Security and Privacy in Broadband Internet Services

by Lauren Matheson

Preview

As the public's increasing thirst for speed draws them towards broadband Internet alternatives, new questions of security and privacy arise. Broadband connections, by their 'always on' nature, infrequently changing IP addresses and LAN technology interfaces, increase the vulnerability of computer networks.

Large institutions and corporations know how to protect their systems, but as more and more home users opt for broadband connections, how much knowledge should be expected of them? With so many people using apparently low-security Windows and Macintosh operating systems that enable file and printer sharing by default, there is much room for exploitation. When their computer's network neighbourhood very much resembles their own neighbourhood, many home users are surprised, and those whose printers accidentally receive a neighbour's document are shocked.

To their credit, many broadband providers and hardware manufacturers have developed patches and workarounds for some of these glaring insecurities, but what standard of security and privacy should be expected? Are changes required to the construction of these networks and protocols? Information and misinformation abound regarding DSL vs. cable as means to deliver broadband service. Does either architecture offer an advantage for privacy and security?

As we ask so many questions, it is important to consider whose responsibility it is to resolve these security and privacy concerns. Is it the government's role to ensure a degree of data protection for its citizens, or is it rather the consumer's responsibility to choose a broadband service with the dedication to privacy they desire? This could be a new arena for broadband providers to compete with each other.

Six professionals join us this afternoon to discuss this topic. Robert Ellis and Myles Losch join us from ACM. Simson Garfinkel is a consultant and journalist. John Denker hails from AT&T Labs-Research, while Jacques Desroches and Dermot O'Carroll are from two national broadband providers, Bell Canada and Rogers Cable, Inc.

Review

The results are in. According to the panel of four broadband experts, there is a real security problem: default file sharing, viruses, and careless or clueless users are the primary reasons. AT&T expert John Denker proposes that a threat analysis is necessary before trying to tackle the issue of network security. Protecting a network against a foreign intruder or cracker requires different measures than protecting it against a friend, a host, a legal warrant or tap, a trojan virus, or data miners. The ability to protect is also quite different, especially against trojan horse viruses, which users choose to install but which act much differently than expected. Data mining can also be difficult to avoid. A naive user may voluntarily disclose information, not realizing that it may be kept for a different use or joined to their information elsewhere, a phenomenon referred to by Denker as "getting nibbled to death by ducks."

Solutions, or at least stop-gap measures, to some of these problems do exist and are being used by broadband providers. Commonly misconfigured ports - such as that used by the NetBIOS service in Microsoft file sharing - are frequently blocked by default. Modems operating as bridges filter packets at the user level so that users receive only information directed to them and not to their neighbors. New modems incorporating firewalls may soon be used, thus enabling a heightened level of security without extra software to install. Similar hardware solutions also bypass the inherent insecurities of some operating systems. The panelists seemed to be in agreement, though, that configuration and implementation of security solutions must be understood by novice computer users to be effective.

Privacy may become a new arena for market competition. As consumers become increasingly aware of the degree of their exposure, they will quite possibly demand higher standards from their ISPs. Freedom may also become a consumer choice, as many may choose ISPs which filter certain types of content, thus creating more consumer options. If technology is the limitation, ISPs will be very competitive as their privacy standards will be comparable. However, this is all contingent upon the consumer's ability to differentiate between products based on privacy - an assumption which might not be valid.

Next, the panel considered the roles of different groups. Governments should be expected to set standards that guarantee personal privacy. However, industry may lead the government standards as consumer demands grow. As for customers, Dermot O'Carroll longed to be able to expect from them some degree of rational behavior, where they would learn to use a machine before pushing the limits. Simson Garfinkel proposed increased liability for software vendors and broadband providers that leave security holes open by default, a view supported by an analogy that certain levels of safety are expected from many other industries. But software is not held to the same consumer standards, and Denker strongly objected that liability is a model that simply does not work.

While broadband network security is a problem, it does not have a simple solution because end users are part of the problem. However, if users become more knowledgeable and demanding, security failings may well be significantly reduced.