This article was downloaded by: [Northeastern University]On: 21 November 2014, At: 19:56Publisher: Taylor & FrancisInforma Ltd Registered in England and Wales Registered Number: 1072954 Registered office: Mortimer House,37-41 Mortimer Street, London W1T 3JH, UK

Information Systems SecurityPublication details, including instructions for authors and subscription information:http://www.tandfonline.com/loi/uiss19

Conducting E-Business AnonymouslyRalph Spencer Poore CISSP, CISA, CFE aa Chief Technology Officer of Privacy Infrastructure, Inc., and Managing Partner of [.pi]R2Consulting. He is a Certified Fraud Examiner (CFE), Certified Information Systems Auditor(CISA), and a Certified Information Systems Security Professional (CISSP)Published online: 21 Dec 2006.

To cite this article: Ralph Spencer Poore CISSP, CISA, CFE (2001) Conducting E-Business Anonymously, Information SystemsSecurity, 10:4, 1-8, DOI: 10.1201/1086/43317.10.4.20010901/31770.2

To link to this article: http://dx.doi.org/10.1201/1086/43317.10.4.20010901/31770.2

PLEASE SCROLL DOWN FOR ARTICLE

Taylor & Francis makes every effort to ensure the accuracy of all the information (the “Content”) containedin the publications on our platform. However, Taylor & Francis, our agents, and our licensors make norepresentations or warranties whatsoever as to the accuracy, completeness, or suitability for any purpose of theContent. Any opinions and views expressed in this publication are the opinions and views of the authors, andare not the views of or endorsed by Taylor & Francis. The accuracy of the Content should not be relied upon andshould be independently verified with primary sources of information. Taylor and Francis shall not be liable forany losses, actions, claims, proceedings, demands, costs, expenses, damages, and other liabilities whatsoeveror howsoever caused arising directly or indirectly in connection with, in relation to or arising out of the use ofthe Content.

This article may be used for research, teaching, and private study purposes. Any substantial or systematicreproduction, redistribution, reselling, loan, sub-licensing, systematic supply, or distribution in anyform to anyone is expressly forbidden. Terms & Conditions of access and use can be found at http://www.tandfonline.com/page/terms-and-conditions

RALPH SPENCER

POORE, CISSP,CISA, CFE, is ChiefTechnology Officerof PrivacyInfrastructure, Inc.,and ManagingPartner of πR2

Consulting. He is aCertified FraudExaminer (CFE),CertifiedInformationSystems Auditor(CISA), and aCertifiedInformationSystems SecurityProfessional(CISSP).

Conducting E-BusinessAnonymously

Ralph Spencer Poore, CISSP, CISA, CFE

In our society today, conductingbusiness anonymously verges onthe Herculean or even Sisyphean.1

If a transaction is not barter or cash,keeping the buyer anonymous poseschallenges even without the addition-al elements inherent in electroniccommerce. The conduct of businesselectronically (“E-business”) general-ly requires the participation of fourparties (or roles): buyer, seller (e.g.,merchant), fiduciary (e.g., bank), andtransport (e.g., delivery service). Thebuyer’s computer — particularly thebrowser software — provides theinterface for the buyer in a business-to-consumer transaction. The mer-chant’s computer — particularly theWeb site software — provides theinterface for the merchant to prospec-tive buyers. When the transactioninvolves the sale of software or data(e.g., music, visual art, text, or eventelemetry), the means connecting thebuyer to seller (e.g., the Internet) canalso serve in the role of transport. Ifthe seller is trusted to accept pay-ment by representation of the buyer’sidentity and authorization (as is thecase with a standard credit cardtransaction), then the fiduciarybecomes the credit card transaction

system (e.g., American Express orDiscover Card). Exhibit 1 describesthe important zones or domains ofcontrol:

� Zone A — The client’s accessdevice, usually a PC, but could be aPDA or cell phone or similar device.The “buyer” generally controls thiszone.�� Zone B — This is the telecommu-nications link between Zones A andC. This may include one or more ISP,one or more carriers, and one ormore technologies including broad-cast technologies. The “buyer” mayexercise some degree of control overthis connection.�� Zone C — The merchant’s server,which could be almost any comput-ing platform or platforms, generallyrunning under the control of the“seller,” but may include outsourcingto an ASP.�� Zone D — This is the telecommu-nications link between Zones C andE. Just as in Zone B, this zone mayinclude many players; however, the“seller” exercises control over thislink, the nature of which may beentirely unknown and unknowableto the “buyer.”

P R I V A C Y

S E P T E M B E R / O C T O B E R 2 0 0 1

P R I V A C Y

Dow

nloa

ded

by [

Nor

thea

ster

n U

nive

rsity

] at

19:

56 2

1 N

ovem

ber

2014

� Zone E — The financial servicesentity, i.e., the means through whichthe “seller” gets paid, is representedhere. Neither the “buyer” nor the“seller” exercise control over thiszone. In most E-commerce models,this zone is considered “trusted.”However, this is also the zone mostinsistent on knowing who the“buyer” really is.�� Zone F — This is the telecommu-nications link between Zones E andG, or in at least one variant, Zone Fmay be between Zones C and G. Justas in Zone B, this zone may includemany players. The “buyer” is gener-ally unaware of the controls in thiszone.� Zone G — Zone G represents thedelivery service. When the product orservice sold cannot be delivered elec-tronically, then Zone G representsthe physical processes required toaccomplish delivery and the informa-tion control mechanisms (if any) forthis role.

Many potential configurationsexist. For example, a buyer-centricconfiguration is possible (Exhibit 2)where each relationship with thebuyer is bilateral. More frequently,the merchant is the center as shownin Exhibit 3. Although the privacycontrol issues remain philosophicallythe same in each configuration, thetechnical challenges differ. First, Iwill describe the privacy controlissues generically associated with

each zone. Then, I will examine thetechnical challenges presented by dif-fering configurations of this model.

Privacy Controls over Zone AAlthough the buyer may exert nearlytotal control over this zone, we findfew privacy controls or the underlyingsecurity mechanisms essential toenforcing these controls. TheMicrosoft Internet Explorer 6.0 maycontain features enabling Platformfor Privacy Preferences Project (P3P)2

compliance, but existing defaults pro-vide poor privacy protections. That isunlikely to change. These end-userplatforms are themselves often rid-dled with security weaknesses eitheras concessions to convenience or as aresult of user ignorance.

Privacy Controls over Zone BThis zone admits of only one effectiveprivacy method: encryption. However,implementing end-to-end encryptionwithin this zone requires the coopera-tion of the buyer and the merchant(or whatever other zone to which thebuyer is connected). When connectingto Zone B requires a protocol such asPoint-to-Point Protocol or other ses-sion establishment protocol beforethe end-to-end encryption engages,then we introduce the potential ofadditional control weaknesses.

Privacy Controls over Zone CThe merchant may provide excellentsecurity over its site. To some extent,

S E P T E M B E R / O C T O B E R 2 0 0 1

I N F O R M A T I O N S Y S T E M S S E C U R I T Y

Electronic Transactional Order ModelEXHIBIT 1

AB

CD

EF

G

Telecommunications Links

Buyer Merchant Financial DeliveryService Service

Dow

nloa

ded

by [

Nor

thea

ster

n U

nive

rsity

] at

19:

56 2

1 N

ovem

ber

2014

the buyer can have some assurance ifan ICSA Labs Certification3 or anAICPA WebTrust Certification4 seal

is found and validated on the mer-chant’s site. Alternatively, the mer-chant may have poor security or

S E P T E M B E R / O C T O B E R 2 0 0 1

P R I V A C Y

Buyer-Centric Model — An example of the Buyer-Centric Model exists using thetelephone to accomplish a transaction in which the Buyer must initiate each step.The Buyer (A) calls the Merchant (C) and identifies the desired product and obtainspayment instructions. The Buyer then calls the Financial Institution (E) and author-izes payment in accordance with the payment instructions. The Buyer then callsthe Delivery Service and makes arrangements for the Delivery Service (G) to pickup the product at the Merchant and deliver it to the Buyer. In this model, theMerchant does contact the Financial Institution or the Delivery Service or even theBuyer. You may extend this analogy to the Internet. In the Internet, however, theindependent actions prove operationally less desirable and place excessivereliance of the platform least likely to be well secured — the Client PC.

