Security or Privacy: Pick Any Two

jdtangney · Published in Lean Security · 5 min read · Mar 2, 2019

I was at a Privacy Lab event this week, in which EFF’s Bill Budington talked about Advanced Tracking Techniques: the mechanisms by which data leaked by your browser is used to fingerprint you and track you on the web. It was much more technical than I anticipated, which was most welcome. (Except that it reminded me of how out of touch I am with modern browser tech. The Tangled Web was a long time ago.)

One thing Bill mentioned stuck in my mind because it caused me a bit of discomfort. In fact, I tried to probe a little at the end of his talk but I failed to make myself clear even though Bill tried valiantly to ’splain it all. Again.

The thing that was bothering me, Columbo-like, was the apparent tension between Security and Privacy. Bill himself said it was a false dichotomy, but then went on to give a couple of examples of where favoring security jeopardized privacy.

“How can that be?” I roared internally. “There can be no privacy without security! The C in CIA stands for confidentiality, which is the cornerstone of implementing Privacy.” Meanwhile, Bill seemed to get more and more adamant as he talked us through his examples, and I got more and more dismayed as I felt my whole understanding of S&P was being dismantled.

My belief was and still is that Security provides the controls that make Privacy possible. Clearly Bill was upsetting my applecart. I mean, he’s super-smart and he’s with the EF motherfuckin F! Who am I?

I thought about this for a couple days, and then, while listening to a podcast on compliance, it hit me. A narrow definition of Security is half the problem. And an imprecise definition of Privacy is the other half.

I’ll say it, ’cause I know you’re thinking it: Not everyone is as broad-minded and big-thinking as I am. And modest too. And super good-lookin’, of course, jus’ sayin’. I’m a Thought Leader, bitches.

Here’s my own example of what (I hope) Bill was getting at. Authentication for financial transactions. The app that lets you send $20 to Steve as your share of the keg probably does a whole bunch of things you might not be aware of. Maybe the app fingerprints your phone. Maybe it’s tracking your GPS location, and definitely your IP address. Maybe it’s using the sound of your voice or ambient light to identify and track you and your environment.

Why are they doing this? Because those signals can all be used to identify you. That helps the service make sure it’s really you sending your money to Steve, and not APT38 siphoning off funds to bolster the DPRK’s fragile economy. This identification is a good thing from the point of view of securing the financial transaction.

But Privacy advocates are def going to want to take a long, hard look at a scenario like this. That degree of data sharing is terrible for Privacy. What happens if the service provider decides they want to go all Facebook and abuse that data? Or what happens if someone breaches the service provider and spreads all that tracking/fingerprinting/other data around? What happens if someone along the way goes rogue and uses the data for evil?

So that’s what I mean by a narrow definition of security. To my mind, Security is inclusive of Privacy, and if only some data (financial transactions) is protected, but other data (tracking data) is not, then that’s a Security lapse.

The other half of the problem is that Privacy is not well defined, and it veers from ethics to morality without ever being tempered by law. This is especially true in the US, where “free market” fervor has been known to stand in for ethics, morality and common sense.

Privacy, according to modern lore (aka my Twitter feed), is whatever makes you feel queasy. When we challenge orgs on whether they have violated our privacy, they point to a “contract” that we “agreed” to. Legally, it’s all perfectly above board, but morally it’s slimy as fuck. (The fact that “click to agree” is enshrined in law is itself a travesty.) What you and I mean when we say our privacy was violated has nothing to do with long legal contracts. We mean that social norms — the foundation of society — have been violated. Shit that we don’t want shared got taken without our informed consent.

But this non-definition of Privacy is not what I’m talking about. I was taught that Privacy is a Policy. When you’re implementing or enforcing Privacy controls, you work according to the Policy. The Policy guides and informs you.

And the Policy trumps everything, even the law. Yup, that’s right, when you’re making decisions, look at the Policy, not the law or regulations. That one was a bit of a shocker to me when I first learned it, but it makes sense: You should have clauses in your policy that say “obey the following laws and comply with those regulations.” If it’s not in the Policy, it won’t get implemented. Think of the Policy as a requirements doc for orgs, for products, for pretty much everything.

I ran into this the other day. I was working on the launch process for a device along with its software. The flowchart I was using for guidance had a diamond with “Medical Device?” in it. I knew instantly that this was a technical term with a specific, well-defined meaning so I asked our compliance lawyers to help me make a determination. The Policy says that certain reviews and authorizations (not to mention certifications and licenses) have to be completed when what you’re working on is a Medical Device: Medical Device? Jump through these hoops. Not a Medical Device? Skip ahead to box 13.

Another thing Policies do is help you avoid work. In the case of my device, if a certain class of data is never shared with certain people, then a whole lot of extra work can be avoided. Smart lawyers have figured this all out for me. I don’t have to think about it. In a way, the Policy is interpreting the law and taking a defensible legal stance; all I have to do is follow the Policy and we’re good. This is a sensible thing. And best of all, I don’t have to read all of HIPAA and make my own interpretations. (Can you imagine how I’d fuck that up?)

So Policy is a good thing that helps orgs frame their decisions. Policy is a bad thing when it’s rammed down people’s throats without their full understanding/knowledge/engagement. But Policy is the only tool we have for defining Privacy.

And Security encompasses Privacy.

Back to my hypothetical financial app. Their Privacy Policy is probably quite legally defensible, but morally questionable. Because they fail to protect the looser, pop-culture definition of privacy, they fail at Security.

A syllogism?
