How Do Security Pros Understand Privacy?



Privacy is contentious today. Some say the information age has brought real changes to privacy norms. With so much private data leaking through breaches, accidents and digital business practices, it’s often said that ‘the genie is out of the bottle’. Many think privacy has become hopeless. Yet in Europe and many other jurisdictions, privacy rights have been strongly and freshly enforced, and for the very latest digital processes.

For security pros coming to grips with privacy, the place to start is the concept of Personally Identifiable Information (PII). The threshold for data counting as PII is low: any data about a person whose identity is readily apparent constitutes PII in most places, regardless of where it came from, or who might be said to ‘own’ it. This is not obvious to engineers without legal training, who may form a more casual understanding of what ‘private’ means. So it seems paradoxical to them that the words ‘public’ and ‘private’ don’t figure at all in laws like Australia’s Privacy Act!

There is a cynical myth that ‘Technology outpaces the Law’. In practice, it is the law that challenges technology, not the other way around! The grandiose claim that the ‘law cannot keep up with technology’ is often a rhetorical device used to embolden developers and entrepreneurs. New technologies can make it easier to break old laws, but the legal principles in most cases still stand. If privacy is the fundamental right to be let alone, then there is nothing intrinsic to technology that supersedes that right. It turns out that technology-neutral privacy laws framed over 30 years ago are powerful against very modern trespasses, like wi-fi snooping by Google, over-zealous use of biometrics by Facebook, and intrusive search results extracted from our deep dark pasts by the all-seeing search engines. So technology really only outpaces policing.

One of the leading efforts to inculcate privacy into engineering practice has been the ‘Privacy by Design’ movement (PbD), started in the 1990s by Ontario privacy commissioner Ann Cavoukian. PbD seeks to embed privacy ‘into the design specifications of technologies, business practices, and physical infrastructures’. As such it is basically the same good idea as building in security, or building in quality, because to retrofit these things too late leads to higher costs and disappointing outcomes.

In my view, the problem with the Privacy by Design manifesto is its idealism. Privacy is actually full of contradictions and competing interests, and we need to be more mature about this.

Collection Limitation, for example, can contradict the security instinct to retain as much data as possible, in case it proves useful one day. Disclosure Limitation can conflict with usability, because PII may be siloed and less freely available to other applications. And above all, Use Limitation can restrict revenue opportunities in all the raw material digital systems can gather.

PbD naively asserts that privacy can be maximised along with security and other system objectives, as a “positive sum” game. But it is better that engineers be aware of the trade-offs that privacy can entail, and that they be equipped to deal with the real-world compromises implied by privacy just as they do with other design requirements. Privacy can take its place in engineering along with all the other real-world considerations that need to be carefully weighed, including cost, usability, efficiency, profitability, and security.

*Extract from “Blending the practices of privacy and information security”, Ch. 19 of the new book “Trans-Atlantic Data Privacy Relations as a Challenge for Democracy?”, Dan Svantesson & Dariusz Kloza (editors).

We’ll be discussing these topics and many more at Cloud Identity Summit, June 19-22, 2017. I’ll be leading the GDPR, Assured Identity and Privacy track; there’s the ‘Great Privacy Debate’ panel; and a range of technical and business topics that touch on the evolving role of privacy. I hope you’ll be able to join us for CIS in Chicago!

 

By Steve Wilson
VP & Principal Analyst at Constellation Research Inc.