EXHIBIT 2

AB

CD

E

F

G

Merchant-Centric Model — In the Merchant-Centric Model, the Buyer (A) providesthe Merchant (C) with all of the information necessary to complete the order, i.e.,product selection, payment information, and delivery information. The Merchantis then trusted to provide only the least amount of information essential to eachparty for each party to accomplish its role. This is the traditional on-line orderingmodel. However, implementing this model in a manner conducive to Buyeranonymity requires near Herculean efforts by the Merchant and by the Buyer.New technologies, e.g., American Express Blue and SET, help to protect the priva-cy of the Buyer with regard to the Merchant, but completely fail to protect theBuyer from the Financial Institutions.(E)

EXHIBIT 3

CB

AD

E

F

G

Dow

nloa

ded

by [

Nor

thea

ster

n U

nive

rsity

] at

19:

56 2

1 N

ovem

ber

2014

ineffective controls. The presence ofseals provides an indication; however,the user of the site should reviewcarefully the scope and the limita-tions of any certification. Just as thepresence of a privacy policy is noguarantee that your personally iden-tifiable information will remain pri-vate, the presence of a certificationseal is no guarantee that controls willnot fail. The merchant’s zone remainsproblematic for the buyer — caveatemptor remains the watch-phrase.

Privacy Controls over Zone DIn the merchant-centric model (seeExhibit 3), the merchant or financialinstitution for the merchant general-ly controls the nature of this zone.Therefore, the privacy controls hereare not visible to the buyer. In thebuyer-centric model (see Exhibit 2),the buyer may become aware of theprivacy controls supported in Zone D,but they remain as a general ruleunder the control of financial servic-es. Zone D may consist of many linksand the privacy controls may varyfrom link to link. This may be anencrypted link (or links encryptedend-to-end) using robust cryptogra-phy, or it may be entirely in the clear.Because common protective measureswithin this zone rely on potentiallyweak cryptography or cryptographylimited to authenticators, e.g., person-al identification number (PIN), cardvalidation code (CVC), or pass-phrase,the measures usually fail to protectpersonally identifiable information(PII) including nonpublic personalinformation (NPI)5 such as accountnumbers. The published privacy policyof the merchant will generally treatthis transmission of NPI as an author-ized use and, therefore, not a disclo-sure. Unless the merchant’s financialinstitution or clearing organization isalso the buyer’s, its privacy policy willprobably remain undisclosed to thebuyer. This zone remains problematicfor the buyer with a few notable excep-

tions. The proper use of integrated cir-cuit cards (ICC) often referred to as“smart cards” supports end-to-endcryptography capable of protecting PII.

Privacy Controls over Zone EIn the merchant-centric model, thefinancial services entity or clearingorganization will treat the transactionit receives as a business-to-businesstransaction when it enters this zone.The terms of the contract between thefinancial services entity and the mer-chant will control — an agreementthat is traditionally a trade secretunavailable to the buyer. Further, thebuyer will not know the published pri-vacy policy (if any) of this organiza-tion (or, possibly, a collection oforganizations) unless the buyer has adirect relationship with it.

However, if the buyer were to knowthe entities in this zone and were toobtain the privacy policy statementsgiven to customers of these organiza-tions, the buyer might find that theprovisions in these policies do notapply. Even companies that cleartheir own transactions, e.g., AmericanExpress and Novus/Discover Card,may have circumstances under whicha third-party network “interchange”or service bureau may participate inthe clearing process. Although thefinancial service is often touted as“trusted,” the real-world implementa-tions of privacy controls for this zoneare rarely assured and remain prob-lematic for the buyer.

