REVIEW: "The Privacy Papers", Rebecca Herold
- BKPRVPAP.RVW 20020926
"The Privacy Papers", Rebecca Herold, 2002, 0-8493-1248-5, U$69.95
%A Rebecca Herold
%C 920 Mercer Street, Windsor, ON N9A 7C2
%I Auerbach Publications
%O U$69.95 +1-800-950-1216 auerbach@... orders@...
%P 679 p.
%T "The Privacy Papers: Managing Technology, Consumer, Employee,
and Legislative Actions"

The preface asserts that this volume is intended as an introduction to
privacy for C-level executives. (I assume that means "Chief"
executive officers, security officers, information officers, and the
like, rather than referring to the grades they made in school.) This
assertion is a bit odd, both in terms of the enormous size of the
volume, and in terms of the statement, in the foreword, that the
papers are included based on the editor's personal choice.

The introduction gives a historical look at early US privacy law.

Part one deals with business organization issues, including papers on
the privacy of employee email (case studies that are often
unresolved), email pornography policy (have one), computer forensics
and privacy (almost no content), policies for secure personal data
(random security topics), security awareness (good program, but
generic and not tailored for privacy), the case for privacy (vague
thoughts, no case), attorney-client privilege and electronic data
transmission (careless use of communications technology may void
privilege), computer crime and analysis of computer evidence (you can
get evidence from computers), a tale of two spies (spies may use
computers), (US) federal laws affecting information systems auditors
(more politics than details), computer forensics (*extremely* vague),
the dangerous precedent set in the use of electronic identifiers
(various cases linked *only* by the fact that *none* have been tested
in court and therefore no precedents have been set), jurisdictional
issues (almost irrelevant to privacy), anonymity on the net (generic),
erosion of confidentiality (anecdotal reports), export regulations for
cryptography (irrelevant to privacy), security awareness training
(irrelevant), security standards (irrelevant to privacy), chief
medical information officers (oddly irrelevant), information security
management in healthcare (interesting and detailed), criminal activity
on the Internet (clear but not much detail), identity theft
(interesting but undetailed), identity theft (US-centric and not
always helpful), obtaining information from ISPs (information service
providers) (detailed content on a complex topic).

Part two reviews tools and related technology. The first paper not
only does not advise on its stated topic, selecting a cryptographic
system, but it demonstrates essentially no understanding of
cryptographic concepts, and a truly astonishing range of errors.
(There definitely are inherent differences between symmetric and
asymmetric encryption, asymmetric encryption does not use digital
signatures, but provides for them, and the electronic codebook mode of
DES [Data Encryption Standard] is not less able to provide
authentication than the chaining modes.) Other essays deal with new
paradigms for steganography (pointless), cookies and web bugs (a brief
and limited apologia), online profiling (a political report on online
business), intrusion detection systems (a review of a conference on
the topic), Internet acceptable use policies (banal and unhelpful),
ethics and the Internet (a brief take, only marginally about privacy),
security of wireless LANs (long out of date), customer relationship
management and data warehousing (little about privacy), anonymity,
privacy, and trust (brief and random), Web certification (promotional
piece for ICSA Labs), and an exhortation to get people to sign a
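To make the reviewer's last correction concrete (that ECB is not less able than the chaining modes to provide authentication, because none of the confidentiality modes provide it), here is an added example in Python; it is not from the book or from the review. A toy 64-bit Feistel cipher stands in for DES (an assumption made so the example runs on the standard library alone; the malleability shown depends on the mode, not on the cipher), and is run in both ECB and CBC mode. A single flipped ciphertext bit decrypts without any error in either mode: ECB garbles one block, CBC garbles one block and flips the same bit in the next. Tampering is detected only once an HMAC is added. The key, IV, message and MAC key are constructed sample values.

```python
import hashlib
import hmac

BLOCK = 8  # 64-bit blocks, the DES block size; the cipher below is a toy stand-in, not DES


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _feistel(block: bytes, key: bytes, rounds) -> bytes:
    # Toy 16-round Feistel network with SHA-256 as the round function (assumption:
    # this stands in for DES; the mode's malleability does not depend on the cipher).
    left, right = block[:4], block[4:]
    for rnd in rounds:
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:4]
        left, right = right, _xor(left, f)
    return right + left  # undo the final swap so decryption reuses the same loop


def block_encrypt(block: bytes, key: bytes) -> bytes:
    return _feistel(block, key, range(16))


def block_decrypt(block: bytes, key: bytes) -> bytes:
    return _feistel(block, key, range(15, -1, -1))  # same rounds, reverse order


def ecb_encrypt(pt: bytes, key: bytes) -> bytes:
    # Electronic codebook: every block is encrypted independently.
    return b"".join(block_encrypt(pt[i:i + BLOCK], key) for i in range(0, len(pt), BLOCK))


def ecb_decrypt(ct: bytes, key: bytes) -> bytes:
    return b"".join(block_decrypt(ct[i:i + BLOCK], key) for i in range(0, len(ct), BLOCK))


def cbc_encrypt(pt: bytes, key: bytes, iv: bytes) -> bytes:
    # Cipher block chaining: each plaintext block is XORed with the previous ciphertext block.
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(_xor(pt[i:i + BLOCK], prev), key)
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(ct: bytes, key: bytes, iv: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        cur = ct[i:i + BLOCK]
        out.append(_xor(block_decrypt(cur, key), prev))
        prev = cur
    return b"".join(out)


# Constructed sample values (not real secrets): a 16-byte message, i.e. exactly two blocks.
KEY = b"constructed-key!"
IV = bytes(range(BLOCK))
MESSAGE = b"PAY:0010 TO:ALIC"


def tampered_decrypt(mode: str) -> bytes:
    """Flip the low bit of the first ciphertext byte, then decrypt.

    Neither mode raises or signals anything: ECB garbles block 0 only, CBC
    garbles block 0 and flips the same bit in block 1. Neither mode authenticates.
    """
    if mode == "ecb":
        ct = bytearray(ecb_encrypt(MESSAGE, KEY))
        ct[0] ^= 0x01
        return ecb_decrypt(bytes(ct), KEY)
    if mode == "cbc":
        ct = bytearray(cbc_encrypt(MESSAGE, KEY, IV))
        ct[0] ^= 0x01
        return cbc_decrypt(bytes(ct), KEY, IV)
    raise ValueError(mode)


def seal(pt: bytes, enc_key: bytes, mac_key: bytes, iv: bytes) -> bytes:
    """Encrypt-then-MAC: the authentication comes from the HMAC, not from the mode."""
    ct = cbc_encrypt(pt, enc_key, iv)
    return ct + hmac.new(mac_key, iv + ct, hashlib.sha256).digest()


def open_sealed(blob: bytes, enc_key: bytes, mac_key: bytes, iv: bytes):
    """Return the plaintext, or None when the tag does not verify (tampering detected)."""
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, iv + ct, hashlib.sha256).digest()):
        return None
    return cbc_decrypt(ct, enc_key, iv)


if __name__ == "__main__":
    print("ECB tampered ->", tampered_decrypt("ecb"))
    print("CBC tampered ->", tampered_decrypt("cbc"))
    sealed = bytearray(seal(MESSAGE, KEY, b"constructed-mac-key", IV))
    sealed[0] ^= 0x01
    print("with HMAC    ->", open_sealed(bytes(sealed), KEY, b"constructed-mac-key", IV))
```

Run stand-alone, the two mode decryptions print corrupted but "successful" output, while the sealed version returns None for the same one-bit change; integrity is a property of the MAC (or of an authenticated mode), not of ECB versus CBC.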

Part three is about US laws and issues. The pieces in this section
are primarily either documents prepared by government departments, or
prepared testimony before legislative committees (and sometimes both).
There is a FAQ (Frequently Asked Questions list) on the HIPAA (Health
Insurance Portability and Accountability Act) privacy rule prepared by
the Department of Health and Human Services, testimony on HIPAA, a
non-detailed description of the provisions of the Financial Services
Modernization Act, a list of US laws with privacy provisions and
another of proposed laws as of July 2001, testimony about privacy in
wiretap laws, and a report on the Carnivore system.

Part four turns to international laws and issues. The European Union
directive on privacy is attacked as a barrier to trade, there is a
detailed (but not very interesting or helpful) review of the EU
directive and how it is implemented by some of the member states, a
Department of Commerce description of the Safe Harbor program, and a
list of international privacy laws.

While isolated articles in this volume are interesting, the reader
would have to be rather ignorant about privacy issues in order to get
much out of the text overall.

copyright Robert M. Slade, 2002 BKPRVPAP.RVW 20020926
rslade@... rslade@... slade@... p1@...
Find book info victoria.tc.ca/techrev/ or sun.soci.niu.edu/~rslade/
Upcoming (ISC)^2 CISSP CBK review seminars (+1-888-333-4458):
November 25, 2002 - November 29, 2002 Toronto, ON, Canada
December 16, 2002 - December 20, 2002 San Francisco, CA
February 10, 2003 - February 14, 2003 St. Louis, MO