Reckoning with Trust Deficits: The Role of Privacy in the Context of Information Security
INTRODUCTION: MENDING THE LONG ARC OF THE DIGITAL AGE
We stand at a critical milestone in the arc of the digital age when nations and organizations around the world struggle with mounting privacy and security pressure. [1] Russian cyber-attacks on Estonia in 2007 served as a key driver in establishing the small Baltic nation as “the first fully digital republic.” The unintended consequences of that action pushed Estonia into a new way of being. [2] Those social pressures, born out of privacy decay and security decline, resulted in the drive for greater digital resilience, which “include[s] data literacy, online safety, and problem solving in digital environments.”
The case of Estonia provides a unique insight into a small society whose necessity birthed its case for change. There are other cases where necessity has come from within, but in all cases there are strong relationships between security and privacy, not the least of which revolves around the global challenge of adapting to a new digital age. [1] This research will resolve these challenges back to the human layer, unwrapping information security (infosec) and privacy aspects of culture, behavior, and awareness. An important convergence between privacy and security exists where one supports the other (e.g., strengthening confidentiality assurances), in contrast to where the two may be in conflict with one another (e.g., employee monitoring). How do infosec and privacy concepts give us tools to prepare for the future, and how might the same tools work against societal needs?
It is important to step back to consider foundational aspects of defining privacy, information, and security (see figure 1). Those terms can be complicated by the diversity of cultures looking at this interwoven problem. Making the case for how interwoven these topics are helps us to collectively agree. An important aspect shaping this complex topic is that cybersecurity “in the end … is securing people.” [3] The human processor (mind) is the end point for many information processes when we strip away the core concepts of cybersecurity.
In simple terms, infosec is related to procedures protecting information. Privacy is more fundamental and is more akin to rights, according to a global information privacy consortium. [4] Information is “facts or details about someone or something” at its most fundamental level. [5] Organizations and nations define and maintain these core principles across society, thus establishing and growing trust between governing bodies and the governed alike. People balance “diligence and discipline” at every echelon, driving down risks to both privacy and security. [6] People’s trust and confidence are essential to both business and societal success.
PRIVACY ATMOSPHERICS: SOCIETAL FACTORS IN THE DIGITAL AGE
What do Cambridge Analytica, [10] Ericsson, [11] Finland, [12, p. 10], Iranian SIAM, [13] United States (U.S.) Office of Personnel Management (OPM), [14] the U.S. Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (PATRIOT) Act, [15] Twilio, [16] and Twitter [17] all have in common? Each demonstrates the human nature encircling security. Each influences society’s perception of major organizational data privacy vulnerabilities. Each shows the level of effort involved in securing systems which enable our digital ecosystem.
The nation of Finland is routinely viewed as among the world leaders in cybersecurity. [12] It has taken a very proactive approach to establishing youth awareness programs and matured its approach to digital literacy. Digital literacy is the “ability to use information and communication technologies (ICTs) to find, evaluate, create, and communicate information, requiring both cognitive and technical skills” according to an American consortium. [18] Finland’s digital literacy and security programs are partly driven by external threats of mis-, dis-, and mal-information [19] from neighboring Russia. [20]
Reaching Finnish children has proven to be a simple but critical first step towards enhancing online critical thinking. Putting culture first has netted positive impacts on both privacy awareness and security. Finnish culture developed an acute interest in privacy, expediting the roll-out of the European Union (EU) General Data Protection Regulation (GDPR). It was considered the fastest GDPR adoption and was among the easiest places in the 27-member union to implement the EU’s privacy regulation. [21] Part of Finland’s privacy awareness was internally driven by its culture. It is clear that Finland is dedicated to enhancing societal resilience.
Germany’s standing as the fourth largest economy in the world should be a strong indicator of the nation’s industriousness. Despite that, some may find digital reach in Germany to be remarkably limiting to business. It’s no wonder, as privacy has been a key societal indicator of government over-reach since around 1946, when its civil governance was restored under American chief diplomat James F. Byrnes following his infamous “Speech of Hope.” [22] Since that time privacy has become an internal driver of societal compliance: many shops and stores have limited or no online presence. The result is that Germany, up to and including the digital age, has found ways to drive aspects of privacy across society. Germany, as a critic of GDPR, signed only when it ensured the EU provisions met Germany’s social norm. Privacy as a societal building block meant that GDPR (and thus German sovereign law) managed security from a privacy-first approach, including transparency in any discoveries of security misgivings.
