Information security professionals, and especially cryptographers, tend to think in terms of preserving the security properties associated with information assets, and CISSP's in particular tend to start with the CIA Triad. Clearly, privacy relates to the first member of that triad - confidentiality - in some way, but the relationship is not obviously clear. For example, we often use secrecy as a synonym for confidentiality, but privacy is something different.
The difference is centered on agency or control, and in particular the relationship between the subject of the information and the information custodian.
The vast bulk of enterprise information - whether it be private enterprise, or public - is internally-generated, and the subject is, ultimately, the enterprise itself. For example, an ERP system revolves around accounting data (GL, A/R, A/P, etc.) and the ledgers therein describe the enterprise's financial state and history of transactions (as well as future revenue, of course). A CRM system may contain information about customers, but the bulk of that information relates to the enterprise's transactional history with the customer - sales calls, orders placed, etc.
In such cases, the enterprise is custodian of its own information - it is both subject and custodian. There is no conflict of interest - as custodian, the enterprise is never going to breach the confidentiality of its own information, and indeed will implement controls - policies, identity and access management, security models - to ensure that its employees and agents cannot. The enterprise, as the subject, has authority over the custodians and users of the information.
However, a conflict of interest arises when an enterprise is custodian of information about identified (or identifiable) individuals. For example, a medical practice maintains health records about patients; it is the custodian, while the patients are the subjects.
The patient records obviously have value for advertising and marketing purposes, in addition to the intended purpose of patient diagnosis and treatment. For example, a company selling stand-up desks or ergonomic chairs would see considerable value in a list of patients who have complained of chronic back pain, while over-the-counter pharmaceuticals marketers might want to sell directly to patients whose test results indicate pre-diabetes, early indications of hypertension or any of a range of conditions. And an unscrupulous marketer might approach an unscrupulous medical practice manager, resulting in patients being subjected to sales calls for products they do not necessarily want or - worse still - their medical histories or problems being leaked to other interested parties such as family members or employers.
There is a clear conflict of interest here. The subject of the data is not the custodian, and in fact, has no authority over the custodian. It is in the custodian's interest to on-sell the subject's data to anyone and everyone who is willing to pay for it. And while the example of a medical practice involves only a small business, many enterprises are much, much larger and employ many lawyers, resulting in a power imbalance between the enterprise and the affected individual.
This is why governments, acting on behalf of civil society and the individual, enact privacy legislation - the legislation gives the individual some degree of authority over enterprises and restores the balance of power.
Note that many information security controls are able to preserve confidentiality, but not privacy. Personal information is stored in databases and document management systems which are ultimately under the control of an information asset owner and users who are free to access the information for a range of purposes; if he or she decides to extract data, copy it to a USB key and sell it externally, the first two steps are probably authorized while the third cannot be detected, let alone prevented.
Hence the need for a privacy policy and strong privacy education and awareness within the enterprise. In the end, privacy comes down to personal ethics and compliance with the law. It is really a matter of trust in the integrity of those who have access to personal information - and the threat of legal action provides a degree of assurance in that integrity.
Notice that, in this model, the distinction between confidentiality and privacy can be extended beyond individual persons to companies or other entities. For example, the Chinese Wall model is another situation in which information about one entity is in the custody of another (e.g. information about clients held by a consulting firm would obviously be of great interest to other clients who are competitors). In that sense, then, the Chinese Wall model is intended to preserve privacy rather than integrity.
Finally, consider personal information in the custody of the person themselves. The subject and the custodian are the same individual - there is no conflict of interest, privacy laws do not apply, and the issue here is confidentiality, not privacy.
The distinction between confidentiality and privacy, then, is whether the subject of the information has authority over the custodian - if he does, it's a matter of confidentiality, but if he does not, then it's a matter of privacy.
Of course, there are other common conceptions of privacy, as well as legal views relating to photography, etc. but these are not considered here.
Showing posts with label privacy. Show all posts
Showing posts with label privacy. Show all posts
Sunday, April 2, 2017
Sunday, April 21, 2013
2013: The Year of the Facebook Mobile Attack?
