NYT:The Nexus of Privacy and Security

[Anonymous]

By JOHN SCHWARTZ
 

EDMOND, Wash., Dec. 7 Q Trust us. Please? 
That is the message from leaders of high-technology businesses and advocacy groups at SafeNet 2000, a Microsoft-sponsored conference on computer security and privacy. 
The stated purpose of the conference, which opened here today, is to reach a consensus on issues like when and how to publicize vulnerabilities in a vendor's software Q like, say, Microsoft's Q that could compromise privacy or data security. 

But the freewheeling panel discussions today touched on all the major policy issues facing high technology companies. And it showed, as Microsoft's chairman, William H. Gates, said in a keynote address, that privacy and security "are tied together in a very deep way." 
Announcing a Microsoft initiative on consumer privacy, Mr. Gates said the next version of the company's Internet Explorer software for browsing the Internet would incorporate a technology that could make it easier to ascertain the privacy policies on Web sites. 

The conversation at the conference was remarkably frank, and sometimes quarrelsome. In a discussion of privacy issues, Nick Mansfield of Shell Services International, a computer services subsidiary of the Royal Dutch/Shell Group, praised consumer privacy rules passed by the European Union and said that in contrast, "I don't see anything intelligent in the privacy field in North America." 
The comment elicited a murmur of irritation in the packed meeting room, but a few minutes later, Microsoft's own chief privacy officer, Richard Purcell, said much the same thing. Consumers, he said, merely see an industry that is squabbling over position in the market, not one that is moving forward with any coherence on privacy issues. 

"How do we get to that vocabulary, that purpose and that channel of communication," he asked, "that assures consumers that we aren't a lot of evil-headed monsters?" 
It was notable, though little remarked by the attendees, that the conference's host has often been at the center of the privacy and security debate. Some of the most prominent computer virus attacks, including the "I Love You" program started early this year in the Philippines and the Melissa program last year, took advantage of the vulnerability of Microsoft's wares and their near- ubiquity around the globe. 
Some who did not attend the conference were not so gentle. "The irony of it is amazing," Jeff Bates, editor of the online technology news site known as Slashdot, said in an e- mail interview. He accused Microsoft of being "a company that leaves me vulnerable to security holes so that it can make my screen look prettier." 
Others at the conference noted that one of the meeting's goals Q to come up with standard procedures for reporting software flaws Q would serve Microsoft well, since it has long been the victim of "gotcha" announcements that describe bugs before the company has had a chance to fix them. 

A former hacker who goes solely by the name of Mudge, who now works as a security consultant, defended Microsoft for having changed since the days when he and his friends would gleefully publish examples of its software flaws on the Internet. "There was a time when they would treat an information release quite differently," he said, by trying to sweep the problem under a rug. In recent years, Microsoft has poured money and personnel into responding to bugs, and has improved its relations with those who publicize them, Mudge said. 

Describing the new privacy features in Internet Explorer, Mr. Gates said they would let consumers decide what level of privacy protection they need Q whether, for example, the machine should accept cookies, the software deposited in consumers' PC's by Web sites to track visitors. The system, known as Platform for Privacy Preferences Project, or P3P, has long been under independent development. 
But the announcement means that Microsoft is pulling back from a simpler approach to giving consumers more control over their cookies by letting them block all "third party" cookies, those originating from sites other than the one that the Web surfer is visiting. Such cookies irk many privacy advocates, who say that they expose consumers to scrutiny by advertising firms, for example, without their knowledge or consent. 
On the security side, Mr. Gates said Microsoft, which suffered an embarrassing series of hacker intrusions in October, had been trying to act as a model for other companies by instituting a pilot program using "smart cards" to restrict access to the inner workings of the company's computer networks. The project put the cards into the hands of about 1,000 system administrators, who must insert them into special readers on their computers to make any changes on the company's networks. 
Barry Steinhardt of the American Civil Liberties Union said the example showed the frequent tension between privacy and security, since the technology allows a person's movements to be tracked when a door is opened or a PC used. Smart cards, he said, "have value as security technology, but they are very destructive of privacy Q you're identified everywhere you go." 
Mr. Gates called for enhancing network security systems to help people get the information they want, block the mail they do not want and prevent computer intrusion. Moments after his speech, Microsoft's public relations firm sent out press releases announcing that the kinds of security software described by the Microsoft chairman were available from Microsoft.