Iran provides an example of a situation where an organization prioritizes security over privacy. Iran’s use of invasive and questionable human-rights practices which exploit privacy is achieved by extension through its employment of cybersecurity people, processes, and technology. Iran’s use of privacy exploitation through its SIAM lawful intercept (LI) program as a cybersecurity and thus security capability is not exceptional, but it is extraordinary. Iran has developed national policy that essentially forces information and communication technology (ICT) companies to enable privacy exploitation. SIAM enforces application programming interfaces (APIs) on ICTs which fully resolve every packet sent and received (e.g., Deep Packet Inspection, Internet Protocol Detail Record, Packet Data Network Gateway) to a unique person. SIAM-mandated APIs so intrude on matters of privacy that their ability to resolve an individual (ID Res) includes name, birth certificate number, birthdate and place, email address, gender, zip code and address, nationality, and passport details, among other highly sensitive information. The information remains unminimized intentionally to provide state security elements exquisite insights into their population. [13] In an autocratic organization or society, having a say in the extent to which privacy expectations are exploited is not always possible.
Democracies are not immune from usurping privacy for the cause of national security. The U.S. has a history steeped in privacy, baking in the role of privacy law from its origins. There have been episodes in American history where state security needs have elevated to a point of requiring invasive privacy techniques. Among the many drivers in the American privacy experience are the industry-specific, (individual) state-specific, and case-specific laws that lack an overarching omnibus policy on the matter. There is a considerable difference between the “right to be let alone” [23] and modern constructs limiting law enforcement (LE) under recent U.S. Fourth Amendment (4A) Supreme Court rulings. [24] It can be stated that the logic for privacy invasion as a means to security enhancements has precipitous effects.
The PATRIOT Act serves as an example in recent times where the U.S. government has enacted law that placed security over privacy. The law (essentially a LI measure), extended several times, has come under increasing scrutiny from privacy rights advocates. [15] Some question its efficacy, while more question its role in enabling U.S. LE and intelligence actions. The images from September 11th helped shift public opinion to a chorus of support, but we are starting to see the tide recede as more than half of Americans oppose this invasive law. The case for the PATRIOT Act and Federal Intelligence Surveillance Act (FISA) will remain of interest in privacy advocacy camps. The question remains: how will the U.S. balance privacy matters and infosec to meet the surge of information denial, exfiltration, extortion, and manipulation? The trust budget is out of whack and there is no clear remediation for our expenditures.
INFOSEC BENEFITS: PRIVACY CONCEPTS ENABLE MORE HOLISTIC INFOSEC
In most cases, privacy enhancements improve organizational security. Privacy-by-Design (PbD) is a concept whereby organizations build capabilities from the ground up with privacy in mind. This helps ensure applications, databases, procedures, and tools do not expose personally identifiable information (PII), personal health information (PHI) or other sensitive information. PbD implements practice from policy to tooling, helping assure consumers, customers, and employees that restricted and private data receive adequate care. PbD is baked into GDPR and other data privacy regulations. The concept helps, but ultimately the practice builds trust.
Organizations that continue to reduce the ‘say-do’ gap validate their values by showing commitment to the private matters of their people. Trust within an organization results in a sense of agency, helping create a more attainable security culture and behaviors. People who care have far better security attitudes than those who do not. We can look to the examples of Finland and Estonia to see societies where privacy practices have had positive security impacts. [1]
PRIVACY BENEFITS: INFOSEC CONCEPTS ENABLE MORE HOLISTIC PRIVACY
Infosec practitioners routinely view security through the lens of confidentiality, integrity, and availability (CIA). When organizations try to balance the requirements of the three-legged CIA stool, their care for confidentiality and integrity directly impacts privacy measures. Organizational confidentiality and integrity are key to protecting consumer, customer, and employee records.