Facebook has been pushing - if you don't update, you'll receive notifications in your newsfeed - a new version of the Facebook app for Android. I've reluctantly upgraded the version on my Nexus 7, but I'm holding off installing it on my phone. At this point, I'm not sure the increased risk is worth it.
"What risk?", I hear you ask. There's a potential exposure in the new Facebook app; the app requires somewhat looser permissions than the previous version, including - wait for it - the ability to directly call phone numbers. Big red flag here, Facebook. The major form of malware seen to date on Android phones has been apps that use this permission to call premium-rate international numbers, running up a huge phone bill for the victim and delivering a nice profit for the attacker.
The need to make phone calls arises from the introduction of the new "Facebook Home" - an app which takes over the home screen of a phone to present a Facebook-centric experience - as well as Facebook Messenger, which integrates Facebook messaging with SMS as well as supporting voice messaging. It's not clear to me why the main Facebook app, which does not support these functions, should also require access to the phone functionality, not to mention the ability to record audio, download files without notification, read your contacts and many other privacy-invading permissions.
At the same time Facebook has been a terrific vector for the spread of malware on the PC, sometimes in the form of infected videos or apps, as well as privacy-invading apps which harvest your profile, contacts or other information or download files.
The message: expect this to spread rapidly to mobile devices. Facebook now exposes a relatively large attack surface, and an attacker who can compromise the Facebook app on Android can use its permissions in a range of creative ways.
2013: the year of the Facebook mobile attack? I hope not, but it looks likely to me.
"What risk?", I hear you ask. There's a potential exposure in the new Facebook app; the app requires somewhat looser permissions than the previous version, including - wait for it - the ability to directly call phone numbers. Big red flag here, Facebook. The major form of malware seen to date on Android phones has been apps that use this permission to call premium-rate international numbers, running up a huge phone bill for the victim and delivering a nice profit for the attacker.
 |
| Properties required by the Facebook app for Android - notice "direct call phone numers" |
The need to make phone calls arises from the introduction of the new "Facebook Home" - an app which takes over the home screen of a phone to present a Facebook-centric experience - as well as Facebook Messenger, which integrates Facebook messaging with SMS as well as supporting voice messaging. It's not clear to me why the main Facebook app, which does not support these functions, should also require access to the phone functionality, not to mention the ability to record audio, download files without notification, read your contacts and many other privacy-invading permissions.
At the same time Facebook has been a terrific vector for the spread of malware on the PC, sometimes in the form of infected videos or apps, as well as privacy-invading apps which harvest your profile, contacts or other information or download files.
The message: expect this to spread rapidly to mobile devices. Facebook now exposes a relatively large attack surface, and an attacker who can compromise the Facebook app on Android can use its permissions in a range of creative ways.
2013: the year of the Facebook mobile attack? I hope not, but it looks likely to me.
Sunday, April 14, 2013
Google+: The Good, The Bad and The Ugly
I've recently introduced a group of online friends to Google+. We'd mostly met via Facebook, where we'd shared things via a secret group, but disenchantment set in and the group was fractured when some of our number were locked out of their accounts (the reasons for that are not at all straightforward and I won't go into them here).
So a few of us were chatting about how to get around this, and off the top of my head I quipped, "We ought to set up a similar group as a Google+ community". Then I thought, "why not?" and a minute later, I'd done it.
I spent the day intermittently writing short "How-To" posts for the new users I was dragging across from Facebook, and answering their questions, helping them to figure out how to get things done, etc. It's been a couple of days and the experience has given me a better understanding of Google+
Circles. You have to grok circles. Circles have both read and write, or in and out, functionality. You can use circles to filter what you see in your home page - for example, you can suppress a circle from appearing in your Home page stream (great if they are prone to posting NSFW images!). That's the "read" functionality. You can also limit posts to only certain circles so that your doings are not broadcast to the wrong people - that's the "write" functionality, which will be more important to some people (to be honest, I regard anything that I post on a social networking site as public).
The problem is that the importance of circles, and the things one ought to consider when creating them and adding people to them, are not immediately obvious - it's only after you've spent some time fiddling with the various configuration options that their importance becomes apparent.
