To: Matthew Gaylor <[EMAIL PROTECTED]>
cc: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Majority Leader's Statement vs. GOP.COM [ PRIVACY Forum Bulletin ]
Date: Thu, 22 Jun 2000 18:17:21 PDT
From: PRIVACY Forum <[EMAIL PROTECTED]>
PRIVACY Forum Bulletin
----------------------
June 22, 2000
House Majority Leader Criticizes Federal Government
Web Sites' Privacy, but Apparently Failed to Check GOP.COM!
-----------------------------
Greetings. Republican House Majority Leader Dick Armey today issued a
statement (http://freedom.gov/library/technology/lostprivacy.asp) strongly
condemning federal government Web site privacy practices, particularly
relating to the revelation regarding the use of cookies and outside banner ad
servers, and related information collection, by companies working with the
Office of National Drug Control Policy. While that office contends that no
privacy violations took place, it is certainly true that if nothing else the
appearance of privacy problems caused by mixing cookies and banner ads with
such agencies would best be avoided.
The Majority Leader ended his statement with the words:
"People with glass websites shouldn't throw stones."
I agree. That's why it was with some surprise that I discovered
that the Republican National Committee's own Web site,
http://www.gop.com
has a major privacy problem of its own. While it turns out that their site
uses cookies, that's not necessarily a problem in and of itself. Much more
serious is the situation on their linked GOPnet.com ("MyGOP") page:
http://www.gopnet.com/MemberLogin.asp?Call=/mygop/mygop.asp
This page includes both a member login form and further down a form for new
members to register, where it collects personal information such as names,
e-mail addresses, credit card numbers, card expiration dates, billing
addresses, phone numbers, and so forth.
The page displays the VeriSign banner and claims that it is secure.
It is *not*. At the time of this writing, the page security status shows
that the page is entirely unencrypted and that all data that
users provide via that page are subject to potential interception and
abuse at any point along their travels through the Internet.
At least one other page that collects credit card data at the GOP site does
have proper (Secure Sockets Layer) security enabled, and it certainly seems
reasonable to assume that the insecure page is the result of a configuration
error, not purposeful intent.
However, this points out most vividly the complexity of these systems, and
how easily they can be misconfigured in ways that negatively impact security
and privacy, even including such sensitive financial information as credit
card numbers and related data. This also highlights the dangers in rushing
towards the implementation of broad electronic signature and document
systems, as described in:
http://www.pfir.org/statements/2000-06-17
when it's so easy to have such serious problems with relatively well-known
credit card security systems.
As the House Leader stated, it's certainly true that "People with glass
websites shouldn't throw stones."
That of course should apply regardless of whose sites are involved.
--Lauren--
Lauren Weinstein
[EMAIL PROTECTED] or [EMAIL PROTECTED]
Co-Founder, PFIR: People for Internet Responsibility - http://www.pfir.org
Moderator, PRIVACY Forum - http://www.vortex.com
Member, ACM Committee on Computers and Public Policy
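The check the bulletin describes (a "secure" badge on a page whose forms actually post over plain HTTP) can be automated. The script below is an added example, not code from the PRIVACY Forum bulletin or from the sites it names; the HTML it inspects is constructed for the example, the `example.test` URLs are placeholders, and the `SENSITIVE_HINTS` list and all function names are this example's own choices. It parses every form on a page, resolves each form's action against the page URL, and flags forms that would send card or password fields to a non-HTTPS target. A form with no `action` attribute posts back to the page's own URL, so an unencrypted page is flagged for that case too, which is the failure mode the bulletin reports.

```python
"""Audit HTML forms for sensitive fields that would be submitted over plain HTTP.

Added example; not code from the PRIVACY Forum bulletin. The sample HTML and the
example.test URLs below are constructed for this demonstration.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Lower-cased substrings of field names that indicate sensitive data (assumed list).
SENSITIVE_HINTS = ("card", "ccnum", "cvv", "expir", "password", "passwd", "ssn")


class FormCollector(HTMLParser):
    """Collect every <form> with its action attribute and the names of its inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []       # list of {"action": str or None, "fields": [str]}
        self._current = None  # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action"), "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            name = attrs.get("name")
            if name:
                self._current["fields"].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def is_sensitive(field_name):
    """True if the field name looks like card, password or similar data."""
    lowered = field_name.lower()
    return any(hint in lowered for hint in SENSITIVE_HINTS)


def audit_forms(page_url, html):
    """Return one finding per form that posts sensitive fields to a non-HTTPS URL.

    The badge or wording on the page is irrelevant; only the scheme of the
    resolved submission URL decides whether the data crosses the network in clear.
    """
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        # urljoin resolves relative actions; an empty action means "post to this page".
        target = urljoin(page_url, form["action"] or "")
        scheme = urlsplit(target).scheme.lower()
        sensitive = [f for f in form["fields"] if is_sensitive(f)]
        if sensitive and scheme != "https":
            findings.append({"target": target, "scheme": scheme, "fields": sensitive})
    return findings


# Constructed sample page: a login form, a registration form with no action that
# takes card details, and a third form that correctly posts to an HTTPS target.
SAMPLE_HTML = """
<html><body>
<img src="secure_site_badge.gif" alt="Secure Site">
<form method="post" action="MemberLogin.asp">
  <input name="username"><input name="password" type="password">
</form>
<form method="post">
  <input name="first_name"><input name="email">
  <input name="card_number"><input name="card_expiry">
  <input name="billing_address"><input name="phone">
</form>
<form method="post" action="https://secure.example.test/donate.asp">
  <input name="card_number"><input name="amount">
</form>
</body></html>
"""


def demo():
    """Run the audit against the constructed page as if it were served over HTTP."""
    return audit_forms("http://www.example.test/MemberLogin.asp?Call=/mygop/mygop.asp",
                       SAMPLE_HTML)


if __name__ == "__main__":
    for finding in demo():
        print(f"INSECURE ({finding['scheme']}) {finding['target']}: {finding['fields']}")
```

Run it against a page fetched with any HTTP client and pass the URL the page was actually served from; the same HTML audited under an `https://` page URL produces no findings, which is exactly why the scheme of the live page, not the artwork on it, is what a reviewer has to check.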
**************************************************************************
Subscribe to Freematt's Alerts: Pro-Individual Rights Issues
Send a blank message to: [EMAIL PROTECTED] with the words subscribe FA
on the subject line. List is private and moderated (7-30 messages per month)
Matthew Gaylor,1933 E. Dublin-Granville Rd., PMB 176, Columbus, OH 43229
Archived at http://www.egroups.com/list/fa/
**************************************************************************