
Jeff Northrop Security BSides Boston 2013 - The State Of Privacy & Proper Planning For The Future

BSides Boston · 41:03 · 89 views · Published 2013-06
About this talk
"The State Of Privacy & Proper Planning For The Future" with Jeff Northrop at Security BSides Boston 2013 in Cambridge, MA.
All video links are available at http://www.bsidesboston.org and http://bit.ly/BSidesBOS
Twitter: https://twitter.com/bsidesboston
Website, Biographies & Agenda: http://www.bsidesboston.org, http://www.securitybsides.com/w/page/12194141/BSidesBoston, http://bit.ly/BSidesBOS
Don't forget to follow us on Twitter at @bsidesboston or tweet to us about the event using #bsidesbos
Video created and edited by Peter Larson (c) 2013 http://vimeo.com/user4206417
Posted by Roy of Security BSides Boston 2013 Team
Transcript [en]

Hello everybody, thanks for coming. I'm Jeff Northrop, I'm the chief technology officer at the International Association of Privacy Professionals. We are a non-profit, non-advocacy organization supporting those who deal with the troubles and woes of information privacy. I know I've got too many times today; my watch is broken, so I'm going to be checking my cell phone. She's going to give me time for evidence, I'll give you one that's 10 and 5 left. All right, I may check this; I'm not checking messages, I swear. Yeah, so, glad to see people showed up. I know this is generally a technical crowd, and this is a historical, policy kind of issue, but I think it's an important issue for

the information security community to better understand, because we're seeing more and more, and I see it among our members, which historically were legal people and then compliance; now we're starting to see more information security professionals among our members, because you're being asked to deal with privacy issues. And so securing the data and getting the okay from your compliance team is not necessarily 100% coverage on privacy issues. So what I'm going to do today is talk a little bit about the history of privacy, very little, and how we got to where we are today, and why there's such an explosion of regulations and so much interest in it,

and then I'm going to walk back through what a privacy program looks like at an organization, how components of it are constructed. So let's kick this off with a brief history lesson. When we go back to 1890 we have Louis Brandeis, who is not yet appointed Justice of the U.S. Supreme Court but is becoming noted for his work to support the common man, authoring an article or an essay in the Harvard Law Review that talks about the risk of a loss of privacy to its citizens from the technology of the day, the new technology of the day. He called it "The Right to Privacy." Anybody want to take a stab at what that technology was?

It's a camera, right. And what he does in this article, you can still go back and read the article, it's fascinating, he cites this case where a group of people were meeting in private, they didn't want to be seen or recognized meeting together, and there was a photograph captured of it, right, and so this was their loss of privacy. And Dan Geer talked about it this morning, the unobservability; I changed the slide because I loved that word. Right, so the fact that they were able to be observed, and it was one of the first times in history where it wasn't one person's word against another that something happened, you were

capturing, there would be physical sense, and, you know, this was not a concern that expanded out to the commonwealth; I mean this was a concern that was among the intellectual elite, academics, judicial people, lawyers. And we see it over and over again throughout history: we see it with the advent of movies, we see it with the advent of television, we see it with the advent of radio, that people are concerned that there's a loss of privacy because they're being observed in a sort of physical way, in ways and capturing ways that they couldn't have been subjected to before. And in 1967 Alan Westin, who is largely considered the grandfather of sort of modern privacy thought, writing a seminal

textbook called Privacy and Freedom, which is still in print today, about the risk of a loss of privacy from, again, the new technology of the day; this is computers, the fact that we were able to gather bits of data about people and corroborate them and correlate them in a way that we hadn't before would be a severe loss of privacy. And that's sort of the way we think about it today. Nobody, I mean we do still think about being photographed as a loss of privacy, but I think in the larger context most of us would think about it in the sense that, you know, the data we have about us can be correlated to expose sequence or

things that we want to be kept private. And Alan Westin was very influential; it wasn't long after that textbook and others that followed, and his public speaking and his role as a professor, that he helped push forward the Privacy Act of 1974. Now if any of you work for the government in some capacity, you're still obliged to follow this; this is the law that limits what governments can do with the personal, the U.S. government I should say, what they do with the personal information they collect. That's still enforced. And if you think back to 1974, people's concern for privacy was the fear of what the government could do,

and we see this throughout. We have the OECD coming out with their Guidelines on the Protection of Privacy and Transborder Flows of Personal Data; I had to take a reference to this thing. It laid out a framework for how personal data should be protected and stored, for the very same reasons that Alan Westin had laid out in 1967. That's followed in the mid 90s by the EU Data Directive, the European Union. Do you know what the Data Directive is? So the EU Data Directive is an incredibly robust set of, I don't want to call it regulation, it's suggested regulations that were drafted in the European Union that would help their citizens be protected from a loss of privacy. And what it does

is it gives incredible control to the citizens of the EU over what companies or republican or other private entities do with the data they collect. So if you hear the privacy laws are tough in Europe, it's because of the Data Directive. And this was a seminal moment, I mean this is 1995 they drafted it, in 1998 it was released, and if you think about where the World Wide Web was at that point, it was in its infancy. And I don't want to get too deep into laws and regulations here because I don't think that's necessarily appropriate, but understand that that directive, when it was set out, is still sort of the high

mark for what a government can do to protect its citizens from the loss of privacy. The U.S. is not near that at all, and actually if you want to look up something interesting, Forrester produces a heat map of privacy laws, and, you know, the hotter it gets the more robust those laws are. If you look around the world, Europe is red hot, and Hong Kong and Singapore and Argentina are red hot; the U.S. is not quite ice cold, that's China, but really cold, right there with Russia. So our laws aren't robust at all, but we do have an awful lot of laws here,

but it's sectoral based, right. So right around the time the EU Data Directive came out we decided to protect our citizens not just from the government but also from health; we get HIPAA, followed by the bad actors around 2000, remember Enron and WorldCom and Adelphia and on and on and on, and the proliferation of data breaches and loss of credit cards; we get SOX and Gramm-Leach-Bliley, and then further to protect students, we've got COPPA protecting children, we've got the Fair Credit Reporting Act, acrosession creating some of that, and on and on. So we had this menagerie of laws and regulations, not to mention it, and Dan Geer

this morning, Dr. Geer talked about the California data breach notification law; that is one of 46 different laws across this land, and I believe he hinted that there were some differences among different states. There are a lot of differences; there were 46 laws among 48 states, all technical assistance privacy in different ways. It's a mess, and the regulations are prolific, and they're very recent. If you look at the history from, you know, Louis Brandeis back in 1890 to 1967, and then from 1967 to the mid 90s, which is the EU directive, to today, it's been a veritable explosion and it's not slowing down. Dr. Geer also mentioned there are 25 bills throughout the Congress right now talking about cyber

security; almost every single one of those has some privacy component to it as well, so they're coming. If I can interrupt with a quick question? Yeah, feel free to take it off live. Can you comment on the level of compliance for the EU Data Directive, which provides more robust parts for citizens, versus the U.S. patchwork approach laws? Do you have an idea what the compliance burden is relative to those two? Can you repeat the question, please, for the recording? Sure, so you want to talk about how difficult it is to comply with the EU regulatory, yeah, they are worlds apart. So there's two things with the EU Data Directive: one is it's a framework,

it's actually not a regulation. So when it was released in 1998, and I'm not going to spend too long, we can certainly talk about it at all times; when it was released in 1998 they intended the European member states to adopt it sort of whole cloth and maybe tweak it a little bit. It was haphazardly adopted and it's like Swiss cheese: so Germany's really robust, and Italy's kind of robust, and France, you know, not so great, and the UK has got its own set of laws. They're very difficult to comply with if you're operating within those countries. If you're just doing transport of data flows, we have Safe Harbor laws here, and for Safe Harbor compliance, and

generally you're okay. The laws here in the U.S. are, we're a libertarian kind of society, so if there's no harm done we're not going to create a law around it. Well, they're using healthcare, you know; oh, they've lost credit card data, we need PCI, you know. Compliance is tough, and I'll talk about how laws and regulations roll into a program so you can work with those. And that sort of leads into my next slide. We're security professionals, we know how to secure the data; securing the data is really important. Any compliance people in here? And so a couple of compliance people we have. Compliance is a growing

function within an organization. Laws and regulations are complicated; we need compliance professionals to help us manage those. Compliance is great too; the two definitely need to work together, right, compliance people. But it still doesn't cover the entirety of privacy, and we have two very recent examples that highlight why that's the case. One is Path, you know, the mobile ads social platform for mobile applications. When they said in their privacy policy that, hey, when you install our application we're going to mine your address book that's on your phone and upload it as part of our installation, it's sort of a two slimy

within a privacy policy, and they put their "I agree, okay," wherever it was, and it did this. When it came out in the public that this is actually happening, I don't know if somebody read the privacy policy or reverse engineered the app or whatever they did, it blew up, it exploded on them, and the FTC came down on them, and very recently they agreed to a settlement. I don't think they actually admitted guilt, but they agreed to a settlement where they are under a 20-year consent decree that requires them to subject themselves to a privacy audit every year and submit the results to the federal level of the future.