The impact of data breaches and exfiltrated sensitive records is reduced. The net effect is that organizational trust increases when security features help to protect their information. For example, the Health Insurance Portability and Accountability Act (HIPAA) has both privacy and security requirements. HIPAA dictates that integrity and confidentiality be protected in order to ensure individual trust in a network. [25], [26]
There are helpful concepts from PbD including anonymization, minimization, and pseudonymization. These are better achieved when administrative, physical, and technical controls secure the infrastructure used by security practitioners. These core elements of privacy are strengthened by defense-in-depth approaches, the principle of least privilege, and zero or dynamic trust concepts. The CIA infosec triad is strengthened by another triad of IT, cysec, and privacy components. We see this in Germany’s social norms, where security systems limit technology applications and infrastructure using privacy concepts as the driver. [27]
COMPETING FOR PRIMACY: INFOSEC AND PRIVACY CLASH
Privacy and infosec are not always symbiotic. In practice they can collide in given circumstances. As previously discussed in this paper, National Security and LE routinely use security over privacy, whether in Iran, the U.S., or elsewhere. There are monetary challenges to placing privacy over security, where organizations stand to make enormous profits from private information collected through online applications or marketing content. In other cases, a personal ethos inclined towards privacy means individual users actively choose to “opt-out” of organizationally issued devices or other forms of technology that affect their privacy boundaries.
National Security is the most obvious scenario where security trumps privacy in an organization. While Iran’s SIAM LI program may be tilted toward LE, its function combines aspects of LE like the PATRIOT Act and national counterintelligence like FISA. Iranian cost-benefit analysis has weighed threats from within as more dangerous than its position on enabling societal privacy from undue government influence. This is certainly made easier in an autocratic theocracy. Despite SIAM, domestic uprisings have become more commonplace in Iran and the outlook shows very little in the way of improvement. We have little verifiable information on SIAM’s impact on the Iranian pursuit of intelligence and influence agents. It may also be worth noting that privacy to Iranians may not be consistent with established western concepts of privacy.
In the U.S., LE programs like the PATRIOT Act have become prominent topics of debate within Congress and across concerned citizenry. It was enacted immediately following the events of September 11th, when popular support was at its highest. In recent years, the shift towards greater and greater disapproval has accelerated. Whilst the remit of the PATRIOT Act has remained relatively the same, American society has pushed back, viewing it as an intrusive program. With little or no public proof of its value in the war on terror, this 20-year security capability has hit a wall looking to reverse the trend. [15], [28]
Large international organizations outside of government are equally motivated by security and privacy. The monetary opportunities through marketing, targeted adware, socio-cultural surveys, and behavioral analytics are clear. Meta, parent organization of Facebook, WhatsApp, and Instagram, has been in a tricky spot since revelations of privacy incidents with Cambridge Analytica (CA) were made public in 2016. Motivated by large out-of-cycle profit opportunities, Meta brokered deals with CA and others. Little government oversight was in place to adequately address this technology and practice. In recent times, Meta has whitewashed its profits, accusing CA of violating terms of service (TOS) and other agreements. Monetary gains have impacted sensitive data handling that most governments are ill-equipped to regulate. The policy gaps outlined in the TOS may also present purpose-built vulnerabilities, further reducing security between Meta and third-party providers. [10]
Third-party risk management (TPRM) has become a focal point for leading international organizations. Outsourcing can save money and meet emerging demands, but it also presents vulnerabilities to an organization and its information. Critical dependencies between and among competing organizations can have catastrophic consequences. This includes technology measures (e.g., multi-factor authentication, password managers), physical measures (e.g., servers, ICT infrastructure) and administrative measures (e.g., due diligence, hiring, and vetting). Organizations must determine ways TPRM uses those capabilities and records at levels proportionate to anticipated risks. The challenge internally is just as hard. [29]
Insider Threat (InT) programs, sometimes referred to as insider trust or insider risk, are routinely established to prevent, identify, and respond to InT incidents. InT programs often seek to use telemetry and other technical data to augment administrative and physical records of employees and third parties. [30] This can be complicated in countries, regions, or states where labor laws and unions have strong positions on privacy (e.g., Germany).