Now to some good points I've noticed and others have commented on.
Firstly, the Home page has filtering, so you can view just specific circles. Across the top of the home page are buttons for "All", "Friends", "Following", or whatever circles you've created. This means you can choose to see only posts from colleagues during the workday, then spend some time catching up with friends, or reading up on products/technology you're following.
The integration with Gmail, Contacts, Youtube, Blogger, etc. is nice - but only important for users who have already engaged with the Googleverse. It's good for me - I use Google Apps for both business and university purposes, and it was that that led me to get my Google+ profile sorted out and then start using it - but for people looking for a Facebook alternative, the fact that you might have to use some other Google service such as Google Drive to get things done seems odd.
There are some nice usability features; for example, you can drag and drop pictures directly into the "Share what's new..." comment box - there's no need to click on "Add Photos/Video" first. However, on the down side, sharing URL's requires you to click on a link button to get a field, rather than auto-recognising the URL in your text. And Google+ doesn't automatically provide previews of URL's in comments like Facebook does.
The privacy and security options are very granular; this is great if you're willing to take the time to learn and use them. Not every is willing, though - and it can be confusing for the new user, who doesn't know what all these things are.
Communities are essentially equivalent to Facebook groups, and can be made public with no barriers to joining, public with approval for joins, or secret, which will require an invitation to join. A nice feature which Facebook doesn't have is "Categories"; for example, I quickly created a a "Using Google+ And This Community" category where I could post hints and answer questions without overwhelming the main "Discussion" category. Of course, the default view when one logs in is "All posts", which displays everything - and it takes the new user some time to discover and use categories. Until they do, they post everything in the default "Discussion" category and (under "Bad") there's no way for moderators to move posts to the correct category.
It's quiet. I've given up on Twitter; it's been over-run by social media "marketers" who think they're slick, and aren't. Facebook is rapidly heading the same way; my newsfeed is starting to fill with posts from link farmers trying to trap people into granting access to their Facebook profiles. Google+ doesn't have that, as far as I can see. Yes, there are marketers there - I follow a couple of my favourite brands - but so far, it's a pretty well-behaved place.
But there are problems, and it's been obvious as I've introduced these new users.
It's noisy. By default, every post, every comment on a post, every damn thing that happens, fires off an email. There's a notifications on/off button in communities, but that doesn't seem to do much to quieten things down - instead, you have to go to your profile,
Configuration options and settings are spread out in various places, mostly accessible from your Profile, via the gear-wheel icon at top right. Some options are under "Profile and Privacy" (https://www.google.com/settings/privacy) - for example, you can control which people appear in the "People in his/her circle" listing on your profile, on a circle-by-circle basis if you want. But other settings, such as just what "Your Circles" means when you share something with "Your Circles", and the email/SMS notification noise level, are under "Google+" (https://www.google.com/settings/plus). It all gets rather confusing, especially for the new user.
Another big issue is the lack of group chat functionality. Just like Facebook, there's a "Chat" tab at lower right of most pages, but unlike Facebook, you can't add multiple people to the conversation. Googling "Google+ group chat" leads to articles that imply it's possible, but the software has obviously changed since they were written. And the confusion over Google's IM products don't help, there's Google+ Chat, Google Talk, Google Messenger and Google Voice, and they're all different things. In fact, it seems that two different things on different platforms (PC vs Android) can even have the same name even though they're incompatible and not interoperable.
If you really want a multi-way conversation, Google+ pushes you towards "Hangouts" which offer up to 10-way videoconferencing and have some really neat features such as screen-sharing, etc. However, not everyone has a webcam, or even a microphone, or they don't want to be seen. And Hangouts require special software; when you start a hangout (or try to join one?) without the software, you are prompted to download GoogleVoiceAndVideoSetup.exe. The messages seem to imply that the software has installed itself; however I soon discovered that it hadn't, and when I found and ran GoogleVoiceAndVideoSetup.exe, it downloaded and installed the actual code required. At this stage, no-one else in our little group seems to have completed the process and so we haven't actually accomplished a Hangout. If we do, we might well move this feature to the "Good" side of this balance sheet.
