November 2001
Protecting Online Privacy
By Chula G. King
Harry Potter and the Goblet of Fire is the most popular book at Arthur Andersen & Co., SC. “Sex and the City” is the favorite video at KPMG, while Deloitte & Touche’s favorite toy is Tekno the Robotic Puppy. The DVD Sound of Music is unusually popular at Ernst & Young. All That You Can’t Leave Behind by U2 tops the charts at PricewaterhouseCoopers.
This and significantly more information about the buying habits of companies, universities, not-for-profit organizations, et cetera, can be found buried within Amazon.com’s website, in its purchase circles feature (statistics as of August 31, 2001). What makes Amazon.com unique is not that it has this information, but rather that it makes it available.
What privacy compromising risks does the average Internet user face as more and more time is spent in cyberspace? Why should CPAs care? What can be done about it?
CPAs and Privacy Risks
In November 1999, Congress enacted the Gramm-Leach-Bliley Act, “Privacy of Consumer Financial Information.” CPAs that prepare individual income tax returns, provide nonbusiness tax advice, or offer financial planning services are required to comply with the Act’s provisions. On or before July 1, 2001, those subject to the Act’s provisions were required to furnish notices regarding their privacy policies to all nonbusiness individual clients for whom financial products or services are provided. The initial notice is required by the time a new client relationship is accepted. Privacy notices are required on an annual basis for continuing clients going forward.
In addition to compliance with the Gramm-Leach-Bliley Act, CPAs are bound by state ethics requirements regarding the disclosure of confidential client information. AICPA members must comply with Ethics Rule 301 of the AICPA Code of Professional Conduct, which generally prohibits members in public practice from disclosing confidential client information without the specific consent. Finally, subject to certain exceptions, IRC section 7216 makes it a misdemeanor for a paid income tax return preparer to disclose tax return information other than in connection with the preparation of the tax return.
CPAs that would not overtly violate the client confidentiality requirements could unintentionally disclose not only confidential client information, but also personally identifiable information about themselves, their coworkers, or their employer.
Example. Jane receives an e-mail with an attachment from a colleague. The message indicates that the attachment is the file that she requested. Jane opens the attachment, an Excel spreadsheet, but it doesn’t look familiar. She shrugs her shoulders and goes back to work.
Unbeknownst to Jane, her computer has just been infected with the W32/SirCam worm and virus. First, the virus will write a similar e-mail message, attach a randomly chosen Word, Excel, or .zip file from Jane’s computer, and send it to all of the people in her address book. Second, the virus may also consume all of the free space on the hard drive, making it impossible to save any files.
Now, what if the file the virus randomly selects is a letter Jane sent to the IRS concerning suspected fraudulent activity by one of her clients? Because the letter has been sent to everyone in her address book, Jane has probably just violated the Gramm-Leach-Bliley Act, state ethics requirements, AICPA’s Ethics Rule 301, and IRC section 7216.
Computer viruses and worms. A computer virus is a small program that, without the user’s knowledge, executes itself and infects executable files on a computer system while making copies of itself. When infected program code is executed, the virus code is also executed. It then attempts to infect other programs on the same computer or on other computers via a network.
A computer worm is a program that replicates itself from system to system without either the use of a host file or human intervention. Generally, worms exist inside of other files, such as Word or Excel documents. The worm will release the document that contains the worm code, and send the entire document to other computers via networks or e-mail.
Information Security and the Internet
In addition to being exposed to viruses and worms, Internet users operate in an environment in which personally identifiable information is easily gathered and may be disclosed to third parties.
Using the Internet inherently requires the exchange of at least some information; to capitalize on certain personalized services, it requires exchanging a good deal of personal information. To view a website, for example, a user sends a request to the specific web server through the Internet. This request contains a user’s IP (Internet protocol) address, the date and local time, and the URL (uniform resource locator) from which the request is sent. A request also includes information about the user’s Internet service provider, computer’s name, browser software, and operating system.
Much of this information is relatively innocuous and necessary in fulfilling the server request and providing access to a website. On the other hand, this information provides an entrée into the beginnings of the profiling of online behavior. At the very least, a company can capture this information to track a user’s movements from one page to the next within in its website. In addition, the company can log the time spent on each individual page, the information accessed, the internal links followed, and the user’s destination upon exiting the site. In fact, this is how Amazon.com is able to compile the information in its purchase circles.
