Please note that these materials are provided for historical purposes only. The information presented is out of date and may be neither accurate nor useful. External hyperlinks may no longer be valid. For current court technology information, please see the new Court Technology Bulletin.
Spring 1999
Security, Privacy, and Trust in the Information Age
Security, privacy, and trust are increasingly becoming determining factors in the growth of the information age, especially over the Internet. Since the use of electronic solutions to court information issues involves the transfer of valuable and potentially private information over public networks, individuals and courts must have confidence that using the Internet does not make them targets for electronic fraud, theft, privacy invasions, or extortion.
The traditional approach to computer security is to build a virtual "wall" around the assets of an institution. The main purpose is to give the administrators sufficient control over what is running on the computer systems and who is allowed to access the computer resources, as well as to provide records of who did what. All of these systems have earned their place in securing corporate and government data centers. But they are based on the assumptions that (1) there is a known set of pre-qualified users and (2) there is a trusted central administrator or set of administrators of the entire network and the computer systems involved in a transaction.
A number of problems arise when attempting to apply the traditional approach to security to electronic transactions over the Internet. First, the Internet violates the first assumption in that it is used by a vast number of people who are likely to be unknown to an institution prior to their first interaction with it. Second, the traditional approach is oriented toward controlling logons and the commands that can be executed from a logged-on session. The Web, however, does not implement a logon session concept. Third, the traditional approach is oriented to securing either a computer system, a tightly coupled set of systems, or a corporate network (in the case of firewalls). In electronic commerce, the "system" is a dynamically changing configuration of computers and networks interconnected with public and private Internets and intranets. Fourth, the traditional approach does not deal effectively with an individual’s privacy needs and preferences. There is no way to track an individual’s needs and preferences or to implement them on specific information transfers and accesses.
Fortunately, new technological solutions to these problems are emerging. In information security, the most promising new approach is to encrypt the stored and communicated information with powerful, inexpensive, and safe cryptographic systems. Cryptographic systems not only allow us to reliably identify institutions or people based on a secret key that only they have, but also allow the receiver of any message to ascertain that it came from the intended source and was not modified in transit.
The second piece of the solution is how to correctly identify the parties involved in the transaction. Using secret keys is an excellent approach for identifying an institution or business, but has obvious limitations for identifying individuals (think of your ATM PIN). A better approach is to identify individuals based on their appearance or a combination of something they have (a smartcard with encrypted keys on it), something they know (a PIN, password, or passphrase), and their appearance (iris or retina scan, facial recognition, fingerprint).
Recognizing that comprehensive solutions are needed for security, privacy, and trust, a group of 22 leading companies in the computer, banking, aircraft, accounting, communications, legal, and semiconductor industries met on April 15, 1999, and formed the International Security Trust and Privacy Alliance (ISTPA). The goal of ISTPA is to create the necessary frameworks and infrastructure that will allow free-market forces to solve these issues. ISTPA already has established itself as the source of expert information and advice on the technologies, tools, technical and business implications, minimum implementation criteria, and consumer needs and is issuing coordinated industry positions on appropriate technical approaches and standards.
The outcome of this work, combined with the work of other groups (W3C, CommerceNet, The Open Group, ANSI, ISO, etc.), should be that security, privacy, and trust are no longer gating factors in the growth of the information age, opening up the Internet for a host of new applications including court-related applications.
Reid Watts is vice president of Research and Advanced Technology at NCR. He can be reached by e-mail at Reid.Watts@ColumbiaSC.NCR.COM. This article is based on his upcoming presentation at the Sixth National Court Technology Conference (CTC6).