Privacy Controls over Zone FWhether the financial service, the mer-chant, or the buyer connects to Zone F,the information conveyed through thiszone will reflect the data requirementsof the delivery service (Zone G). Only inthe model where the buyer connectsdirectly to this zone will the buyer havethe opportunity to assert the privacypolicy desired. Otherwise, bilateralagreements between the delivery serv-ice and the merchant or financial serv-

S E P T E M B E R / O C T O B E R 2 0 0 1

I N F O R M A T I O N S Y S T E M S S E C U R I T Y

Dow

nloa

ded

by [

Nor

thea

ster

n U

nive

rsity

] at

19:

56 2

1 N

ovem

ber

2014

Currentbusinesspractices formost companiesplace the buyerin a “take it orleave it”situation.

ice will dictate policy. In some imple-mentations, the merchant provides alink to the delivery service site. Inthese cases, the buyer may attempt todetermine the privacy policy of thedelivery service. Determining the effec-tive policy is not an easy task becausethe policy posted on the delivery serv-ice Web site may only apply to dataobtained through the Web site and notto data provided to the delivery serviceby the merchant or financial serviceentity. Zone F may face the same pri-vacy problems as Zone D. Further, con-trols in Zone F that are potentiallymandated by financial service entitiesor regulatory authorities for financialservice entities may remain entirelyvoluntary — and therefore absent — inthis zone.

Privacy Controls over Zone GThe delivery service represented byZone G may be physical or electronic.When it is electronic, the deliveryservice may be indistinguishablefrom the merchant either because itis handled through the same serversthat service the merchant or becausethe merchant continues to exercisecontrol over the systems used even ifthey differ from the ones used in ZoneC. In the former case, the privacy con-trols over the delivery service areprobably congruent with those of themerchant. In the latter case, they arelikely to be similar, but may be betteror worse. Regardless, if the buyeracquired software from the merchant,the download and installation processmay entail the release of additionalPII to the merchant and might estab-lish an ongoing invasion of privacy(e.g., as was alleged of several of theRealNetwork products6 and is a possi-bility with almost any software prod-ucts for which you register andreceive automatic updates). The pri-vacy policy associated with the mer-chant at the site of the sale may notapply to the relationship establishedthrough a product license delivered

through the delivery service. Theterms of such an end-user agreementmay provide limitations on remediesor may document your explicit grantof permission to collect, to use, and toresell your PII.

If Zone G is a physical delivery sys-tem, e.g., Federal Express, UPS, orthe U.S. Postal Service, then the infor-mation-handling systems of theseorganizations and their respectivebusiness policies become important.To accomplish a physical delivery, thedelivery service must have a validdelivery address. This need notinclude a person’s name or telephonenumber (although both are requestedby most delivery services), but mustinclude sufficient information to iden-tify uniquely the receiving location,i.e., in the United States, streetaddress (or box number), town or city,state, and zip code. Although this isthe least amount of information need-ed, delivery services routinely acquireand retain (and possibly disclose toothers) much more information. Someof this information reflects additionalservices they offer, including insur-ance, delivery confirmation, and spe-cial handling. Other data depends onthe business relationship with themerchant. If the merchant has, forexample, outsourced the returnsprocess to the delivery service, themerchant must provide transactionaldata sufficient to validate returns.This may include payment informa-tion (e.g., method, account numbers,and amounts), product registration,optional or extended warranty infor-mation, and customer contact infor-mation (e.g., name, work phone, ore-mail). Some merchants have fee-sharing arrangements with theirdelivery service, which may result inthe delivery service maintaininginformation about the product pur-chased — information the buyerwould not normally assume wasavailable to the delivery service.

S E P T E M B E R / O C T O B E R 2 0 0 1

P R I V A C Y

Dow

nloa

ded

by [

Nor

thea

ster

n U

nive

rsity

] at

19:

56 2

1 N

ovem

ber

2014

In those transactions where thebuyer selects the delivery service, thebuyer may have sufficient informa-tion to determine the privacy policy ofthe delivery service in advance.Where that decision rests solely withthe merchant, the buyer may be ableto determine the name of the deliveryservice only when the buyer receivesthe product — too late to object to theprivacy policy of the delivery service.

