Sunday, April 2, 2017

An Infosec View of Privacy

Information security professionals, and especially cryptographers, tend to think in terms of preserving the security properties associated with information assets, and CISSP's in particular tend to start with the CIA Triad. Clearly, privacy relates to the first member of that triad - confidentiality - in some way, but the relationship is not obviously clear. For example, we often use secrecy as a synonym for confidentiality, but privacy is something different.

The difference is centered on agency or control, and in particular the relationship between the subject of the information and the information custodian.

The vast bulk of enterprise information - whether it be private enterprise, or public - is internally-generated, and the subject is, ultimately, the enterprise itself. For example, an ERP system revolves around accounting data (GL, A/R, A/P, etc.) and the ledgers therein describe the enterprise's financial state and history of transactions (as well as future revenue, of course). A CRM system may contain information about customers, but the bulk of that information relates to the enterprise's transactional history with the customer - sales calls, orders placed, etc.

In such cases, the enterprise is custodian of its own information - it is both subject and custodian. There is no conflict of interest - as custodian, the enterprise is never going to breach the confidentiality of its own information, and indeed will implement controls - policies, identity and access management, security models - to ensure that its employees and agents cannot. The enterprise, as the subject, has authority over the custodians and users of the information.

However, a conflict of interest arises when an enterprise is custodian of information about identified (or identifiable) individuals. For example, a medical practice maintains health records about patients; it is the custodian, while the patients are the subjects.

The patient records obviously have value for advertising and marketing purposes, in addition to the intended purpose of patient diagnosis and treatment. For example, a company selling stand-up desks or ergonomic chairs would see considerable value in a list of patients who have complained of chronic back pain, while over-the-counter pharmaceuticals marketers might want to sell directly to patients whose test results indicate pre-diabetes, early indications of hypertension or any of a range of conditions. And an unscrupulous marketer might approach an unscrupulous medical practice manager, resulting in patients being subjected to sales calls for products they do not necessarily want or - worse still - their medical histories or problems being leaked to other interested parties such as family members or employers.

There is a clear conflict of interest here. The subject of the data is not the custodian, and in fact, has no authority over the custodian. It is in the custodian's interest to on-sell the subject's data to anyone and everyone who is willing to pay for it. And while the example of a medical practice involves only a small business, many enterprises are much, much larger and employ many lawyers, resulting in a power imbalance between the enterprise and the affected individual.

This is why governments, acting on behalf of civil society and the individual, enact privacy legislation - the legislation gives the individual some degree of authority over enterprises and restores the balance of power.

Note that many information security controls are able to preserve confidentiality, but not privacy. Personal information is stored in databases and document management systems which are ultimately under the control of an information asset owner and users who are free to access the information for a range of purposes; if he or she decides to extract data, copy it to a USB key and sell it externally, the first two steps are probably authorized while the third cannot be detected, let alone prevented.

Hence the need for a privacy policy and strong privacy education and awareness within the enterprise. In the end, privacy comes down to personal ethics and compliance with the law. It is really a matter of trust in the integrity of those who have access to personal information - and the threat of legal action provides a degree of assurance in that integrity.

Notice that, in this model, the distinction between confidentiality and privacy can be extended beyond individual persons to companies or other entities. For example, the Chinese Wall model is another situation in which information about one entity is in the custody of another (e.g. information about clients held by a consulting firm would obviously be of great interest to other clients who are competitors). In that sense, then, the Chinese Wall model is intended to preserve privacy rather than integrity.

Finally, consider personal information in the custody of the person themselves. The subject and the custodian are the same individual - there is no conflict of interest, privacy laws do not apply, and the issue here is confidentiality, not privacy.

The distinction between confidentiality and privacy, then, is whether the subject of the information has authority over the custodian - if he does, it's a matter of confidentiality, but if he does not, then it's a matter of privacy.

Of course, there are other common conceptions of privacy, as well as legal views relating to photography, etc. but these are not considered here.

No comments: