Privacy and Security: Two Sides of the Same Coin

In April of 2013, I took on a new role and expanded responsibilities as chief data protection officer for my company.  Think chief privacy officer with a dash of information security and some European flair.  Reporting to the general counsel, the original idea was to use the position to better align information security and privacy functions across the organization.  In actual practice, I found myself focusing 90% of my time on privacy alone.  This caused me concern in the initial stages that I was moving further away from information security.  In the last year, I’ve had the opportunity to pivot and adjust both my own and others’ expectations for my role, as well as find the importance of treating privacy and security as different but complementary sides of the same coin.

In this article, I’m going to share a few insights on how focusing on privacy actually made me better at information security and in turn, how my experience in information security has helped me operationalize privacy.  It is when these two areas become complementary as opposed to distinct or disparate pieces of our organizational thought that we can better focus on the crux of the matters at hand: the value of the assets we’re trying to protect and the impact internally and externally when we fail.

If security is the “how”, privacy is the “why”…

We focus on firewalls and intrusion detection at the perimeter, antivirus and endpoint protection, encryption ad nauseum…all in the name of being “secure”.  But if I ask a deeper question as to ‘why’ are we putting all of these resources to bear the answers will vary from “our regulators require us to do so” to “well, we don’t want to be breached!”.  The maturity of a program and how well they’ve implemented a risk based approach creates exceptions to this, but I’m focusing on the majority in my experience.

Fundamentally though, the ‘why’ is rooted deeply in our personal and organizational concepts of privacy, and it is those concepts that provide value (monetary or qualitative) to the information assets we’re charged with protecting.  It also moves the implementation of security controls away from ‘outcomes’, such as passing an audit or preventing a breach, to one of ‘accountabilities and responsibilities’:  “I need to protect this information because <insert entity here> trusts me to do so”.  The success of those controls therefore holds a lot more weight, at least to me personally, than if the focus is on outcome alone.

Privacy does not mean secrecy…

A previous entry on this blog focused on the discrepancy between the consideration for privacy equating to secrecy versus equating to confidentiality.  The fundamental difference is one of keeping the data hidden versus ensuring the data is only collected, used, and accessed for the purposes it was authorized for in the beginning.  The former does not lend itself well to a digital economy while the latter is the crux of a success in the age of big data and ubiquitous computing.

What that means for security and privacy is that we can’t focus on just locking down “the box” containing the information; this has been true since computing moved beyond the mainframe and it is more so now.  We have to consider security controls in the context of enablement; enabling a consumer’s ability to choose, authorize, and be assured their data is being used as stated while balancing the organization’s ability to collect, process, and protect that information within the bounds of that agreement.  This sometimes means creative approaches, concessions on “best practices” that may inhibit data analytics, etc.  The complexity increases but so does the reward.

Data value is often influenced by privacy considerations…

The value of data is rarely derived solely from a single entity.  It is often an aggregate of the data subject, the entity collecting the data, and the entity (or entities) that process that data turning it into information that can return value to the individual or the organization.  A significant part of that value is driven by the sensitivity of that data, some of which is dictated by regulatory requirements but all are influenced by more personal perspectives of ‘private information’.

I’ve come to accept that my name, address, phone, and email, while personal information, is freely available on the internet, in the white pages, and in public records.  My religious and political affiliations, telephone metadata, medical history, and even my search histories?  Those hold more value to me and in turn have more value to organizations who’d like access to that information for a number of reasons, including surveillance purposes or targeted marketing.  So we shouldn’t lump all personal information into the same bucket and apply the same treatment and controls.  If all personal information are precious gems, we need to understand that means some are diamonds, rubies, and emeralds while others are peridot and amethyst.  When we have limited resources, we need to focus those resources on protecting the assets of most value.

The best risk mitigations are not necessarily security related…

We discuss topics such as security by design, and involving security personnel early in the process for threat modeling and risk assessment, but I’d argue even then we’re coming in late to the party.  Often we’re focused on ‘locking the box’, which is rarely a welcome conversation at the product and business level.  Also, effective security needs to be applied where there is the most value (see previous paragraph) and at a project inception that is likely not yet determined.

Privacy by design though starts looking at why we’re collecting the data, what our intended usage now and in the future will be, and what impact that data has on the individual, our organization, our brand, etc.  It’s a powerful tool that can change a proposal rapidly and drives back to the accountability and responsibility model I discussed earlier.  It forces us to acknowledge these obligations early and often and throughout the data lifecycle and in turn can feed the design and build of those security controls.  It’s also easier for the business and product people to grasp as it’s driven by a concept of “doing the right thing”.

There’s more…

But I think I’ve provided enough food for thought for one post.  This past year has changed my worldview as it relates to recognizing the information assets we’re trying to protect and the fundamental importance (the ‘why’) that responsibility places on our shoulders.  It has also refreshed my hope as it relates to achieving a balance between enabling the businesses we’re in and ensuring data privacy and security; two sides of the same coin and all that.

I am interested though in hearing others thoughts on this topic, particularly those who have had a foot in both the security and privacy domains or those aspiring to cross that gap.  Please comment here or reach out to me on Twitter!

When I Say Privacy, You Say…

What comes to mind when I say the word, ‘Privacy’?  Go ahead and think about it for a moment, I’ll wait here…

Oh, you’re back?  So what did you come up with?  Hold that thought.

Did you know that at the end of 2013, proclaimed ‘Privacy’ the word of the year?  It’s true, click on the link below!  I’m not just saying that to justify my job!

Word of the Year

Now let’s see what has to say when we ask it to define ‘privacy’:

  1. The state of being private; retirement or seclusion;
  2. The state of being free from intrusion or disturbance in one’s private life or affairs;
  3. secrecy;
  4. Archaic. a private place.

Privacy is an abstract concept; I’d argue much like ‘security’ but that’s a different blog all together.  I find when I interact with others on this topic, their typical response falls somewhere between the second and third definition…particularly when it comes in a post-Snowden era of government surveillance and Orwellian fears.   Even Warren and Brandeis in their influential 1890 essay described privacy as, “the right to be left alone.”

Did you know that essay was spurred by technology innovation, the handheld camera, even in 1890?  Food for thought next time you glare at one of those “Glass-holes” in a San Francisco bar.  But I digress…

I think the concept that we’re really looking for is much more concise…confidentiality.  Let’s look at that definition, shall we?

  1. Spoken, written, acted on, etc., in strict privacy or secrecy; secret;
  2. Indicating confidence or intimacy; imparting private matters;
  3. having another’s trust or confidence; entrusted with secrets or private affairs
  4. Bearing the classification confidential, usually being above restricted and below secret.  Limited to persons authorized to use information, documents, etc., so classified.

Somewhere between the third and fourth definition sounds about right.  When we talk about our ‘online privacy’, aren’t we really concerned about entrusting that the data we (often) freely give is being used, processed, and shared in an ‘authorized’ manner? How many looked at the Snowden leaks and said, “Well, duh…I KNEW they were doing that…I just wish they would have told me they were doing that?”  The entire model of ‘Notice and Consent’ is based on this premise; transparency as to the collection and usage and the ability for the data subject to opt-in (or opt-out) of those practices.

This becomes relevant as we discuss the future of ‘privacy’ in an age of government surveillance, ubiquitous computing, and big data.  We’re riding the wave of unprecedented technological benefits and convenience, and there are pundits that say it is in turn the death knell of privacy. So we rail against data collection and say, “Don’t look at me!” and look to build bigger walls to try to stem the tide.  We turn to cryptography and other privacy enhancing technologies, which have their place,  and think “let’s fight technology with technology!” but that can raise barriers for responsible use and learning curves can leave average consumers in the cold.

Meanwhile, the answer is finding balance.

What if we agree that what we’re really looking to do is establish a social norm where we retain a measure of confidentiality and control?  To maintain our choice of who, where, and when our personal information is used and transparency as to the actions powered by that information?  Then the conversation moves from one of blame and shame, “How dare you look at me!!!” to a much more reasonable, “Look at me…but let me know that you’re looking, and tell me what you see.”  That seems like a better approach, wouldn’t you agree?

There’s some interesting conversation and solutioning ahead…

BSides Las Vegas 2013 – Data Breach Panel

Davi Ottenheimer, Raymond Umerley, Jack Daniel, Steve Werby, David Mortman & George V. Hulme – Breach Panel

“A burglar steals an unencrypted powered-down laptop containing PII and is immediately hit and killed by a bus. Data breach?” as more laws are passed there remain many difficult questions to answer. this panel will try. come see opposed minds in the industry debate the ethics and economics of incident response and related regulations. we will debate things like: have the past 10 years of breach legislation helped or hurt our efforts in information security? when is a breach really a breach? is it wrong to say “any loss of control is a breach and must be reported?” do you agree there “no safe harbor for encryption?” is it “unduly costly on society” if our breach definition is too broad?