File sharing is difficult. Facebook groups have a "Files" tab and even an "Add file" link right at the top of the page. There's nothing like this in Google+ communities. The easiest way to share something seems to be to upload it to Google Drive, make it public and accessible to anyone who has the link, then copy and paste the link into a Google+ post. This is awkward at best, and it also means that the file is stored in an individual user's Drive, rather than storage space that belongs to the community. At the very least, the Share... menu option in Google Drive ought to have options for sharing to Google+ - that functionality already exists in Youtube and could almost be copied and pasted into the Google Drive code base.(Update: it turns out that there may be a button which allows direct sharing to Google+ [or email, Facebook or Twitter], but I don't see it because I'm using the Google Apps version of Google Drive. Just another complication - different people see different versions of the same thing, depending upon which Google services they're signed up for.)
Terminology keeps changing. For example, the term "stream" has fallen into disuse - your "stream" is now your "Home page". And I've already mentioned the confusion over the IM apps.
Functionality keeps changing and is inconsistent. Google+ - and the rest of the Googleverse - is obviously in a constant state of change and flux. New functionality is constantly appearing while older and less-used - but popular with its users - features are liable to disappear. I need only mention Google Reader at this point - but it's an issue I'll return to.
Related to this is the fact that while Google is positioning Google+ as the central hub of their applications and services, at least for identity and profile management, it is not very good as a user-centric dashboard. As one of my friends pointed out, iGoogle was much better for that - but it's due for end-of-life later this year. It's a great pity - Google needs something that provides a single page with widgets for Gmail, Calendar, Contacts, Google+, etc. Ironically, I realised that's what my home screen on the Nexus 7 provides - it would be wonderful if Google could provide a web page that could run the same widgets as Android devices. How about it, Google?
Now we're down to cosmetics - the kind of thing that a bit of CSS fine-tuning could probably fix
Google+ doesn't seem to fit as much information on the page as Facebook does. I say, "seem", because on close inspection they both use the same font size for the main text of posts. Google+ puts its major app icons down the left column while Facebook lists groups, apps and pages there; scrolling up, Facebook shifts it up, leaving empty white space. Over on the right, Google+ lists more "stuff" you might like while Facebook puts a scrolling "ticker" app, which is dense with a smaller font and less white space.
Part of the reason for the less dense appearance of Google+ is its use of boxes around posts and grey shading. Facebook's all-white page is much cleaner looking. Google+ could really use a makeover from a good designer.
Overall, the impression one gets is that Google+ is "geekier" - it's stronger and more innovative on the back end server functionality. There are lots of configuration options, but Google annoys most first-time users by not setting appropriate defaults - there are far too many email notifications and the privacy settings probably aren't set high enough for most users, requiring a good half-hour or more of stumbling around, changing things by trial and error.
I believe that Google+ is going to grow and get better - as more and more users acquire Android devices or switch to using Google Apps and Gmail, they will be assimilated, and the functionality will be refined. But for now, it's still rough round the edges and a bit abrasive for the user switching over from Facebook.
So a few of us were chatting about how to get around this, and off the top of my head I quipped, "We ought to set up a similar group as a Google+ community". Then I thought, "why not?" and a minute later, I'd done it.
I spent the day intermittently writing short "How-To" posts for the new users I was dragging across from Facebook, and answering their questions, helping them to figure out how to get things done, etc. It's been a couple of days and the experience has given me a better understanding of Google+
Neither Good Nor Bad - Just Important
Circles. You have to grok circles. Circles have both read and write, or in and out, functionality. You can use circles to filter what you see in your home page - for example, you can suppress a circle from appearing in your Home page stream (great if they are prone to posting NSFW images!). That's the "read" functionality. You can also limit posts to only certain circles so that your doings are not broadcast to the wrong people - that's the "write" functionality, which will be more important to some people (to be honest, I regard anything that I post on a social networking site as public).
The problem is that the importance of circles, and the things one ought to consider when creating them and adding people to them, are not immediately obvious - it's only after you've spent some time fiddling with the various configuration options that their importance becomes apparent.
