Intel's intentions aside, Pentium III renews fears over what data can be pulled from a Net surfer's computer

02/23/99

By Doug Bedell / The Dallas Morning News

As computer processor giant Intel recently learned, the growing Internet audience takes its privacy very seriously, thank you.

Considerable dust has been raised in the last four years over a raft of issues. From cookies Ð those little text files injected onto your hard disk by many Web sites Ð to repeated government resistance to encryption measures that could guarantee security for online transmissions, these skirmishes have been ferocious.

The latest bluster comes with the release of Intel's Pentium III, which was set up to identify itself with an electronic serial number upon request, ostensibly to help track activity inside corporations' computer networks. However, consumer groups and privacy advocates immediately launched protests, fearing that Internet mass marketers and junk e-mailers would quickly convert the corporate tool for nefarious purposes.

As Intel began releasing the Pentium III last week, it was forced to make a bold concession. The chip's serial number feature, the company announced, would be set to the "off" position in default.

Says Gene Crick, director of the nonprofit individual rights group Electronic Frontier Ð Texas: "The Pentium III user identification notion is merely another salvo in the war against personal freedom on the Internet. Though the Net was born of individualism and initiative, these values are unwelcome to profiteers and politicians who want online activity to become controlled and commercial.

"We urge everyone to recognize and resist anyone trying to strip-mine cyberspace."

Rumors, online paranoia and constantly changing technology all contribute to emotionally charged arguments as the medium develops. Efforts to ensure privacy in the virtual world have produced a host of software and hardware responses. Fingerprint computer pads, retinal eye scanners, encryption known as PGP, or Pretty Good Privacy, and online browser certificates are in various stages of development.

Intel insists that the electronic serial number technology is intended to bolster - not undermine - privacy in electronic commerce and day-to-day computer networking, but how it will all shake out is anyone's guess. Some basic issues form the heart of the overall privacy debate. And the primary point being made by consumers is clear: We take our personal computers very personally.

What 'they' already know

Regardless of the Pentium III's on-off option, some information about your computer is already being broadcast when you explore the Net. If you use an Ethernet card on a local or remote network, an address for that card is used to route traffic to your machine. On another front, the Internet protocol, or IP, address from which you are accessing the Internet is also available.

The IP address is a 32-bit number that identifies each sender or receiver of information. When you request an HTML page on the Web or send e-mail, your IP address is included in the message.

Internet connectivity being what is, your computer must "broadcast" numbers that can be used in identifying you.

Intel's electronic serial number feature is not as indiscriminant. Special instructions and permission would have to be given to allow that number out of your box.

Intel's innovation produced an incredible backlash.

Junkbusters, a group fighting insidious electronic advertising, has urged a boycott of the Pentium III chip. And a poll by Windows On-line Magazine just last week showed only 18 percent of respondents would still purchase the processor "in light of the controversy surrounding the Pentium III chips' ability to reveal the identity of Web surfers."

The majority said they would switch brands.

David Sorkin, associate director of the John Marshall Law School Center for Information Technology and Privacy, says the reaction was predictable.

"I think there's some validity to concerns on the Pentium III," Mr. Sorkin says. "It was as though everybody was being assigned an ID number."

Within corporations, there is a strong need to ensure the identities of people sending sensitive data back and forth. Systems administrators trying to track viruses also wanted the serial number technology, says Intel spokesman Tom Waldrop.

"The reaction certainly did not hit us out of the blue," Mr. Waldrop says. "We are very much aware that where there is security, there needs to be identity. And that means providing information.

"But the concerns were stronger than we expected from some groups."

As a result, Intel made its change to permit users to permanently opt out of the serial number feature at installation.

Permission and trust

To Mr. Sorkin and Internet privacy specialists such as Lauren Hall, chief technologist for the Software and Information Industry Association, the reaction was similar to the flap over browser cookies, files sent from Web sites into computers to help regular visitors move quickly through Web site password procedures. They also help customize ad displays or Web site topic selections, making the experience more personal and less time-consuming.

