Note: for index of full report see: http://jya.com/nrcindex.htm

---------



                              I


          Industry-Specific Dimensions of Security


   The discussion in Chapter 1 is couched in terms that are
relatively independent of the specific industry or business
involved. However, industries differ in the specifics of the
information they wish to protect and in the operational
questions they ask about security. What follows is an
indicative -- not exhaustive -- discussion of security issues
as they relate to specific types of business.(1) As discussed
in Chapters 1 and 2, cryptography is only part of an overall
approach to dealing with information security concerns, and
other factors also matter, such as administrative and
technical procedures for controlling access to sensitive
information and the trustworthiness of computer operating
systems and applications software, among others. However,
cryptographic technologies for authentication, integrity, and
confidentiality can strengthen an organization's overall
information security in many ways.


             I.1 BANKING AND FINANCIAL SERVICES


   Banking and financial services are a good example of how
communications underpin the economy. The flow of currency is
largely digital. Funds are transferred from account to
account, from customer to vendor, from bank to bank -- all
without the trade of tangible property. As evidenced recently
by the economic crisis in Mexico, the rapid transfer of
investments has the ability to make or break an economy, much
as the weather affected economies during the agricultural era.
Network-enabled communications speed back-office (check and
accounts) processing, as well as mortgage and loan application
processing, and indeed interlink financial services, banking,
and investment systems worldwide. Wholly new securities (e.g.,
derivatives and indexes) and services are created by the
effective use of information communicated in a prompt and
timely fashion.

   Banks and financial service institutions have had a long
history of being a target of nefarious elements in society and
thus traditionally have been willing to spend money on
security measures (e.g., safes). This history, coupled with
their dependence on information technology and their
capability for networked communication among themselves, has
led to a relatively high degree of concern within the banking
and financial service sector for information security. Given
the importance of U.S. banks in the world economy, large U.S.
banks with multinational connections have needs for security
that are quite stringent.

   In the matter of managing electronic transfers of financial
transaction information, banks are much more concerned with
authentication than with data confidentiality, although
concerns about the latter are growing as the result of
regulation and increasingly common business practices. The
reason is that false authentication may lead to an
unrecoverable loss of financial assets, an event regarded as
more disastrous than the loss of privacy. Nonetheless,
confidentiality is important as well,(2) not so much because
personal financial transactions need to be kept private (they
do, but the ramifications of divulging one person's
transactions are generally limited to that person), but
because an adversary's understanding of the data flows within
the banking system can itself lead to security breakdowns.
(For example, with access to confidential information, an
adversary may learn how to bypass certain access controls.)

   Banking is extensively international today and will become
more so in the future. Moreover, it has moved relatively
quickly to bring customers (both individual and institutional)
on line in an attempt to reduce costs. (For example, some
banks with South American customers call the United States and
are answered in Spanish or Portuguese from processing and
customer service centers in Europe.) For these reasons, the
banking industry may represent the leading edge of information
security needs as far as other increasingly internationalized
and electronically interconnected industries are concerned.
(Box I.1 describes some of the issues that arise when retail
customers might apply for a loan through an electronic
connection.)

   To date, losses due to electronic penetration of banking
systems have been a relatively small fraction of the billions
of dollars written off every year in bad loans, unrepayable
debt, and the like.(3) Yet the fact that any penetrations at
all have occurred raise the specter of much larger losses
(billions rather than millions of dollars) as the result of
similar but more sophisticated actions. In addition, given the
central importance of banking systems in the U.S. economy, a
major disruption of service in these systems could have
cataclysmic consequences for the world economy. Finally,
customer and patron trust is at the heart of modern financial
systems around the world, and such trust, once lost, is
difficult to regain. Even small bank losses -- if made widely
known -- could well affect customer trust in banks adversely,
and the result could be a significant and widespread loss of
trust leading to enormous financial disruption and chaos.

----------

   (1)  These industry-specific comments should not be read as
being mutually exclusive -- concerns raised in the discussion
of one industry may apply to other industries as well.
Nevertheless, as presented, they do reflect concerns raised in
discussions with representatives from the industries
indicated.

   (2)  Note that banks, as part of a highly regulated
industry, are relatively less concerned about government
monitoring of their financial transactions, since governments
usually have extensive authority to monitor any aspect of bank
transactions in any event.

