PrivatelyExposed

A Blog dedicated to exploring privacy and technology

Posts Tagged ‘privacy’

Reversing Negative Privacy Behaviors Using a Didactic Approach

Posted by Wayne on March 14, 2014

There is an old phrase of death by a thousand cuts. This simple and oft used phrase refers to a slowly occurring negative change, so slow that we often don’t seem to notice and even go as far as to adjust and accept the inevitability of the path that we’re on.

Personally this is what I believe many of us have come to accept when it comes to privacy in the digital age. When a new gizmo or website presents us with a new way of improving our life – we ignore the voice in our head and click through the privacy policy, fill in answers to questions, link other systems to the one we’re in and trade one more small slice of our privacy for convenience.

Image

In fact – I think this picture depicts what it is like – we are led by these tiny morsels of goodness – in trade for heading in a direction. Like Pavlov’s experiment we are trained slowly and in the smallest increments that it is ok to divest our ownership of our own information and acquiesce future control over the use or modification of the information.

The problem with this learned behavior is that the incremental loss of authority, access, and provenance of our data has to eventually lead to bad outcomes. Are all of the data collection systems bad? Not in the least. However as technologies such as the Internet of Things, Cloud, and Big Data – continue to develop ways to create, collect, harvest, and analyze data about us – we are assisting the populating the data warehouses.

So that gets us to what can we do about it? Thankfully there are a number of companies that are starting to tackle just that problem. One example is a company called Lookout which is a mobile app that helps a mobile user digest the privacy policy. We need products that alert us and teach us how to protect our privacy. One of the best models I’ve seen for this kind of teaching method is what Toyota has included in its Prius dashboard.

Image

 

If you’ve ever driven one – it has a visual feedback mechanism that gives the driver positive feedback when driving economically. I’ve personally experimented with it and if I ignore it and drive it like a big V8 – foot to the floor when the lights change, drive at 80+, etc. I get as little as 40 MPG. If I drive it paying attention to all the feedback and the conditions are right I learn to drive in a way that I can get between 54-60 MPG which is a huge difference in mileage.

This is what we need in privacy – companies that are not leading us down a path of complete exposure but down a path that teaches us how to be far more aware of our privacy risks and alert/monitor that what we are sharing is the right data at the right time. With as complete an understanding of what the data is going to be used for and how as it is put to use. This applies to data in all three phases – in use, in flight, and at rest.

I’m excited because for the longest time privacy protection wasn’t monetizable – companies can’t exist without revenue and wouldn’t be able get investors interested without a solid economic model. Recent events have catalyzed innovation in privacy that have created interest in the VC community as well as for entrepreneurs. I will be talking these exciting new companies over the coming weeks and months on this site.

It is good to be back and a very exciting time for privacy.

Wayne

Advertisements

Posted in Uncategorized | Tagged: , , | Leave a Comment »

Part 2 – Choosing the Assessments

Posted by Wayne on March 2, 2012

Once I had detailed the research questions I next needed to decide what privacy assessments I was going to use. First I looked to the security instruments out there to see what they had and found that several of the common security instruments did have a few questions that pertained to information privacy they were by no means comprehensive. For example the ISO/IEC 27002:2005 instrument has sections on privacy policy management and data classification but is missing specifics on notice, use, or retention as examples. The next place to look was for books on privacy assessments. Again though I found books that contained sections on privacy such as Debra Hermann’s book “Complete Guide to Security and Privacy Metrics” only about 10% of all the metrics listed were US-centric privacy metrics. US-centricity was a self-imposed requirement to managed the scope of this research.

Next approach was to try something that I figured this would be an easy step – run a few searches on the Internet and I’d probably have too many privacy assessments to choose from. Instead what I got was a lot of commercial consulting companies that have all developed their own assessments. Now what? More searches – only directed and emails to friends and friends of friends! I found three that seemed to be pretty good choices and also finding them detailed in an article written by Roger Clarke on Privacy Impact Assessments helped support the use of them.

DHS/DOJ Privacy Impact Assessment – The first one is the only mandated privacy assessment in the US which is mandated by the DHS/DOJ when deploying a new government system (also someone government specific as well). Since it is a privacy impact assessment it is designed to be used as a ‘pre-assessment’ before a system is implemented. I couldn’t determine the provenance of the DHS/DOJ PIA but I had to assume that it is a ‘best practice’ and is reviewed by the office of the CPO. Also the DHS/DOJ PIA only has 40 questions in it making it the briefest of assessments.

ISO/IEC 22307:2008 Financial Services Privacy Impact Assessment – This is an international standard and is financial services biased. It is also a pre-assessment instrument and has a total of 102 questions. I had to purchase this assessment for my research from ANSI who manages ISO standards here in the US.

SharedAssessments Privacy Assessment – Shared Assessments is a not-for-profit group that was created by leading financial institutions and accounting firms. The instrument I used was an earlier version and was freely available. However if you wish to access the tools today you have to become a member.The SharedAssessments tool that I used has 127 questions.

