A Blog dedicated to exploring privacy and technology

Archive for March, 2012

Rethinking Privacy in the Digital Age

Posted by Wayne on March 27, 2012

I’ve been teaching grad school for the past couple of years with the desire to eventually be able to create a course on a subject that is near and dear to my heart – Privacy. Well that time has finally come as I’ve been hard at work developing a course that has practitioner and theoretical content. The course includes combining four ways to frame privacy – legally – different laws by state and data type, technically – PETs and surveillance systems, regulatory – FTC/FCC/OECD, and socially – Facebook/Linkedin,and more.

Here is the announcement from the director of the program (and one of my mentors) Dr. Maria Garcia:

“Greetings, Students!
Are you concerned about the privacy and security of your personal data? Do you work in an industry that manages sensitive data? Read on!
All businesses know the importance of safeguarding confidential data. This practice is no longer limited to companies subject to regulation, such as healthcare, education, and financial services. With increased access to personal information via social media and consumer products, such as smartphones and gaming systems, the growing risk of exposure affects everyone, personally and professionally.
With this in mind, Franklin Pierce is launching a new course – Rethinking Privacy in the Digital Age. In this class, students will learn the fundamentals of privacy – its origins, risks, and protections. Learn how to assess the value of your and your customers’ privacy when data is shared through online systems designed to use your information as currency.
Rethinking Privacy in the Digital Age (GI 590) will be offered at the Manchester, N.H. center in an eight-week hybrid format; hybrid classes meet every other week and classwork is completed online during the alternate weeks. The class begins on Tuesday, April 24, 2012 and ends on Tuesday, June 12, 2012.

I can’t begin to tell you how excited I am! The sessions are going to include debates on for/against advertisers and commercial companies rights verses the individuals rights, an exercise writing a privacy bill, practical experience trying to gather information on others, and reviewing the new FTC privacy framework just published this week.  If you have 8 weeks to spare – come join us! I know we will all learn something about privacy together and you get graduate or undergraduate credits as well.

Hope to see you there!


Posted in cloud, privacy, risk | Leave a Comment »

Part 2 – Choosing the Assessments

Posted by Wayne on March 2, 2012

Once I had detailed the research questions I next needed to decide what privacy assessments I was going to use. First I looked to the security instruments out there to see what they had and found that several of the common security instruments did have a few questions that pertained to information privacy they were by no means comprehensive. For example the ISO/IEC 27002:2005 instrument has sections on privacy policy management and data classification but is missing specifics on notice, use, or retention as examples. The next place to look was for books on privacy assessments. Again though I found books that contained sections on privacy such as Debra Hermann’s book “Complete Guide to Security and Privacy Metrics” only about 10% of all the metrics listed were US-centric privacy metrics. US-centricity was a self-imposed requirement to managed the scope of this research.

Next approach was to try something that I figured this would be an easy step – run a few searches on the Internet and I’d probably have too many privacy assessments to choose from. Instead what I got was a lot of commercial consulting companies that have all developed their own assessments. Now what? More searches – only directed and emails to friends and friends of friends! I found three that seemed to be pretty good choices and also finding them detailed in an article written by Roger Clarke on Privacy Impact Assessments helped support the use of them.

DHS/DOJ Privacy Impact Assessment – The first one is the only mandated privacy assessment in the US which is mandated by the DHS/DOJ when deploying a new government system (also someone government specific as well). Since it is a privacy impact assessment it is designed to be used as a ‘pre-assessment’ before a system is implemented. I couldn’t determine the provenance of the DHS/DOJ PIA but I had to assume that it is a ‘best practice’ and is reviewed by the office of the CPO. Also the DHS/DOJ PIA only has 40 questions in it making it the briefest of assessments.

ISO/IEC 22307:2008 Financial Services Privacy Impact Assessment – This is an international standard and is financial services biased. It is also a pre-assessment instrument and has a total of 102 questions. I had to purchase this assessment for my research from ANSI who manages ISO standards here in the US.

SharedAssessments Privacy Assessment – Shared Assessments is a not-for-profit group that was created by leading financial institutions and accounting firms. The instrument I used was an earlier version and was freely available. However if you wish to access the tools today you have to become a member.The SharedAssessments tool that I used has 127 questions.

So these the three assessments I used. In my next post I’ll talk about the cloud providers I choose and why.



p.s. There is a bit of irony that I want to mention – a complete book on privacy impact assessments was published just recently that may be useful if you are interested in knowing more about this topic: Privacy Impact Assessment (Law, Governance, and Technology Series).

Posted in cloud, privacy, risk, Uncategorized | Tagged: , , , | Leave a Comment »

%d bloggers like this: