[iwar] PRIVACY Forum Bulletin: Privacy Problems at GOP.COM (fwd)


From: Fred Cohen <fc@all.net>
To: iwar@egroups.com

Thu, 22 Jun 2000 21:06:46 -0700 (PDT)


Message-Id: <200006230406.VAA09789@all.net>
Organization: I'm not allowed to say
X-Mailer: don't even ask
X-Mailer: ELM [version 2.5 PL1]

I thought the list members would be interested in this one...


			PRIVACY Forum Bulletin
			----------------------
			     June 22, 2000

	
          House Majority Leader Criticizes Federal Government 
      Web Sites' Privacy, but Apparently Failed to Check GOP.COM!
	
		    -----------------------------

Greetings.  Republican House Majority Leader Dick Armey today issued a
statement (http://freedom.gov/library/technology/lostprivacy.asp) strongly
condemning federal government Web site privacy practices, particularly
relating to the revelation regarding the use of cookies and outside banner ad
servers, and related information collection, by companies working with the
Office of National Drug Control Policy.  While that office contends that no
privacy violations took place, it is certainly true that if nothing else the
appearance of privacy problems caused by mixing cookies and banner ads with
such agencies would best be avoided.

The Majority Leader ended his statement with the words:

   "People with glass websites shouldn't throw stones."

I agree.  That's why it was with some surprise that I discovered
that the Republican National Committee's own Web site,

   http://www.gop.com

has a major privacy problem of its own.  While it turns out that their site
uses cookies, that's not necessarily a problem in and of itself.  Much more
serious is the situation on their linked GOPnet.com ("MyGOP") page:

   http://www.gopnet.com/MemberLogin.asp?Call=/mygop/mygop.asp

This page includes both a member login form and further down a form for new
members to register, where it collects personal information such as names,
e-mail addresses, credit card numbers, card expiration dates, billing
addresses, phone numbers, and so forth.  

The page displays the VeriSign banner and claims that it is secure.
It is *not*.  At the time of this writing, the page security status shows
that the page is entirely unencrypted and that all data that
users provide via that page are subject to potential interception and 
abuse at any point along their travels through the Internet. 

At least one other page that collects credit card data at the GOP site does
have proper (Secure Sockets Layer) security enabled, and it certainly seems
reasonable to assume that the insecure page is the result of a configuration
error, not purposeful intent.

However, this points out most vividly the complexity of these systems, and
how easily they can be misconfigured in ways that negatively impact security
and privacy, even including such sensitive financial information as credit
card numbers and related data.  This also highlights the dangers in rushing
towards the implementation of broad electronic signature and document
systems, as described in:  

   http://www.pfir.org/statements/2000-06-17

when it's so easy to have such serious problems with relatively well-known
credit card security systems.

As the House Leader stated, it's certainly true that "People with glass
websites shouldn't throw stones."

That of course should apply regardless of whose sites are involved.

[FC - original posting by: ...--Lauren--
	Lauren Weinstein
	lauren@pfir.org or lauren@vortex.com
	Co-Founder, PFIR: People for Internet Responsibility - http://www.pfir.org
	Moderator, PRIVACY Forum - http://www.vortex.com
	Member, ACM Committee on Computers and Public Policy
]


------------------
http://all.net/
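The check a practitioner would run against a page like the one the bulletin describes, added here as an example and not part of the original posting or of the PRIVACY Forum: a security badge image proves nothing, so the script ignores it and instead resolves each form's action against the page URL and asks whether fields that look like passwords or card data would travel to a non-HTTPS endpoint. It also flags the weaker case the bulletin does not mention, a form on an HTTP page whose action is HTTPS, since the form itself can be rewritten in transit before the browser ever encrypts anything. The page URL, HTML and field-name heuristics are constructed for the example; the logic generalizes past the single page discussed to any form on any page.

```python
"""Flag HTML forms that would carry sensitive fields over plaintext HTTP."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Substrings that mark a field as sensitive (constructed heuristic list).
SENSITIVE_HINTS = ("card", "ccnum", "cvv", "cvc", "expir", "password", "passwd", "ssn")


class FormCollector(HTMLParser):
    """Collect every <form> with its action, method and named fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # valueless attributes map to None, hence the "or" below
        if tag == "form":
            self._current = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "get").lower(),
                "fields": [],
            }
        elif tag in ("input", "select", "textarea") and self._current is not None:
            self._current["fields"].append({
                "name": a.get("name") or a.get("id") or "",
                "type": (a.get("type") or "text").lower(),
            })

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def is_sensitive(field):
    """Password inputs, or names hinting at card/credential data."""
    name = field["name"].lower()
    return field["type"] == "password" or any(h in name for h in SENSITIVE_HINTS)


def audit_forms(page_url, html):
    """Return findings for forms that expose sensitive fields to plaintext.

    severity "high":   sensitive fields submitted to a non-HTTPS action.
    severity "medium": action is HTTPS but the page itself was served over
                       HTTP, so the form (and its action) is tamperable.
    """
    parser = FormCollector()
    parser.feed(html)
    parser.close()
    page_scheme = urlsplit(page_url).scheme.lower()
    findings = []
    for form in parser.forms:
        sensitive = [f["name"] for f in form["fields"] if is_sensitive(f)]
        if not sensitive:
            continue
        target = urljoin(page_url, form["action"])  # empty action == the page itself
        if urlsplit(target).scheme.lower() != "https":
            severity = "high"
        elif page_scheme != "https":
            severity = "medium"
        else:
            continue
        findings.append({"severity": severity, "method": form["method"],
                         "action": target, "fields": sensitive})
    return findings


# Constructed sample: a login form, a registration form taking card data,
# a donation form posting to an HTTPS host, and a harmless search form,
# all on a page served over plain HTTP that shows a "secure site" badge.
PAGE_URL = "http://www.example.com/MemberLogin.asp?Call=/mygop/mygop.asp"
SAMPLE_HTML = """
<html><body>
<img src="/images/secure_site_badge.gif" alt="Secure Site">
<form action="/mygop/login.asp" method="post">
  <input type="text" name="username"><input type="password" name="password">
</form>
<form action="MemberRegister.asp" method="post">
  <input type="text" name="FullName"><input type="text" name="Email">
  <input type="text" name="CardNumber"><input type="text" name="CardExpMonth">
  <input type="text" name="BillingAddress">
</form>
<form action="https://secure.example.com/donate.asp" method="post">
  <input type="text" name="CardNumber">
</form>
<form action="/search.asp" method="get"><input type="text" name="q"></form>
</body></html>
"""

if __name__ == "__main__":
    for f in audit_forms(PAGE_URL, SAMPLE_HTML):
        print(f"[{f['severity']}] {f['method'].upper()} {f['action']} fields={f['fields']}")
```

Run it against a saved copy of the page (or feed it the response body from an HTTP client) and read the "high" findings first; the badge image never enters the decision, only the scheme of the resolved form action does.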