
Information Security vs Privacy, are the Lines Blurring?

My original title was “Data Security vs Data Protection[…]”, but an unfortunate number of people see these as pretty much the same thing, even interchangeable. Then I chose Cybersecurity instead of Data Security but that doesn’t cover all forms/formats of personal data, so I finally had to settle on Information Security.

As for Data Protection, it’s not, in and of itself Privacy, and so on…

But you see the problem already? If we can’t even agree on common terminology, how are we expected to ask the right people the right questions in order to solve our problems? But I digress…

For the purposes of this blog I have chosen the following definitions of ‘Information Security’ and ‘Privacy’:

  • Information Security – “…is the practice of preventing unauthorised access, use, disclosure, disruption, modification, inspection, recording or destruction of information.”; and
  • Privacy – “…is the ability of an individual or group to seclude themselves, or information about themselves, and thereby express themselves selectively.”

It should be immediately obvious that these are NOT the same thing. Significant overlap, yes, but as always, security is just an enabler. Security does not dictate the goals of a business, it enables them; security does not give you privacy, it enables you to have it. A personal trainer does not make you healthy, s/he provides guidance in ONE aspect of your health goals. You still have to eat better, drink less, stop smoking, reduce stress and so on.

But now there seems to be an expectation that security people should also be privacy experts (I’m not saying they can’t be, but I actually don’t know any). Because GDPR is a big deal and ‘data protection’ is seen as the same as ‘data security’, everyone is looking to security people for guidance. Would you hire a fat personal trainer?

Take me for example: I have spent a large chunk of the last 2 years learning more about privacy (and GDPR in particular), but I still consider myself 99.9% a security guy. I have even written fairly extensively on both privacy (personal opinion) and GDPR (hopefully accurately), but once again, neither of these things is what I DO. Privacy is not a core competence of security (just look at the CISSP CBKs).

But, and to the point of this blog, can a ‘security guy’ keep doing just security in the brave new world post-May 25th? The short answer is of course yes, if that’s all they want, but are they doing their careers any favours? And what about their clients? Can a security expert without at least a foundation in privacy really perform their function appropriately? For security to enable anything, security people need context, and privacy is now a major factor of that context for any business.

In other words, has privacy now become so important, that any field with a significant impact on it must revise its training syllabus? And given that information security has such a significant overlap with privacy, are security people best placed to take on a bigger role in providing privacy guidance?

The answer, as in everything else, is: it depends. A business has to be able to find the appropriate help, and the ‘expert’ has to have the appropriate skillset. There is no standard here, and only the people [on both sides of the equation] who educate themselves should be making any decisions. Should.

In reality, most organisations don’t even have in-house security expertise, let alone privacy expertise, so where is this guidance supposed to come from? I now think that security folks are very well placed to begin taking on a larger privacy mantle. I even believe that security folks who don’t get a foundation in privacy are severely limiting their careers. Could you imagine hiring a CISO who hasn’t even read the GDPR?

Information Security and Privacy will never merge completely, they are just too big and too different, but the lines are indeed blurring.



The Right to Privacy: Don’t Tell Me I Have to Care!

I’ve already written on the subject of privacy several times, and will likely be regurgitating a lot of what I’ve said previously, but an article I read last week really pissed me off; Three Reasons Why the “Nothing to Hide” Argument is Flawed. It’s exactly this kind of absolutist nonsense [from both sides of the privacy ‘debate’] that makes true progress so bloody difficult.

Their first point, “1) Privacy isn’t about hiding information; privacy is about protecting information, and surely you have information that you’d like to protect.”, is backed up by several metaphors, one of which is “Do you close the door when you go to the bathroom?” Seriously? Even the Universal Declaration of Human Rights qualifies the right to privacy with the word ‘arbitrary’:

“Article 12 – No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.”

Every other treatise [that I’ve read] on privacy has a similar qualifier, which clearly implies that there can be very good reasons for ‘interference’. This is further supported by the fact that privacy is only a fundamental right, not an absolute right.

Their second point, “2) Privacy is a fundamental right and you don’t need to prove the necessity of fundamental rights to anyone.”, is no better. If you’ve never read anything about privacy, you would think that a fundamental right is immutable and incontestable. It’s not. As Recital 4 of the GDPR phrases it: “The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality.”

In other words, your right to privacy must be put into context with EVERYONE else’s OTHER rights. For example, hypothetically, if I believed that ‘mass surveillance’ increases the safety of myself and my family, then your demand for privacy-first puts my loved ones directly in harm’s way. Therefore, my absolute (or ‘unalienable’) rights to what Americans call ‘life, liberty and the pursuit of happiness’ are more important than you not being seen with your trousers around your ankles.

But then they go big and say: “We change our behavior when we’re being watched, which is made obvious when voting; hence, an argument can be made that privacy in voting underpins democracy.”, which is a ridiculous stretch. Democracy through a “cohesion produced by a homogenous people.”? Sure. Democracy through a ‘consensus on fundamental principles’? Absolutely. Democracy through “privacy in voting”? Get a bloody grip.

And their final point, “3) Lack of privacy creates significant harms that everyone wants to avoid.”, is basically true. But their example, “You need privacy to avoid unfortunately common threats like identity theft, manipulation through ads, discrimination based on your personal information, harassment, the filter bubble, and many other real harms that arise from invasions of privacy.”, makes it sound like organisations and governments are forcing us to put this stuff online. WE have the choice about what personal data we expose online, and while there absolutely should be [more] checks and balances against Governments overstepping their bounds, and organisations like Google should be completely transparent in their dealings, we are the ones giving our personal data away in exchange for convenience.

You’ve probably heard the quote by Snowden: “Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.”

If that’s true, I could argue that what most people actually do online is little different from someone who cuts out their tongue. Regardless of whether we have the RIGHT to privacy, it does not mean we HAVE privacy, and certainly not online. If it’s online, it’s exposed, so you have two choices:

  1. Don’t put it online, so no more online banking, Facebook, Amazon, and so on; or
  2. Put online only the things you don’t care about losing (e.g. no nude selfies), or can protect in other ways (e.g. insure your bank accounts).

To one degree or another we all trade our privacy for functionality. We all want the convenience of online banking, shopping, communication, and all the world’s knowledge at our fingertips. But did you really think this was free? Our right to privacy is both a privilege and a currency, which means you have a responsibility to protect it, and a responsibility to spend it wisely, respectively. Both of these responsibilities require you to NOT be ignorant, to educate yourselves and not rely on others to do it for you.

But in the end it has to remain a CHOICE! The ‘privacy-first’ side of the debate will NEVER agree with the ‘nothing-to-hide’ side, but like every fundamental right we have (and yes, democracy itself), this choice will be determined by the majority. So even though, as Snowden said, “[…] the majority cannot vote away the natural rights of the minority.”, the opposite is equally true: “The wishes of the minority cannot outweigh the wishes of the majority.” To put it another way, if a person wants total privacy, then they should have the right to have it, but not if that conflicts with the rights of the others.

What very few people address is the fact that my definition of privacy may be different from yours. You may think ‘secrecy’ is the best way to privacy, but I think ‘hiding in plain sight’ is more appropriate in the Information Age. The more that is known about me, the more unlikely it is that someone can pretend to BE me.

I could go on bitching, but there’s no point. I will not change your mind, and you will not change mine. The only difference is that I’m not going to try to shame you for your opinions, or even LACK of opinion. We choose the things we care about, and NO ONE can care about everything. As long as your decisions are not based on ignorance of the subject, do as you wish.



GDPR: Reporting Your “Technical and Organisational Security Measures”

You could almost be forgiven in thinking that words/phrases like; ‘pseudonymised’, ‘anonymised’, ‘access control’ or ‘encrypted’ are all that is required when reporting your technical and organisational security measures for Article 30 – Records of Processing Activities.

Almost.

The UK’s ICO themselves provided a sample of what records of processing should look like, and even included examples of content. Their column headed “General description of technical and organisational security measures (if possible)” contains just two examples: “encrypted storage and transfer” and “access controls”. So in the absence of more detailed guidance from any supervisory authority [that I have seen], just what are organisations supposed to do?

First, you need to understand that in Article 32 – Security of Processing, the phrase “technical and organisational security measures” is qualified twice by the one word that makes the whole thing not only clear, but very simple: “appropriate”.

Article 32(1): “Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk…”.

I’m not going to go into detail about how you define ‘appropriate’, I’ve already done that in GDPR: How Do You Define ‘Appropriate’ Security Measures?, but I am going to provide an example of what this would look like on the only medium that counts; paper.



GDPR: Now We Know Who the Muppets Are

Well, here we are, close of business May 25th, and, oh look, the sun is still shining, the world is still spinning, and no one [decent] went out of business.

What we do have however is an indication of who the world’s biggest muppets are. [The examples shown in the original post are not reproduced here.] …and the list goes on and on.

As if the barrage of ridiculous and utterly meaningless emails over the last few months wasn’t enough, the spectacular ignorance shown by these and many other organisations defies belief. The only good thing I can say about these weapons grade plums is that they are actually taking GDPR seriously. They DID something. The fact that they are needlessly damaging their reputations is apparently beside the point.



GDPR May 25th – Slow Down and Get it RIGHT!

If you hadn’t heard of the GDPR before the last month or so, you have now. You have all received at least one, and more likely dozens, of emails from organisations with whom you have had some contact in the past, most of whom you have probably forgotten about. For example, I hadn’t used my Garmin account for over a decade but still received an email asking if I wanted to ‘opt in’ to continue receiving its “many benefits”.

I wouldn’t mind so much, but every last one of these ‘calls for action’ is utterly, inexcusably, and embarrassingly wrong! Literally, not one that I have received has followed what amount to clear instructions from the many qualified sources available (e.g. the ICO for the UK, the Art. 29 WP for everyone else, numerous law firms etc.) on what to do.

Therefore both of the following are true:

  • The organisations looking for GDPR guidance had no idea what they were asking for from their ‘expert’ help, or whom to ask; and
  • The providers of the guidance had no clue what they were doing.

I can also assume that no one in the respective organisations had actually read the GDPR, and the providers of guidance clearly learned just enough to fool all those who have remained clueless. Frankly these people deserve each other.

Here are some of my favourite vendor emails [paraphrased]:

  • “If you don’t respond to this email we will assume you want to keep receiving emails from us.”;
  • “Unless you read and sign our new terms and conditions we will cease all communication.”;
  • “Our database of customers’ email addresses, including yours, will be deleted.”;
  • “If you don’t opt in to receive emails relevant to the services we provide you, we’ll stop sending them.”;
  • “Our website is not available to any European member state…”