You're compliant, right, but they didn't overtly break any laws. And the same thing happened with Google; it's happened to Google a number of times. The most recent one is the Street View of Aqua, right. So they were driving around with their camera on their car mapping things, and one of their engineers decided, you know, we could use this, it would be kind of cool, let's just, pure interest, not really business interest, just curiosity, let's collect the Wi-Fi traffic from unsecured routers on the public streets and not trespassing. And they did, and I don't know if they ever got to the point where they found any interest in it, but when the FTC

got into what they were doing, it came down on them again. Like I said, they recently settled, and again no admission of guilt, but they settled for a seven million dollar fine; they're required to spend some odd millions of dollars on public education for securing Wi-Fi routers, so look for those newspaper articles and whatever else they're going to get out there for securing Wi-Fi routers. And again the same sort of consent decree for a privacy audit, which they were already under for what they did with Buzz and for subverting Safari's third-party cookie preferences. And these are interesting cases, because you can have robust security, you can have

perfect security in that case, you can be really robust with your compliance, and still fall prey to what the FTC is enforcing under. And they're getting more bold about enforcing on this reasonable expectation of privacy of their citizens. All right, so Path and Google both violated a reasonable expectation of privacy; you know, they didn't violate any law overtly. And so that's sort of a cautionary tale, and it leads to why, you know, why all of a sudden is all this stuff about privacy, why is the FTC going more aggressively against companies over privacy, why is it in the major media every single day. Every single day you can find some news in a

major media outlet talking about something about privacy, where even five, certainly ten years ago you saw almost nothing about them. Well, there's two things going on; there's two sort of actors in the marketplace that are growing, and as they grow and they battle each other it's creating an incredible tension. One of those are the general consumers, and I've written part of the statement up here, but consumers currently feel a loss of control of their personal information. That's a very carefully constructed statement, and I want to give credit to danah boyd, a very talented and interesting Microsoft researcher; if you ever get a chance to read her stuff or see her speak, do so.

And I like that statement for one specific reason, because when we talk generally about people fearing a loss of privacy, it often concludes with, well, we just share too much. And I think that's kind of bunk; we share information all the time, and you guys know this, right. And it's not just social media where we share stuff. We know we're sharing information when we're surfing on the web, unless you're using Tor or other foxy or some extraordinary method that no average user would ever be able to implement. We know we're sharing personal information on search engines and other things online; certainly we're sharing information on our smartphones, I think

everybody gets that. We share our personal information with the dumb phones too, right: location data, call history. Anybody have an E-ZPass for your car? You're sharing your personal information with E-ZPass, and with your credit card, and shoppers' rewards cards most definitely, that's why they give those things to you. We share our personal information when we talk to our doctors. So we're sharing prolifically, and all of those services are becoming part of our daily lives; I mean people aren't shying away from them, they're embracing them, and they're growing, they're exploding. So it's not to say that we all have a fear that we're oversharing; it just doesn't pan out, and people wouldn't

be using these things if that was their fear. So when I say they're fearing a loss of control of their personal information, it's not that primary actor that they're sharing with, it's the secondaries, it's the material uses of that data. So you're okay with, you post stuff on a social media platform, but who else has access to it, and where is it being stored, and what purposes are they using it for, and do I have control over that data? I'm sorry, I'm banging your life. And why is it so difficult to answer those questions? You have a question? Well, you had answers. I don't have an answer to the question, because I think

there's a mixed bag here. I think people are not paying attention to what's going on around them. If you're in Facebook and you want to play with any of those apps that come your way, whether it be the yearbook or other sharing, you know, like this, whatever, a lot of those applications have an agreement right up front that says you're agreeing to share everything, not just a piece of your information; they're saying you're giving this application access to all your data in Facebook. Absolutely, and yet people just grab them all the time. That's my point. They're happy to do that, right. So, Facebook's a great example. Yes, you have incredible

control over how Facebook uses your data, within a certain limit, but really they've gone to extraordinary lengths to give you pretty good control over what you're doing. Yeah, people, you know, a billion people now, right, or somewhere close to that, are using Facebook, so that's running; they don't fear that. But when you talk about, well, you know, you're being profiled for advertising purposes, that gives people the heebie-jeebies, that's what creeps them out. And that's why I describe it as a fear of a loss of control over the person. When you share something on Facebook, if Facebook were the only one to have it and you were able to move it back, I

don't, I think people would be okay with that; it's the propagation. Those agreements, though, those agreements say that they have the right to use your information for virtually any purpose, including sharing it out with other partners. I agree with you, and that, you know, that's sort of required by law, to be transparent, but, you know, let's see a show of hands: how many people here read privacy policies?