The Good
Now to some good points I've noticed and others have commented on.
Firstly, the Home page has filtering, so you can view just specific circles. Across the top of the home page are buttons for "All", "Friends", "Following", or whatever circles you've created. This means you can choose to see only posts from colleagues during the workday, then spend some time catching up with friends, or reading up on products/technology you're following.
The integration with Gmail, Contacts, Youtube, Blogger, etc. is nice - but only important for users who have already engaged with the Googleverse. It's good for me - I use Google Apps for both business and university purposes, and it was that that led me to get my Google+ profile sorted out and then start using it - but for people looking for a Facebook alternative, the fact that you might have to use some other Google service such as Google Drive to get things done seems odd.
There are some nice usability features; for example, you can drag and drop pictures directly into the "Share what's new..." comment box - there's no need to click on "Add Photos/Video" first. However, on the down side, sharing URL's requires you to click on a link button to get a field, rather than auto-recognising the URL in your text. And Google+ doesn't automatically provide previews of URL's in comments like Facebook does.
The privacy and security options are very granular; this is great if you're willing to take the time to learn and use them. Not every is willing, though - and it can be confusing for the new user, who doesn't know what all these things are.
Communities are essentially equivalent to Facebook groups, and can be made public with no barriers to joining, public with approval for joins, or secret, which will require an invitation to join. A nice feature which Facebook doesn't have is "Categories"; for example, I quickly created a a "Using Google+ And This Community" category where I could post hints and answer questions without overwhelming the main "Discussion" category. Of course, the default view when one logs in is "All posts", which displays everything - and it takes the new user some time to discover and use categories. Until they do, they post everything in the default "Discussion" category and (under "Bad") there's no way for moderators to move posts to the correct category.
It's quiet. I've given up on Twitter; it's been over-run by social media "marketers" who think they're slick, and aren't. Facebook is rapidly heading the same way; my newsfeed is starting to fill with posts from link farmers trying to trap people into granting access to their Facebook profiles. Google+ doesn't have that, as far as I can see. Yes, there are marketers there - I follow a couple of my favourite brands - but so far, it's a pretty well-behaved place.
The Bad
But there are problems, and it's been obvious as I've introduced these new users.
It's noisy. By default, every post, every comment on a post, every damn thing that happens, fires off an email. There's a notifications on/off button in communities, but that doesn't seem to do much to quieten things down - instead, you have to go to your profile,
Configuration options and settings are spread out in various places, mostly accessible from your Profile, via the gear-wheel icon at top right. Some options are under "Profile and Privacy" (https://www.google.com/settings/privacy) - for example, you can control which people appear in the "People in his/her circle" listing on your profile, on a circle-by-circle basis if you want. But other settings, such as just what "Your Circles" means when you share something with "Your Circles", and the email/SMS notification noise level, are under "Google+" (https://www.google.com/settings/plus). It all gets rather confusing, especially for the new user.
Another big issue is the lack of group chat functionality. Just like Facebook, there's a "Chat" tab at lower right of most pages, but unlike Facebook, you can't add multiple people to the conversation. Googling "Google+ group chat" leads to articles that imply it's possible, but the software has obviously changed since they were written. And the confusion over Google's IM products don't help, there's Google+ Chat, Google Talk, Google Messenger and Google Voice, and they're all different things. In fact, it seems that two different things on different platforms (PC vs Android) can even have the same name even though they're incompatible and not interoperable.
If you really want a multi-way conversation, Google+ pushes you towards "Hangouts" which offer up to 10-way videoconferencing and have some really neat features such as screen-sharing, etc. However, not everyone has a webcam, or even a microphone, or they don't want to be seen. And Hangouts require special software; when you start a hangout (or try to join one?) without the software, you are prompted to download GoogleVoiceAndVideoSetup.exe. The messages seem to imply that the software has installed itself; however I soon discovered that it hadn't, and when I found and ran GoogleVoiceAndVideoSetup.exe, it downloaded and installed the actual code required. At this stage, no-one else in our little group seems to have completed the process and so we haven't actually accomplished a Hangout. If we do, we might well move this feature to the "Good" side of this balance sheet.
