HostedDB - Dedicated UNIX Servers

-->
Handbook of Information Security Management:Access Control

Previous Table of Contents Next


PRIVACY RIGHTS

In short, the rapid advances in computer and communications technology have brought a new dimension to the individual’s right to privacy. The power of today’s computers, especially as it relates to record keeping, has the potential to destroy individual privacy rights.

Whereas most data are originally gathered for legitimate and appropriate reasons, “the mere existence of this vast reservoir of personal information constitutes a covert invitation to misuse.”1


1Sloan, I.J., Ed., Law of Privacy Rights in a Technological Society, Oceans Publications, Dobbs Ferry, NY, 1986.

Personal liberty includes not only the freedom from physical restraint, but also the right to be left alone and to manage one’s own affairs in a manner that may be most agreeable to that person, as long as the rights of others or of the public are respected. The word privacy does not even appear in the Constitution. When the founders drafted the Bill of Rights, they realized that no document could possibly include all the rights that were granted to the American people.

After listing the specific rights in the first eight Amendments, the founders drafted the Ninth Amendment, which declares, “The enumeration in this Constitution, of certain rights, shall not be construed to deny or disparage others retained by the people.” These retained rights are not specifically defined in the Constitution. The courts have pointed out that many rights are not specifically mentioned in the Constitution, but are derived from specific provisions. The Supreme Court held that several amendments already extended privacy rights. The Ninth Amendment, then, could be interpreted to encompass a right to privacy.

Federal Communications Act of 1934

The federal laws that protect telephone and telegraphs from eavesdroppers are primarily derived from the Federal Communications Act of 1934. The Act prohibits any party involved in sending such communications from divulging or publishing anything having to do with its contents. It makes an exception and permits disclosure if the court has issued a legitimate subpoena. Any materials gathered through an illegal wiretap is inadmissible and may not be introduced as evidence in federal courts.

DATA ENCRYPTION STANDARD

The National Bureau of Standards’ Data Encryption Standard (DES), which specifies encryption procedures for computer data protection, has been a federal standard since 1977. The use of the DES algorithm was made mandatory for all financial transactions of the U.S. government involving electronic funds transfer, including those conducted by member banks of the Federal Reserve System.

The DES is a complex nonlinear ciphering algorithm that operates at high speeds when implemented in hardware. The DES algorithm converts 64 bits of plain text to 64 bits of cipher text under the action of a 56-bit keying parameter. The key is generated so that each of the 56 bits used directly by the algorithm is random. Each member of a group of authorized users of encrypted data must have the key that was used to encipher the data to use it. This technique strengthens the algorithm and makes it resistant to analysis.

Loopholes in the Traditional Methods of Data Encryption

The DES uses a 64-bit key that controls the transformation and converts information to ciphered code. There are a virtually infinite number of possible keys, so even the fastest computers would need centuries to try all possible keys.

Traditional encryption methods have an obvious loophole: their reliance on a single key to encode and decode messages. The privacy of coded messages is always a function of how carefully the decoder key is kept. When people exchange messages, however, they must find a way to exchange the key. This immediately makes the key vulnerable to interception. The problem is more complex when encryption is used on a large scale.

Diffle’s Solution

This problem was theoretically solved approximately 20 years ago, when an MIT student named Whitfield Diffle set out to plug this loophole. Diffle’s solution was to give each user two separate keys, a public key and a private one. The public key could be widely distributed and the private key was known only to the user. A message encoded with either key could be decoded with the other. If an individual sends a message scrambled with someone’s public key, it can be decoded only with that person’s private key.


Previous Table of Contents Next