PRIVACY MODELSFrom the descriptions of privacy con-trols over each zone, you may con-clude that the buyer’s relativeposition in the model impacts thedegree of control the buyer is able toexert. Although this is certainly truefor zones undisclosed to the buyer,current business practices for mostcompanies place the buyer in a “takeit or leave it” situation. The E-com-merce nature of the transaction real-ly does not matter. This simplyreflects ordinary commercial practice.For example, in an in-person transac-tion at a major department store, askthe clerk for a copy of the privacy pol-icy of the store. If the clerk can pro-vide you with one (rare), ask that thepolicy be modified to conform to theprivacy policy you prefer. I believeyou will have the same choice youface with an online purchase; youmay choose to do business with thestore or not, but it will not change thepolicy.

Having established the philosophi-cal limitation, we may examine thetechnical limitations over privacy. Toa large degree, these limits are modeldependent. For example, insisting onSSL to protect all PII transmittedfrom the buyer is only feasible if thebuyer has bilateral communicationlinks with the merchant, financialinstitution, and delivery service.Protecting the identity of the buyer,i.e., preventing the merchant, finan-cial intermediary, and the deliveryservice from having PII, requires

either a trusted agent working on thebuyer’s behalf, whose identity cannotbe backward-associated with thebuyer, or a buyer who has one-time-only identities to use (a very difficultmodel when payment and physicaldelivery of product are required).Several technologies (none of which iswidely used as yet) exist to limit thevolume of PII given to the merchant(e.g., SET, American Express Blue).Although almost any ICC-based tech-nology could provide cryptographicencapsulation of PII — thereby limit-ing disclosure to those parties thatmust have it for the completion of atransaction — few merchants arehappy with this. Less secure, soft-ware-only versions of this technologyalso exist.

Physical World ExampleIf you could pay cash for a mailbox ata service other than the U.S. PostalService where the business agreednot to authenticate your identity(“Yes, Mr. John Q. Public, you haveBox 41”), and if each of the followingremains true, you have a start at con-ducting an anonymous businesstransaction:

�� You cannot be associated with themailbox location.�� You can travel to and from thatlocation covertly and access the mail-box without leaving evidence of youridentity at the scene.� You use the location to receive oneand only one shipment.

The next step requires that you payfor your purchase anonymously. Thisis not that difficult, but it is risky. Ifyou pay with cash, barter, or a bearerinstrument, you may have no recourseif the merchant fails to deliver thegoods. The underworld compensatesfor this control weakness by relyingon methods we would considerunavailable to us lest we become partof the underworld ourselves.

S E P T E M B E R / O C T O B E R 2 0 0 1

I N F O R M A T I O N S Y S T E M S S E C U R I T Y

Dow

nloa

ded

by [

Nor

thea

ster

n U

nive

rsity

] at

19:

56 2

1 N

ovem

ber

2014

Conducting E-businessanonymously infact requires theimplementationof a buyer-centric modeland the preposi-tioning ofphysical infra-structure

Because anonymous transactionsthat require delivery are difficult inthe physical world, attempting themin the world of E-business — espe-cially where part of the transactionremains a physical one — is difficult.This is one of the reasons identitytheft is on the rise. Using someoneelse’s identity provides a degree ofanonymity for the wrongful user. Isay a degree of anonymity, becauseeven a false name (pseudonym) ifused often enough can become youridentity. People using aliases arecaught all the time. The pseudonymmay even provide forensic value —linking the person to the crimes com-mitted under that name.

Anonymous E-Business ExampleThis example demonstrates theextraordinary lengths to which a per-son must go to accomplish an anony-mous E-business transaction. Asindicated previously, such a transac-tion increases the risk to the buyerthat the merchant will not honor thepurchase. Using mutually trustedthird parties or intermediaries canmoderate the risk but complicateassurances of anonymity. First, thebuyer must use the buyer-centricmodel (see Exhibit 2). Next, the buyermust use a public identity (for exam-ple, a general user ID at a publiclibrary or similar free and publickiosk) to obtain an e-mail address ona service that does not require PII forregistration (e.g., www.anonmail.net7