File sharing is difficult. Facebook groups have a "Files" tab and even an "Add file" link right at the top of the page. There's nothing like this in Google+ communities. The easiest way to share something seems to be to upload it to Google Drive, make it public and accessible to anyone who has the link, then copy and paste the link into a Google+ post. This is awkward at best, and it also means that the file is stored in an individual user's Drive, rather than storage space that belongs to the community. At the very least, the Share... menu option in Google Drive ought to have options for sharing to Google+ - that functionality already exists in Youtube and could almost be copied and pasted into the Google Drive code base.(Update: it turns out that there may be a button which allows direct sharing to Google+ [or email, Facebook or Twitter], but I don't see it because I'm using the Google Apps version of Google Drive. Just another complication - different people see different versions of the same thing, depending upon which Google services they're signed up for.)
Terminology keeps changing. For example, the term "stream" has fallen into disuse - your "stream" is now your "Home page". And I've already mentioned the confusion over the IM apps.
Functionality keeps changing and is inconsistent. Google+ - and the rest of the Googleverse - is obviously in a constant state of change and flux. New functionality is constantly appearing while older and less-used - but popular with its users - features are liable to disappear. I need only mention Google Reader at this point - but it's an issue I'll return to.
Related to this is the fact that while Google is positioning Google+ as the central hub of their applications and services, at least for identity and profile management, it is not very good as a user-centric dashboard. As one of my friends pointed out, iGoogle was much better for that - but it's due for end-of-life later this year. It's a great pity - Google needs something that provides a single page with widgets for Gmail, Calendar, Contacts, Google+, etc. Ironically, I realised that's what my home screen on the Nexus 7 provides - it would be wonderful if Google could provide a web page that could run the same widgets as Android devices. How about it, Google?
The Ugly
Now we're down to cosmetics - the kind of thing that a bit of CSS fine-tuning could probably fix
Google+ doesn't seem to fit as much information on the page as Facebook does. I say, "seem", because on close inspection they both use the same font size for the main text of posts. Google+ puts its major app icons down the left column while Facebook lists groups, apps and pages there; scrolling up, Facebook shifts it up, leaving empty white space. Over on the right, Google+ lists more "stuff" you might like while Facebook puts a scrolling "ticker" app, which is dense with a smaller font and less white space.
Part of the reason for the less dense appearance of Google+ is its use of boxes around posts and grey shading. Facebook's all-white page is much cleaner looking. Google+ could really use a makeover from a good designer.
Summing Up
Overall, the impression one gets is that Google+ is "geekier" - it's stronger and more innovative on the back end server functionality. There are lots of configuration options, but Google annoys most first-time users by not setting appropriate defaults - there are far too many email notifications and the privacy settings probably aren't set high enough for most users, requiring a good half-hour or more of stumbling around, changing things by trial and error.
I believe that Google+ is going to grow and get better - as more and more users acquire Android devices or switch to using Google Apps and Gmail, they will be assimilated, and the functionality will be refined. But for now, it's still rough round the edges and a bit abrasive for the user switching over from Facebook.
Monday, September 7, 2009
Privacy Isn't Just Confidentiality
I've been following some discussion, in a private security-related mailing list, on the topic of what constitutes sensitive information. What's interesting is that many participants seem to have completely missed the point about privacy, as opposed to security.
The whole thing started with a query as to whether a person's date of birth could be considered sensitive or confidential if combined with other personally identifiable information. The thread then meandered around various topics inclduing privacy, identity theft and authentication. It pretty much ended with various contributors suggesting that any security professional worth his (or her) salt should not need to ask this question, and in particular, the last person to ask it of should be a lawyer. One contributor - who had better remain nameless - stated outright, "No slight intended on lawyers, but if anybody who considers themselves to be an information security professional needs to rely on lawyers to tell them what sensitive information is and how they are to protect it then we are all doomed!".
Bzzt! Thank you for playing, Anonymous! Please bring on the next contestant.
