Industry Leaders Testify at Government Privacy Hearings by Susan Hastings In an era in which technology constantly provides people with newer and more useful tools, a decision must be reached on how the information provided by technology should be used by society. In hearings before the U. S. House of Representatives last winter, business leaders in the computer field attempted first to define the issues of computer security and privacy, and then to demonstrate the roles government and industry must play in their efforts to make the new technology beneficial to all of society. There is a great difference between the terms "privacy" and "security". Privacy is - or should be - the inherent and legal right of individuals, groups or institutions to determine for themselves when, how, and what information about them is communicated to others. In relation to computers, security is the means taken to ensure that privacy. Privacy is a legal, political and philosophical concept, and properly belongs in the domain of government. Computer security deals with technique, and is the province of the manufacturer. Law and technology must cooperate in their efforts to make the benefits of modern electronics available to everyone. Rapid progress in electronics has raised the processes of data collection, storage, retrieval and dissemination to the point where it will be easier to invade the privacy of citizens. Although continuing progress makes it possible to develop systems designs and controlling software that provide much better protection against man or machine failure, business must take upon itself the task of developing even newer systems to protect the rights of the individual. Separate computer privacy studies in the United States, England, and Canada have agreed upon four recommendations for legal and technological control over systems as they relate to sensitive information about people: 1) An individual should be given right of access to information about him contained in record keeping systems and a way to find out how the information is used; 2) There should be a way for an individual to correct or amend a record of identifiable information about him; 3) There should be a way for an individual to prevent information about him that he provided for one purpose from being used for another without his consent; 4) The custodian of data files containing sensitive information has a responsibility for endeavoring to maintain the reliability of the data and to take precautions to prevent misuse of data. The manufacturer is faced with the technological problem of implementing these recommendations. His chief responsibility is to provide the hardware and software that will enable computer users to achieve the degree of security necessary to insure the accuracy and pertinence of personal information held in data files. Although all manufacturers recognize that technology alone cannot prevent the abuse of information by authorized persons, it can provide for journaling and auditing techniques which may serve as effective deterrents. IBM's policy on data security would no doubt hold for the entire industry: "Although the customer has overall responsibility for the protection of data, IBM has a responsibility to assist our customers in achieving the data security they require. In this regard, lBM will offer systems, products, services, and counsel that clearly contribute to the solution of data security problems." The objective of any data security program is to cut the risk and probability of loss to the lowest affordable level and to implement a full recovery program if a loss occurs. Lewis M. Branscomb of IBM and Robert P. Henderson of Honeywell believe that their companies have recognized their responsibilities for providing better safeguards for computer security. In 1972 IBM committed itself to an investment of some $40 million over a five year period to study the requirements of data security and to make further developments of appropriate safeguards of their products. Like Honeywell and other manufacturers, they are working on devices in the hardware and software areas that will provide protection in the security area. Despite ever more sophisticated technology to increase the security of computer systems, there is no such thing as perfect security. Beyond legal action, there is a great deal that users can do, however, to promote their own security. Users must be educated to take the responsibility of determining their own security needs and selecting the right combination of operating procedures, physical security measures, hardware devices, and programming tools that will fill those needs. Historically, the security of any information system depends on normal procedures of business and accounting control and traditional physical security measures. A computer installed behind showplace plate glass windows may be good for a company's public image, but it renders the computer vulnerable to people with malicious designs. Likewise, users should exercise a special sensitivity in selecting the personnel who have access to data banks, for no matter how secure the system, there is always the danger of people being compromised. Trained, dependable people are an absolute necessity. No matter what the level of hardware and software security, one must always remember that people run (and break) the system, not technology.