"If I visit The New York Times page, I appreciate cookies keeping me from having to re-enter my password all the time," says Mr. Sorkin. "They do fulfill that function in a lot of cases. The problem is they can be used for purposes not intended by their creators."

Proponents of the Intel serial number technology point out that it is not broadcast on the Internet. Rather, the ID numbers are available to Web site programmers trying to be sure you should be allowed access to sensitive information.

Intel's feature will be used like Active X and other browser controls. Surfers are asked permission beforehand to implement some of those features.

The whole question is one of trust, Ms. Hall says. Consumers make privacy trade-offs every day, she says. Even the bonus cards used by grocery chains could have security repercussions if stores weren't trusted to use shoppers' personal information properly.

"I get very nervous if all I buy is red meat, butter and whole milk and you're selling that information to my insurance company," Ms. Hall says.

But, she says, "if they want to use my purchasing information to keep their shelves stocked properly, I don't mind."

Software has been developed to partially counter Internet cookies, which arguably perform functions equivalent to the grocery store bonus cards. Programs such as The Anonymize can actively intercept any outgoing personal information from a computer. Another, AT&T's The Crowd, lumps information about your surfing habits with that from thousands of others before letting the data be read by Web sites. Most browsers can now be set to warn when cookies are being sent.

In the view of Intel, the serial number technology is just another way to ensure that communications and electronic commerce are conducted securely.

"On the consumer side, we view this as a first step. . . . The Internet and e-commerce are just starting to develop," Mr. Waldrop says. "We intended this as an additional layer of security that can be used - or not used - at the owner's discretion."

Automatic teller machines weren't widely used for years because of similar consumer privacy fears, he says. "It may have been easier and more secure, but people didn't take very easily to banking without a person involved. When you have a new field like this and technology like the Internet, it does present challenges."

Evolving technology|

Privacy experts believe the Internet is peculiar in that it combines a sometimes frightening new technology with purchasing and information options never before presented to consumers.

"Different consumers have different levels of expectations of privacy," says Ms. Hall. "You can offer people choices. What people want is very, very different from individual to individual."

She advises Web site designers to clearly lay out privacy policies.

"Companies are incredibly interested in making sure they protect the privacy interests of their visitors," she says. "Generally, they're not interesting in exploiting that information. That's not to say they're not interested in using it.

"There's a difference between exploiting information and using it in the services you deliver to customers. One of the key benefits of the Web is that you can customize service."

While some companies are developing technologies to restrict unauthorized access to sensitive data and transactions, others believe the most secure technology is already available.

Vint Cerf, co-author of the computer language underlying the Internet, says he strongly supports public key encryption standards for worldwide commerce. With public keys, all traffic can be scrambled. Information can't be unlocked unless the sender provides a digital key for its release.

"I mean, the Net does need to be made secure. . . . We've been strong proponents of pretty liberal cryptographic policy which allows people to encrypt their traffic in any way they see fit," says Mr. Cerf, now an MCI WorldCom vice president.

But Ms. Hall and Mr. Sorkin note that encryption is very complicated for most users. And, they say, governmental concerns that it can be used to mask criminal communications are bound to hold back popular use.

Several companies, including VeriSign, have also tried to set themselves up as third-party identity guarantee services. They issue browser certificates that are supposed to help make online transactions secure and reliable. A key barrier to using certificates, however, has been the question of liability when transactions go sour. The legal system has yet to sort this out.

Across the digital landscape, consortiums of major companies are banding together to come up with viable, universal security methods. For instance, CommerceNet UK - helped by firms that include AT&T, Netscape and Compaq's Tandem Group - is testing something called Secure Internet EDI.

The nature of personal computing, however, will be the impetus for a range of options such as Intel's serial number technology, experts say.

"Yes, it is possible to steal credit card numbers and other personal information on the Internet," says Ms. Hall. "But, by and large, the most serious breaches will always be internal and involve people.

"Ultimately, this Internet security issue is one that the marketplace will sort out on its own."

Back to Top
Send a letter to the Editor about this story
Discuss this story in our technology forum