   3)   For example, losses on credit cards issued to
consumers are considerable, but the amount lost due to
outright fraud is small compared to the debts that consumers
are simply unable or unwilling to pay.

____________________________________________________________


          I.2 MEDICAL CONSULTATIONS AND HEALTH CARE


   Many health care professionals believe that computer-based
health care information systems, both within individual
institutions and networked over a national information
infrastructure, hold great potential for improving the quality
of health care, reducing administrative and clinical costs,
increasing access (e.g., through telemedicine in rural areas),
and enabling data aggregation in support of research on the
cost and effectiveness of alternative treatments. Computer
storage, retrieval, and network accessibility of health care
information, such as medical records and diagnostic test data,
can sharply increase the efficiency with which patients, care
providers, and others (such as payers, researchers, and public
health officials) use that information.(4)

   At the same time, the digitization and transmission of such
information raises concerns about the heightened vulnerability
of personal information in a profession with a tradition of
maintaining the confidentiality of patient records that goes
back to the days of Hippocrates.(5) Indeed, patient records
may contain a great deal of sensitive information, photographs
and other images, physicians' observations, clinical tests,
diagnoses and treatments, life-style information (e.g.,
tobacco and alcohol use and sexual behavior), family medical
history, and genetic conditions. If divulged to parties
outside the patient-caregiver relationship, such information
carries the risk of causing great personal anguish and/or
financial harm (e.g., loss of insurance, employment).

   Trends in health care today suggest an increasing
aggregation of clinical, demographic, and utilization
information into a single, patient-based record(6) or the
development and deployment of systems for virtually linking
these sources of information.(7) As a result, the number of
access points to the information contained in computer-based
patient records is increasing, thereby increasing its
potential vulnerability. In addition, as the practice of
telemedicine spreads, patient information and conferences
among geographically separated medical professionals treating
a single patient, which are transmitted across communications
networks may be susceptible to interception.

   Data aggregation presents another concern. For example,
databases without personal identifiers may be assembled for
purposes of research or public health planning.(8) Despite the
fact that it may not be necessary to know the identities of
individual patients, it may be possible to cross-index these
databases with others (such as employment histories, insurance
records, and credit reports), enabling the determination of
personal identities.(9) This might be done, for example, in
order to generate a list of names and addresses for direct
marketing of a pharmaceutical product or a health service. Box
I.2 describes one cryptographic method that can be used to
reduce the risk of improper data aggregation.

   The risks of improper disclosure of patient information
come from two sources: disclosure through actions taken by
unauthorized "outside" parties (e.g., eavesdroppers, hackers,
visitors wandering through a hospital unchallenged,
individuals posing over the telephone as physicians and
convincing medical personnel to divulge sensitive information
or grant remote access to an information system) or disclosure
through actions taken by authorized "inside" parties who abuse
their authorization (e.g., a hospital staff member snooping
out of curiosity into the records of relatives, friends, or
celebrities or a medical records clerk motivated by financial,
political, or other concerns, who gives or sells lists of
women with appointments for abortions to an antiabortion
political group.(10)) Health care organizations tend to be
much more concerned about the "insider" than the "outsider"
threat. Information systems for health care organizations are
no longer freestanding "islands of information"; instead,
because they are increasingly networked beyond their walls,
the number of "inside" authorized users is expanding to
include other primary and specialty health care providers,
health insurers, employers or purchasers, government agencies,
and the patient or consumer.

   A final category of concern related to health care
information security is the need to ensure the integrity and
the authenticity of data associated with a patient. Thus,
computerbased patient records must be secure against improper
alteration or deletion of data (data integrity) and known with
high confidence to be associated with the particular
individual with whom they are claimed to be associated (data
and user authenticity).

   This categorization of risks suggests that, within health
care organizations, needs for authentication of users and
access controls (for both insiders and outsiders) may well be
more important than encryption for confidentiality (in the
information security sense of the term). The reason is that
good authentication and access controls enable to a very high
degree the creation of audit trails that can help document who
has accessed what information and for what reason. However,
the need for interorganizational transmission of data is
encouraging many health care administrators to reevaluate
their strategic risk analysis and consider cryptography for
data confidentiality.

