Proposal

SLAC MEMORANDUM

November 4, 1994

TO: D. Leith

FROM: J. Winters and the Rest of the WWW Technical Committee

SUBJECT: Privacy and Confidentiality Issues in SLAC WWW Information

cc: C. Dickens

EXECUTIVE SUMMARY

World Wide Web (WWW) is a graceful and powerful Internet tool for accessing and manipulating information around the world. Its use has burgeoned in the past year, expanding far beyond its origins in HEP. The global audience does not know the SLAC context, nor perhaps anything about the institution. SLAC needs to find a new balance between open access to information, an integral part of the SLAC, WWW, and HEP traditions, and restricted access as SLAC's privacy and confidentiality needs require. Current WWW software limitations also affect the model.

Some information, like confidential enterprise data and papers in progress, is generally too sensitive to be put on the Web at all. Other information, like accelerator operations logs and The Interaction Point, may most appropriately be restricted to those connecting from a SLAC Internet address. However, material that is useful to distribute should generally be made available to the global WWW community. Lab management should encourage information owners to contribute material to the Web and maintain it. This sharing will help restore a collegial atmosphere to SLAC computing.

Institutional responsibility for putting information on the Web, specifying its accessibility (SLACwide or global), and removing it lies with the group leaders or their designates. Group leaders must also authorize all WWW servers because with current technology, they can present serious security issues if incorrectly configured.

Individual information providers are accountable for materials they place on the Web. Before installing their first item, providers must have a discussion with their group leaders on privacy issues. For subsequent items providers must interrogate themselves about the consequences of making the material available. Group leaders can modify the status of any item. To promote informed decisions, SLAC must proactively develop a common view of what types of information need what kinds of privacy restrictions and publicize the model through presentations, discussions, and on-line and printed documents. This privacy proposal tries to strike a balance between making SLAC information available on the Web in a timely and minimally onerous fashion while meeting SLAC's needs to restrict access to a subset of its information. The model may well evolve as WWW technology improves. To implement the proposal, more resources must be dedicated to SLAC's WWW effort.

ON WWW PRIVACY AT SLAC

The following proposal provides some background on the World Wide Web (WWW or the Web) and information access policies at SLAC, describes privacy and confidentiality problems in WWW, analyzes various aspects, and recommends ways for dealing with the issues.

N.B.: This document only addresses problems pertaining to the privacy and confidentiality of SLAC information on the Web. (These are hereinafter collectively referred to as "privacy" issues.) To implement the proposal, extra resources must be dedicated to WWW. Some of these will be used to develop related documents that treat WWW security, page creation standards and procedures, server establishment, and other topics. Without proper resources people will bypass the rules and procedures that do exist.

BACKGROUND

World Wide Web is a powerful, fluid, and flexible tool for sharing and manipulating information in diverse formats across platforms globally, from plain text and Postscript through hypertext, images, movies, and sound. People may also search data bases and perform other computing tasks remotely.

WWW was conceived at CERN by Tim Berners-Lee in 1989 and has spread very rapidly around the world in the past year. One recent estimate put growth in bytes retrieved at 1% per day!* Although WWW started as a tool for HEP collaboration, it is now being used not only by research laboratories and universities, but also by businesses, governments, not-for-profit organizations, and even individuals.

Since its inception SLAC has practiced an open information policy as part of its computer environment. Most on-line material has been readable by anyone who had computing privileges here. (In VM, that meant a READ password of ALL on most minidisks.)

The Web provides an opportunity for SLAC to extend its open information environment to people and groups around the world. This occasion also requires new decisions about the public or private nature of individual documents.

* Matthew Gray, Web Server Maintainer, Student Information Processing Board, MIT.

THE PROBLEM

Information on the Web is usually available to a global audience that may well have no knowledge of SLAC the institution, much less its environment and mores. Instead of being used by a relatively homogeneous set of people who know each other, Web documents may generally be perused by anyone who has access to the Internet from any place in the world. There is no SLAC wall around our Web information. This burgeoning accessibility may lead to misinterpretation of information (e.g., using logging data as if they were a polished report) or even abuse of information (like planning robberies around staff vacation schedules).

SLAC must address:

  1. What information should be made available to the world and what must be kept private--and among whom.

  2. How privacy can be maintained where necessary without burdensome procedures that inhibit unnecessarily the distribution of useful information to SLAC, its collaborators, sibling labs, and others in the world.

ANALYSIS

It is important to make information that can be usefully shared available through WWW in a timely fashion to SLAC and its various collaborators. No one person or group knows all the material that falls into this category. We depend on others around the Lab to supply information from their own areas of expertise. We need to encourage them to contribute what they own to the Web and maintain it. Decentralized authority is the philosophy upon which WWW is built and has resulted so far in its spreading very effectively.

However, we also need to be concerned about issues of privacy. Information may be irrelevant, embarrassing, misunderstood, or even dangerous if read by the wrong audience.

Access to information on WWW may be granted variously. When considering making files available, document owners should initially consider the questions and answers below. These do not limit all relevant inquiry since only the document owners, who know their material best, can form the most appropriate set of questions.

  1. Should the SLAC information be made available on the Web at all?

    Given current WWW technology, restriction to a particular group at SLAC is impossible to implement securely, so SLAC information that must have such limited access should not be put on the Web at all.

    Enterprise data like personnel, financial, and salary information and drafts of papers in progress generally fall into this category. Serious consideration should also be given before installing preliminary hardware and software evaluations, vacation schedules, and some pager numbers.

  2. Should the SLAC information be made available only to people logging in from the SLAC.Stanford.EDU domain?

    Restriction can currently be handled by limiting access to users whose Internet addresses fall within SLAC's address block (IP number range). Note what this does and does not guarantee: the server trusts the source address of the request, so anyone connecting through a SLAC host is treated as a SLAC user, and the match must be done on the address itself rather than on a loose prefix of the digit string, or neighboring networks will be admitted as well. Accelerator Operations logs, The Interaction Point, the Stores catalogue, and problem reports like PROBTRAK are common examples of this category.

  3. Should the SLAC information be made available only to SLAC.Stanford.EDU folks and collaborators who do not or cannot log in to SLAC hosts?

    Given current WWW technology, restriction to a group of collaborators at SLAC and elsewhere is impossible to implement securely. Casual browsing may be discouraged by parsimonious use of passwords for particular files or file hierarchies, but current Web software sends such passwords across the network unencrypted, so they deter the casual reader rather than a determined one, and their use creates an additional load on those responsible for Web information and software.

    Some experiment planning and discussion documents fit into this category.

  4. Should the SLAC information be made available globally to users of WWW?

    The Beam Line, SLAC Pubs, preprints, the "white pages" of the SLAC phone book, and SCS documents for users are common examples of this category.
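The four categories above amount to an access decision the server makes per request. The following is an added illustration, not code from the memo or from any SLAC server; the page does not name the server software or its configuration language, so the check is written as a small Python routine. The address block 134.79.0.0/16 and the category names used in it are assumptions for illustration only.

```python
import ipaddress

# Assumption for illustration only: SLAC's address block is taken here to be
# 134.79.0.0/16. Substitute the real ranges when adapting this.
SLAC_ONLY_NETWORKS = [ipaddress.ip_network("134.79.0.0/16")]


def naive_prefix_match(client_ip, prefix="134.7"):
    """The 'match a portion of the IP number string' approach as a plain
    textual prefix test. Shown only to expose its failure mode: the prefix
    "134.7" admits 134.70.x.x and 134.71.x.x as readily as 134.79.x.x."""
    return client_ip.startswith(prefix)


def client_in_networks(client_ip, networks=SLAC_ONLY_NETWORKS):
    """True if client_ip lies inside one of the allowed networks.

    The comparison is on the parsed address, not the digit string, so a
    neighboring block that shares leading digits is not admitted. Strings
    that are not addresses at all are refused rather than raising.
    Caveat: this trusts the source address of the request; a user relaying
    through a host inside the block is indistinguishable from a local user.
    """
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in net for net in networks)


def access_decision(client_ip, category):
    """Decide a request against the memo's categories.

    Category names are constructed for this example:
      "global"        - item 4, readable by anyone on the Web
      "slac-only"     - item 2, readable from SLAC addresses only
      "collaborators" - item 3, which current technology cannot restrict
                        securely, so the server denies it by default
      "not-on-web"    - item 1, never served
    """
    if category == "global":
        return True
    if category == "slac-only":
        return client_in_networks(client_ip)
    return False


def audit_requests(requests):
    """Run a batch of (client_ip, category) pairs and return the list of
    denied pairs, the way a reviewer would check a server's access list."""
    return [(ip, cat) for ip, cat in requests if not access_decision(ip, cat)]


if __name__ == "__main__":
    # Constructed sample requests, not taken from any real log.
    sample = [
        ("134.79.18.2", "slac-only"),   # inside the assumed SLAC block
        ("134.70.5.5", "slac-only"),    # neighboring block, same digit prefix
        ("192.0.2.10", "global"),       # anyone may read global items
        ("134.79.18.2", "not-on-web"),  # never served, even from inside
    ]
    for ip, cat in audit_requests(sample):
        print(f"denied: {ip} for {cat}")
```

The point of pairing `naive_prefix_match` with `client_in_networks` is the second caveat in item 2: the textual test accepts 134.70.5.5, while the network test does not.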

Ultimately, group leaders or directors or their designates (hereinafter collectively referred to as "group leaders") are responsible for the appropriateness of SLAC information put on the Web. Traditionally, responsibilities like these have been delegated to computing czars.

THE PROPOSAL

WWW Documents: As called for in the "Final Report of VM-Phaseout Committee," Lab management will encourage SLAC information developers to contribute their knowledge to WWW to help restore "the collegial atmosphere which existed in SLAC computing in the early 80's,...." Part of this effort must be to create an institutional culture that proactively considers privacy issues along with WWW page creation. Specifically:
  1. People making their first information available to WWW must read a short "WWW Information Contributor's Guide" and confer with their group leaders about the appropriateness of their proposed pages, discussing privacy issues explicitly.

    These include questions about the consequences of making their pages globally available. Will publicizing this information hurt someone? Infringe on the safety of the Lab? Betray plans of the Lab before their time? Make the Lab look unprofessional? Disseminate research results prematurely? Present working documents without necessary context? Broadcast incomplete drafts? And is this information appropriate for reading by some but not all people on the Web?

  2. For subsequent contributions, the authors must consider privacy issues themselves for each document they add to the Web. If they have any questions, they should discuss problematical points with their group leaders. Page owners shall be held accountable by their group leaders, both for the information they supply to WWW and to whom it is accessible.

  3. After the fact, group leaders may cause any information to be removed or access restricted as seems necessary. If time allows, any changes shall be discussed ahead of time with the authors; otherwise, afterwards.

WWW Servers: All Web servers must be authorized by group leaders. Each server should have a strong justification like SLD's (heavy use and specially tailored code for Oracle access). Web servers can present serious security issues if incorrectly configured.

SCS will provide a document on risks, standards, conventions, procedures, and software for installing and maintaining WWW servers. Before setting a server up, the owner must register it centrally. The exact procedure is still to be determined but will include assignment of a unique name according to standard conventions.

IMPLEMENTATION

To implement the proposal the following steps should be taken:

  1. Develop a common view among Lab management, WWW czars, and other responsible parties at SLAC on the types of privacy restrictions we need for what kinds of information.

  2. Document the consensus in a "WWW Information Contributor's Guide" that treats privacy considerations along with other standards, conventions, procedures, and software for creating pages for the SLAC Web.

  3. Publicize the model with a presentation to the key managers, a UNIX Journal Club seminar, an article in The Interaction Point, discussions at the (anticipated) Web Users' Group, etc. Make the document available through WWW itself.

CONCLUSION

This proposal tries to strike a balance between supplying WWW pages in a timely and minimally onerous fashion, while meeting SLAC's needs for the privacy of a portion of the information it puts on the Web. The proposal is patterned partly after the successful way U-disk file contributions were handled in VM at SLAC.

The model is a collaborative work in progress. As the technology improves in server code, tools, etc., it may well prove beneficial to iterate the model to take advantage of these advances.