MARK GREENE
Thank you, and good morning. Charles and his team were recently written up in the New York Times, and if I recall correctly, he was called dynamic, slender, and a thought leader. As the speaker following him, it's been a long time since anybody called me slender, you'll be the judge of the dynamic and I'm not sure about the thought leader part of it.
What I did hope to do for the next half hour or so is walk through a view on some of the technologies that are coming to bear to help us all address the privacy issue. And I'll give a perspective that is not unique to IBM, but rather reflects the current perspective of many vendors working in this space.
And of course technology is just one of the facets that we need to consider in the overall privacy discussion. Most of the others have been addressed previously by the earlier speakers. Public policy is the pre-eminent factor in addressing privacy needs, such as the electronic bill of rights that Mr. Magaziner referred to this morning, introduced last week by the White House.
Legal and contractual frameworks are also very important. Here in the US, that began two years ago on the state level, with states such as Arizona and Utah passing legislation that controls digital signatures, and the rights of digital signatures to be reflected in commercial contracts, so that a contract signed electronically is every bit as binding as a contract with a physical signature on it. And now that effort is progressing to the Federal, and indeed, international levels as well.
We'll be hearing this afternoon about the various business policies and practices that are being adopted by organizations such as TRUSTe, the Online Privacy Alliance, the Better Business Bureau, etc. And as was argued by the earlier speakers, those are also important ways that the industry can demonstrate its commitment to maintaining privacy.
And sort of last on the list is the topic of technology. Because there are in fact some underlying tools and technologies that can be used to help enforce privacy. So the view here is that privacy is a necessary component, but by no means sufficient.
Within technology, we'll be talking principally about public key infrastructure. And fear not. This will not be a bits and bytes discussion down in cryptography land, but rather a business person's view on some key PKI technologies as they are called, Public Key Infrastructure.
Beginning with an unfortunate amount of terminology, because there is some of this needed to make headway here. We think about privacy from the perspective of an information asset, an asset such as a piece of data, my credit card number, a transaction, the fact that I've used the credit card number to pay for a particular piece of merchandise, or even a relationship, the fact that I have purchased something from L.L.Bean. Any of those pieces of information becomes an asset, the knowledge of which potentially has useful information for somebody.
So we seek to protect such assets by allowing the owner, the person who's really entitled to control the use of that information asset, to establish a policy. A policy which is a set of rules that determines how and by whom, when and under what circumstances can that information be used.
It's my credit card number, I'm happy to divulge it under certain terms and conditions to vendors I'm doing business with, solely for the purposes of paying for that transaction. I do not wish for those vendors to then turn that information around and use it back against me in a direct marketing or spamming attack. Nor do I want anybody outside of that transaction to have access to the information. Security, we're probably all familiar with, is the underlying mechanisms and procedures that allow us to control access to information through such policies.
We come now to trust, a nebulous concept, which is actually showing up as an increasingly important idea in consumers' and businesses' minds when they think about electronic commerce. Trust being the belief that the policies we seek to apply to those assets will in fact be enforced. And that therefore there is an acceptable and low level of risk that allows us to enter into transactions. I trust, in the case of this credit card example, that the parties that I'm doing business with are all conforming to what Visa and MasterCard have determined is a particular protocol for payments, called secure electronic transactions. I trust that all those parties will do what they're supposed to under that protocol. And therefore my personal information will not be compromised along the way.
So we come lastly to the concept of privacy. Which is actually your ability to set and manage policies over such assets and to be ensured that they will be enforced. Try a little bit of this in pictures. The security topic which we're all familiar with, and which some 62 percent of large businesses identify as a concern, is an idea that we build upon by providing confidence in transactions leading to trust, trust being the operative notion here. Trust in e-business is what IBM is calling this. And trust is the key to get us started. But we need more than that. We need to build on that notion with the notion of confidentiality to get finally to privacy, which is what we seek here.