So these the three assessments I used. In my next post I’ll talk about the cloud providers I choose and why.

thanks,

Wayne

p.s. There is a bit of irony that I want to mention – a complete book on privacy impact assessments was published just recently that may be useful if you are interested in knowing more about this topic: Privacy Impact Assessment (Law, Governance, and Technology Series).

Posted in cloud, privacy, risk, Uncategorized | Tagged: , , , | Leave a Comment »

Part 1- An Introduction to my Dissertation Research

Posted by Wayne on February 11, 2012

Over the next few months I’ll finally be able to come out of hiding … not that I’ve been doing anything stealthy or that exciting even. I’ve been working on completing the hardest thing I’ve ever under taken in my life – a PhD. Four and a half calendar years and literally well over a thousand hours of time. For some I guess this is something they know they are going to do when they are young and full of energy and strong of heart and mind but for me this was my mid-life-crises.

Anyway – the coolest outcomes are: I definitely think a little different about things and the research that I got to do has some interesting and (I think) valuable results.

My initial goal was to do something epic, far reaching, and somehow alter the way we think about things. Did I accomplish that? Yes for me I did. I had some outstanding help from some great minds on my dissertation committee that helped me to explore a few things that will add to the science regarding privacy. I learned a lot from the body of knowledge already out there, from and about myself, and from those who supported me through the process.

The topic of study was “An Empirical Study of Privacy Risk Assessment Methodologies in Cloud Computing Environments” the initial abstract was published here and it has changed to look more like this. The abstract is not the only thing to change – the hypothesis changed, the research questions changed, and even the methodology changed. Fortunately what didn’t change was the data.

For this post I’m just going to share the research questions:

Q1.Do existing privacy assessment methods adequately assess privacy risk exposures of cloud computing for the enterprise?

Q2.By using the scoring system (outlined in the methodology section) are the new characteristics in cloud computing such as on-demand/self-service, broad network access, measured services, shared resources, and elasticity adequately evaluated or accommodated in existing privacy assessment methods?

The drivers for these questions were based on some basic phenomena that I had observed 4 years ago when I started looking for problems to explore. First and foremost I was (and still am) so excited about cloud computing. In my opinion Cloud is the most interesting technical thing to happen since the 80’s and Vax/VMS clusters ruled the computing world. The second thing that I realized was that privacy was also a domain that seemed to be important and was so incredibly polarizing with my peers in school and colleagues at work. The last thing that I noticed was that we seem to have this blind belief system and trust in assessment methods. Security folk call it checklist compliance – find a good checklist, check things off, and everything will be fine.

In the privacy domain risk assessments are very immature compared to the security world. Also what got me thinking about all this was – who says we’re asking the right questions? When we’re done why can’t we have a risk score like with our credit card score? I found some work done by Dr. George Yee (Estimating the Privacy Protection Capability of a Web Service Provider) that became the basis for my inquiry – how do we get assurances of privacy when we connect with web service providers?

More to come soon …

/wayne

Posted in cloud, privacy, risk, security, Uncategorized | Tagged: , , , , | Leave a Comment »

Why Privately Exposed?

Posted by Wayne on October 3, 2009

Seems to me like privacy issues come up every day in the news whether it is good news, bad news, or just new regulations and laws about privacy – it is becoming harder to hide or be off the grid. I just googled the word privacy and got over 1 billion hits! The UK has installed over 10,000 cameras in 32 boroughs (dated 2007) and Washington DC has a penchant for the same type of privacy invasion with CCTV cameras appearing on every corner, at all public transport sites, all government buildings, etc

Add to this the fact that our lives are becoming a mere shadow of our digital existence and it quickly becomes an area that I think we should be paying close attention to. Security provides the instruments needed to protect our privacy – and privacy is information about us that we choose to share, we understand where that information is going to be seen and used, how it will be combined with other information, where it will be stored, how long it will be kept around, and have choices/consent when all this will happen with OUR information.

Add to that the “cloud computing” phenomena and now you have some really smart people scratching their heads about privacy in this new computing paradigm. What happens when information that used to be inside the chinese wall of the enterprise are now sitting in a 3rd party providers data center? Does the Patriot Act come into play in a different way than it did when the data was inside the enterprise? What about the use of 3rd parties that use 3rd parties? Do the protections flow with an “inheritance clause” or is each sub-level of agreement treated with a new service level and privacy protection level?

Like I said – the good news is some really smart people are spending a lot of time discussing  and working towards solving these issues – from government to academia to the enterprise. My hope is to help expose some of the good and bad of what is going on in the privacy domain (especially as it relates to cloud and the enterprise), put my opinion out there, show what I find in the research, and together we can come away with a new consensus on how to proceed.

Also – be warned – I’m here to learn and use what I learn in my research for my doctorate and beyond so I may want to contact you directly if you comment to find out more from you!

-wayne

Posted in Uncategorized | Tagged: , , , , | Leave a Comment »

 
%d bloggers like this: