got privacy?  Musings on the state of Privacy in a connected world.
 
Aaron Weller, CEO We live in an information age, where the answer to almost anything we think of (or *can* think) of is instantly available to us wherever we are. I am an Information Security Officer. My goal is to ensure as best as I can that data important to my users is available when required, has integrity and is only made available to people with a need to know, in line with laws and regulations and the assurances that my company has made to our customers and employees.

Most organizations these days have very complex technology “plumbing” that connects applications and systems and enable business processes. This plumbing consists of many “pipes”, “connections” and “faucets” (i.e. Technology Components), and “water” passing through this plumbing (i.e. Data).

Although ensuring that the pipes are in good order is important, these days every organization’s plumbing is very complex and relies on pipes owned by third parties, some which are located in places that we do not control, and with many opportunities for leaks.

My job as an Information Security professional means that I need to care not only about the infrastructure but also about where the water is and who has access to it. In my role where the water is building up behind a dam, and who is drinking it are just as important as the pipes that it passed through to get into the reservoir.

In practical terms, this means that an Information Security professional needs to know not only where all of the “pipes” (networks), “reservoirs” (data stores) and “faucets” (access points) are and how they are protected and maintained, but also about the type and quality of water in each place. Just focusing on the technology often misses the context of what the organization has collected the information for in the first place.

In this context, personal information is be water that is not immediately drinkable but could be either cleaned (sanitized / scrubbed) or only used for certain purposes. Just like grey water can be used to water your garden, you wouldn’t want to drink it, or have others drink it by mistake!

IT Security is just a part of the overall Information Security picture. It is a very important one, particularly for IT departments, but Information Security (and to an even greater extent, Information Privacy) focus on business processes and how data flows through them, whether in electronic or paper form. This helps Information Security professionals to understand where to spend their limited IT Security budgets to protect certain systems and types of devices where the most sensitive data resides or is processed.

Why should information be protected by a million dollar access system when it is on a server, but a dump of that same information into a spreadsheet can be downloaded onto a mobile device which is not owned by the organization and which may have very basic, or no, security controls at all?

I see it as absolutely vital that someone within organizations that I work with is available to have their primary focus on IT Security (or there is ready access to good consultants or outsourced services with those skills). But having a great suite of well configured tools and technical controls is not enough to manage the risks to organizations that are caused by their capture, processing and usage of sensitive data.

Getting the whole organization to understand what data is collected and why, how it can be used, and that it should be disposed of as soon as the costs of storing and protecting it exceed the business value of retaining it is vital to reducing the damage that could be done in the event of a data breach.

There have been many recent examples of organizations that retained sensitive data long past the point that it was of little value. This same data represented a significant (and avoidable) liability when a breach occurred. IT may be able to control access to a database, but by and large they are not able to impose tighter retention periods, or force tokenization, hashing or other controls on the business without either a regulatory or legal mandate, or a clear explanation of why the additional cost and effort is worth it.

So, if you are an IT Security professional, think about whether becoming an Information Security professional would be a good move, both for you and your organization. And if this isn’t something that appeals to you, at least consider raising the point that someone should be looking at the water while you’re running around fixing the pipes.

My biggest satisfaction has been when I start to hear that business leaders and other executives have started to ask the same questions that I do “why are we capturing that data, and what are we going to do with it?” Your customers are waking up and starting to ask similar questions. If you’re going to be able to meet their changing expectations, you should have the answers ready.

This article was originally published on www.roer.com .  Reproduced with permission.

Aaron Weller
 
 
A little bit off topic, but having just got back from RSA, and with a bunch of other conferences coming up, I thought I would share this checklist that I pulled together a while ago.  Conferences are usually expensive, and you can miss out on many opportunities if you just attend the sessions and then go home. This checklist gives you some tips on how you can maximize the time that you spend at a conference and make sure that you walk away with more than just another folder for your shelf.

Before the Conference

  • Plan which sessions to attend.  Note who the speakers are for all of the sessions as well as the content (you generally have access to this information before the conference).  Check for target clients, alliance partners and competitors and decide whether it’s worth going to a presentation to be able to get to talk to someone from a key target, or to find out what they are doing. 
  • Sort out your logistics.  Book flights that give you time to get to the conference allowing for flight delays.  If the conference is in a hotel (and they often are), try to make sure that you stay in that hotel to a) get the special discounts that the conference will obtain for you and b) make it a lot easier for you to get between your room and the sessions.
  • Clear your ‘to-do’ list.  Easier said than done, but taking conference calls during the sessions and working in the breaks means missing networking opportunities and not getting value for money.
  • Divide and Conquer.  Try to find out if anyone else from your company is attending the conference, make contact with them and try to split target sessions between you, compare notes etc.
  • Take a lot of business cards. They're easy to carry, and if you don't use them, so what?
  • Know what to say.  Sooner or later, someone will ask you about your company.  Work out what you are going to say about the firm and your role.
 During The Conference

  • Timing is everything.  Try to be around in the general area before the sessions start and during breaks.  You never know who you might meet, or what you might find out.
  • Be an Ambassador.  If appropriate for the dress code, consider wearing branded (or otherwise 'conversation worthy' clothing so that you’re noticeable).  At RSA, a woman walked up to me and literally asked for the shirt off my back.  Note: This is not always a good thing - and I do have witnesses!
  • Work out what you want to get out of each session.  Do you want to talk to the speaker afterwards?  Would you like a demonstration?  How does the session add to what you already know?
  • Collect business cards.  When you speak to someone, who you might want to contact again, be sure to collect a business card.  Write on the back a little about that person (business & personal info), what you discussed and any other useful information to jog your memory when you get back.
  • Enter all vendor raffles.  You never know what you might win.
  • Work the crowd.  Sit next to different people at each session and introduce yourself to them.  If possible, review the attendee list and be strategic in who you sit next to.
  • Maintain a ‘to do’ list.  Whenever something strikes you as interesting or you should follow up on, make sure you write it down and then action it when you return to your office.
 After the Conference

  • Get business cards into your CRM system.  A business card in your bag is not much use.  In your company CRM system, it shows other people who come into contact with that person who else knows them.  
  • Follow up.  Write personalized emails where appropriate to people that you met, either sending them information that might be of value to them, or suggesting a follow up discussion or meeting.
  • Be timely.  Make follow-up calls / emails within a week of the end of the conference.
  • Keep your CPE certificate.  You may be audited one day and be glad you did.
  • Share your knowledge.  Tell other people in the office what you found interesting, and keep the course material in a place that other people can use it. 

    Congratulations!  If you follow these steps then you will find that you get a lot more out of conferences, both for yourself and the company.
 
 
While many organizations have a strong desire to make their web-sites useable and accessible for as many people as possible, most likely do not realize that this can result in some loss of privacy for users.

Accessibility can work in a number of ways, either through active involvement by a user choosing certain options on the site, or passively without direct user interaction through good site design, color palette selection and similar.  Where active involvement by a user is required, this may be achieved either with them making a conscious choice at the time of using a site, or they may already have made a selection (e.g. choice of browser, screen resolution, use of screen reader) which is communicated to the site at the time of use.  For users with disabilities, the availability of appropriate and useable accessibility options may mean the difference between them being able to use a site, or looking elsewhere.

How this overlaps with privacy may not be immediately obvious.  Privacy refers to the amount of control that we have over our personal information, and how this is shared and used.  On the Internet, Privacy can be taken to mean that you are aware of the information that you are sharing, and this information is used in a way that you are comfortable with until it is destroyed.

Browser Information Leakage
So how can accessibility compromise privacy?  By knowing that a user is visually impaired, and combining that information with other information, for example that they are located in a certain area (from their IP address, or GPS or other location), you could compromise an individual’s privacy.  Research has already indicated that between 63% and 87% of Americans can be uniquely identified by birth date, gender and 5-digit zip code (see here and here for the research and here for some analysis by the Electronic Freedom Foundation).  If you’re not convinced – check out the Panopticlick “browser fingerprinter”, also from the EFF.  When I just tested my browser, its fingerprint was unique amongst nearly 800,000 configurations tested so far. 

Logon Information Leakage
Other accessibility options, such as reading text aloud, may be appropriate for an application being used at home, but may impact privacy if they are used in a location such as a library or a bank lobby, or may not even work if the appropriate hardware is not in place.  Developers must give thought to where a website may be used when developing privacy options, particularly when the website grants access to sensitive information.

