
1999 (Anton, Earp, Potts, & Alspaugh, 2001) which discovered that 92.8 percent
of Web sites were gathering at least one type of identifying information (name, e-
4 Mishra
Copyright © 2008, IGI Global. Copying or distributing in print or electronic forms without written permission of
IGI Global is prohibited.
mail address, postal address) while 56.8 percent were collecting at least one type
of demographic information (gender and preferences). The monetary value of this
information explains why so many Web sites gather personal information. This
raises consumers’ concern about their privacy rights. Consumers worry about the
security of their personal information and fear that it might be misused (Chung and

Paynter, 2002).
In 1999, DoubleClick Inc. became a target of privacy advocates and lawsuits for
collecting and selling information on individual Web surng habits merged with
information from other databases to identify users by name and create online cus-
tomer preference proles (Straub & Collins, 1990). In 2002, U.S. Bancorp paid
a $7.5 million ne to settle one lawsuit, agreed to stop sharing customer account
information, including credit card numbers, account balances, and Social Security
numbers with unafliated, nonnancial third parties to settle yet another suit, and
still has other privacy lawsuits pending (Joss, 2001). Users of the Internet are getting
lots of unwanted e-mails from even those companies with whom they have not had
a previous business relationship. A year 2000 poll shows that 63 percent of U.S.
online users who have never made a purchase were very concerned about the use of
personal information and 92 perecent were not very comfortable with having their
information shared with other organizations (Business Week-Harris Poll, 2000).
With references to public concerns various countries have implemented varying de-
grees of privacy legislations designed to regulate how companies access and utilize
information on potential customers. The United States to date has had a relatively
business-friendly, minimal intervention approach encouraging organizationas to
provide self-regulated privacy protections. By contrast, the European Union (EU)
has taken a pro consumer approach with stringent regulations banning the use of
personal information until consent is received (Turner & Dasgupta, 2003). The
effective mitigation of privacy issues will improve consumer willingness to shop
on the Web, thus improving revenue for online business initiatives and facilitating
future growth in the international e-commerce market place. Information technology
will continue to redene organizational practices and business models with respect
to privacy (Payton, 2001). Research conducted by Straub and Collins provides a
comprehensive discussion of the privacy implications of unauthorized access to
personal information resulting from a security breach (Straub & Collins, 1990).
Web Privacy 5
Copyright © 2008, IGI Global. Copying or distributing in print or electronic forms without written permission of

IGI Global is prohibited.
Privacy.Transition.Stages.
The advent of mainframe data processing in the 1960s provided mostly large or-
ganizations with a means to obtain, store, and manipulate information in a central-
ized manner that up until that time was not possible (Westin, 1967). As mainframe
computer technology was assimilated into mainstream business and governmental
organizations, users of the technology began exploiting the massive computing
and storage capabilities to create databases of information on individuals, much
of it considered personal. The explosive growth of the multibillion dollar direct
marketing industry, for example, was facilitated by the availability of large com-
mercial databases compiled from the public information, including motor vehicle
and real estate records, telephone and other directories, or from responses supplied
by consumers on warranty cards and other surveys (Turner & Dasgupta, 2003). The
new capabilities also allowed proles of individuals to be created to assist rms in
credit decisions. The resultant public anxiety led to the passage of the Fair Credit
Reporting Act in 1970 and the Privacy act of 1974, which dened the rights of in-
dividual citizens and outlined the U.S. Government’s responsibility for protecting
the personal information it maintains (Davis, 2000).
Continued technological evolvements in the mid-to-late 1980s, including the per-
sonal computer, workstations, and communications networks, enabled even broader
diffusion of database management, marketing, and telemarketing tools. Individuals
and small organizations now had the computing capability to manipulate and store
information that before required access to a mainframe. Further, new networking
capabilities provided the ability to more easily distribute and share information with
other organizations and individuals (Turner & Dasgupta, 2003). The Electronic
Communications Privacy Act (ECP) of 1986 prohibited unauthorized interception
and alteration of electronic communications and made it illegal for online services
to disclose personal information without a warrant. The Computer Matching and
Privacy Protection (CMPP) Act of 1988 regulated the use of computer matching
of fedral records subject to the Privacy Act except for legitimate statistical reason