or www.advicebox.com8). Using theanonymous e-mail, contact the mer-chant and negotiate product andprice. If the merchant will agree tocash on delivery (COD), this reducesyour risk. Otherwise, obtain an ordernumber. Using cash, purchase amoney order for the proper amount(you may have to do some investiga-tion to find a location where you canavoid being photographed, video-taped, or having to provide false cre-dentials).9 Obtain a mail drop (see

earlier discussion on mailboxes). Ifpaying COD, arrange with the maildrop to pay using cash or moneyorder. If you must have prepay, placethe order number on a money orderand mail first class using a publicmail collection box (preferably onenot located in the same part of thecountry in which you live). For legaltransactions that are unlikely to war-rant FBI interest, this process is suf-ficient. Otherwise, many additionalsteps are needed to reduce the foren-sic evidence produced in any humaninteraction (i.e., fingerprints, saliva,hair, dermal cells, envelope manufac-turer and sales locations, sale loca-tion of money order, and a host ofother evidential materials).

Most important to maintaininganonymity is the rule that you neveruse the same pseudonym, mail drop,payment source, or e-mail accesspath. The use of IP-stripping softwareand other tools to attempt to removeidentifiers from your e-mail mayprove useful, but it is safer is never toreuse an e-mail address.

Although you will continue to seeonline sites that allege private or evenanonymous business transactions,conducting E-business anonymouslyin fact requires the implementation ofa buyer-centric model and the preposi-tioning of physical infrastructure (e.g.,means of payment and physical deliv-ery). Although the use of a stolen orfalse identity may provide a modicumof protection from identification (andmay be unlawful), its effectivenessdepends almost completely on thetransaction going unnoticed, for if thetransaction becomes the subject of aninvestigation, your anonymity mayfall to computer forensics.

Please let me know if you are inter-ested in future privacy-related arti-cles or if you have a greater interest inother security, audit, or control sub-jects: rspoore@ralph-s-poore.com. �

S E P T E M B E R / O C T O B E R 2 0 0 1

P R I V A C Y

Dow

nloa

ded

by [

Nor

thea

ster

n U

nive

rsity

] at

19:

56 2

1 N

ovem

ber

2014

Notes1. Sisyphus, in classical mythology, was a son of

Aeolus and ruler of Corinth noted for trickery. Hewas punished in Tartarus by being compelled toroll a stone to the top of a hill with the stonealways escaping him before reaching the top androlling back down. Thus, a Sisyphean task is onethat is unending and unavailing.

2. For more information on Platform for PrivacyPreferences Project (P3P), refer tohttp://www.w3.org/P3P.

3. For more information, refer to http://www.icsalabs.com/html/certification/index.shtml.

4. For more information, refer tohttp://www.aicpa.org/assurance/webtrust/princip.htm.

5. The Gramm–Leach–Bliley Act (GLBA) uses thisterm for information that a covered entity mustnot disclose to third parties without the data sub-ject’s permission. With enforcement of the GLBAto begin in July 2001, I expect to see litigationresulting from disclosures through insufficientlyprotected financial transactions.

6. See, for example, the article by CourtneyMacavinta, Staff Writer, CNET News.com,November 1, 1999, 2:50 p.m. PT, availablethrough the CNET Web site www.News.com.

7. Anonmail is a fee-based service. The number offree e-mail services that allow truly anonymousaccounts has dropped precipitously as falloutfrom the “dot coms” funding problems and as aresult of governmental pressure.

8. This service is not really an e-mail account, butdoes permit you to send a free, anonymous e-mail. For many transactions, this is sufficient.

9. If you can tolerate the risk and if your merchantwill permit it, you may use cash instead of amoney order or other bearer instrument. In myexamples, I use a money order to permit the mer-chant to believe that I may have recoursewhether I would choose to exercise it or not.

S E P T E M B E R / O C T O B E R 2 0 0 1

I N F O R M A T I O N S Y S T E M S S E C U R I T Y

Dow

nloa

ded

by [

Nor

thea

ster

n U

nive

rsity

] at

19:

56 2

1 N

ovem

ber

2014