How Privacy can impact Accessibility
Restrictions on sharing information about people’s health and health conditions may impact the ability to plan appropriately accessible services for them.  As a result, companies may not have the information that they need to know how to adapt their sites to their user base, reducing their ability to provide accessible information for all.

While none of these issues are insurmountable, the fast evolving fields of Accessibility and Privacy mean that practitioners must be conscious of these areas when designing new applications as in many places there is no standard for managing the overlap of these two fields.

 
 
 
January 28th is Data Privacy Day.  In a single generation, privacy concerns have shifted from worrying about who can see through your windows to who might be able to see your medical records on the Internet.  Data Privacy Day gives us a chance to reflect on these changes, and to think about what steps we can take to better control personal information and manage our privacy.

The fact is that information, from where you live to how you live, is now available to many companies that you do business with, or in some cases to everyone with an Internet connection.    This disclosure can provide many benefits, from customized offers based on purchase history to a free cup of coffee on your birthday.  Disclosure also carries risks.  Many of us have received notices telling us that our personal information has been lost or stolen, and although most of these instances do not lead to direct harm to us individually, they often cause concern.

Interestingly, the number one privacy concern that most people have is not related to the information that they share. Given the proliferation of social networking and other online activities, people are often comfortable (sometimes too comfortable) when it comes to sharing information in the public (or semi-private) domain.  The real concern for many is how information that has been shared with trusted people or organizations will be managed and protected once is out of our direct control.  Individuals can reduce this risk by limiting what they share, but we also need to take responsibility for holding organizations to their privacy policies and agreements; they are stewards of your information.

So to mark Data Privacy Day, here are 4 simple things that you can do to improve your own privacy:

1.       Think before sharing your personal information.  For example, when a shop asks for your phone number at the checkout ask why they need it.  Usually the request is because they want a number that uniquely identifies you, rather than because they plan to call you.  So, consider declining or just choose a generic number that you can remember.  Similarly, if someone asks for your birthday, then January 1st will often suffice.

2.       Always opt-out.  Unlike Europe, where you need to opt-in to consent to your data being shared, we in the U.S. have to ensure that we opt-out whenever we have the opportunity to restrict companies from sharing information with other companies or partners.  It only takes a few seconds, and restricts what can be done with your information.  Find those boxes, and tick them.

3.       Treat Social Networks like coffee shops.  If you wouldn’t talk about it in a coffee shop, don’t talk about it on Facebook or Myspace.  If you wouldn’t shout it on a street corner, don’t share it on Twitter!  Once you have shared something electronically, it is out of your control, even if you think that only your friends will be able to see it.

4.       Maintain Healthy Skepticism.  Be suspicious about any requests for personal information, even if they look like they come from a person or organization that you know.  Many people continue to be fooled by these requests.  It’s easy to take a couple of minutes to make a call and confirm that a request is genuine before providing information that could be used to commit identity theft, or cause you other problems.
 
 
If a tree falls in a virtual forest, does it make a virtual sound?  These days, a lot of trees are falling in a lot of virtual forests and the noise is becoming louder in the real world.  There are now university classes taught virtually, simulators replicate situations that are expensive or dangerous in real life and surgeons practice techniques virtually before they attempt the real thing.

As Virtual Worlds (VW’s) have become more complex and functional, they have become more valuable, both to their users and to attackers.  Nearly half a million users spent money in Second Life, one of the most popular VWs, in August 2009.  Interestingly, over 1000 of these transactions exceeded $4000.  The total GDP of Second Life was estimated at around $500m in 2007 – larger than some small countries. 

This increase in functionality and usage has also led to an increase in the number of people attacking the system or the people using it.  While some early attacks focused on gaining control of in-world resources or disrupting the experience of other users, more recent attacks try to gain access to real world resources and bank accounts.

While few corporations currently use VWs, it is likely that this will change over the next decade as they become more ubiquitous and gain Enterprise Class features to encourage their adoption.  This will increase the urgency to develop a system of controls to protect both users and the environments themselves.

So, as information security professionals, how can we help to make Virtual Worlds a better place to live and work?

To help secure VWs from attack, it helps to think about them as a connected system with a number of components which can each be modeled.  This helps us to understand what the attack surface looks like, and understand the key vulnerabilities and how they might be able to be defended against.