So a little layer cake on the bottom suggesting how we think this comes together. But the key concepts are the following: if we have a trusted environment to which we add confidentiality, we know that confidentiality can be applied sort of in classes of assets. We can say, for instance, that medical records in general, should only be accessible by certain kinds of doctors and healthcare providers. A particular instantiation of that for an individual would be that John Smith's medical records can only be read by doctors A, B and C. And that then becomes the guarantee of privacy for John Smith's medical records.
So we're working on the idea that privacy builds on trust, by adding confidentiality to that. We're finally through the terminology. And that will let us introduce some key concepts that I'll be walking through in subsequent slides. First the essence of privacy is that it pertains to the approved use of assets, these data and transactions and relationships. And note that it doesn't actually have to be an actual transaction or an actual piece of data. There can be an applied relationship. If I have in one of my databases information about my mortgage, and I also have in that database information about lawyers who specialize in renegotiating mortgages, one can infer that I'm about to go back to my bank to renegotiate. So relationships in addition to underlying atomic data.
Now in the physical world, we ensure privacy by controlling the physical distribution of these assets, sort of under a span of control model, if you will. If I'm filing my taxes, my 1040 tax form is put in the mail and physically delivered through the U.S. mail to the IRS. Now I have some belief through that process that I know how that asset is being maintained and how my privacy is being secured. But my control is limited in scope to the particular channel that I use. Because I have no idea, really, what happens on the other end, once that document is received by the IRS.
So as businesses have gone digital, as people have now been allowed to file their taxes electronically, we have a model in which the assets are now no longer just being physically distributed, they're being electronically distributed. But the security, the privacy associated with them, has a funny property. It's no longer associated just with the asset. It's associated with the physical place in which that asset is stored. If I transmit my tax return from my laptop PC to the IRS, it is then stored on an IRS disk drive, an IRS database. And the security that's found at that location, outside of my control, is determining the privacy that my data's treated with.
A better model would be if I could somehow extend my reach of information. Because it is my asset that we're talking about. And allow my policies to be enforced globally. Not just under certain particular physical PCs. So indeed there is a new class of trusted software arising that makes it possible to assure privacy in this fashion and we'll talk about that. So here again are the three thoughts. Beginning in the physical world, the consumer on the left is perhaps preparing her tax return, placing it in a physical envelope and mailing it at the top of the picture to the IRS. Which perhaps is digitizing the information at that point and redistributing it, perhaps in a hybrid physical-digital world, to other government agencies.
So the consumer who thought that she was simply mailing information off to the IRS, may find that information residing on the computer systems of the FBI, the commerce department, and other government agencies as well. So her ability to assert control and policies on her physical asset have been diminished as that asset is distributed electronically, beyond her span of control. Early in the adoption of electronic commerce, there was work done on electronic data interchange trying to address this. Trying to say can't we keep these assets always in digital form and not have to convert them to physical form along the way? And while that has helped, it did not overcome the problem that asset protection is really a function still in this model of where the asset physically resides.
That as the asset moves from machine to machine, the local security of each individual environment is what determines the access and use of the information. It's still not controlled by the original owner, the consumer on the left. But something profoundly different is now possible in the era of the Internet which provides the kind of global computing capability that this picture suggests. Because we no longer have to make copies of information and distribute and propagate. We can all directly, anywhere, any time, access the information in its original location, here still with the consumer on the bottom left.
So we should be able now to separate the issue of where data resides from the issue of how it is controlled and accessed. The mechanisms that let us do that are the concepts shown on this page. The first concept is, you have to know who's out there in order to understand their roles and responsibilities and access privileges. And the mechanism that the industry is heading towards that allows this to happen is something called a digital certificate or digital I.D. And as the name suggests, this is the electronic analog of documents you would have in your wallet today. A driver's license, a credit card, an ATM bank card.