   Some informal discussions with health care leaders reveal
that security issues are generally delegated to their chief
information officers and are not a standing top-priority item
in their overall strategic planning. However, many of the
country's foremost health care organizations continuously
conduct risk analysis and generally have decided that serving
the needs of authorized patient caregivers for rapid access to
clinical information is their paramount priority. Any
technical or policy approach to implementing cryptography for
confidentiality will always be measured against this patient
care priority.

----------

   (4)  See, for example, Institute of Medicine, *The
Computer-Based Patient Record: An Essential Technology for
Health Care*, R.S. Dick and E.B. Steen (eds.), National
Academy Press, Washington, D.C., 1991; and Information
Infrastructure Task Force Committee on Applications and
Technology, *Putting the Information Infrastructure to Work*,
NIST Special Publication 857, U.S. Department of Commerce,
National Institute of Standards and Technology, Gaithersburg,
Md., 1994.

   (5)  It is interesting to note that for health care
professionals, "confidentiality" refers to keeping certain
information out of the hands of unauthorized individuals by
whatever mechanisms are necessary, whereas for information
security providers the term refers to a specific property of
encrypted information.

   (6)  L.O. Gostin, J. Turek-Brezina, M. Powers, R. Kozloff,
R. Faden, and D.D. Steinauer, "Privacy and Security of
Personal Information in a New Health Care System," *Journal of
the American Medical Association*, Volume 270(20), 1993, pages
2487-2493.

   (7)  E.H. Shortliffe, Stanford University School of
Medicine, personal communication, November 5, 1994.

   (8)  Institute of Medicine, *Health Data in the Information
Age: Use, Disclosure, and Privacy*, M.S. Donaldson and K.N.
Lohr (eds.), National Academy Press, Washington, D.C., 1994.

   (9)  E. Meux, "Encrypting Personal Identifiers," *Health
Services Research*, Volume 29(2), 1994, pages 247-256.

   (10) E.H. Shortliffe, personal communication, November 5,
1994.

____________________________________________________________


                      I.3 MANUFACTURING

   Large manufacturing companies are increasingly
multinational. For example, General Motors (GM), the world's
largest full-line vehicle manufacturer of cars, trucks, and
automotive systems, has units worldwide that support all
dimensions of its production. Its divisions range from those
that build mechanical subsystems and components for
automobiles and electronic systems for automotive electronics,
telecommunications, and space and defense electronics to those
that provide financing and insurance for dealers and end
customers. GM has about 600,000 employees in 170 countries
worldwide.

   Manufacturers are placing more emphasis on product
variety.(11) Variation inevitably increases costs (e.g., each
variant requires considerable engineering; thus, the
engineering costs per variant rise). To amortize these fixed
costs, manufacturers necessarily seek larger markets for these
variants, and the result is often a global market. For
example, a market for a certain product in a particular
foreign nation may exist, and a variant of a product
originally intended for a U.S. market with local content added
in that foreign nation may prove quite successful. To manage
sales globally, companies may well need to establishing
company offices in foreign countries that remain in frequent
communication with company headquarters in the United States.

   Manufacturing operations must be managed globally as well.
For example, a problem in a manufacturing plant in Brazil may
require an engineering change order to be generated at an
engineering design center in Germany and synchronized with
tooling supplied by Japan and parts manufactured in Mexico. A
second incentive for global operations is that labor costs are
often lower abroad as well, for both white-collar and
bluecollar workers.

   The network of vendors and suppliers that serve large
manufacturing operations is also global. The day is long since
gone when it makes economic sense for a manufacturer to take
responsibility for fabricating every component under its own
direct control -- outsourcing such fabrication is often much
more efficient. In some cases, foreign suppliers of parts are
used because foreign purchase of parts is an additional
incentive for a foreign nation to buy the finished U.S.
product. However, to obtain the right mix of price, quality,
volume, and timeliness, manufacturers increasingly search
globally for subcontractors, and these subcontractors must be
integrated into the manufacturer's information network. At the
same time, it may not be desirable for subcontractors to share
the same level of access as the primary company, especially if
these subcontractors are competitors. Unauthorized disclosure
of information between such parties constitutes a threat by
endangering and presenting a risk to important communications
links between the company and the customers and suppliers
(reducing business trust). The same is true for manufacturers
and customers: a manufacturer of capital-intensive products
may well wish to share product information with potential
customers. Yet since potential customers may be competitors
among themselves (e.g., an airplane manufacturer may have
several airlines among its customers) and information
regarding customer-desired product configurations may have
competitive significance, the manufacture has an important
requirement to keep information about one customer private to
that customer.

