BKPRVPAP.RVW   20020926

"The Privacy Papers", Rebecca Herold, 2002, 0-8493-1248-5, U$69.95
%A   Rebecca Herold
%C   920 Mercer Street, Windsor, ON   N9A 7C2
%D   2002
%G   0-8493-1248-5
%I   Auerbach Publications
%O   U$69.95 +1-800-950-1216 auerbach@wgl.com orders@crcpress.com
%P   679 p.
%T   "The Privacy Papers: Managing Technology, Consumer, Employee, and
     Legislative Actions"

The preface asserts that this volume is intended as an introduction to privacy for C-level executives. (I assume that means "Chief" executive officers, security officers, information officers, and the like, rather than referring to the grades they made in school.) This assertion is a bit odd, both in terms of the enormous size of the volume, and in terms of the statement, in the foreword, that the papers are included based on the editor's personal choice.

The introduction gives a historical look at early US privacy law.

Part one deals with business organization issues, including papers on the privacy of employee email (case studies that are often unresolved), email pornography policy (have one), computer forensics and privacy (almost no content), policies for secure personal data (random security topics), security awareness (good program, but generic and not tailored for privacy), the case for privacy (vague thoughts, no case), attorney-client privilege and electronic data transmission (careless use of communications technology may void privilege), computer crime and analysis of computer evidence (you can get evidence from computers), a tale of two spies (spies may use computers), (US) federal laws affecting information systems auditors (more politics than details), computer forensics (*extremely* vague), the dangerous precedent set in the use of electronic identifiers (various cases linked *only* by the fact that *none* have been tested in court and therefore no precedents have been set), jurisdictional issues (almost irrelevant to privacy), anonymity on the net (generic), erosion of confidentiality (anecdotal reports), export regulations for cryptography (irrelevant to privacy), security awareness training (irrelevant), security standards (irrelevant to privacy), chief medical information officers (oddly irrelevant), information security management in healthcare (interesting and detailed), criminal activity on the Internet (clear but not much detail), identity theft (interesting but undetailed), identity theft again (US-centric and not always helpful), and obtaining information from ISPs (Internet service providers) (detailed content on a complex topic).

Part two reviews tools and related technology. The first paper not only does not advise on its stated topic, selecting a cryptographic system, but it demonstrates essentially no understanding of cryptographic concepts, and a truly astonishing range of errors. (There definitely are inherent differences between symmetric and asymmetric encryption; asymmetric encryption does not use digital signatures, but provides for them; and the electronic codebook mode of DES [Data Encryption Standard] is not less able to provide authentication than the chaining modes, since none of the encryption modes provides authentication on its own.) Other essays deal with new paradigms for steganography (pointless), cookies and web bugs (a brief and limited apologia), online profiling (a political report on online business), intrusion detection systems (a review of a conference on the topic), Internet acceptable use policies (banal and unhelpful), ethics and the Internet (a brief take, only marginally about privacy), security of wireless LANs (long out of date), customer relationship management and data warehousing (little about privacy), anonymity, privacy, and trust (brief and random), Web certification (promotional piece for ICSA Labs), and an exhortation to get people to sign a confidentiality agreement.

Part three is about US laws and issues. The pieces in this section are primarily either documents prepared by government departments, or prepared testimony before legislative committees (and sometimes both). There is a FAQ (Frequently Asked Questions list) on the HIPAA (Health Insurance Portability and Accountability Act) privacy rule prepared by the Department of Health and Human Services, testimony on HIPAA, a non-detailed description of the provisions of the Financial Services Modernization Act, a list of US laws with privacy provisions and another of proposed laws as of July 2001, testimony about privacy in wiretap laws, and a report on the Carnivore system.

Part four turns to international laws and issues. The European Union directive on privacy is attacked as a barrier to trade, there is a detailed (but not very interesting or helpful) review of the EU directive and how it is implemented by some of the member states, a Department of Commerce description of the Safe Harbor program, and a list of international privacy laws.

While isolated articles in this volume are interesting, the reader would have to be rather ignorant about privacy issues in order to get much out of the text overall.

copyright Robert M. Slade, 2002   BKPRVPAP.RVW   20020926