One could still argue that the tracking information is rather benign: nothing in a server request per se uniquely identifies a user. Without a unique identifier, a company cannot correlate subsequent visits to its website with information from previous visits. It can, however, use one of three technologies to build user profiles: what they like, what sites they visit, what they do at a site, and what they are likely to do in the future. These technologies are cookies, web bugs, and port scans.
Cookies. Cookies are small text files placed on a visitor’s hard drive by the web server. They act as a type of identification card that enables a company to recognize repeat visitors. Cookies allow companies to store both the information included in a server request and any additional user-provided information, such as name, address, and credit card number.
The use of cookies can be viewed as good or bad depending upon one’s perspective. Companies can use cookies positively to enhance the user experience. Some consumers worry about a company’s ability to collect vast amounts of personal information, which can be used to create detailed user profiles.
Web bugs. A web bug is graphic that is placed on a web page or in an e-mail message. Web bugs are generally clear in color and one pixel by one pixel in size, making them practically invisible to users. Web bugs, combined with cookies, are used by companies not affiliated with the website to capture information about individual visitors. Web bugs can be used to determine if and when an e-mail is read, and how often that message is forwarded and read by others.
Port scans. Most Internet use can be conducted without any cookies. Users can instruct their browser to block all cookies and can erase cookies that have already been set. Even without cookies, companies can use a technique called port scanning to compile information about website visitors.
Computers utilize two different types of ports. Hardware ports are used to connect peripheral equipment, such as printers, to the computer. Software ports allow different pieces of software to communicate with one another. There are currently over 64,000 different software ports available for computer communications. Port 80 is reserved for acceptance of the hypertext transfer protocol (HTTP) requests.
When viewing a web page, an HTTP request is sent from a specific port, e.g., 1793, to the server’s port 80. In addition to serving the information requested, the server can solicit information about active ports. The server knows that the request came from port 1793 and that it is active or open. At the very least, it can scan information that can uniquely identify the requesting computer. This unique identifying information can be used in place of a cookie. Unlike cookies, port scans generally occur without the user’s knowledge and supply information over which the visitor has little or no control.
Protecting Online Privacy
As insidious as viruses and worms are, there are a number of things that can be done to prevent infection. Use anti-virus software from a well-known, reputable company. Run anti-virus software each time the system is launched and regularly scan the entire system for viruses. New viruses and worms are released daily, so anti-virus software that is even a month old may not offer adequate protection. Most anti-virus software can be regularly updated via the provider’s website.
Anti-virus software should be used to scan any new programs or other files, including e-mail attachments, before they are run or opened. As a general rule, one should be very careful about opening any e-mail attachment that is an executable file. Common executable files include those with the .exe, .com, .vbs, .bat, .jse, and .pif extensions. Be especially wary of double extensions like doc.pif, xls.com, or zip.bat.
For further protection, avoid downloading programs from the Internet. They could contain not only viruses and worms, but also trojan horses and spyware. Remember that floppy disks can be carriers of viruses as well. Never assume that a computer is completely protected.
Cookies are not required for the majority of Internet usage and can be easily disabled through the web browser. Once a cookie is placed on a computer’s hard drive, it stays there until it either is deleted or expires (which could be decades from now). Cookie files are merely .txt documents and should be regularly deleted.
For websites that require registration, the use of an alias and false or alternate e-mail address is good practice. Avoid using public computers to access the Internet; a good deal of personal information could be stored in the cookies that are left behind.
Web bugs in e-mail rely on the HTML formatting option available in many e-mail programs, which can be disabled. In general, avoid opening e-mail from advertisers and solicitors; they are the most likely to be using web bugs to track mailings.
Firewall software is essential for any computer or network attached to the Internet. Firewalls can prevent unwanted intrusions from solicitors and hackers. Disable or minimize the use of file sharing and remote access software. Without adequate safeguards, file sharing can be used by hackers to infiltrate a network and access information.
Read a website’s privacy statement before submitting personally identifiable information online. The statement should disclose not only what information is captured about visitors to the site, but also what is done with that information. Do not transmit sensitive information, such as credit card numbers, over the Internet unless the connection is secure (indicated by “https” in the URL).
Editor:
Robert H. Colson, PhD, CPA
The CPA Journal
The
CPA Journal is broadly recognized as an outstanding, technical-refereed publication
aimed at public practitioners, management, educators, and other accounting professionals.
It is edited by CPAs for CPAs. Our goal is to provide CPAs and other accounting
professionals with the information and news to enable them to be successful accountants,
managers, and executives in today's practice environments.
©2009 The New York State Society of CPAs. Legal Notices
Visit the new cpajournal.com.