(Davis, 2000). A 1992 survey indicated that 76 percent of the public felt they had
lost control over how information about them was circulated and used by business
organizations (Louis, 1992).
6 Mishra
Copyright © 2008, IGI Global. Copying or distributing in print or electronic forms without written permission of
IGI Global is prohibited.
Web.User.Privacy.Concerns.
Practically all nations are now monitoring their respective citizens’ individual In-
ternet usage, including:
• What they write in e-mail and to whom (the equivalent of opening the envel
-
poes of conventional private mail),
• What sites they browse on the Web (the equivalent of looking over shoulders
at the book store ), and often
• What they type on their “personal” computers—even if it is never sent over
the Internet (the equivalent of standing behind us all the time, taking notes on
our every act).
Unlike law enforcement investigations (as opposed to secret police monitoring),
launched only after crimes have been committed, wholesale monitoring of Internet
usage is done before any illegal act occurs (Caloyannides, 2003).
Continued advances in information technology in general, and the growth of
Internetworking technologies specically, further facilitate the collection, distribution,
and use of personal information. Due to increasing Web users day by day people
have also started raising concerns while doing online transactions over the Internet.
A 1998 survey examining scenarios and privacy preferences suggests that Web users
can be statistically clustered into three primary groups based on their attitudes and
privacy (Ackerman, Cranor, & Reagle, 1999). Privacy fundamentalists (17 percent) are
described as unwilling to provide any data to Web sites and are very concerned about
any use of data. The pragmatic majority (56 percent) are concerned about data use
but could be made comfortable by the presence of privacy protection measures such

as laws and privacy policy statements, and the remaining respondents (27 percent)
are categorized as marginally concerned (Turner & Dasgupta, 2003). Similar results
from a separate study conducted in Germany in 2000 not only identify the privacy
fundamentalists (30 percent) and the marginally concerned (24 percent), but also
describe two distinct subgroups within the middle tier delineated as identity concerned
(20 percent) and proling averse (25 percent) (Grimm & Rossnagel, 2000).
The most pervasive individual Web privacy concerns stems from secondary use of
information, dened as personal information collected for one purpose and used,
subsequently, for a different purpose (Culnan, 1993). Studies suggests that (a) users
are more willing to provide personal information when they are not identied, (b)
some information is more sensitive than other, and (c) the most important factor is
whether or not the information will be shared with other companies. Further, users
Web Privacy 7
Copyright © 2008, IGI Global. Copying or distributing in print or electronic forms without written permission of
IGI Global is prohibited.
overwhelmingly disliked unsolicited communications and any form of automatic
data transfer. Most consumers want to be informed about what information is be-
ing collected from them, how the data will be used, and whether their information
will only be used in an aggregate form. Users are less likely to perceive business
practices as privacy invasive when they perceive that information is collected in
the context of an existing relationship, is relevant to the transaction, will be used
to draw reliable and valid inferences, and they have the ability to control its future
use (Baker, 1999; Culnan, 1993).
Privacy.Protection.Laws.
In many countries, governments have discussed and proposed laws to regulate
privacy protection and mechanisms to punish people and organizations that break
the rules. Until privacy laws are really enforced, however, companies will nd few
incentives to protect and respect user privacy, mainly because most users don’t even
realize that their privacy can be violated. A central problem is that behavior on the
Web can’t be controlled. To regulate the Web, governments would have to regulate