   The information flows associated with such activities are
enormously valuable to manufacturing firms. These flows
contain sensitive and proprietary information related to:

   +    Product design, and research and development;

   +    Marketing, sales, and bidding;

   +    Plant operations, capabilities, and efficiencies;

   +    Costs and prices of parts or services being purchased
        and products being sold;

   +    Strategic plans;

   +    Profits and losses;

   +    Orders to and from suppliers;

   +    Product readiness and repair; and

   +    Product problems and incident investigations.

   These information flows need not necessarily be electronic;
many companies still use people on airplanes with briefcases
locked to their wrists. In electronic form, however, they can
be transmitted instantly via electronic mail, telephone, fax,
and videoconference, and action can be taken on a much shorter
time scale. Specialized communications infrastructures can
make all the difference in the world -- one manufacturer
reported that before a specialized network was installed,
engineers in the United States were cutting large engineering
drawings into 8-1/2 x 11 sheets and faxing them to their
counterparts in another country.

   At the same time, the compromise of communications can be
significant in manufacturing. Theft of product design data can
result in the loss of competitive advantage in products; if
the products in question have military significance, such data
may well be classified and the compromise of data may lead to
a national security threat to the United States. Premature
release of financial information can affect stock prices.
Knowledge of specific problems in a given plant can give
competitors unwarranted leverage. Unauthorized changes to
engineering orders can result in chaos on the assembly line or
in operational disaster. Destruction or alteration of key data
by insiders or outsiders could be as significant as physical
sabotage, and subtle changes to digital designs or software
may be undetectable for an indefinite time with possible
consequences such as product recall.

----------

   (11) For more discussion, see National Research Council,
*Information Technology for Manufacturing: A Research Agenda*,
National Academy Press, Washington, D.C., 1995.

____________________________________________________________


                 I.4 THE PETROLEUM INDUSTRY

   The petroleum industry is inherently international; a
typical multinational oil company may operate in dozens of
nations. Moreover, the scale of oil exploration and production
requires substantial collaborative efforts, even among
potential competitors. Thus, this industry highlights the need
for protecting sensitive, proprietary information that must be
shared worldwide, potentially across telecommunication
networks. Sensitive information of particular significance to
the industry includes the following:

   +    Personnel information. Top executives of large
multinational oil companies are often placed at substantial
physical risk by threats of kidnapping, extortion, and other
criminal activity. Thus, the whereabouts of such individuals
are often confidential.

   +    Personal information. Midlevel employees who work and
live in politically unstable areas are often concerned about
maintaining their personal safety. Since they may engage
routinely in communications between home and office that could
disclose their whereabouts, compromise of these communications
could subject them to personal attack.

   +    Seismic and other data indicating the whereabouts of
oil and natural gas underground. Such data are particularly
sensitive because the competitive advantage of a given oil
company may well be in the data it has been able to collect on
a given field. The use of such data, coupled with advanced
computing capabilities, has saved hundreds of millions of
dollars by helping drillers to avoid "dry" wells.(12)

   +    Information related to bidding. Oil companies often
bid for rights to drill or to explore in certain locations,
and premature disclosure or disclosure to inappropriate
parties of such information could seriously compromise bidding
negotiations.

   +    Conferences among technical experts. With worldwide
operations, it may be necessary, for example, for experts at
a potential drilling site to consult with experts located
halfway around the world to make a reasoned decision about
drilling. These experts display the same seismic data on their
computer screens (data that is confidential as described
above), but the in-house expertise needed to interpret such
data (as expressed in their communications) can be an
additional competitive advantage that cannot be compromised.

   A significant amplifier of the information security threat
relevant to U.S. multinational oil companies is the fact that
the oil companies of other nations are often state owned and
operated. The close integration between such foreign oil
companies and their governments, combined with the large
economic stakes involved, raises significant concerns in U.S.
oil companies that all of the resources of those foreign
governments may be brought to bear against them, including
foreign intelligence services.


