Information Today
Volume 19, Issue 2 — February 2002
Table of Contents Previous Issues Subscribe Now! ITI Home
IT Feature •
Paying the Price for Security
The financial and social costs of protecting digital information are growing exponentially
by Richard Poynder

Information technology and the Internet—so the mantra goes—offer significant cost savings, efficiency improvements, and substantial social benefits. Such assumptions, however, are increasingly being questioned.

In particular there are concerns that while the use of technology to process and manipulate information provides many advantages, it's much harder to protect that information once it's digitized. Moreover, attempts to increase the security of digital information are proving costly in both financial and social terms.

For instance, while there are undeniable benefits to making corporate information available to customers via the Internet and to partners via extranets, there are inevitable security implications, including viruses and hackers. "The more access that companies grant to their networks, the more vulnerability they create since it increases the number of entry points for intruders," says Allan Carey, a senior analyst at research company IDC.

And as demand for wireless access to corporate networks and remote working grows, the costs of protecting information will rise. IDC predicts that the worldwide market for information security services will nearly triple to $21 billion by 2005.

Those who sell digital products—such as the publishing, media, and software industries—are at even greater risk. Since their business is founded on intellectual property, their very survival rests on the security of their data. Yet file-swapping services like Napster have demonstrated just how vulnerable they are. "The problem is that it is far easier to copy digital information than it is to protect it," says Richard Chapman, an IT attorney with London-based law firm Berwin Leighton Paisner.

Consequently, new technologies are being developed to better secure intellectual property in the digital environment. Known collectively as digital rights management (DRM), they use encryption, software keys, and electronic watermarking with the aim of restricting access and prohibiting unauthorized copying.

In addition, governments are updating intellectual property protection for cyberspace. In 2000, for instance, the U.S. Digital Millennium Copyright Act (DMCA) went into effect. Likewise, the European Union (EU) has issued the Copyright Directive, which will see similar laws introduced in Europe by the end of this year. And acknowledging that information is increasingly housed in databases, the EU passed the Database Directive, which creates a unique database right that's designed to prevent unlawful extraction of data. This was implemented in the U.K. in 1998 as the Database Right.

Critics argue, however, that while much is being done to secure corporate information, too little effort is going into protecting personal data. Worse, they add, protecting corporate information is eroding traditional consumer rights.

Under copyright law, for instance, individuals are permitted to exercise fair use rights in which they can make copies of purchased content for personal use. But once it's sealed behind DRM padlocks it becomes impossible to copy content, regardless of legal rights.

Equally as controversial, the new laws are sanctioning these restrictions, thereby altering the traditional balance between the rights of content owners and the rights of the public in favor of large media companies. In the U.S., the DMCA has been particularly criticized for its impact on long-standing consumer privileges. "The DMCA is having the effect of eviscerating the concept of being able to make fair use of the material that you legally possess," says Barry Steinhardt, associate director of the American Civil Liberties Union (ACLU). "Further, it is not preserving intellectual property rights, but expanding them."

The European Copyright Directive will doubtless attract similar criticisms. "The situation will vary," says Charles Oppenheim, professor of information science at the U.K.'s Loughborough University. "But while in some countries fair dealing [fair use] will remain pretty much unscathed, in others there will be a drastic reduction in the ability of users to copy for private purposes."

There are also concerns about the Database Directive. "The law is very widely drafted indeed," says Hugh Brett, a specialist intellectual property lawyer in the London office of international law firm White & Case. "So in effect practically anything you copy from your computer screen is likely to be an infringement of the Database Right."

Moreover, critics argue, in their efforts to protect their own data—and maximize sales—companies are riding roughshod over consumer privacy. DRM technologies, for instance, are designed to capture as much information about consumers as possible, since knowing the identity of purchasers helps curb unauthorized copying. But this data also provides valuable marketing information. "If you pay a digital nickel to listen to a song from Vivendi, maybe Vivendi finds out who you are and what you listened to," explains Phil Agre, associate professor of information studies at UCLA and co-editor of Technology and Privacy: The New Landscape."Maybe Vivendi then sends you advertising for other music you might like. Many would consider this an invasion of privacy."

Further, like the invisible software programs known as "cookies" and "Web bugs" that are used to track and monitor users as they surf the Web, much of this information is harvested covertly. Since consumers are unaware that more and more information is being collected on them, says Mark Littlewood, director of campaigns at Liberty, a U.K. civil rights organization, "they don't realize that they might be under some form of threat from technology."

The most obvious threat is data spillage. "The prevailing level of security used to store data on individuals, and the care with which it is treated, is far too low in most organizations, leading to frequent leakage of sensitive data," says Jason Catlett, president of Junkbusters, a U.S.-based privacy-advocacy company.

The severity of the problem was underlined earlier this year when the Consumers' Association, one of the main advocates of online security in the U.K., inadvertently exposed the credit card details of nearly 3,000 of its customers to unauthorized third parties.

In short, says Chris Hoofnagle, legislative counsel at the Washington, D.C.-based Electronic Privacy Information Center (EPIC), when stored electronically, personal information is as vulnerable as corporate data. Yet companies often take it without permission, and then treat it with less care than their own data. "One of the interesting dichotomies we see is that companies are making very vigorous attacks on attempts by individuals to protect their personal information," he says. "Yet at the same time they are very forcefully protecting their own privacy—insofar as by preventing the publication of something, copyright can be viewed as a form of privacy protection."

And while there are counterweights—such as Europe's data protection legislation—many are skeptical about the efficacy of legal protection for consumers. "The problem,"says Littlewood, "is that there is insufficient manpower to enforce the law."

Some, however, believe that the costs associated with protecting digital information will eventually prove so burdensome—both for companies and individuals—that people will simply throw in the towel. "The time will come when the cost of protecting information is so high, and computer networks proliferate so widely, that individuals and organizations will for the most part give up the effort to protect their private data," says Niv Ahituv, vice president and director general of Tel Aviv University and author of A World Without Secrets: On the Open Information Society. "At that point, electronic information will be accessible to everyone."

Carey, however, is skeptical that companies will ever relinquish control. "Proprietary information provides them with competitive advantage, so they will never stop protecting their data."

For consumers, however, there may be little choice, says Chapman. While companies can use protective technologies to secure their data, there's currently no effective way to protect personal information. "So it is going to prove far more difficult to protect privacy than it is to protect intellectual property."

This, combined with the increasing surveillance powers that governments have sought in the wake of the September 11 attacks, suggests that privacy is fast becoming a rare commodity.

At the same time, traditional consumer rights like fair use may simply disappear. The social cost of our digital future perhaps?

Richard Poynder is a U.K.-based freelance journalist who specializes in intellectual property and the information industry. He writes for a number of information publications and contributes regularly to the London Financial Times.  His e-mail address is

Table of Contents Previous Issues Subscribe Now! ITI Home
© 2002 Information Today, Inc. Home