Wednesday, July 18, 2007

Half Baked

What follows are annoying thoughts that have been ground to meaningless gravel in my head for the past month or so. As soon as I think them through, and dismiss them, my brain belches them back up. Committing them to the ether seems the only way to purge them, but I've been wrong before:

Proximity and Privacy: Privacy breaches due to negligence occur when there is a distant relationship between the identity custodian and the individual. Malicious breaches occur when there is a close relationship between the two. (Half baked corollary: Web applications proxy a close relationship with distant actors.)

Metrics Will Be Juked: The compiling of stats is the prelude to the inevitable juking of stats. Observing, recording and reporting the data underlying a performance metric corrodes its value. The reason data that is difficult to access and compile is compelling is because it is difficult to access and compile. Once people realize that their behavior, or the results of their behavior, are being observed and measured, their behavior will change, not necessarily to impact the desired results, but to change the metric. This change will be multiplied if the measure is tied to compensation or perceived to be tied to compensation.

Lone Gunmen Theory of Privacy Risk: Measuring a corporation's loss due to a breach of privacy is futile and meaningless. This loss is not related to the harm to individuals whose privacy was violated. It makes no difference if the data is lost, stolen, or sold, or if it occurred within or without the bounds of the law. I don't see any equation that will match corporate postage, legal fees, data broker accounts receivables, or public relations consulting with personal financial trials, embarrassment, loss of employment, prohibition of travel, or physical detention. Privacy risk is borne by individuals, not corporations. Which is why I was a bit distressed when I read this:

If you are not suffering any damage due to these breaches, then why are you even trying to deter, detect, and respond to them in the first place?
In privacy, it's always the other guy that suffers the real damage.

Now I can concentrate on the important things: sorting out my emotions regarding the preemption of TV coverage of the German GP by live broadcast of Lady Bird's burial and Laguna Seca.

Monday, July 16, 2007

Privacy is a Technological Imperative

My seasonal July funk has been working on me and my attitude, but not so much that I can't find some perverse humor in the slashdot discussion on privacy as a biological imperative.

Ms. Sweeney's correlation of privacy to the stealth required by the predator to stalk and consume prey was latched on to by the /.ers like an antelope at a watering hole. I don't see it myself. There is a fundamental difference between the biological need to eat and the personal need for privacy. The development of information technologies creates the need for personal identity, and creates the tools to destroy it. Examples include the portable camera (which drove Warren & Brandeis to define the right to privacy in the context of the US Constitution), the telephone, punch-cards and TCP/IP.

These aren't new or original thoughts, but just how I see it.

Lion enjoying a private moment courtesy hannes.steyn.

Wednesday, July 4, 2007

The Easy No

From Concurring Opinions, this commentary on a recent New York Times article on Hypercompliance on the HIPAA front. Health care folks have been intimidated into denying access to PHI to people who have legitimate inquiries and a legal right to it.

This type of behavior is born out of fear and poor understanding of rules filtered through complicated reports written by obfuscating contractors. It seems reactionary and unreasonable, but it is a means to the safety only an ass well-covered provides. As Mr. McGeveran points out, "it is always easier to say 'no' than to figure out how to say 'yes.'" I believe mistaken "safe" attitudes like this are often how security policies end up being implemented, and they are difficult to purge once they become corporate folklore.

The "easy no" is not uncommon in security management, and enables ten thousand wannabe Kip Hawleys to exercise passive aggressive nonsense in its name.

Beats thinking.