       I.5 THE PHARMACEUTICAL AND CHEMICAL INDUSTRIES


   The pharmaceutical and chemical industries are also global,
since foreign nations often possess both the intellectual
expertise and the natural resources needed to be successful in
these industries.(13) The critical dimensions of these
industries in which information must be protected involve not
products per se but rather other areas:

   +    The scientific and technical expertise that allows
companies to conceptualize new molecules or adapt previously
known moiecules to new functionality. Research and development
of new drugs and chemicals is the lifeblood of these
industries, and information or data in which the creativity of
their chemists is reflected are critical.

   +    The regime of intellectual property protection.
Intellectual property rights are one primary mechanism on
which the pharmaceutical and chemical industries depend to
protect their large investments in research and development.
However, intellectual property rights are generally granted to
the parties that are first with a discovery or invention.(14)
Thus, the speed with which discoveries can be made or a patent
application filed becomes a parameter of critical importance,
nonrepudiable (i.e., irrefutable) proof of the integrity of
data from clinical trials and of the dates of patentable
discoveries can be useful to strengthen patent claims. In
addition, given the public nature of much of the science
underlying these discoveries, small intellectual advances that
save time may be the only advantage that a company has in the
race to be first. Premature disclosure of information
associated with the protection of intellectual property rights
can lead to patent challenges or even loss of protection and
thus may be extraordinarily damaging.

   +    The processes by which drugs arld chemicals are
manufactured. In general, drugs and chemicals are at the end
of a long processing chain in which raw materials are
transformed into the desired substances. Even small process
improvements that reduce the volume of raw materials
necessary, problems of quality control, or the dangers or
complexity of the overall manufacturing process can be
reflected in large savings of time and money. Such
improvements may be protected by intellectual property rights,
but enforcement may be difficult if it is not known that a
competitor is using a stolen process improvement. In other
instances (e.g., safety), widespread publicity of information
taken out of context may cause a company many public relations
difficulties.

----------

   (12)  Written testimony of Jack L. Brock to the
Subcommittee on Science, Technology and Space of the Senate
Commerce Committee, March 5, 1991, page 4.

   (13) For example, in August 1995, Upjohn announced a merger
with a Swedish competitor (Pharmacia AB) that would result in
the ninth-largest drug company in the world, with 34,500
employees worldwide. See Associated Press, "Upjohn, Rival Drug
Firm Plan Merger," *Washington Post*, August 21, 1995, page
A-6.

   (14) In some regimes, "first" means first to discover or
invent. In others, first means first to file for patent
protection. For purposes of this discussion. the distinction
is irrelevant.
____________________________________________________________


               I.6 THE ENTERTAINMENT INDUSTRY


   The product of the entertainment industry is information,
information that is increasingly migrating to digital form.
The dominant concern of the entertainment industry is how to
protect digitized music, movies, games, and the like from
unauthorized mass distribution without proper payment of
royalties and fees. A secondary, though still important,
concern is how the integrity of such products can be ensured.
For example, an unprotected digitized movie could be altered
unmaliciously (with the intent of enhancing its appeal, e.g.,
by colorizing an original black-and-white movie) or
maliciously (e.g., by changing a scene for purposes of
embarrassing the producing company).


                       I.7 GOVERNMENT


   The U.S. government is, and will continue to be, a major
user of cryptography, both for internal purposes and in its
exchanges with citizens. As more and more government services
are implemented using electronic methods, it becomes
increasingly important to identify and authenticate
individuals and to verify the accuracy of data. To the extent
that people wish to use electronic means to communicate
personal information to the government, the need to maintain
confidentiality also increases. Cryptography supports all of
these goals in an electronic world. Several of the many
examples of how cryptography will be used in the federal
government are described here.