Infosec professionals need to be aware of the law in this area, as in many others. And, the law being what it is, the best approach is to consult a lawyer. Certainly, one should have some degree of familiarity with the relevant local law; for me, here in Australia, this is the Privacy Act (C'wealth) (1988) [1] which defines personal information that is subject to the Act, as well as "sensitive information" which is subject to additional safeguards.
The Act defines personal information as "information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion."
It further defines "sensitive information", which requires specific treatment under the Act as:
"(a) information or an opinion about an individual's:
(i) racial or ethnic origin; or
(ii) political opinions; or
(iii) membership of a political association; or
(iv) religious beliefs or affiliations; or
(v) philosophical beliefs; or
(vi) membership of a professional or trade association; or
(vii) membership of a trade union; or
(viii) sexual preferences or practices; or
(ix) criminal record;
that is also personal information; or
(b) health information about an individual; or
(c) genetic information about an individual that is not otherwise health information. "
If you're like me when I first read that list, you are probably surprised at some of the items on it, but upon mature reflection you'll probably come to agree and perhaps think of additional elements that should be added. All of which suggests that our intuitive understanding of privacy is often incomplete.
Notions of privacy vary enormously around the world; furthermore there is often a considerable gap between what an enterprise thinks it ought to know about its customers/clients/employees and what those individuals would like the enterprise to know and do with what it knows.
The essential difference between security/confidentiality and privacy is who has control; for security in general, the owner of the information has control, but for privacy, the subject of the information has control. As an individual, the subject clearly has little influence and especially not authority over what an enterprise information owner does; hence the mechanism by which subjects collectively exert that control is legislation.
Security professionals tend to focus on how to assure the confidentiality, integrity and availability of the information in the systems in their care. We put a lot of effort into making sure the bad guys can't get access to our information. But privacy legislation is written to make sure that we aren't the bad guys - that we don't collect information we shouldn't, and that we don't use information in ways we shouldn't. Sometimes that poses ethical conflicts, when our employers think it would be a good idea to collect or aggregate personal information contrary to legislation; in that case, we have to advise against this and require compliance with the law.
For the individual, the decision to disclose personal information is a trust decision. In some cases - when dealing with other individuals, for example - we are able to rely on their benevolence. But massive corporations, by and large, are not benevolent and not possessed of individual free will. We have to rely much more on their competence, their integrity in the sense of willingness to be bound to privacy compliance, and their ability to resist security breaches. Individuals are therefore forced to rely on what is sometimes called deterence-based trust - the existence of legal sanctions which ensure that penalties for breach of trust will exceed any potential benefits from opportunistic behaviour.
An excellent example from Icelandic usage of population genomics databases [2] illustrates the deeper complexities; most individuals have given virtually no thought to the privacy implications of releasing their DNA for research purposes, but fortunately medical and legal ethicists have been thinking about it and proposing additional safeguards. (Thanks to Graciela Pataro for this example).
So to say that security professionals don't need to consult a lawyer is disingenuous. Winging it and assuming that defending our systems against external threats simply isn't enough.
References:
[1] Privacy Act, 1988, as amended, Commonwealth Government of Australia. Available online at http://www.comlaw.gov.au/comlaw/management.nsf/lookupindexpagesbyid/IP200401860
[2] Herman T. Tavani, "The Case of DeCODE Genetics, Inc" in Chapter 1, "Ethics at the Intersection of Computing and Genomics" in Herman T. Tavani (ed.), "Ethics, Computing and Genomics", Jones & Bartlett Publishers, 2005. ISBN 0763736201, 9780763736200. Available online at http://books.google.com.au/books?id=wlrPaPRshesC&pg=PA15&dq=the+case+of+DECODE+Genetics+Inc#v=onepage&q=the%20case%20of%20DECODE%20Genetics%20Inc&f=false
The whole thing started with a query as to whether a person's date of birth could be considered sensitive or confidential if combined with other personally identifiable information. The thread then meandered around various topics inclduing privacy, identity theft and authentication. It pretty much ended with various contributors suggesting that any security professional worth his (or her) salt should not need to ask this question, and in particular, the last person to ask it of should be a lawyer. One contributor - who had better remain nameless - stated outright, "No slight intended on lawyers, but if anybody who considers themselves to be an information security professional needs to rely on lawyers to tell them what sensitive information is and how they are to protect it then we are all doomed!".
