Showing posts with label regulations. Show all posts

Monday, March 17, 2008

Relative Position and Privacy


Ed Felten recently wrote two posts on the failure of the marketability of privacy, and how corporations and consumers should respond. According to Felten:

There’s an obvious market failure here. If we postulate that at least some customers want to use web services that come with strong privacy commitments (and are willing to pay the appropriate premium for them), it’s hard to see how the market can provide what they want.
In the follow-up, Felten describes a standard contract and a sort of privacy escrow protocol to protect individuals against the desperate actions of a cratering start-up.

The more I read and think about privacy, the theory that an individual's privacy has a value that can be exchanged on the market becomes less and less compelling. Frank Pasquale wrote at Concurring Opinions that in the market model, you trade your privacy for efficiency and convenience, using Gmail as an example:
[C]onsider the type of suspicions that might result if you were applying to a new job and said "By the way, in addition to requiring 2 weeks of vacation a year, I need to keep my email confidential." The bargaining model is utterly inapt there. . . . just as it would have been for women to "bargain" for nondiscrimination policies, or mineworkers to bargain, one by one, for safety equipment.
He concludes that people who trade their privacy will outcompete those who do not, and that "[a] collective commitment to privacy may be far more valuable than a private, transactional approach that all but guarantees a 'race to the bottom.'" The paper he cites on cost-benefit analysis and relative position was interesting (to me at least) when read in terms of privacy. From the abstract:
When a regulation requires all workers to purchase additional safety, each worker gives up the same amount of other goods, so no worker experiences a decline in relative living standards. The upshot is that an individual will value an across-the-board increase in safety much more highly than an increase in safety that he alone purchases.
"Privacy" can be substituted for "safety." Can "security" also be considered in this context? Is it already?

Wednesday, July 4, 2007

The Easy No


From Concurring Opinions, this commentary on a recent New York Times article on Hypercompliance on the HIPAA front. Health care folks have been intimidated into denying access to PHI to people who have legitimate inquiries and a legal right to it.

This type of behavior is born of fear and a poor understanding of rules filtered through complicated reports written by obfuscating contractors. It seems reactionary and unreasonable, but it is a means to the safety only an ass well-covered provides. As Mr. McGeveran points out, "it is always easier to say 'no' than to figure out how to say 'yes.'" I believe mistaken "safe" attitudes like this are often how security policies end up being implemented, and they are difficult to purge once they become corporate folklore.

The "easy no" is not uncommon in security management, and enables ten thousand wannabe Kip Hawleys to exercise passive aggressive nonsense in its name.

Beats thinking.

Tuesday, June 19, 2007

New Concepts in Data, Compliance and Marketing or The Overly Dramatic Truth


Like the rest of the world, I read J. Cline's article on the upcoming data eclipse while listening to El P's I'll Sleep When You're Dead, which is the best way to read it.

J. Cline is prophesyin' the impending darkness where all corporations will crumble 'neath the cleated boot of data governance.

Mr. Cline identifies the signs of the data eclipse endtimes: Ford has abandoned autos to focus on quality improvement. Wal Mart has unburdened themselves of the lucrative Chinese tube sock trade for supply chain management. In the post-eclipse world, we must surrender control of our enterprises to the wanton desires of regulators, lawyers and audit chimps such as myself. We no longer make the decisions, but wait for them to be passed down from these distant parties who ponder our fate far from the red meat and hot breath of corporate operations. It's not the moon, after all, but the pointing finger of compliance and legality we should focus on.

I may have been born yesterday, sir, but I've been up all night. Like a diamond bullet between the eyes, I was struck with an aces-on Notion (with a little backing I think I could turn it into an Idea) which will make me the fortune I frankly deserve. A methodology that will empower the document generating wherewithal of ten thousand legions of certified information control professionals.

I will call it the Compliance Legal Object Audit Client Architecture: CLOACA. Look for my booth at a tradeshow near you.

CLOACA: You'll Be Surprised What Can Come Out Of It!

Monday, May 7, 2007

Throwing Scorpion Out With the Frog Water


Declan McCullagh says that the federal government is unlikely to implement the National Research Council's privacy recommendations, in particular, a privacy commissioner, because it isn't in the federal government's scorpion-like nature. Ars Technica also has coverage. (And why must it always be a czar?)

The US is having the same issue with privacy legislation that it had with television resolution. We adopted early, because we needed to see our Felix the Cat on the airwaves, and 441 lines of resolution were all that NBC in 1941 could muster. Likewise, the privacy principles developed by the US government in the 1970s were developed too soon, when databases were just creeping out of the punch card era. US privacy law ends up like broadcast TV sets - an archaic lo-res standard, while other parts of the world lagged behind but adopted a more advanced standard. Think of Europe's Privacy Directive as PAL.

From what I've read of the NRC's paper (the Executive Summary), it seems they are going for a full blown HiDef 1080p Dolby Surround sort of privacy regime. Just as the networks dragged their feet on the 441 lines of resolution until they were forced to move ahead with HD by the FCC, so will industry drag their feet on privacy until a privacy czar, prince or archbishop cajoles them into the 21st century. I'm being optimistic, but at least the frog was committed.
Lo-Res Felix from FelixtheCat.com

Tuesday, March 20, 2007

Auditing Privacy Part 1 - Ethics and the Canon

It would comfort many compliance auditors to discover the ultimate checklist and tear after their organization's privacy program, collecting tick marks and developing the dreaded deficiency finding. I say to them, "Google is your friend." For the more enlightened internal auditor, the first step in evaluating their organization's privacy practices should be a step back.

The Canon
There are best practices, and there are benchmarks. There are torts, laws, and rational fear of the irrational regulator. However, for most every auditable area there is also The Canon. Take a file to the gilded crust of Sarbanes-Oxley and the PCAOB (and all their works and all their ways), and you eventually uncover the Generally Accepted Accounting Principles. Take a snowblower to the myriad layers of dust and ash of the Code of Federal Regulations. If you squint and hold your head just right, you'll see a vague outline of the Decalogue. And somewhere below the ornate filigree and baroque ornamentation of HIPAA, Gramm-Leach-Bliley and SB1386 is the shape of the Fair Information Practices of the US Department of Health, Education and Welfare, 1973.

From the link above, here are the five practices of the modern privacy canon:

  1. Collection limitation
  2. Disclosure
  3. Secondary usage
  4. Record correction
  5. Security
These five principles will be your mantra for your audit. They will guide your questions and inform your issues. Advanced practitioners may choose from the following according to their path:

The AICPA's 10 Generally Accepted Privacy Principles

The OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data


The Ethos
Like the Torah, the Sermons of Buddha, the Qur'an, the Gospels, or Fermat's Principle, a canon is only meaningful if applied. You must ask the CEO, the CIO, the Chief Marketeer, the General Counsel, and listen, and interpret their answers accordingly. Are the principles used as values to guide their decisions, obstacles to be worked around, or are they simply unknown? Read your corporate policies regarding privacy. Do you see in them evidence of the Fair Information Practices, or do they appear to be more oriented to a specific set of industry specific regulations? Interview the folks who handle the data. Do they treat the data with the care they would treat their own? The answers to these questions will begin to lead you to determining if your organization has the ethical basis for a privacy program.

What Does This Mean?
A compliance oriented organization may maintain reasonable concordance with Fair Information Practices without even knowing what they are. However, the organization may be reactive, and inefficient. The organization's privacy direction will be dictated by outside entities, rather than developed within.
An organization with a firm foundation in privacy practices, coupled with an ethical duty to privacy, will be more efficient, more effective, and retain a better reputation in the face of an incident.

Thursday, March 8, 2007

SSN Panic, Texas Style


Here's the Computerworld run-down. And here's the Attorney General's letter (worth reading) and the proposed bill to change the law, Texas HB 2061, so that all the county clerks don't get thrown in jail.

The AG letter says it in fourteen different ways: NO, YOU CANNOT RELEASE SSNs, quoting an imperial raftload of laws, state and federal, why, and why you should even be asking the question. The clerks need to grab a big ol' Sharpie and start their redactin'. Shut down your infonet tube, and stop selling your goods to some skanky information brokers from the desolate wasteland known as "Not Texas." Good on the OAG. Shame on the collective elected doofi that are trying to find them an out.
I can only take solace in knowing the traditional efficiency and effectiveness of Our Lege.

This fiasco is an example of why privacy principles, rather than mere compliance, are important to an organization. Even if the Ft. Bend clerks were ignorant of the law, they reflected a disregard for the citizens they are charged to serve.

Sunday, February 25, 2007

Everyday Privacy and Security: The Drug Store

After a conversation with a friend, I thought I'd cite some examples of how privacy and security impact day-to-day life. Here's the first in the series; though I admit, dissecting the CMEA would take more effort than I have time to fully understand. My ear is still ringing and Battlestar is on in 20 minutes.

The scenario:
Last week I went to see the doctor about my tendinitis and a persistent ringing in my right ear. I rarely go to the doctor, so you must take my word that these were annoying, persistent and painful conditions, resulting in grouchiness, restlessness, nonsensicalitude and Irritable Spouse Syndrome (ISS). I was processed through the HMO machine like a burger at Jack in the Box, with a shot of cortisone in my arm and an Rx for some OTC pseudoephedrine.

At Walgreens, I scan the aisles for Sudafed, a rare purchase since I'm not normally an allergy sufferer. I pick up a card for the store-branded Wal-Phed and head over to the pharmacy. The pharmacist asks for my driver's license. I show it to her, figuring it is an age requirement. She asks me to take it out of my wallet. I hand it to her, and she types my information into the cash register. She asks me to sign what looks like a receipt. What for? I'm paying cash. It's the law. It's for the Wal-Phed. So I pay her the $3.50 or so, grab the receipt and my license, and leave.

What Just Happened Here:
An ingredient in the Wal-Phed is used to manufacture bathtub methamphetamines (speed/crank). To stem this scourge, the Combat Methamphetamine Epidemic Act (CMEA: part of the USA PATRIOT Act Reauthorization of 2005) placed additional controls on retail sale of ephedrine, pseudoephedrine, and phenylpropanolamine.
Consumers have to show ID and be tracked by retailers so they get just enough to take care of their stuffy nose, but not enough to start up a meth lab. The retailers have to protect the privacy of their congested customers according to the law, thusly:

(C) PRIVACY PROTECTIONS.—In order to protect the privacy of individuals who purchase scheduled listed chemical products, the Attorney General shall by regulation establish restrictions on disclosure of information in logbooks under subparagraph (A)(iii). Such regulations shall— (i) provide for the disclosure of the information as appropriate to the Attorney General and to State and local law enforcement agencies; and (ii) prohibit accessing, using, or sharing information in the logbooks for any purpose other than to ensure compliance with this title or to facilitate a product recall to protect public health and safety.

The Data Walgreens Now Has On Me:
Well, my name and my Texas Driver's License information (DOB, address, glasses wearer, motorcycle rider). According to the DEA website, I could also show my passport, or, if I were under 18, my report card. They also know that I bought Wal-Phed and paid cash.


What About the Data Now?
Good question. The CMEA states that the retailer has to keep it for 2 years. There is also a raft of conflicting state laws, some requiring the logbooks to be kept electronically. The retailers' association raises concerns regarding HIPAA, tracking consumer behavior (e.g., can Walgreens send me a coupon for Wal-Phed now?) and real-time tracking versus logbook maintenance. Ever since it went behind the counter, pseudoephedrine sales have decreased, so does it really matter anymore?

Everyday Privacy For Me?
Walgreens knows I ride a motorcycle because my ear rings.
This data for a cash transaction will be maintained for two years.
It may or may not be subject to any privacy rules, depending on when/if the DEA writes the regulation.
I may have no recourse if Walgreens decides to use the information in a way to which I haven't consented.
I may have no recourse if Walgreens loses, misplaces, or sells the information to unsavory third parties.
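The logbook rules the post walks through (collect only what the log needs, use it only for the purposes the privacy clause enumerates, keep it two years) can be modelled directly. This is an added example, not code from the post or from any retailer; the field names, the purpose labels and the sample license data are constructed assumptions, not the DEA's actual regulation.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed purposes, paraphrasing clause (C)(ii): compliance checks, product
# recalls, and disclosure to law enforcement. Anything else is refused.
ALLOWED_PURPOSES = {"compliance_check", "product_recall", "law_enforcement"}
RETENTION = timedelta(days=2 * 365)  # CMEA: retailer keeps the log two years


@dataclass
class LogEntry:
    """Only the fields a logbook needs; nothing else from the ID card."""
    name: str
    address: str
    id_type: str      # e.g. "drivers_license" or "passport"
    id_number: str
    product: str
    grams: float
    sold_on: date


class Logbook:
    def __init__(self) -> None:
        self._entries: list[LogEntry] = []

    def record_sale(self, id_card: dict, product: str, grams: float, sold_on: date) -> LogEntry:
        # Collection limitation: copy named fields only, so extra card
        # attributes (endorsements, restrictions) are never stored.
        entry = LogEntry(id_card["name"], id_card["address"], id_card["id_type"],
                         id_card["id_number"], product, grams, sold_on)
        self._entries.append(entry)
        return entry

    def purge(self, today: date) -> int:
        # Retention: drop entries older than the two-year keep period.
        before = len(self._entries)
        self._entries = [e for e in self._entries if today - e.sold_on <= RETENTION]
        return before - len(self._entries)

    def query(self, purpose: str, today: date) -> list[LogEntry]:
        # Secondary usage: a marketing lookup (the coupon question) is refused.
        if purpose not in ALLOWED_PURPOSES:
            raise PermissionError(f"logbook access denied for purpose {purpose!r}")
        self.purge(today)
        return list(self._entries)


def demo() -> dict:
    # Constructed sample: a license with attributes the log must not keep.
    card = {"name": "J. Doe", "address": "1 Example St, Austin TX", "id_type": "drivers_license",
            "id_number": "TX-PLACEHOLDER", "endorsements": "motorcycle", "restrictions": "corrective lenses"}
    book = Logbook()
    entry = book.record_sale(card, "Wal-Phed 30 mg", 2.4, date(2007, 2, 20))
    book.record_sale(card, "Wal-Phed 30 mg", 2.4, date(2004, 12, 1))  # stale entry
    try:
        book.query("marketing", date(2007, 2, 25))
        denied = False
    except PermissionError:
        denied = True
    visible = book.query("compliance_check", date(2007, 2, 25))
    return {"stored_fields": set(vars(entry)), "marketing_denied": denied, "entries_visible": len(visible)}
```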

Tuesday, February 20, 2007

With The AM Radio On


The imperial raftload of opinions on who really is the victim of credit card fraud, stemming from the Boston Globe article on the legislative reactions to the Stop and Shop Skimming Shenanigans, is centered around this quote as much as any:

"If this legislation passes, all retailers, all companies, and all banks will know they'll be responsible for absorbing every cost associated with a data breach."
Of course that quote doesn't make a whole lot of sense once you parse it; it just seems to be pluralizing the victims in a bizarre twist on bystanderism, i.e., if we're just going to sit around and watch the crime happen, let's all be victims!

Most puzzling to me are the voices of the outraged merchants on the Slashdot thread, sounding too much like a hoodlum's fence pleading ignorance to the cops on the legal state of goods in his possession. The merchants are no doubt getting the shaft in the current credit card fraud scheme. They may not have the financial resources and high-powered lobby that the banks and credit card outfits have, but the merchants do have the capacity to do more to validate a transaction than to make sure the magnetic strip is functional. Are credit card transactions getting to the point where they need to be validated as vigorously as a personal check? Remember those?

I see a business opportunity here. Heck, I'm in love with the modern world and I'll be out all night.

Tuesday, January 23, 2007

Buzzword Compliance or Compensating Controls


From the most recent SANS e-mail newsletter, this article from Computerworld on a pretty minor (all things considered) security incident at a federal retirement fund agency.

The voice of SANS (Pescatore in this case) remarked thusly:

This and the Nordea incident, as well as the huge TJ Maxx compromise, continue to point out how commonplace financially motivated, targeted attacks now are. Attacks change faster than regulations - tunnel vision on being compliant with regulations, whether Sarbanes Oxley, Basel, or PCI, means you will not be looking at processes and architectures that can deal with changing threats.
Pescatore, duuude. Hate the game, not the playa.

First, I don't think any of those regulations really apply to the TSP, except perhaps as amusing pastimes in the off season.
Secondly, what the hunh??? I really don't get what some users getting their accounts hijacked through the client side has to do with a focus on regulations. About a dozen accounts, $35,000 all told. In retirement fund terms, not a whole lot. And since they did find out about the incident, it is possible that some account monitoring controls were in place. So maybe the system worked. And cruising around the TSP site, it looks like they are trying to educate their users.

Unfortunately, whatever cred the TSP folks gained is blown in the following quote:

"External penetration testing has demonstrated that our system has not been breached"

Umm... ? I'd like to see the pen-test firm that signed off on that. Maybe next time you should hire some forensic analysts over for a post-incident discussion. They may give you better results.

Just because you don't have a heavy super-duty NAC/HIDS/NIDS two-factor network with buzzwords du jour and a burled walnut interior doesn't mean that you are so distracted by your Basel II crossword puzzle that your accounting department doesn't notice some oddball transfers. It's all about the compensating controls.