C. Warren Axelrod

O Privacy, Privacy, Wherefore Art Thou Privacy?

After you read an article by Louis Menand, with the title “Nowhere to Hide: Why do we care about privacy?” in The New Yorker of June 18, 2018, you come away with the sense that the game is over, and the populace has lost. The article is also available online under the title “Why Do We Care So Much About Privacy?” (note the subtle difference—emphasis added) at https://www.newyorker.com/magazine/2018/06/18/why-do-we-care-so-much-about-privacy

The truth of the matter is that most people don’t seem to really care about privacy except if and when they are hit with a bad situation, such as identity theft or account takeover, and then they care a lot. But more on that later …

I particularly liked the description of the various flavors of privacy that Menand’s article quotes from Sarah Igo’s book “The Known Citizen” (which, incidentally, is almost 600 pages in length), as follows:

“Privacy is associated with liberty, but it is also associated with privilege (private roads and private sales), with confidentiality (private conversations), with nonconformity and dissent, with shame and embarrassment, with the deviant and the taboo …, and with subterfuge and concealment.”

These various flavors of privacy are generally different from what InfoSec folks are most interested in, which is DATA privacy. The other forms of privacy have been around for a long time, some for millennia, but data privacy in today’s electronic era is new in that one can steal electronic data, often without a trace, while leaving the source data intact. And the copy of the data is a true facsimile of the original data. Also new is the ease with which the stolen data can be distributed electronically and used for business purposes—some (questionably) legal, such as marketing, and others illegal and nefarious, such as identity theft and fraud.

As recent events with Facebook, Google, Apple and others have illustrated, we give up extremely valuable personal information at minimal, if any, cost to the receiving organizations, which then go on to make huge profits from the use of these data. Menand’s article concludes with the following statement:

“… the danger of data collection by online companies is not that they will use it to try to sell you stuff. The danger is that that information can so easily fall into the hands of parties whose motives are much less benign.”

Personally, I don’t think that the marketing applications are so benign. They have been shown to wage psychological warfare on individuals who can become addicted to legal, but intrusive, services being offered.

Elsewhere in Menand’s article, the author claims (correctly, I believe) that the job of “figuring out when law enforcement is crossing the line in getting the goods on criminal suspects is unending because technology is always changing.” I addressed such a concern in the January 2007 ISACA Journal with the article “The Dynamics of Privacy Risk.” In the article, which unfortunately is no longer available on the ISACA website, I describe how privacy issues will become more significant relative to traditional security issues over time as technology evolves.

As a case in point, you should read Alyson Krueger’s article “Like Facebook, but Based on DNA” in the Sunday Styles section of the June 17, 2018 issue of The New York Times. Here we have an exciting new service that allows anyone to get his or her DNA analyzed for a modest sum and, additionally, to have that DNA matched with others who have already submitted DNA. Some recipients are described as “giddy” on receiving information about the many to whom they are related. Others are “alienated” by the results. And yet others might be identified as having committed crimes, as happened with a serial killer who was arrested decades after his crimes were committed based on DNA evidence. Nevertheless, these services are particularly popular with more than 15 million subscribers and counting.

What is not mentioned in the article is the potential for invasions of privacy and the likelihood that the data will be “shared” for financial gain, as has occurred with Facebook, or for nefarious purposes. How secure are these systems? And who will be liable if errors, which could potentially have devastating effects, are made? As usual, cybersecurity considerations are given short shrift when these types of gee-whiz systems are designed, developed and implemented, and this frequently leads to unintended, but sometimes very damaging, consequences.

Let’s chalk this up as just one more area where security and privacy requirements were not specifically stated and addressed in advance … along with those for IoT, autonomous vehicles, social media, etc., etc. It’s a crying shame, but who really cares about security and privacy anyway? Will we ever learn?