Bzzt! Thank you for playing, Anonymous! Please bring on the next contestant.
Infosec professionals need to be aware of the law in this area, as in many others. And, the law being what it is, the best approach is to consult a lawyer. Certainly, one should have some degree of familiarity with the relevant local law; for me, here in Australia, this is the Privacy Act (C'wealth) (1988) [1] which defines personal information that is subject to the Act, as well as "sensitive information" which is subject to additional safeguards.
The Act defines personal information as "information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion."
It further defines "sensitive information", which requires specific treatment under the Act as:
"(a) information or an opinion about an individual's:
(i) racial or ethnic origin; or
(ii) political opinions; or
(iii) membership of a political association; or
(iv) religious beliefs or affiliations; or
(v) philosophical beliefs; or
(vi) membership of a professional or trade association; or
(vii) membership of a trade union; or
(viii) sexual preferences or practices; or
(ix) criminal record;
that is also personal information; or
(b) health information about an individual; or
(c) genetic information about an individual that is not otherwise health information. "
If you're like me when I first read that list, you are probably surprised at some of the items on it, but upon mature reflection you'll probably come to agree and perhaps think of additional elements that should be added. All of which suggests that our intuitive understanding of privacy is often incomplete.
Notions of privacy vary enormously around the world; furthermore there is often a considerable gap between what an enterprise thinks it ought to know about its customers/clients/employees and what those individuals would like the enterprise to know and do with what it knows.
The essential difference between security/confidentiality and privacy is who has control; for security in general, the owner of the information has control, but for privacy, the subject of the information has control. As an individual, the subject clearly has little influence and especially not authority over what an enterprise information owner does; hence the mechanism by which subjects collectively exert that control is legislation.
Security professionals tend to focus on how to assure the confidentiality, integrity and availability of the information in the systems in their care. We put a lot of effort into making sure the bad guys can't get access to our information. But privacy legislation is written to make sure that we aren't the bad guys - that we don't collect information we shouldn't, and that we don't use information in ways we shouldn't. Sometimes that poses ethical conflicts, when our employers think it would be a good idea to collect or aggregate personal information contrary to legislation; in that case, we have to advise against this and require compliance with the law.
For the individual, the decision to disclose personal information is a trust decision. In some cases - when dealing with other individuals, for example - we are able to rely on their benevolence. But massive corporations, by and large, are not benevolent and not possessed of individual free will. We have to rely much more on their competence, their integrity in the sense of willingness to be bound to privacy compliance, and their ability to resist security breaches. Individuals are therefore forced to rely on what is sometimes called deterence-based trust - the existence of legal sanctions which ensure that penalties for breach of trust will exceed any potential benefits from opportunistic behaviour.
An excellent example from Icelandic usage of population genomics databases [2] illustrates the deeper complexities; most individuals have given virtually no thought to the privacy implications of releasing their DNA for research purposes, but fortunately medical and legal ethicists have been thinking about it and proposing additional safeguards. (Thanks to Graciela Pataro for this example).
So to say that security professionals don't need to consult a lawyer is disingenuous. Winging it and assuming that defending our systems against external threats simply isn't enough.
References:
[1] Privacy Act, 1988, as amended, Commonwealth Government of Australia. Available online at http://www.comlaw.gov.au/comlaw/management.nsf/lookupindexpagesbyid/IP200401860
[2] Herman T. Tavani, "The Case of DeCODE Genetics, Inc" in Chapter 1, "Ethics at the Intersection of Computing and Genomics" in Herman T. Tavani (ed.), "Ethics, Computing and Genomics", Jones & Bartlett Publishers, 2005. ISBN 0763736201, 9780763736200. Available online at http://books.google.com.au/books?id=wlrPaPRshesC&pg=PA15&dq=the+case+of+DECODE+Genetics+Inc#v=onepage&q=the%20case%20of%20DECODE%20Genetics%20Inc&f=false
Subscribe to:
Posts (Atom)