All of those become certificates issued now electronically to you by parties that already know you, your bank, your state government, your employer. Certificates can contain a remarkable amount of information and they can in fact give signals to the people you do business with as to how much of your personal information you wish to share with others. The mechanism for doing this is something known as OPS, Open Profiling Standard. Which is the way in which an individual can describe through their certificate the different parts of their information they care to share with others. Under a hierarchy of trust so that I might elect for my employer to know my full name and address and the name of my relatives in the event of emergency. On the other hand, banks that I do business with, I might provide only a subset of information to. And anonymous parties that I've never dealt with before would simply get my name and address and nothing more.
OPS is an important and emerging standard that allows this hierarchy of authority to be delegated. Public key infrastructure is the collection of certificates and standards such as OPS, and the associated encryption and signature technologies that allow us all to provide a highly trusted and private environment. This is the eye test chart that I'm sure will overwhelm, but there's a lot going on in public key infrastructure. The various concepts shown on the bottom all come together to allow four important things to happen, shown at the top.
First is authentication. I'm a former banker and I remember from those days that the first rule of banking is, you should know your customer. And in some important way, the first rule of the Internet is you cannot because you don't see them.
So these certificates allow us to authenticate parties that we don't otherwise see. And therefore would otherwise not be able to trust. They also allow privacy to occur, in that transactions between two authenticated parties can be encrypted, so that they remain private to those two parties. They ensure the integrity of information as it flows over the Internet so that the transactions I think I'm engaged in are in fact the same transactions that the other party sees. We agree on what we're doing business on.
And finally, they ensure that these transactions are not repudiated or denied by either party. This is the equivalent of getting the binding handshake or the written signature at the end of a deal, that said yes, we both entered into this transaction voluntarily.
Now we can build on that environment of public key infrastructure through a new generation of what might be called trusted software. Trusted software that takes advantage of the fact that the Internet now provides access anywhere anytime to information assets. And therefore we can set policies, without regard to where the asset physically lives. And we can enforce trust without regard to location as well. And we can audit the enforcement of those policies at the same time.
Such trusted software enhances privacy in several respects. First, it isolates privileges by individual users and types. I might allow the system administrator on my system to have one kind of access to information but my other colleague's a different sort and my employer, my boss, yet a third kind. And importantly, trusted software can be used to do something that's quite difficult today. Which is to prevent the prying eyes of system administrators and operators from even knowing about it.
The type of technology I'm referring to here, in fact, allows me to store very sensitive information about myself on a data center storage device without anybody necessarily having access to it, including an operator or system administrator. Trusted software will move the policy control back to where it belongs, arguably, which is the owner of the asset itself. So that we're no longer worrying about where data lives and who controls that physical device. We're worried instead about who the originator of the information is. And as a result we can simplify the administrative burdens of managing very sensitive information in complex environments.
Now I'll introduce two thoughts that are helping to realize this vision of trusted software. The first of which is the concept of a vault. Which is a combination of software and hardware that in essence constitutes a secure repository in which assets can be stored and managed without regard to the physical location on which they reside. And that the access to and use of this information is trusted to the owner of the information and not to the underlying owner of the physical asset. And at the same time, these assets can be protected from other information and assets that might happen to share the same physical devices.
So if I have my tax records on one system, and somebody else has their banking records on the same system, even though those are similar sounding types of information that might be stored co-located, they can be managed and enforced very separately.
Here's an example of how that works using what we call a trusted vault in which the consumer on the bottom left might be applying for a mortgage from a bank on the bottom right. In each of those parties, the consumer and the bank have their own personal lock boxes as you might think of them, in which information can be maintained and stored and indeed exchanged, but neither party can see what the other party has without being given explicit permission by the owner and neither party has a view into the activities of other lock boxes around them, the model here being a traditional bank model.
A slight refinement of this vault concept is a personal vault in which I can now also store the policies that govern my particular asset along with the assets themselves, so it becomes a traffic cop, shown here as the security guard, who ensures that anybody seeking access to my information has to conform to the policies that I set, and even I myself have to have appropriate permissions to modify these policies.