25 people in here. So even among this community that's small, and I'll speak to communities of privacy professionals and I'll have even less people, right. Even worse, you know, you get the statement annually from your credit card company and your bank; does anybody read those? Actually yes, and yes. You made a very important statement: people want to have the ability to pull the information back. And the key to being Safe Harbor compliant, a key to people's comfort level with our privacy policies, is there are statements within these privacy policies wherein I can pull the information out if I want to. The moment it starts getting into third

parties, they lose the ability to do exactly that, because they're not the ones who gave it to the third parties; the relationship between this company X and this company Y, this company X gave it to those third parties. And so a key challenge to implementing privacy successfully in your own privacy policy is being able to track what you've shared with your partners, so that if your customer comes back and says pull my information back, you have the ability of pulling it back from every place you've shared it with. So this is one of those areas where, I work for a non-advocacy organization so we can't promote certain best practices, that is certainly only one train of

thought, and you see that with the Data Directive. Dan Geer talked about the right to be forgotten, and that's exactly what the right to be forgotten is trying to enforce, because you track, the original collector of the data, the data owner, tracks the data through all its uses so you can pull it all back. Another train of thought, and this is largely the way the U.S. laws, unless you've got health information, financial information, or you're the government, are architected, just requires you to educate the user on what they're doing when they're submitting their information to you, right; that's notice, you have to provide adequate notice. And that's why you see the proliferation of privacy

policies, of which one is the right one, you know, is really an open question. I was signing up for some online service or website and it must have been 100, 110 pages long, and I'm like, I don't have time to read this, I click through it. And I know that bills in Congress are kind of the same thing. And so I will get to the final slide that talks about that tension, because these really hit on it, but, you know, with regard to that, that's where the FTC is going after reasonable expectations. So if you've got something in this size with something like 64 pages on it, it's not reasonable

to expect a consumer to read it. But I'm just going back, you know, about reading the privacy, this is a whole lot in opt-out. I think a lot of people who are signing up for Facebook didn't know they were opting in and sharing so much information. Yeah, I'm not sure if they changed the original way that they were doing it, but I think that when you even signed up you were opting in for a lot of things that you weren't aware of. Yeah. So there are, and there's no way I'm going to get through my entire slide deck at this point; this conversation is great, and I'll make sure I have this slide deck available for you guys, but in the

in the program itself there are accommodations for that, and it specifically talks to it. So, everybody knows what this is, right? Yeah, you know, the 800-53 publication is their security controls. They just updated that with a new revision; it is no longer, it was information security controls for federal agencies, it is now information security and privacy controls, and they add an entire appendix of just privacy controls that really outline what a privacy program should look like. And I'll just make the point now, I was going to make it later, but I think it's important to recognize the significance of that, that they're specifically calling out the information security community to handle

privacy issues for the U.S. federal government. Now a lot of other people voluntarily adopt those NIST standards, but, you know, it's one of those things to watch, whether that's a bellwether again. And I don't know if SANS or certain rules will start including privacy controls; AICPA certainly has something in it. One of the reasons why I'm here is that, I think I said, you guys are being called upon to handle privacy issues more and more. So let me finish this tension. So we've got consumers' fear of a loss of control of their personal data; on the other hand we have the ever-present march of technology, and again Dr. Geer talked about this

morning how it was just easier to keep all the data you had, it was cheaper than to try to analyze it. We have massive amounts of data, and Moore's law has given us the ability to collect and store and process unlimited amounts of data very inexpensively, and there are businesses built around this; it's a big data thing, right. I hate the term big data, so I'm just going to say data analytics. Data analytics, where not that long ago it was really a slick competitive advantage, if you were doing sophisticated data analytics in the early 2000s you were cutting edge, right, it is now sort of a cost of doing business; everybody's doing some form of data. So