General Electric (GE) Power experienced this issue, resulting in an economic espionage indictment and sentencing for Chinese-born U.S. residents Zheng Xiaoqing and Xu Yanjun. [31] Zheng was sentenced to two years in federal prison for using steganography to hide the “millions of dollars” in exfiltrated stolen intellectual property. Only due to GE Power’s administrative controls were invasive end point monitoring technology solutions enabled. That combination, including some invasive private matters, helped reveal and make the case for the U.S. Federal Bureau of Investigation (FBI). [32], [33] Here again we see security trump privacy. GE’s purpose-driven privacy position ensured that due diligence, rules of proportionality, and anonymization were upheld.
COMPETING WITH SOCIETAL NEEDS: PRIVACY AND INFOSEC RISKS
Through many of these examples we see where society is put at risk. From autocratic and democratic governments to profit-driven organizations, security and privacy often see privacy invasion as the lesser evil for the greater good. While one-off scenarios may incrementally shift societal perspectives on the value of privacy, the in-aggregate effect may lead to a large-scale collapse in trust. We can also see where organizations have prioritized a symbiotic relationship between PbD and Secure-by-Design approaches – looking for the enabling effects of the co-mingled values without full dependencies.
Experts recognize the delicate balance between privacy and security, going so far as to say “…you can’t have privacy without security, but you can have security without privacy.” [34] So where is the demarcation point between enough security and not enough privacy? The former FBI Director highlighted almost a decade ago that the U.S. privacy-security balancing act in more than “…200 years was not complicated by technology.” Former Director Comey illustrates how the balancing act is precarious because imbalances in either direction lead down slippery slopes. [35] Requiring too much security endangers society by corroding trust through loss of privacy. Enforcing overly rigid privacy rules endangers society by corroding trust through diminished safety and security. This combination is illustrated through password management and multi-factor authentication. Experts believe the best authentication methods require the most invasive privacy measures. They expect the use of identifiable information as key to driving down credential theft. [36, p. 3] While privacy officers or security officers weigh in, executive decision-makers must limit the ‘say-do’ gap to drive trust-based organizational culture.
CONCLUSION: BARRIERS DRIVEN BY HUMAN ACTION/INACTION
There are lessons peppered throughout this research. The most compelling lesson relates to the balancing act bequeathed to us as humans, as members of society, or as stakeholders in an organization. Our voice to adequately address observed imbalances must come through research, education, and awareness. When we value our privacy while enjoying the relative security environment in which we live and work, we owe informed feedback to decision-making bodies. Silent majorities will remain, but our role is to draw attention to these topics so they can choose for themselves. Balancing privacy and security is an abstract act enabling trust.
There remains a strong inclination towards security over privacy. There are effective tools for enabling security while maintaining relative privacy. That implementation from one organization to the other and the net collective that opts to leverage tools of privacy and security by design will help drive positive change. Will cost effectiveness drive inaction? Will federal oversight start applying its own rules to its bodies as it does to commercial sectors? The biggest barrier to change is how we limit the ‘say-do’ gap: when statements and vision match our actions and behaviors, our organization will have more trust and confidence in enabling the vision. Trust, while important to cybersecurity, is human too. A culture of trust values both security and privacy. The extent to which factors prohibit trust will impact an organization tomorrow. Limiting corrosive trust factors depends on the actions we take today. We must start building our trust reservoir, for “trust is built in drops and lost in buckets” [37] and we are largely at a trust deficit.
References:
[1] H. Hoops, “Cybersecurity Countermeasures Starts with Hardening the Mind,” Medium, Feb. 06, 2022. https://hatterashoops.medium.com/cybersecurity-countermeasures-starts-with-hardening-the-mind-7a73ca13db3 (accessed Jan. 19, 2023).
[2] “Digital resilience is key to post-COVID recovery in Eurasia.” https://blogs.worldbank.org/digital-development/digital-resilience-key-post-covid-recovery-eurasia (accessed Jan. 19, 2023).