This is a slight refinement of the underlying vault concept, now driven down the individual personal level, providing very granular control over information, that done properly, has the potential to really bring privacy to top line consideration.
We'll be introducing such capabilities in a product known as the IBM Vault Registry rolling out this summer. This is not quite the forum to walk through those so I'd be happy to take such discussion off line if there's interest, but this class of super certificate authority or public key infrastructure is coming from a number of vendors in the next few months of this year.
Conclusions? Real privacy is achieved when an asset owner has the right to set policies as to how those assets will be used and to trust that the policies will be enforced. You can do that in a number of ways, but technologies and mechanisms in software and hardware are typically more reassuring and more effective in this than the procedures through which it can also be implemented, to assure information asset owners that policies are being enforced.
Finally, with this technology, we begin to shift the burden of trust away from the information technology owners back to the place where it belongs which is the owner of the asset itself.
So, as we proceed over the next two days in a discussion of privacy, these concepts of enabling technology should be in the back of our minds, because they're not the first issue of consideration but they do have a role to play in helping to build a secure and private commerce environment. Thank you very much.
IRVING WLADAWSKY-BERGER
Thank you and we can have questions for Mark or for Charles if you can think of any questions for them.
Mark or Charles, we've been looking at the potential abuses of privacy as a result of the electronic age we're entering but we could equally look at the potential protection of assets that we can do electronically that before we never had to do. And it immediately comes to mind that things like medical records, which before you were dependent on the security of the file cabinet where they were stored, all of a sudden, you have a far better way of securing it electronically if you follow the right rules. So there is an incredible security for securing information that we never had before. Would you two comment on that?
MARK GREENE
I think that's right, and to do so in a way that doesn't require physically being dependent on a particular person or place to provide that information. Of course, the challenge is that it has to be done the right way, because there is the concern that in the absence of such safeguards, medical records and other private information are more easily disseminated. In fact, this technology probably will have the impact of restricting access, which is good.
CHARLES PALMER
Part of the problem seems to be that the value that we have of gathering this information now electronically is now we don't have to go through Bernice in records to get it. We can distribute it, put it at the point at which it is most needed, whether it's in a mobile computer in the hand of the doctor or some sort of display in a trader's office. And this dissemination of the information that we have to watch out for, it used to be that we had our arms around it or at least Bernice did and now, it's everywhere and we have to employ a little more care in keeping track of it.
QUESTION
I have two questions. The first is, how often would you suggest a company does ethical hacking?
CHARLES PALMER
We certainly have plenty of work. Companies are coming to us all the time. What I would like to see happen is that a company who is concerned about security, and of course we all are, put together their own team, not so much to do the ethical hacking, but you go to IBM or somebody and do the ethical hacking once or twice and get your team trained either through IBM or whatever so that they can watch the systems and then do security for themselves.
A lot of companies don't have intrusion detection. Real time intrusion detection is absolutely necessary. When we've actually tested companies who have real time intrusion detection, they catch us at the door and they feel us and they notice us twisting the doorknobs in the sides of their companies and they stop it right there. Then they call us up and say, we got you, try again.
So, I would recommend you do the evaluation, the ethical hack, and act on the information and then you have your own staff meanwhile coming up to speed on how to maintain it themselves. Random acts of tests or physical break ins or whatever are an ongoing responsibility that this team should have. And the key though is when you have your own staff like that, just as with us, you have to make everybody understand that you're not out to get them and fire them.
If I catch somebody with his password on his laptop, my goal is not to get him fired. My goal is to get him educated so that he won't do that anymore. And inside of a company, if you have your own security troops, a lot of times they become hated because "oh, gosh, here they come, just like the auditors." We all love the auditors, but you need to try to defeat that aspect of it and let everybody realize that security is all part of their own responsibility.