Walmart's certainly doing it to control their inventory, but the WHO is using data analytics to find flu epidemics, and the UN is using it for political outbreaks, to find out where the political hot spots are likely to be. And, you know, it's improving our quality of life in many ways, and it's driving business innovation and bolstering our economy. Data analytics is sort of the next evolution of our technology growth, and if you think of that as an engine, right, an engine driving all of these things, you know, what's the fuel? Well, it's personal information, in a very significant way. And so if you think this is bolstering our economy, it's driving innovation, and it's

improving our quality of life, everybody loves it, but you marry that with the fear of loss of control of personal information and you're really set up for a great deal of tension, and that's what we're seeing in the marketplace. And if there's one thing I want everybody to take away from here it's that, because that's causing all the regulations. I mean the regulators, as cynical as we are about our politicians, they do try to resolve it, but it is incredibly difficult to at once reduce people's fear without stifling business innovation. And this is where you get the tension: you have the EU regulations that really try to reduce fear, and

people have a lot of trouble, too, isn't it, innovating in that environment. We have the U.S., where, well, you know, if you tell them what you're doing with the data you can do anything you want with it; it drives the innovation. Nobody's found the correct solution for that. So where does that mean we're going? Well, there's two things we need to do to get privacy right. One is accountability, and the information security community, compliance folks, we get accountability right: we have programs in place, we do reporting, we have metrics, we do all of these things to ensure that we're protecting our data and we're managing our risk, and that makes

and we're okay with the accountability for having lost it; we're comfortable with that. Transparency is something the information security community doesn't do very well: notifying the consumer how, why you're collecting the data, how long you're going to store it for, how you're protecting it, what kind of controls they have over it. That's where privacy is going, and whether it's the model or it's the U.S. model or the model that's in Asia, and Asia has some very robust laws that are very different from both of those, it's largely looking to educate a consumer on what you're doing with their data and being accountable if you lose it or misuse it. And so the rest of the slides I'm going to

skip over, but I'll mention one thing: it talks about how privacy is sort of proliferating. I'm already down to 10 minutes; I have failed with you guys in sticking to my slides then. So I was talking about how important it is, and I'll mention this one thing, you know, this is a case in point of where privacy is going within an organization. David Hoffman, very well known, respected privacy guy, was CPO of Intel forever, 10 plus years, came from a legal background; he's stepping aside to focus on policy for Intel, still there. In his place, instead of, you know, the next in line from legal, they promoted

Malcolm Harkins, who is their information security guy, he's their CISO, and they retitled him from Chief Information Security Officer to Chief Information Security and Privacy Officer and they gave him the privacy program to run. Clearly a technical guy, no legal background whatsoever, and I'll leave that to you guys just to stick away in the back of your head. So let's talk about what a privacy program looks like, and this is sort of administrative stuff: you need somebody to head it up. Go ahead. Yeah, just real quick, having an internal privacy program, isn't that like the fox running the henhouse? Why would you not want an outsider third party to come in and, instead of you doing

all this yourself as a retainer of game. I'm going to repeat the question. So, yeah, would it be better off using an external organization to manage your privacy? Because I'm not sure why you would do that, other than, well, if you're the ones using the data why would you have strong privacy instructions? Well, I mean, that's sort of a cynical look at it; you know, that's like saying you only secure the data to the minimum legal requirement, right, because that costs a lot more, because there's brand problems, there's PR problems, there are certain risks. And I think a team that, and I don't know

whether it's better to have an internal or external, I think that's something, but having somebody that understands your processes, that knows the players, that understands the business units is probably better set. So talk to your board of directors or the CEO, CFO, COO and get support would be my thought; it's basic risk management, and you want to manage risks internally, and that's why they're turning to a chief security officer to become a chief security and privacy officer, because what the security officer is very comfortable with is managing risk. What you want to do is very much like what you're doing here with the security program: we have external audits through a SOC 2 program or through an ISO 27

001 program. I want to make sure our external audits, the privacy is either essential, I think everybody understands; that's a great point, we all understand that. So I'm gonna, this is my auctioneer move, but have somebody that, get a team that's across, you know, somebody, you need a Chief Privacy Officer, it doesn't matter what the title is, but they have to have authority across business levels and be accountable to the board, and then gather a team from different business units and constituents within the organization so that you're properly managing the program, you're not just making decisions that may affect other areas, and setting a vision.

Yeah.

