Joint Workshop on Mobile Web Privacy WAP Forum & World Wide Web Consortium
7-8 December 2000
A certain confusion exists in the industry about security and privacy. Some people equate security for privacy, while others think privacy is something that will only interest "those with something to hide". Security is a necessary tool to build privacy, but a communication or transaction environment can be very secure, yet totally unprivate. Privacy is a basic human right and is recognized as a necessity by the European Union (Privacy Directive) and the OECD (Principles of Fair Information Practice). Finally, privacy is simply good business, and will be required for M-Commerce to gain widespread adoption by consumers around the world.
Security and privacy are closely related technologies, however, there are important differences that need to be understood in order to design new systems that address both. Privacy is about informational self-determination--the ability to decide what information about you goes where. Security offers the ability to be confident that those decisions are respected. For example, we talk about GSM voice privacy--can someone listen to my call? There is a privacy goal, which is to allow me to say no, and a security technology, encryption, that allows me to enforce it. In this example, the goals of security and privacy are the same. But there are other times when they may be orthogonal, and there are also times when they are in conflict.
There is a security goal of authenticating a handset. In some instances this may be done by RF fingerprinting, which is not a privacy issue-we securely authenticate that the handset is the one that is linked to an account, thus ensuring that the right person is billed. Here, security and privacy are orthogonal.
Caller presentation is an example of a place where security and privacy can conflict. I may want privacy, in not letting anyone else see my number, while the callee may want the security of thinking they know who is calling. In this situation, in most countries, a balance has been struck in favour of informational self-determination, allowing the caller to choose if caller information is available.
In the area of location information, allowing disclosure of location information out on an continuous basis creates a number of privacy issues, but occasionally, when calling for emergency services, it is useful to reveal. It is important to design these system so that the phone's owner is in control and happy, and to ensure that the security measures in place support the owner's decision effectively.
SSL is often confused with privacy. SSL offers "privacy" against eavesdroppers, but this is better called confidentiality. The well-publicized break-ins at CDNow and other retailers using SSL show that privacy requires more than SSL. (The same issues apply to WTLS, although WTLS also creates a problem with the decryption at the WTLS gateway, and a question of is that trustworthy?) It requires minimizing the amount of information that is transmitted and stored.
So, in handling payments, one can achieve strong security by sending around the electronic equivalents of cheques, which are cleared, online. The cheque is signed, the bank is asked if there is enough money, and everything flows smoothly. Excellent privacy with the same security can be obtained with using modern e-cash systems. E-cash with online verification allows the money to be spent without revealing the account number. Since the account number is never given to the merchant, privacy is strongly preserved, even when there is a security lapse. Private Credentials can enable a totally secure AND private environment for mobile payment and signatures.
Whether it is for payment, signature or location-based services, Privacy protection technologies must be an integral part of future mobile infrastructure in order for new mobile services to be adopted by consumers.