QUESTION
In writing a security and privacy statement and posting it on your Website, I know that Amazon.com mentions that they have never had a breach of security, and I'm just wondering what level you go to without making an open invitation to a hacker to come and break into your site.
CHARLES PALMER
That sort of thing is just a really bad idea. Paint a target on your shirt and run around. You just don't ever say things like that, one because it's a lie. You can't possibly know if you've ever been attacked or if you've ever been broken into. You can't know with certainty that it's never happened.
If anybody tells you, well, after we check you out, you're a hundred percent secure forever, not true. Just like after I do a test, you're secure for the next 15 minutes, but once your system administrator comes back from the thrashing that he just got, he or she might not make the right decisions. Or tomorrow, the backup person may come in and make a mistake.
So, that's why, I come in, show you what you need to improve and then you and your staff work together to maintain that level of security from that point on. So, don't make any kinds of statements like that on your Website or anywhere else. When asked, you can just safely say, as I do, we were not broken into as far as I know and just leave it at that.
QUESTION
Can either or both of you comment on the tradeoff of outsourcing for essentially increasing the security of the internal networks and if that is a benefit, what parts of systems should be outsourced?
CHARLES PALMER
Clearly, I would like to see you outsource the ethical hack at least once, but, in general, you need your own security staff unless you're going to completely outsource the whole IS shop. Even if you do outsource the whole IS shop, you're still going to have laptops, you're still going to have a personal policy issue, so you'll need to have a security person hanging around to keep that going.
When you do outsource things such as warehousing your data and so on, long term storage like that, you need to use technology like Evolved or whatever to make sure that it is maintained in the manner in which you had in mind.
MARK GREENE
And if I may just add to that, the operation of that class of that certificate authority, public key infrastructure, is actually fairly complex. And yes, there are certainly large organizations that can do that for themselves. In our case, you will find that as we roll this offering out later this year, that we've teamed with parties that have expertise in doing that and run large scale, high security, very cost efficient and reliable operations, so there will in fact be service bureau providers of that kind of certificate authority.
QUESTION
Hello, I've only been here for a short period of time, but in the short period of time I've been here, I'm concerned that we're confusing the issue of privacy with the issue of security, and privacy and security are very, very different. Privacy is about how information is used. Security is how it's protected, and they can be very different. And since you can only have one information policy in the society, if we start making rules based on how we secure data and transfer it over to protecting, to controlling the use of the data, then we run the risk of changing the society a great deal. Can you please respond to that?
IRVING WLADAWSKY-BERGER
First of all, everybody before these two speakers talked only about privacy. And all the issues and policy matters contained around privacy and generally there are not pure privacy technologies although we're all working on things like P3P and others.
However, the reason we now had the discussion on security is because a key part to privacy is to also secure all the information that you have to the best of your ability. It is not sufficient but it's necessary. That is, I can be the best meaning person in the world when it comes to privacy but if I have lousy security, I run the risk of having screwed up the privacy of all my customers and everybody I deal with.
So, that's the relationship between the two. You're absolutely right. They're not the same but it's fair to say and I heard your comments, I don't know if you can have a really solid privacy policy without a really good security policy although it is possible to have a superb security policy and a lousy privacy policy.
CHARLES PALMER
I would just agree with what he said. As a paid professional paranoid, my goal is to help you identify what it is that you consider to be private information, whether it's an electronic property, employee records or whatever. So once you, with my help, identify what that is, then it's my job and my role in this matter to help you make sure so that happens. So, security, accurate and well done security is an enabling technology for your privacy.
IRVING WLADAWSKY-BERGER
But you're right. They're not the same. You're absolutely right.
QUESTION
You run the risk if you begin to think that you can corral the privacy issues by using the technology of security and the concepts of security. I've seen part of the problem in what we're dealing with today is this idea that you can transfer security concepts to the whole area of privacy, and I'm just concerned with that.
IRVING WLADAWSKY-BERGER
But, again, let me reiterate. We agree totally with you that privacy is a whole set of policy issues on how you handle the information and just being a hundred percent secure, does not in any way guarantee that you have a great privacy policy. We totally agree with you.