   The Internal Revenue Service (IRS) is responsible for
collecting the taxes that fuel all government programs. Every
year, citizens and corporations transmit financial data to the
IRS and interact with the agency to resolve any problems. The
agency processes approximately 100 million individual tax
returns and more than 1 billion supporting documents (e.g.,
W-2 forms, 1099 forms) annually. The primary goal of the IRS's
Tax Systems Modernization (TSM) effort is to facilitate this
process by increasing its use of electronic processing and
electronic interchange of information.(15)

   The TSM effort will allow the IRS to process 100% of all
tax return data on line and will significantly increase the
amounts of data that are submitted electronically. It is this
latter capability that requires the use of cryptography,
primarily in the form of digital signatures, to ensure that
tax returns are submitted in a proper manner. Currently, the
IRS is required to store the handwritten signature of the
person(s) for each and every tax return, including those
submitted electronically. The use of digital signatures will
allow the IRS to eliminate handwritten signatures without loss
of authentication, which will streamline the data-gathering
process. The IRS will be supporting the Digital Signature
Standard, as well as other signature standards that become de
facto commercial standards.(16) While most electronic filing
of income tax returns is currently carried out by authorized
tax preparers, the IRS is working on creating a secure system
using cryptography that would enable taxpayers to file
directly from their home computers.

   Similar to the IRS, the Social Security Administration
(SSA) also collects data from citizens and corporations on a
regular basis. Furthermore, the SSA is responsible for
disbursing funds for old-age and survivors insurance,
disability insurance, and supplemental security income
programs. The effective and efficient management of these
programs increasingly relies on automated data processing and
electronic exchanges among the SSA, citizens, and
corporations. The agency is also involved in the deployment of
digital signatures to streamline its operations. Digital
signatures will allow citizens with home computers to check
the status of their benefits 24 hours a day, rather than
waiting for a telephone service representative to provide the
needed information. Without digital signatures, such a service
cannot be provided electronically because of concerns about
protecting the security of the private information involved in
such an exchange.

   The wide-scale government use of cryptography will require
an extensive infrastructure for maintaining public keys for
all citizens, corporations, and organizations. The Security
Infrastructure Program Management Office (SI-PMO) at the
General Services Administration is planning pilot projects to
test the use of cryptography in electronic communications
between agencies and citizens. Agencies such as SSA, IRS, and
the Department of Education will participate. Citizens
participating in the pilot tests will use a personal computer
or government kiosk and the Internet to access Social Security
information, file income tax forms, or -- in time -- apply for
a student loan.

   In the pilot studies, the U.S. Postal Service (USPS) will
be responsible for issuing the digital signatures that will
identify users through the use of tokens. It will develop an
infrastructure for assigning and maintaining the critical
"certificates" that are needed for proper authentication.(17)
Many believe that the USPS is a natural candidate for such a
responsibility because of its vast network of postal offices
and operations that are aimed specifically at providing
individual and business services. Furthermore, the USPS is a
"trusted" organization that has the backing of legislation to
perform its duties, as well as a mature oversight framework.

In addition to the citizen-to-government interactions
described above, there is a complete spectrum of cryptographic
methods used throughout the government for internal
communication and processing purposes. The Treasury Department
has long used cryptographic methods for the authentication,
integrity, and confidentiality of financial transactions. The
Department of Energy has also been a long-time user and
developer of cryptographic methods, which are employed to
safeguard nuclear control systems, among other things. A
number of nondefense agencies have begun to adopt FortezZa
PCMCIA cards (described in Chapter 5), including the
Departments of Commerce, Justice, Energy, State, and Treasury,
as well as the National Aeronautics and Space Administration,
the IRS, and the Coast Guard. The broad-based use of this
system among civilian agencies is as yet uncertain.(18)

   The effort to make the federal government more efficient
often increases the need for and difficulty of protecting
copyrighted, private, and proprietary information. For
example, improving federal services to citizens by providing
them electronically requires more sharing of information and
resources among agencies and between federal agencies and
state or local agencies. Increased sharing of information
requires interagency coordination of privacy and security
policies to ensure uniformly adequate protection. During a
time of tight federal budgets, information security managers
in federal agencies increasingly must compete for resources
and support to implement the needed safeguards properly.
Agencies must look for the least expensive way to ensure
security, and the cost of some encryption systems currently is
prohibitive for some civilian agencies.

----------

   (15) Computer Science and Telecommunications Board,
National Research Council, *Review of the Tax Systems
Modernization of the Internal Revenue Service*, National
Academy Press, Washington, D.C., 1992; and *Continued Review
of the Tax Systems Modernization of the Internal Revenue
Service*, 1994.

   (16) "IRS, SSA to Let Public Try Digital Signatures,"
*Government Computer News*, November 13, 1995, page 1.