The major vulnerability points are:

·         Client Software.  Once you have installed code on a client machine, that code is vulnerable to being manipulated, either by changing the code itself or changing the way that it interacts with the VW server.  This technique was used successfully to hack many online games and resulted in the development of programs such as PunkBuster which control which other programs can be running at the same time as the game client and performing checksums on key files to ensure their integrity.

 ·         The Virtual Environment.  Whether it’s performing a certain sequence of events that always produces game currency, or manipulating certain aspects of the VW to operate outside the rules (basically what the character Neo does in the film The Matrix), designers of the VWs are not able to predict every single way that a user might interact with the world, so they have to design safeguards that will work whatever the interaction is. 

 ·         The Users.  One of the most common attack vectors seen to date is to exploit trust between users to the benefit of an attacker.  Most users tend to assume that if they have been interacting with another character in a virtual world for some time, that they can trust them.  In reality, many of the cues that we get when interacting in person are masked when interacting with their avatar.  Both the appearance and actions of an avatar may be designed to elicit certain responses in the same way that con artists may take on a certain persona to achieve their goals.

Gaming VWs (e.g. World of Warcraft) are by their nature used by very competitive people who would be tempted by anything that might give them an advantage.  This has enabled recent attacks to be successful by promising to show how to achieve or obtain certain things within the game world and then downloading malware which is used to steal credentials or set up backdoors on the user’s machine.

While not a new phenomenon, attacks against VWs have been getting more attention as the technology becomes more mainstream and blended attacks result in real-world losses.  As security practitioners, we need to understand the benefits and risks related to the use of VWs in our environments and set boundaries appropriately.  It is likely that the use of VWs for business purposes will expand in the future, just as social networks have done.  Humans are social animals and these technologies provide new and fun ways to interact with our colleagues and clients.  We just need to be aware that a virtual bear could be hiding behind every virtual tree and act accordingly.
 
 


One of the major problems that organizations face when they’re reviewing their compliance program is understanding why they are doing what they are doing and how to achieve a ‘steady state’ where compliance becomes part of the scenery rather than an ongoing struggle.  For many organizations, this state seems to be receding ever further into the distance.  Each year bring more controls that need to be implemented and monitored.  Every gap analysis finds more gaps and every effort at remediation appears to lead to little relief.

Part of this issue is that for most organizations a ‘gap analysis’ is about the worst thing that they could be doing.  A ‘gap analysis’ frames the situation to prejudice an outcome and rarely helps an organization get closer to a steady state of compliance.  Framing is a term from linguistics which describes how the choice of words activates certain emotions and thought patterns.  With a ‘gap analysis’ the framing works like this:  Gaps are bad.  Analyzing and fixing gaps is good.  Having no gaps is best of all.  However, in practice there are always more gaps to be found.  Existing gaps may reoccur in other forms or auditors will just dig deeper to find smaller and smaller gaps.  But seeking to identify weak areas is good.  It shows that we care about what is wrong.  Therefore we should do gap analyses.

Even in organizations that are highly compliance focused, this approach doesn’t make a lot of sense.  It provides a never ending stream of ‘remediation activities’ and ‘refresh testing’ which keeps people employed and consultants in business, but it may or may not contribute to making organizations more secure or compliant.  And after a point, there is not much point in being more compliant than is enough to achieve a particular sign-off or to provide a level of due care should an organization be sued.
 
 
A man drives out of his own driveway and drives into a post.  This story probably wouldn't even make the local paper unless it was a slow news day, but because the man in this particular situation was Tiger Woods, this has been front page news on both sides of the Atlantic.

What reasonable expectation can celebrities have to privacy?  What right to privacy should celebrities reasonably expect, in circumstances where they are involved in minor incidents that the rest of us would not expect to of real interest.

As of this afternoon, Tiger has said that he won't be playing any more golf tournaments until 2010.  I'm sure that he doesn't need the money, but unfortunately, this is likely to fan the flames even further.

So - what expectations of privacy should anyone be able to expect in a situation like this.  Have celebrities, by their very status, given up any expectation of privacy in any circle of life?  It's interesting to ponder whether there is a sliding scale of privacy which is inversely proportional to how famous (or rich?) someone is. 

To me - that seems to be an equivalent of (Security Through Obscurity) (call it Privacy Through Obscurity) which doesn't really sit very well.  If we really want privacy to be protected we need to make sure that it is actively defended, rather than gradually eroded as someone becomes more "interesting".
 
