• PC World
• » Security

A year after the September 11 terrorist attacks, average Americans are subject to more surveillance when they go online, and their Internet-connected PCs may not be any safer from intruders, some experts say.

On the other hand, some of the laws that opponents and privacy advocates claimed would compromise privacy were quashed. For example, Congress rejected measures restricting the distribution of encryption software and implementing federal ID cards.

And while passage of the Patriot Act has reduced privacy expectations, early reports don't indicate that the U.S. government is abusing its new powers to eavesdrop on its citizens' online conversations.

Then again, says Jennifer Granick, the director of Stanford's Center for Internet and Society, "it's too soon for horror stories."

Privacy 'Body Blows'

There is little debate, even from vociferous privacy advocates, that online investigations are an important part of the war on terror. Yet there remains plenty of concern that an overzealous online hunt for Al Qaeda threatens the privacy rights of law-abiding Americans.

"The idea that the average citizen doesn't need privacy is really antithetical to the American way of life," Granick says. "One isn't really free if one is always watched."

But ordinary Americans are being watched more carefully--in more public places, by more people--than they were 12 months ago. In the year since the attacks on New York and the Pentagon, "there's a renewed interest in new surveillance technologies, even when it's not required," says Lee Tien, a senior staff attorney with the Electronic Frontier Foundation. For example, biometric security is drawing increased interest. But "biometrics is at the end of the security continuum that is the most damaging to privacy," Tien says, and he worries that the technology is "not ready for prime time in a high-security environment."

"Privacy has taken some body blows," Tien says. But he says data-gathering alone won't bring greater security unless investigators properly evaluate and share the information.

Diverse Allies

Peter Swire, a law professor at Ohio State University who was chief counselor for privacy issues in the Clinton administration, has concerns about the Bush administration's proposed cybersecurity program. "There are early reports [that say] they will collect large amounts of traffic data, such as who calls whom, what's in your e-mail, and where you surf," Swire says.

The Bush administration has declined to comment on the proposal until its scheduled release later in September. Congress is expected to continue work on its Cyber Security Enhancement Act, as well.

The concern isn't limited to advisors who worked for Clinton. Conservative think tanks, which traditionally tend to favor Republican adminstrations, are also edgy about increased surveillance.

"We have lost a lot with the government's ability to sift through e-mail" under the Patriot Act, says Clyde Wayne Crews Jr., the Cato Institute's Director of Technology Policy.

"Ordinary individuals can get caught in that net if it's cast too widely," Crews says. Still, he notes, "two key areas of interest--encryption and privacy--have gone pretty much in the tech community's favor; we retained the use of encryption, and we don't have a national ID card."

And while the Department of Justice doesn't take privacy concerns lightly, it also says the Patriot Act doesn't damage civil rights.

"I don't view security versus privacy as a zero-sum game," says Christopher Painter, the deputy chief of the Justice Department's Computer Crime and Intellectual Property Section. "You don't have to choose one over the other, and I don't think they're necessarily in conflict."

Security: Room to Improve

Overall, computer security hasn't improved much in the past year. The continued nuisance of persistent worms and viruses such as Klez is punctuated with almost-weekly news alerts about dangerous network-security vulnerabilities involving Microsoft Windows and its applications.

So far this year, Microsoft has issued 50 "security bulletin" warnings about vulnerabilities in its applications and operating systems. These bulletins, intended for systems administrators and security professionals, give details for fixing serious security-related flaws. Microsoft issued only 60 such alerts in all of 2001. Because Microsoft's products are so widely used, its security problems are everyone's problem, Tien notes.

"Security is an easy thing to do badly," Tien says. "The problems in this one product [Windows] cause problems across an entire industry. Real security doesn't have these kinds of cascading interdependencies between systems."

Even though Microsoft and other companies are becoming more diligent about quickly patching security holes, the sheer volume of announcements about flaws is reaching a fever pitch. The problem now is keeping up with the flood, Crews says.

"You've got sys admins who don't have firewalls in place; you've got sys admins running servers without downloading the latest security patches," Crews says. "These problems don't come from terrorists."

Nevertheless, the Justice Department's Painter believes that the Internet may actually be safer overall, although not necessarily thanks to the laws passed after September 11. Painter says people are simply paying more attention to keeping their PCs secure.

"There are still vulnerabilities, and some people still don't apply patches, but it's safer overall from the standpoint of raised awareness," Painter says.

Dual Defense

Protecting cyberspace requires guarding both physical and virtual assets, Crews notes.

"The Internet is different from every other kind of critical infrastructure we want to protect," he says. "You can keep bad guys off the property if you're protecting a building, but you can't keep people off the Internet."

He also worries about the U.S. government leading the effort. "If we depend on the government to protect cyberspace, we may be disappointed. Its networks are notoriously insecure," Crews says.

The biggest danger is terrorist hackers coordinating a cyberattack with an attack against a physical target, Crews says. That scenario has been considered by government and private-industry security experts.

"Imagine if hackers had taken down the air-traffic control system [at the same time as the September 11 attacks]. Key sectors would be taken down in conjunction with a 'meatspace' [real-world] attack," Crews says.

The Justice Department's Painter argues that computer security is better today. He cites more-stringent federal law enforcement efforts, and an invigorated industry-FBI computer crime-fighting partnership called InfraGard.

"There's a stronger law enforcement response [to computer crime]," Painter says. "Our sections have grown in manpower, and the Secret Service and other federal law enforcement agencies are taking these kinds of cases more seriously."

Staying on Alert

But the threat of coordinated attacks isn't the only cause for concern. Privacy advocates caution against granting wide powers, especially involving surveillance, without also imposing oversight.

"Most of us do our job better if we're held accountable for how we do it," Swire says. "Any suspected attack on any computer on the Internet now constitutes an emergency" under the Patriot Act. Government can trace first and ask questions later, he says.

The legal standards required to justify some kinds of surveillance are lower in the post-September 11 world. For instance, the Patriot Act leaves e-mail less protected from surveillance than a phone call.

"You might say this pay phone I'm standing at right now might be used anonymously [by a terrorist]," says Tien, "but that doesn't mean you should monitor all pay phones. 'It might happen' is a recipe to do away with civil liberties entirely."

Adds Stanford's Granick, "Abuse of power really harms our security and our privacy. We have legal standards in place to have a check and balance to law enforcement," she says. "Under that power balance, we can be fairly sure those abuses won't happen."

• See more like this:
• privacy,
• security,
• Patriot Act,
• 9-11,
• September 11,
• sept.11,
• terrorist,
• terrorism,
• terrorist