[3] “The Feedback Loop by Singularity: FBL37 — Eva Galperin: Cybersecurity, Privacy, and Cultural Differences on Apple Podcasts,” Apple Podcasts. https://podcasts.apple.com/us/podcast/fbl37-eva-galperin-cybersecurity-privacy-and-cultural/id1468766317?i=1000544128132 (accessed Jan. 21, 2023).
[4] “Privacy and Information Security: The Territorial Challenges.” https://iapp.org/news/a/privacy-and-information-security-the-territorial-challenges1/ (accessed Jan. 21, 2023).
[5] “information noun — Definition, pictures, pronunciation and usage notes | Oxford Advanced American Dictionary at OxfordLearnersDictionaries.com.” https://www.oxfordlearnersdictionaries.com/definition/american_english/information (accessed Jan. 21, 2023).
[6] 5. People Are the Perimeter. Accessed: Jan. 21, 2023. [Online]. Available: https://learning.oreilly.com/library/view/managing-risk-and/9781484214558/A340914_2_En_5_Chapter.html
[7] CHAPTER 1 Information Systems Security. Accessed: Oct. 30, 2021. [Online]. Available: https://learning.oreilly.com/library/view/fundamentals-of-information/9781284116465/xhtml/ch01.xhtml
[8] D. Weinberger, “The Problem with the Data-Information-Knowledge-Wisdom Hierarchy,” Harvard Business Review, Feb. 02, 2010. Accessed: Jan. 21, 2023. [Online]. Available: https://hbr.org/2010/02/data-is-to-info-as-info-is-not
[9] M. Chapple and J. Shelley, Chapter 1: Privacy in the Modern Era. Accessed: Feb. 22, 2022. [Online]. Available: https://learning.oreilly.com/library/view/iapp-cipp/9781119755463/c01.xhtml
[10] “Meta settles Cambridge Analytica scandal case for $725m,” BBC News, Dec. 23, 2022. Accessed: Jan. 21, 2023. [Online]. Available: https://www.bbc.com/news/technology-64075067
[11] N. Goud, “Ericsson serious about the data breach and data leak to media,” Cybersecurity Insiders, Apr. 13, 2022. https://www.cybersecurity-insiders.com/ericsson-serious-about-the-data-breach-and-data-leak-to-media/ (accessed Jan. 21, 2023).
[12] “Top 10 Cybersecurity Breaches in Finland.” https://www.cyberlands.io/topsecuritybreachesfinland (accessed Jan. 21, 2023).
[13] “You Move, They Follow: Uncovering Iran’s Mobile Legal Intercept System — The Citizen Lab.” https://citizenlab.ca/2023/01/uncovering-irans-mobile-legal-intercept-system/ (accessed Jan. 23, 2023).
[14] J. Fruhlinger, “The OPM hack explained: Bad security practices meet China’s Captain America,” CSO Online, Feb. 12, 2020. https://www.csoonline.com/article/3318238/the-opm-hack-explained-bad-security-practices-meet-chinas-captain-america.html (accessed Jan. 21, 2023).
[15] “USDOJ: Ten Years Later: The Justice Department after 9/11.” https://www.justice.gov/archive/911/legal.html (accessed Jan. 21, 2023).
[16] “Twilio discloses another hack from June, blames voice phishing,” BleepingComputer. https://www.bleepingcomputer.com/news/security/twilio-discloses-another-hack-from-june-blames-voice-phishing/ (accessed Jan. 21, 2023).
[17] “200 million Twitter users’ email addresses allegedly leaked online,” BleepingComputer. https://www.bleepingcomputer.com/news/security/200-million-twitter-users-email-addresses-allegedly-leaked-online/ (accessed Jan. 21, 2023).
[18] “Digital Literacy — Welcome to ALA’s Literacy Clearinghouse.” https://literacy.ala.org/digital-literacy/ (accessed Jan. 21, 2023).
[19] “Misinformation, Disinformation and Mal-Information,” eReader. https://www.mediadefence.org/ereader/publications/introductory-modules-on-digital-rights-and-freedom-of-expression-online/module-8-false-news-misinformation-and-propaganda/misinformation-disinformation-and-mal-information/ (accessed Jan. 21, 2023).