 
Twitter has recently rolled-out a new feature - the ability to create sub-groupings of people that you follow, and share them with other users.  This has a number of useful benefits, including the ability to be able to group people into certain subject areas (for example, you might have a list of people that you work with, and another one for friends outside work).

Let's start with the good privacy feature that has been build into the current version of lists - the ability to mark lists private or public.  This is a sensible idea and has been implemented in a way that is easy to use (although we would prefer it if the default was for lists to be private rather than public - but this does seem a little like splitting hairs!)

Unfortuntely - the way that the lists have been set up currently are open to a number of forms of abuse.  The primary reason for this is because a user does not have to authorize being added to a list.  i expect that this is a useful (and necessary) feature for the top-ranked users, who could be added to hundreds or thousands of lists and would not want to have to accept every single request to add them.

On the other hand - this does mean that people can add you to lists without your permissions - and some of the following could occur:

1.  You are added to a list that gives away some information which you didn't want shared (e.g. parents of XYZ Middle School) - this could be significant information leakage, dependent on which lists you are added to.
2.  You are added to a list that isn't relevant to you (not so bad)
3.  You are added to a list maliciously or acciedentally that is damaging to your reputation (e.g. Registered Sex Offenders)

There needs to be a trade-off here.  On one hand, we could subject everyone to "list spam" and render the feature next to useless.  On the other hand, there could / should be some better tools to manage what lists you are on, and to remove yourself.

Although lists "follow" you in the same way as people do - you can't seem to block the list, just the person who created the list.

It's a brave new world out there.  Would be interested to hear others experiences and thoughts on this.
 
 
Does someone's right to privacy end once they are dead?  In the US, we do not have a constitutional right to privacy in the same way that Europeans do (yet!), but explicit provisions in HIPAA (Health Insurance Portability and Accountabilty Act) maintain that information about an indivudual should be maintained as private after their death, but other regulations such as the Freedom of Information Act may conflict in certain situations, in addition to free speech rights guaranteed under the First Amendment.

In the EU, the right to personal privacy explicitly survives death

Some interesting links around this subject can be found at:

Is there privacy after death?
Privacy after death debated.

Some more thoughts on this topic from Rebecca Herold (@privacyprof) who had written a couple of thought pieces around this topic here and here
 
 
Interesting article this week in the IAPPs Privacy Advisor which talks about the ethics of Googling someone, which got me to thinking.

Even a couple of years ago - before social networks really caught on - this question wouldn't really have been asked.  Unless you were a celebrity or information about you was available through other channels such as magazines - Google wouldn't have had a great deal of additional information to add.  That has certainly changed over a relatively short period of time, particularly since Social Networks like Facebook started exposing more of the data that they had collected about people outside of their own network so that search engines could see it.  Anyone who has tried to manage their Facebook privacy settings will know that these are far from being easy to use and it is easy to see how people unintentionally expose information to the world that they intended to keep just within a network of a few friends.
 
Which brings us back to the Ethics of Googling someone.  While this blog thinks that things that are posted onto the public Internet, such as this blog, are fair game for anyone to stumble upon or find, there are some types of information that people have an expectation to be kept private, which unfortunately is not always met.  And then, there are to our mind the practices that are completely unreasonable invasions of privacy. 

The worst example that I've seen of this to date (although I'm sure there are others) was brought to our attention viaTwitter (thanks @ChristianVW for the heads-up).  The City of Bozeman, Montana has decided that just doing a Google search on a potential employee is not enough.  They have been asking for usernames and passwords to prospective employee's Facebook and other social networking accounts.

The quote that I thought best summed up this sorry affair was prompted by a local radio station.  "One thing that's important for folks to understand about what we look for is none of the things that the federal constitution lists as protected things, we don't use those," said attorney Greg Sullivan.  Basically - give us access to everything and trust us to use it properly.

Sorry - that doesn't cut it with us, and I suspect with a lot of readers of this Blog feel the same way.  At a minimum, Bozeman should engage someone who actually does understand Internet and Privacy law and rethink how they run their background check process.  Beyond that - anyone who has handed over any passwords should change them immediately.

We'd be interested to hear of any other employers who are trying similar tactics.  Please comment and let us know.