The Best of Creative Computing Volume 1 (published 1976)


Industry Leaders Testify at Government Privacy Hearings (computer privacy in 1974)


Industry Leaders Testify at
Government Privacy Hearings

by Susan Hastings

In an era in which technology constantly provides
people with newer and more useful tools, a decision must
be reached on how the information provided by technology
should be used by society. In hearings before the U.S.
House of Representatives last winter, business leaders in the
computer field attempted first to define the issues of
computer security and privacy, and then to demonstrate
the roles government and industry must play in their efforts
to make the new technology beneficial to all of society.

There is a great difference between the terms "privacy"
and "security". Privacy is - or should be - the inherent
and legal right of individuals, groups or institutions to
determine for themselves when, how, and what information
about them is communicated to others. In relation to
computers, security is the means taken to ensure that
privacy. Privacy is a legal, political and philosophical
concept, and properly belongs in the domain of
government. Computer security deals with technique, and is
the province of the manufacturer. Law and technology
must cooperate in their efforts to make the benefits of
modern electronics available to everyone.

Rapid progress in electronics has raised the processes of
data collection, storage, retrieval and dissemination to the
point where it will be easier to invade the privacy of
citizens. Although continuing progress makes it possible to
develop systems designs and controlling software that
provide much better protection against man or machine
failure, business must take upon itself the task of
developing even newer systems to protect the rights of the
individual.

Separate computer privacy studies in the United States,
England, and Canada have agreed upon four recommendations 
for legal and technological control over systems as
they relate to sensitive information about people:

	1) An individual should be given right of access to
information about him contained in record keeping
systems and a way to find out how the information
is used;

	2) There should be a way for an individual to correct
or amend a record of identifiable information about
him;

	3) There should be a way for an individual to prevent
information about him that he provided for one
purpose from being used for another without his
consent;

	4) The custodian of data files containing sensitive
information has a responsibility for endeavoring to
maintain the reliability of the data and to take
precautions to prevent misuse of data.

The manufacturer is faced with the technological
problem of implementing these recommendations. His chief
responsibility is to provide the hardware and software that
will enable computer users to achieve the degree of security
necessary to insure the accuracy and pertinence of personal
information held in data files. Although all manufacturers
recognize that technology alone cannot prevent the abuse
of information by authorized persons, it can provide for
journaling and auditing techniques which may serve as
effective deterrents. IBM's policy on data security would no
doubt hold for the entire industry:

"Although the customer has overall responsibility for
the protection of data, IBM has a responsibility to
assist our customers in achieving the data security
they require. In this regard, IBM will offer systems,
products, services, and counsel that clearly contribute
to the solution of data security problems."

The objective of any data security program is to cut the
risk and probability of loss to the lowest affordable level
and to implement a full recovery program if a loss occurs.

Lewis M. Branscomb of IBM and Robert P. Henderson of
Honeywell believe that their companies have recognized
their responsibilities for providing better safeguards for
computer security. In 1972 IBM committed itself to an
investment of some $40 million over a five year period to
study the requirements of data security and to make
further developments of appropriate safeguards of their
products. Like Honeywell and other manufacturers, they
are working on devices in the hardware and software areas
that will provide protection in the security area.

Despite ever more sophisticated technology to increase
the security of computer systems, there is no such thing as
perfect security. Beyond legal action, there is a great deal
that users can do, however, to promote their own security.

Users must be educated to take the responsibility of
determining their own security needs and selecting the right
combination of operating procedures, physical security
measures, hardware devices, and programming tools that
will fill those needs. Historically, the security of any
information system depends on normal procedures of
business and accounting control and traditional physical
security measures. A computer installed behind showplace
plate glass windows may be good for a company's public
image, but it renders the computer vulnerable to people
with malicious designs. Likewise, users should exercise a
special sensitivity in selecting the personnel who have access
to data banks, for no matter how secure the system, there is
always the danger of people being compromised. Trained,
dependable people are an absolute necessity. No matter
what the level of hardware and software security, one must
always remember that people run (and break) the system,
not technology.