[20] J. Gross, “How Finland Is Teaching a Generation to Spot Misinformation,” The New York Times, Jan. 10, 2023. Accessed: Jan. 21, 2023. [Online]. Available: https://www.nytimes.com/2023/01/10/world/europe/finland-misinformation-classes.html
[21] “Data protection in Finland, four years after GDPR came into force | Computer Weekly,” ComputerWeekly.com. https://www.computerweekly.com/news/252525464/Data-protection-in-Finland-four-years-after-GDPR-came-into-force (accessed Jan. 21, 2023).
[22] “GHDI — Document.” https://ghdi.ghi-dc.org/sub_document.cfm?document_id=2300 (accessed Jan. 23, 2023).
[23] H. Hoops, “Privacy in the Early Age of Devices,” Medium, Oct. 22, 2022. https://hatterashoops.medium.com/privacy-in-the-early-age-of-devices-5f2036b68263 (accessed Jan. 23, 2023).
[24] H. Hoops, “Challenging Democracy in the Age of Information:,” Medium, Nov. 11, 2022. https://hatterashoops.medium.com/challenging-democracy-in-the-age-of-information-2903adc84bdf (accessed Jan. 23, 2023).
[25] Office for Civil Rights (OCR), “The HIPAA Privacy Rule,” HHS.gov, May 07, 2008. https://www.hhs.gov/hipaa/for-professionals/privacy/index.html (accessed Jan. 27, 2023).
[26] “Privacy & Security Resources & Tools | HealthIT.gov.” https://www.healthit.gov/topic/privacy-security-and-hipaa/privacy-security-resources-tools (accessed Jan. 27, 2023).
[27] “Surviving the Germans’ extreme online privacy — DW — 10/13/2022,” dw.com. https://www.dw.com/en/surviving-the-germans-extreme-online-privacy/a-55899579 (accessed Jan. 27, 2023).
[28] “What is the USA Patriot Web.” https://www.justice.gov/archive/ll/highlights.htm (accessed Sep. 02, 2021).
[29] “What Is Third-Party Risk Management: The 3 Types of TPRM,” CyberGRX. https://www.cybergrx.com/resources/defining-risk-management-third-party-risk-vendor-risk-supply-chain-risk (accessed Jan. 28, 2023).
[30] C. W. Probst, J. Hunker, D. Gollmann, and M. Bishop, Eds., Insider Threats in Cyber Security, vol. 49. Boston, MA: Springer US, 2010. doi: 10.1007/978-1-4419-7133-3.
[31] “Industrial espionage: How China sneaks out America’s technology secrets,” BBC News, Jan. 16, 2023. Accessed: Jan. 25, 2023. [Online]. Available: https://www.bbc.com/news/world-asia-china-64206950
[32] “Ex-GE engineer sentenced for stealing turbine tech for China • The Register.” https://www.theregister.com/2023/01/04/ge_turbine_china_prison/ (accessed Jan. 25, 2023).
[33] “Former GE Engineer and Chinese Businessman Charged with Economic Espionage and Theft of GE’s Trade Secrets,” Apr. 23, 2019. https://www.justice.gov/opa/pr/former-ge-engineer-and-chinese-businessman-charged-economic-espionage-and-theft-ge-s-trade (accessed Jan. 25, 2023).
[34] T. Bradley, “Finding The Right Balance Between Security And Privacy,” Forbes. https://www.forbes.com/sites/tonybradley/2019/03/22/finding-the-right-balance-between-security-and-privacy/ (accessed Jan. 25, 2023).
[35] “Expectations of Privacy: Balancing Liberty, Security, and Public Safety,” Federal Bureau of Investigation. https://www.fbi.gov/news/speeches/expectations-of-privacy-balancing-liberty-security-and-public-safety (accessed Jan. 25, 2023).
[36] “Season 3 finale: What’s the deal with Authentication, MFA, and Password Managers?,” The CyberWire. https://thecyberwire.com/podcasts/8th-layer-insights/30/notes (accessed Jan. 27, 2023).
[37] “Trust is built in drops and lost in buckets 1,” PalletOne Inc. https://palletone.com/ceo-blog/trust/ (accessed Jan. 29, 2023).