code writing or how Web applications (browsers, Java, e-mail systems, and so on )
function (Lessig, 1999). Also it is difcult to reach international consensus on Web
privacy because the privacy concept is heavily dependent on widely variable cultural
and political issues. Despite this, however, there is a set of common activities that
are undoubtedly privacy invasion:
• Collecting and analyzing user data without the user’s knowledge/consent or
authorization,
• Employing user data in a way other than was authorized, and
• Disclosing or sending user data to others without the user’s knowledge and
authorization.
Even if international privacy laws existed, some countries and companies would still
be likely to operate in an opprobrious way. Consequently, users can’t rely on laws
to protect their privacy. Mechanisms must exist to let users improve the protection
of their data (Ishitani, 2003).
In 1991, the President of the Association for Computing Machinery (ACM)
expressed support for fair information practices; a doctrine including the principles
of notice, choice, access, and security; and urged observance by all organizations
8 Mishra
Copyright © 2008, IGI Global. Copying or distributing in print or electronic forms without written permission of
IGI Global is prohibited.
that collect personal information (White, 1991). Later on U.S. government asked
the Commerce Department to work with the Federal Trade Commission (FTC) to
encourage organizations to implement self-regulatory practices. An FTC report in
2000, however concluded that U.S. self-regulatory approaches were ineffective
in safeguarding consumer information, marketing techniques employed to prole
customers were increasingly intrusive, and congressional legislative action was
warranted to protect consumer privacy online (Electronic Privacy Information Center,
2000). The self-regulatory approach adopted by the U.S. is in direct contrast with the
government-mandated approach adopted by the European Union (EU). Under the
EU’s 1995, and subsequent 1997, Directive on Data Privacy, the burden is placed

on companies and organizations—not individuals—to seek permission before using
personal information for any purpose (Consumer International, 2003).
The EU member countries have agreed to stringent controls on personal information,
much stronger than exists in the USA, which took effect on October 25, 1998. The
EU is restricting the operation of American companies unless they fall in line with
the EU guidelines and it is estimated that 90 percent of US companies have not
addressed the EU directive. An example of one of the directives is that companies
are required to inform customers when they plan to sell their personal information
to other rms (Kruck, Gottovi, Moghadami, Broom, & Forcht, 2002).
In July 2000, however, the United States negotiated a safe harbor agreement with the
EU commission, wherein U.S. companies can voluntarily self-certify to adhere to a
set of privacy principles loosely based on the fair information practices developed
by the commerce department and the EU Commission. The primary difference under
safe harbor is the ability of U.S. companies to administer self-enforcement by the
European Commissioner or other agencies for compliance with the explicit rules
of the EU directive (Consumer International, 2003). Although the United States
recently passed new online privacy legislation, including the Childerns Online
Privacy Protection Act (COPPA), Provisions in the Gramm-Leach-Bliley Financial
Modernization Act (GLB) and the Health Insurance Portability and Accountability
Act (HIPAA), these laws are applicable to relatively narrow types of information
and particular industry sectors (Turner & Dasgupta, 2003).
Privacy legislation came into existence in Australia in 1988. The Commonwealth
Privacy Act 1988 laid down strict privacy safeguards which Commonwealth (federal)
and ACT Government agencies must observe when collecting, storing, using, and
disclosing personal information. This act also gave individuals access and correc-
tion rights in relation to their own personal information. Later on Australian Federal
Parliament passed the Privacy Amendment (Private Sector) Act 2000 on December
6, 2000 to come into effect on December 21, 2001. This Act has empowered Aus-
tralians for the rst time; giving individuals the right to know what information
Web Privacy 9

