This year already looks like a big one for evolution on thinking about privacy

Only about a week into 2010 and already there are some very public indications that the current attention on information privacy, especially on the Internet, is likely to result in more visible changes in the way online companies, users, and the U.S. government think about privacy. Coincident with a question we posed a few days ago about whether heightened sensitivity about personal information disclosure on Facebook (as well as other sites and forms of social media) would result in changes in user behavior, Facebook CEO Mark Zuckerberg observed in an interview with Michael Arrington of TechCrunch that social norms about privacy and users’ comfort level with disclosing and sharing more and more personal information online have shifted dramatically in the relatively short time since Facebook began. (The relevant question and answer are the second of the interview, starting about 2:30 into the video recording.) Zuckerberg used this evolution of social norms in part to justify the significant step recently undertaken by Facebook of changing the privacy policy and default information disclosure practices for all of its 350 million users. This line of explanation might seem disingenuous given the regular disputes over privacy that Facebook has had, both in the U.S. and internationally, but given the enormous popularity and continued growth of Facebook, you have to ascribe the company some credibility for producing products and services that attract a broad user base. It’s possible, of course, that the continued heavy use of Facebook in spite of its history on privacy is an indication less of a societal shift in the desire for privacy protection brought about through the rise of social networking than of a simple failure by many users to pay any attention to privacy policies, whether Facebook’s or those of other online sites.

The disconnect between disclosure of privacy policies and practices and user awareness of those policies despite their conspicuous publication is a fundamental flaw in current rules under which online organizations must give notice to users about privacy policies and related practices such as information collection. The Federal Trade Commission, through its chairman Jon Leibowitz, has gone on the record suggesting that the current model of “advise and consent” — in which companies post their privacy policies and users who visit or conduct transactions online with those companies are considered to have given implied consent — isn’t working. Leibowitz and the FTC Bureau of Consumer Protection’s David Vladeck say they are looking at alternatives to the privacy policy disclosure practices, with an eye to coming up with options by this summer. One idea sure to get more detailed examination is a shift to an explicit opt-in model, as opposed to the opt-out approach that dominates privacy consent today in the United States. The FTC might want to look to practices in the European Union, which late last year moved to adopt a fully opt-in model on cookies. There is certainly a usability trade-off with strict opt-in requirements, as infrequent users of sites may not be interested in the additional time and effort required to read opt-in notices, and may instead choose not to proceed or answer affirmatively without knowing the terms to which they have agreed. Many e-commerce sites face this same sort of trade-off when determining whether user registration is required to complete an order transaction. In cases where users are willing to register with a site, it’s hard to imagine that the extra step of opting in to data collection and usage practices will present too much of a burden, although there’s some justified skepticism about how closely anyone will look at privacy policies and terms of use, even with opt-in.

NHIN begins to look at user-level authentication

During the 2008 trial implementations process and subsequent limited production operation of the Nationwide Health Information Network (NHIN), health information exchange between two participating entities relies on authentication at the entity (that is, organization) level, rather than at the individual user level. For the trial implementations, participating organizations were issued X.509 certificates from a single, centralized certificate authority in a public key infrastructure supporting authentication, basic authorization (there is a presumption that any authenticated request is authorized to receive the information being requested), and non-repudiation of origin. One of the security gaps identified during the trial implementation process was the future need to extend authentication and authorization to individual users, rather than the organizations with which they are affiliated, potentially including hundreds of millions of citizens, should the current administration’s vision for widespread adoption of electronic medical records and personal health records come to fruition. There are many technical and functional alternatives available that might be used to provide individual user authentication for health information exchange, but the only consensus seems to be that a solution relying on a single certificate issuer cannot scale to meet the need.
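As an added illustration of the entity-level model described above (example code written for this post, not NHIN or vendor code): one central root issues organization-level certificates, a relying party authenticates a peer by chaining its certificate to that single trust anchor, and the authorization decision is made explicit rather than presumed from successful authentication. All names and the policy table are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue creates and parses a certificate for a fresh key; a nil parent makes it self-signed.
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil { parent, signer = tmpl, key } // self-signed root signs with its own key
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// NewRootCA models the single, centralized issuer of the trial implementations (constructed here).
func NewRootCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	return issue(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Trial CA"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
}

// IssueEntityCert issues an organization-level certificate: the subject names the entity, not a user.
func IssueEntityCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, org string) *x509.Certificate {
	cert, _ := issue(&x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{Organization: []string{org}}, KeyUsage: x509.KeyUsageDigitalSignature}, ca, caKey)
	return cert
}

// AuthenticateEntity chains the presented certificate to the single trust anchor and returns
// the authenticated organization name; it decides nothing about authorization.
func AuthenticateEntity(root, presented *x509.Certificate) (string, bool) {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := presented.Verify(x509.VerifyOptions{Roots: roots}); err != nil || len(presented.Subject.Organization) == 0 {
		return "", false
	}
	return presented.Subject.Organization[0], true
}

// AuthorizeRequest makes the decision explicit instead of presuming that any authenticated
// request may receive what it asks for (policy table constructed for this example).
func AuthorizeRequest(org, resource string) bool {
	policy := map[string]map[string]bool{"Example Hospital A": {"patient-summary": true}}
	return policy[org][resource]
}
```

The second check in the test, a certificate from a different issuer being rejected, is the property that breaks down once there is no single issuer to trust, which is the scaling problem the workgroup identified.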

Last week, the NHIN workgroup of the Health IT Policy Committee met to hear testimony from public and private sector representatives on current activities on authentication and identity management, and to begin considering options for user-level authentication with the NHIN. As a federally led initiative, any NHIN authentication model must be consistent with appropriate government standards on electronic authentication, most importantly NIST Special Publication 800-63, which specifies a four-level e-authentication framework against which online systems must be assessed. Given the sensitivity of health record data, security evaluations to date have suggested the NHIN falls under E-Authentication Level 3, the requirements for which include strong authentication and lay out specific requirements for identity proofing and subsequent authentication and authorization decisions. Any time the general public is considered part of the potential user base, e-authentication standards become complicated, as it is not uncommon for individuals to conduct online transactions infrequently, posing challenges related to credential issuance, maintenance, and retrieval, as well as cost and logistical considerations about software or hardware token distribution. Among the vendors most likely to have answers to these challenges is Anakam, whose two-factor authentication solution leverages existing personal devices such as mobile phones as an alternative to purpose-specific smart cards or other hard tokens, and who was an active participant in the NHIN trial implementation process. Regardless of the technical solutions ultimately chosen, the fact that attention has turned to user authentication for the NHIN is a noteworthy development in itself. There remain a lot of moving pieces relevant to any solution in this area, including in-process revisions to the e-authentication guidance (a topic for another day), so this will be an interesting process to watch as it evolves.

A few practical ideas for protecting privacy while computing

With all the recent talk about personal information disclosure and the threat of identity theft showing no signs of abating, it’s useful to remember that there are a variety of free tools and routine practices that can help limit the amount of personal or potentially personally identifying information you disclose, especially information you may be revealing unintentionally. Protecting privacy in this vein covers two primary areas: computer clean-up and online privacy.

Computing best practices have long recommended regular maintenance of personal computers that includes removing old, unused, or fragmented files, and removing traces of programs that may have been left behind when the programs were deleted, even when using the un-installation features included with the programs. These recommendations have largely been justified in terms of optimizing performance, particularly on Windows operating systems, because too much computer clutter can slow operations. More recently, recommendations of this sort have been cast as security and privacy measures, working to reduce the potential for identity theft and to protect users from computer forensic investigation tools. Some of the freely available tools often recommended for these clean-up activities, such as CCleaner and Eraser, fill one niche need for people looking to dispose of or donate old computers. The increasing frequency with which forensic scanning tools are used has provided another use case for these tools.

The most recent versions of Mozilla Firefox (since v3.5) and Internet Explorer (since v8.0) make it pretty easy to keep evidence of online behavior off client computers, essentially preventing the local storage of much of the information that a utility like CCleaner looks to remove. Removing traces from a computer is a much simpler matter than preventing the disclosure of potentially personally identifiable information, such as IP addresses, when users go online. In this arena most attention is focused on the use of web browsing proxies, which effectively enable anonymous browsing; plug-ins for Firefox, Internet Explorer, and Safari are available to add anonymous browsing functionality (generally via proxy) within the browser itself. There are many reasons users seek anonymity while browsing, but the justification for masking identity when surfing online has been strengthened by the increasingly frequent use of online behavior tracking, notably including storage and retention of browsing and search query history by major search vendors such as Google. Partly in response to this trend, anonymous search engines such as StartPage offer private Internet searching, promising specifically that no user IP addresses are logged.

While it is certainly helpful that so many tools and services are available to help maintain digital and online privacy, the overall message remains that the onus is on the user to take steps to limit disclosure of personal information.

Information sharing actions in the name of national security test international privacy laws

The Secure Flight program recently implemented under the authority of the Transportation Security Administration (TSA) is raising a number of privacy issues not just in the United States, but also in foreign countries whose privacy laws may run counter to the information sharing required by the program. Secure Flight requires air carriers to collect a variety of personal information about passengers in advance of travel, in order to facilitate the comparison of ticketed passengers to terror watch lists such as the no-fly list. It is intended both to reduce the number of false positives (that is, individuals mis-identified as being on a watch list, due to factors such as name similarities) and to improve the efficiency of the matching process, which ostensibly will help avoid false negatives such as the recent high-profile incident on Christmas Day in which a known person of interest was permitted to board a U.S.-bound Northwest Airlines flight and attempt to carry out an act of terrorism. The program pre-dates this latest incident by several months, and while no one has yet suggested that the Secure Flight program would have prevented the incident, the program is receiving a lot of attention due to the timeliness of its rollout.

One consequence of the Secure Flight program is the requirement for foreign air carriers to share passenger list data with the United States (currently this applies to flights landing in or taking off from the U.S., but is intended to include flights entering U.S. airspace, whether or not they have a termination point here). Carriers based in other countries have complained that sharing personal passenger information with the U.S. may be prohibited by non-U.S. national data privacy laws. For instance, while overflights from Canadian and Mexican points of termination are not currently subject to Secure Flight, a Canadian air carrier association is arguing that providing the data required under Secure Flight violates the Personal Information Protection and Electronic Documents Act (PIPEDA). This conflict between U.S. national security intentions and international privacy laws is not new; a similar program initiated in 2004 for sharing passenger name records between European Union countries and the U.S. required extensive negotiations in order to settle on a set of data elements acceptable to the European Union and its data protection provisions and to extend certain provisions of the U.S. Privacy Act (which explicitly applies only to U.S. citizens and permanent resident aliens) to non-U.S. passenger name record data. The specifics of personal data protection laws vary greatly among different countries, but in the case of those in the European Union, under OECD privacy guidelines for transborder flows of personal data and the 1995 Data Protection Directive (95/46/EC), countries are only allowed to send personal data to other countries with comparable data protection laws. With passenger name records, legal arguments continued for several years until a compromise was reached in 2007, but this agreement only covers personal data in passenger name records; sharing of personal data more broadly with the U.S. remains legally problematic for organizations in many foreign countries.

Continued focus on compliance rather than effectiveness is driving the market

In a story widely reported last Monday, enterprise software giant EMC Corp. announced its pending acquisition of the private company Archer Technologies, a vendor of IT governance and compliance solutions. EMC plans to make Archer part of its Security division, which itself was primarily created through EMC’s acquisition of RSA in 2006. Among the most compelling aspects of this story is a statement by Art Coviello, president of EMC’s security division (RSA), who explained RSA’s market perspective as follows:

“Traditional security management focuses primarily on addressing technology issues, but our customers are telling us that their real challenges are in the areas of policy management, audit and compliance. You can’t manage what you can’t see. The Archer solution not only offers the visibility into risk and compliance that customers need, it brings stronger policy management capabilities to the RSA portfolio. The end result is customers are able to better manage their security programs and prove compliance across both physical and virtual infrastructures, and effectively communicate to the business.” (emphasis added)

So, to take the word of a leading security vendor, what customers say they need is help with compliance. To call this unfortunate greatly understates the issue, but it seems that the consistent emphasis of legal and regulatory schemes on security compliance — rather than effectiveness — is driving the market in a direction exactly opposite of where it should be going. While both government and commercial sector security approaches have been slow to recognize the deficiencies of compliance-based security, more and more emphasis is starting to be (correctly) placed on continuous monitoring and event correlation, often in the name of achieving greater levels of situational awareness. In light of these trends, it is disheartening, if not surprising, to hear that those obligated to follow compliance-based security approaches apparently now prioritize demonstrating compliance and passing audits over enhancing security. Let’s be crystal clear: being in compliance with a security scheme that doesn’t measure overall security posture or security control effectiveness tells you nothing about how secure you are. Unless and until the regulatory requirements are revised towards controlling risk, mitigating threats, and testing security effectiveness, security programs are hung out to dry, with compliance having the greatest business visibility (at least until a major breach, outage, or other security incident occurs). Security managers have a hard enough time justifying security investment in economic terms; as long as compliance is the most tangible goal, compliance approaches will continue to take precedence over less emphasized but more significant efforts to actually improve operational security.