Asbestos underwear, fair information principles, and security

Tales from the Net co-author Deborah Pierce’s Into the Lion’s Den — a privacy advocate’s work is never done (on her tribe.net blog) describes a panel she was just on at ERE Expo, “the nation’s leading recruiting conference.” She was there to debate the CEO of Jigsaw, a company whose mission is “to map every business organization on the planet, contact by contact”:

The CEO started by asking how many in the audience had heard of Jigsaw or had used Jigsaw. About half of the people raised their hands. When my turn came, I asked how many people had heard of Fair Information Principles*. There were about a hundred people in the room and about three people raised their hands. With this crowd I wasn’t surprised.

Well, yeah: most people in the US haven’t heard of the Fair Information Principles. Heck, they don’t even merit their own Wikipedia page, although the Privacy Law page gives a summary. Even so, they’re the skeleton for a lot of privacy laws in the US (the Privacy Act, for example) and internationally, as well as for corporate privacy policies — when I was at Microsoft, I remember seeing the campus plastered with them for a few months. In the US, they’re usually phrased as notice, choice, access, security, and redress; the OECD’s eight-principle version uses different language and adds explicit requirements for data quality and limits on secondary uses (its use limitation principle).

In both versions, security is key, as well it should be: companies and governments that collect and store people’s personal information have the responsibility for safeguarding it. As attrition.org’s data loss archive makes it easy to see, all too often … they don’t. Deborah talked about the major breaches in March, including TJX’s $40 million settlement over the TJ Maxx data breach, and then got a helpful question from the audience:

Finally someone asked both of us the question “if there was a big data breach at Jigsaw, what do you say to the reporter at the NBC Nightly News?” I said, “hey, that’s an easy one for me, I just trot out my sound bite on Fair Information Practices – I don’t even need the asbestos underwear that I’m wearing for this crowd.” That line practically earned me a standing ovation. Seriously. My CEO opponent agreed that his job would be much more difficult with NBC and that about all he could say was that he was doing his best.

Indeed. In that situation, sucks to be him.

There’s valuable data in sites like Jigsaw — or LinkedIn, or Facebook, or MySpace, or any site that collects personal information or credit card numbers or …. Identity thieves and other criminals are increasingly targeting these kinds of systems, and mandatory breach notification laws make it a lot harder to cover it up when there’s an accident or a break-in. So there are going to be more and more CEOs up in front of the NBCs of the world — or Congress, like the ChoicePoint CEO after their huge data breach — saying “we did our best.”

One of the things I wonder, though: how many of these sites really are doing things well enough that they can honestly say they’re doing their best? Take a basic minimum bar: threat modeling, a security architecture, external reviews of the design and architecture, unit and penetration testing, and a well-defined engineering process that actually makes use of the available tools. What percentage of the data collection and social networking sites out there do all of these — and do them well?

This is one of those places where it’s in the industry’s interest to clean up their act quickly. Otherwise, the risk is that the government feels like it has to act and introduces some well-intentioned but flawed regulation (such as a less-than-fully-thought-out form of liability). But I digress.

Deborah continued on with some of the other principles:

This went on for a while, and I hammered home the notion of notice and the fact that most people outside of the recruiting circles don’t even know that Jigsaw exists, and even if we do find out about it, we can’t get out even if we wanted to. The CEO said that people could get out, and opined that I might be a tad confused on the removal issue. I replied that I wasn’t confused, and in fact, here is the removal process (or lack thereof) on the last page of Jigsaw’s ‘fair information statement’ page. In fact, I had printed out the page, and highlighted and underlined their procedure so I was able to quote it for him instantly.

And in the end she wound up shifting a lot of the crowd over:

The moderator came up to me and said “I don’t know if you felt it or not, but about mid-way through the discussion, the room changed. You convinced about half of the people.” I hadn’t realized it was so many, but I had felt the change.

Even more interesting is the response after:

About a half dozen or so people came up to me wanting to meet offline to discuss how they could do privacy and security better.

… which is an astonishingly high percentage for an initially-skeptical crowd of around a hundred.

“Conventional wisdom” is that people don’t care about privacy, but I’m not convinced. I’ve heard too many stories like this from Deborah and others, where as soon as you put things in terms that people can relate to, it clicks, and they do care, for a lot of different reasons. Combining the clear framework of the Fair Information Principles with experiences that people relate to — the Hotel California feel of not being able to get out of the database, for example — very often works.

jon

* actually, Deborah called them Fair Information Practices. Strictly speaking, they’re the Fair Information Practice Principles. People tend to use the various terms interchangeably. I prefer “principles” and so asked Deborah if I could modify her quote here to read that way; she graciously agreed.