Copyright © 2008, IGI Global. Copying or distributing in print or electronic forms without written permission of
IGI Global is prohibited.
private sector organizations hold about them and a right to correct that information
if it is wrong (Moghe, 2003).
New Zeland’s Privacy Act 1993 does not create a right of privacy nor is its rec-
ognition of privacy interests absolute (Slane, 2000). Its coverage includes both
electronic and paper information. Any business based in New Zeland wishing to
engage in electronic commerce with consumers must ensure its activities comply
with the Privacy Act, to the extent that they involve personal information about their
consumers. Personal includes any information about an identiable living person,
whether it is on a computer, in a paper le or in someone’s head (Slane, 2000). The
Privacy Act applies to the handling of all personal information collected or held by
agencies, whether in the public or private sectors (Slane, 2000).
In New Zeland, consumers’ privacy concerns can largely be met through business
complying with the Privacy Act. To comply with information privacy principle 3
of section 6 of the Privacy Act 1993, New Zeland Web sites that collect personal
information should include a privacy statement that sets out the purpose of the col-
lection the uses and any disclosures that may be made of that information (Ministry
of Economic Developement, 2000).
Privacy.and.Technology
The issue of who has control over personal data and how this data is used needs
to be addressed at a global level in order for the Internet to develop into a trusted,
widely acceptable international marketplace for the exchange of goods and services.
The primary technology for collecting information on an individual’s activities over
the Internet has been the Web “Cookie.” Cookies are digital information sent from a
Web server and stored on the hard drive of an individual’s computer by the browser
software or network application. Cookies were designed to address the problem of
statelessness inherent in the Hypertext Transfer Protocol (HTTP) (Kristol, 2002).
Because a browser does not stay connected to a server, but instead makes a connec-
tion, sends its request, downloads the response, and makes a new connection to send

another request, it severely limited the functionality of Web services and complicated
application development. Web cookies provide a solution to this statelessness by
allowing for continuity in the interaction between the browser and the Web server.
The cookie has proven to be the most reliable, robust, and network friendly means
to provide needed state functionality on the Web, although this functionality can
also be provided by embedding state information in URLs, using hidden elds in
HTML forms, or using the client’s IP address (Kristol, 2002).
10 Mishra
Copyright © 2008, IGI Global. Copying or distributing in print or electronic forms without written permission of
IGI Global is prohibited.
Web cookies can be classied into two general types: Session and Persistent (Berghel,
2001). The session cookies last only as long as the browser session with the server.
However, persistent cookies remain stored on the hard drive of the client computer
until they reach an expiration date or are deleted. Persistent cookies can be used to
store information useful to both the user and the Web site, including account names,
passwords, and past navigation streams. This cookie information is exchanged
using the packet header and can be used by the Website to eliminate the need for
users to log-in, set user preferences based on past behaviour, and to customize or
personalize user experience (Harding, 2001). The persistent cookie also has more
signicant privacy implications because storage of navigational streams and log-in
information could be used to monitor and track user browsing behaviour and linked
to any other personal information provided. Persistent cookies can also be shared
by a third party Web host and used to track activities at a particular Web-site or as
a user moves from site to site (Turner & Dasgupta, 2003).
Web bugs are hidden images that can be covertly added to any Web page; e-mail,
or Microsoft Word, Excel, or PowerPoint le and used to collect information about
user bahaviour. Web bugs send messages back to a server indicating its location,
including the IP address of the computer, the URL of the page, the time the Web page
or document was viewed, the type of browser used, and the previously set cookie
value. Web bugs can also be used to determine if and when a Web page, e-mail

message, or document is opened, the IP address of the recipient, and how often and
to whom information is forwarded and opened (Harding, 2001). Web bugs can also
be used to associate a Web browser cookie to a particular e-mail address and read
previously set cookie values. Thus, a source server with a very small or invisible
window could be added to any Web site or Web-enabled le and used serendipitously
for a variety of tracking, surveillance, and monitoring activities (Berghel, 2001).
Monitoring browsing activities in and of itself is not considered by most Web users
to be privacy invasive; however it is the ability to then link these activities back to
an individual that has most consumers and privacy advocates alarmed (Turner &
Dasgupta, 2003).
Registration and billing, and observation are two main ways for a company to gather
personally identifying consumer information (Shapiro & Varian, 1999). A 1999
study found that more than half of surveyed Web sites were collecting personal
identifying information and demographic information on users that connected to
that site (Culnan, 1999).
Identifying information can also been obtained without permission by exploiting
security holes in browsers, operating systems, or other software, including the
creative use of ActiveX controls, Java, JavaScript, and VBScript code to retrieve
information from the user’s computer (McGraw & Morrisett, 2000). Sophisticated