Work within a framework. Information security, again, we have a lot of robust frameworks already to work with; there are some good ones with privacy, they are not nearly as mature or well accepted as security frameworks, but those are out there. I have notes that go along with this deck that will point to those. Set your metrics; NIST has a great document that helps with security metrics, and there are a lot of privacy things in there as well. Make sure they're quantitative and qualitative, and I've listed some there, you know, recording the number of incidents, reporting the average time to respond, and this is a privacy incident, which doesn't necessarily mean data

breach; it could just be somebody complaining that you're misusing their data. And then it goes down, and, you know, a privacy part has something new to you, just, you know, how many plans do you have existing that cover your data, how many employees you train, those sorts of things. And so that sort of sets your framework, right: you've got a team appointed, you've got a vision, you have your metrics, you know what you're going to be measuring. You have to measure what you're doing, otherwise how are you even going to know that you're successful? And that's not necessarily easy, but then the real work starts, and that

first bullet up there looks so innocent: privacy impact assessment. That's a lot of work, right. So, you know, that's inventorying where all your personal data is, who has access to it, how it flows, how you dispose of it, and then matching the risks, and, you know, whatever risk model you want to use, imagine the risks to that data; it is a huge task that gives you a scope for what you need to do. And, you know, that'll help you review your policies, review your insurance coverage. This is something I keep mentioning, and in every group a lot of people are like, really? Like, you know, cyber insurance is

awesome, it'll help you pay for a data breach, but so often those insurance coverages have covered your computer systems, so if you host your data at somebody else's system, whether it's just a VPS slice, that's not yours, that's somebody else's. So really check your insurance coverage to make sure you're covered. Review your legal obligations; laws are changing very frequently, so use the legal team to help you with that. And the general infosec stuff is always good; this is information security 101, right, you've got your policies in place, of course, and secure data. And I've listed this third bullet, privacy-enhanced system design and development, which is something that's quoted

right out of the new NIST privacy controls catalog. And this goes to your point earlier: it is requiring you, if you're responsible for complying with 800-53, to automate your privacy controls. And that, I believe, is ensuring that somebody has to opt in if it's something that is optional. So marketing, this is advertising, uses for a third party, the default should be you're opted out. Prepare and sustain, so if you're monitoring, have a way of managing complaints. External people will complain that you're violating their privacy; make sure you have a way of managing that. Create an incident response; this may look different than a security incident response, they may extend that. That'll be

specific to you. And then train your employees. All right, and wrapping up, those are things that I want to make sure I have room for questions. I'm sorry I had to do it. We have about two to three minutes for questions. If anything spills over that time, we do have a speaker area in the back, when you first come into the conference, on the right-hand side, so we can continue the discussion, as we have a couple of minutes, and I'm hanging around all day. So, yeah. Does your group play a role at all in working with lobbyists on legislation? We are a non-advocacy organization, so [inaudible].

To what extent do you think that trying to add advanced privacy is complicated by customer misperceptions and confusion? So this is my personal opinion, I guess. Meaningful transparency is probably the most difficult but the most important thing we could all work towards together, and by meaningful transparency I mean getting beyond the privacy policy that spells things out, and communicating to the user in a way where they understand exactly what they're committing themselves to, right? And there are a lot of people trying to do this. Facebook takes a lot of grief because they do an awful lot of work trying to be transparent, and their business model is profiling people, so

you know, they try to be open about that. Google's got a whole Good to Know site; if you guys haven't seen it, it's a remarkable effort to try to gain some transparency. They've gotten grief for that too; that included consolidating their privacy policies, but that is an incredibly difficult problem. [Inaudible] no, just comments. Any response on general public awareness? You know, my mother-in-law will click any button in the world to play Scrabble online. Yeah, so that gets into policy, and I can't, as an officer of the IAPP, I just can't comment on it, but I will point you to the NCSA, the National Cyber Security Alliance. They're the head of Data Privacy Day, and they are making

a recent effort to reach out to schools and to the elderly to educate them on privacy. Yeah. How do you get this paid for within any kind of company, or anything, because it's not at all important for the bottom line until it is? Well, today, okay, it's a risk proposition, right? So I mean, there are very real costs to a data breach, but there are also a lot of costs to brand if things are misused, and, you know, we're moving from, you could say people vote with their wallet, but in a modern economy, if you're online with a free service, people are voting with their data. So that's the problem. We finally

have time for one more question. Yeah, I was going to ask, why are people so averse to having their information [exposed]? Why is this such a passionate sort of thing coming up? It's creepy because it's allowing [inaudible]. Well, I think that's a human nature question. You don't, yeah, you don't want somebody to know your deepest secrets unless you want them to, and this exposes those secrets to all those who uncover them without your consent. Please remember to fill out your evals.