And as I said, and I'm only saying it because you mentioned you came in late so you didn't hear those talks before the break, in my remarks and then even more in Ira Magaziner's and Professor Alan Westin's remarks, we totally focused on the privacy policy issues and didn't mention technology once, except a passing reference to P3P that we'll probably discuss a little bit more this afternoon.
You're absolutely right that it will create a false sense of security to think that because you have great security, now you have a good privacy policy. Not true.
QUESTION
If this is going to be covered somewhere else, I'll withdraw, but I have two questions. Would any of you like to comment on the liability that a company would assume if they are going to become their own certification authority? One question, and the second question, do you have any comment on government or military restrictions on encryption standards?
MARK GREENE
I think I dare number one and I know better than to dare number two. The business of certificate authority places one into the same kind of liability and risk profile that any kind of paper credentialing process today does. A bank that issues a credit card today is making a statement about the credit worthiness and identity of the individual who receives the plastic card, and that carries with it risk, and banks are accustomed to managing that.
A properly constructed digital certificate carries the same risk and in fact, there can be an exclusive declaration of the scope of that liability within the certificate itself. Some of the implementations you see today of certificate authorities are less careful than you might wish and so there's potentially more liability, but that's not inherent in the concept of certificates. Certificates are really sort of the electronic analog of the way that the physical world works today.
QUESTION
Other than presenting yourself physically, how far does a company have to go to really establish that they've certified the individual?
MARK GREENE
You see that range of variation today in the physical world. How far do you have to go today to establish your identity as a plastic credit card holder in order to receive one in the mail? In some cases, you have to call in on the phone, some cases you have a written application, there are lots of different ways of doing it. The same thing would be true in this electronic space.
IRVING WLADAWSKY-BERGER
Or a signature on a check.
MARK GREENE
A signature on a check, right, a check guarantee.
IRVING WLADAWSKY-BERGER
Those are all the techniques we're all trying to develop. We haven't realized, obviously you do since you're in the banking business, what a contracted signature is, until we're trying to replace the equivalent with the electronic signatures and now we all have to decide how do we really know and trust the electronic signatures and again, certificates and related techniques are the way that we hope we're going to do that.
But, this is at the very earliest of stages of understanding and again, to the point before, we are all very comfortable about the technology, you know, the public key infrastructure and related methodologies will work, but what we're all now going to learn in the market place is how do you apply them and what is the best use. And we'll all be learning as much as possible and especially, one thing that we are all doing in IBM, and we encourage everybody to do is, there are a lot of professionals out there so there is a lot of help, and a lot of them are bringing that expertise from the physical to the electronic world, and it won't be difficult to set up links so that there are multiple ways of getting things done with a variety of services.
Now, the question on the government and encryption, let's just say that it's been a struggle balancing the requirement of law enforcement agencies with the requirements of being able to have secure electronic commerce around the world. And we and others in the IT industry have been encouraging the US government to be as open minded as possible. But there are all kinds of political battles, with law enforcement agencies often pushing one way and then those of us who want to do business around the world, including those agencies in the government, pushing. And we all have our fingers crossed that the right things will happen.
There is also the question whether the cat is out of the bag, that is, if we can control what the US government lets you export, but there are experts in unlimited encryption technology in lots of other countries that don't have any export rules. And so we could be having a dialog just amongst ourselves while in the meantime, it's all out there and gone.
And as Ira Magaziner so correctly said, it is a pity to have laws on the books that you cannot enforce. It's more than a pity, it's probably dumb, but the political process takes time, sometimes, to work itself out and we'll see what happens.
There are also governments that don't like 128 bit encryption. They think that's too much and they want even less than that, even less than 64 so it's not so strong, sometimes we've had to change our products because some governments want even weaker encryption than what we are allowed to export. So, these things are going to work themselves out.