   (17) *Government Computer News*, November 13, 1995.

   (18) "Fortezza Faces Uncertain Future," *Federal Computer
Week*, November 13, 1995, page 12.

____________________________________________________________

                  BOX I.1 Loans by Network

   Loans are an essential part of many large transactions such
as the purchase of houses and automobiles. Consumers provide
information in loan applications which the loan provider uses
as the basis of a loan approval. The formal approval commits
the lender to a specific interest rate and, when it is
accepted, the user to a specific repayment schedule. Since
only information is exchanged, an application in principle
could be conducted entirely without face-to-face interaction
between consumer and provider, thus freeing the consumer to
search the Internet for a provider offering the best rate.(19)

   In practice, however, the prospect of an Internet loan
application raises many questions:

   +    How is the personal data transmitted from the consumer
to the provider to be protected as it crosses the Internet? In
a face-to-face interaction, the information is provided at the
bank, and so there is no difficulty in protecting the
information in transit.

   +    How does the consumer know that she or he is sending
the data to the proper bank? In a face-toface interaction, the
consumer can look at the sign on the front of the building to
verify that it is indeed a branch of First Citibank of
Washington. (People have been known to send faxes to the wrong
fax number.)

   +    How does the consumer know that the institution with
which he or she is interacting is a trustworthy one (e.g., an
organization chartered and regulated by the Federal Deposit
Insurance Corporation)? In a face-to-face interaction, the
consumer can look for the Federal Deposit Insurance
Corporation seal at the front of the building and have some
confidence that the seal is indeed associated with the offices
inside the building.

   +    How do the parties ensure the integrity of a quoted
interest rate? In a face-to-face interaction (or over the
telephone), the parties can simultaneously view a piece of
paper on which a certain interest rate is typed.

   +    In many loans, the interest rate is tied in an
algorithmic fashion to a market index of some sort (e.g., 3
percentage points over the prime interest rate). In a
face-to-face interaction, the lender can pull out a copy of
the Wall Street Journal and point to page B-4.

   +    How does the lender verify the consumer's identity? In
a face-to-face interaction, the consumer can present two photo
identification cards and a recent tax return.

   +    How can the lender as a commercial entity protect
itself against cyber-anarchists who believe that commercial
transactions have no place on the Internet? In offering
services to consumers on a face-to-face basis, police and
security guards protect the bank against robbers.
----------

   (19) Indeed, laws and regulations governing the granting of
credit explicitly or implicitly forbid the inclusion of
factors such as race or "character" that might be ascertained
in a face-to-face interaction.

____________________________________________________________

BOX I.2 Preventing the Unauthorized Aggregation of Health Care
Information

   Use of the Social Security number as a de facto universal
identifier gives rise to concerns on the part of privacy
advocates regarding the unauthorized aggregation of data about
individuals collected from many different institutions that
have been individually authorized to release specific data.
Peter Szolovits has proposed a mechanism based on public-key
cryptography that would generate a unique identifier tied to
the individual and a specific institution under which that
individual's information could be stored by that institution.
With such a mechanism in place, a positive user action would
be required to create an identifier, and the individual would
gain control over the parties who could aggregate personal
data because he or she could refuse to create an identifier
for any given institution requesting particular data.

   In essence, Szolovits's scheme relies on the individual's
performing a public-key digital signature on the institution's
name. The result of this operation is a piece of data, usable
as an identifier, that only the individual could have created,
but that anyone can verify the individual has created. More
specifically, the individual "decrypts" the plaintext that
gives the name of the institution using his private key. Only
the individual could have created the result, because only the
individual knows the private key. However, anyone can encrypt
the identifier using the individual's public key. If the
result of this encryption is the name of the institution, it
can be known with confidence that indeed the individual
generated the identifier.

   Of course, policy would be needed to support this mechanism
as well. For example, it might be necessary to conduct random
data audits of various institutions that would check to see if
a given institution was indeed properly authorized by the
individual to receive given data.

----------

SOURCE: P. Szolovits and I. Kohane, "Against Universal
Health-care Identifiers," *Journal of the American Medical
Informatics Association*, Volume 1, 1994, pages 316-319.

____________________________________________________________

[End Appendix I]




