Ben's Book of the Month: Review of "Privacy Is Hard and Seven Other Myths"


Posted on by Ben Rothke

It’s unclear who initially observed that “if you tell a lie and tell it frequently enough, it will be believed.” For example, the FCC and telecoms have told the public that scam robocalls are extremely hard to stop. When in fact, with some simple controls, about 60% of them could be stopped. Stopping those would collapse the economic incentive, and scam robocalls would be a thing of the past.

 

Regarding computer security, countless lies and myths have been propagated to the general public. For the longest time, people were told that they should change their passwords every 90 days for effective computer security.

 

But overly frequent password changes can, in fact, make security worse. That is why NIST updated their guidance in NIST Special Publication 800-63B, noting that password expiration is a concept that needs to be looked at again. Lance Spitzner writes that there has been a community effort to kill password expiration for years, but this is not something new. People like Per ThorsheimMicrosoft’s Dr. Cormac HerleyGene Spafford of Purdue, and the Chief Technologist at FTC have been working hard to kill password expiration.

 

In Privacy Is Hard and Seven Other Myths: Achieving Privacy through Careful Design (MIT Press), author Jaap-Henk Hoepman (Associate Professor at the Institute for Computing and Information Sciences, Radboud University, Netherlands) attacks eight myths that have long been treated as gospel within information technology in general and information security specifically. 

 

The myths the book masterfully shreds are:

  1. We Are Not Collecting Personal Data
  2. You Have Zero Privacy Anyway—Get Over It
  3. I’ve Got Nothing To Hide
  4. It’s Merely Metadata
  5. We Always Need To Know Who You Are
  6. Your Data Is Safe With Us
  7. Privacy and Security Are a Zero-Sum Game
  8. Privacy Is Hard

Perhaps the most pervasive and well-known of the myths is the observation by then CEO of Sun Microsystems Scott McNealy that “you have zero privacy anyway, get over it.” Hoepman shows how this erroneous notion can be countered.

 

And that is the central message of the book, that the architecture of a system, the way it is designed, has a fundamental impact on whether it respects and protects our privacy or not. Those who take privacy seriously (and that does not include Facebook, Google, Instagram, etc.) need to address this in the architecture of their systems.

 

This notion of privacy by design is an important engineering approach. The essential idea is that privacy should be considered first as a design requirement from the beginning and through the lifecycle of a system.

 

When it comes to scam robocalls, there is an economic incentive both for the scammers and the telecommunication companies for it to continue. When it comes to privacy, the incentives are often, as the book details, favored in place of the software vendors and not the consumer.

 

Anyone who has ever downloaded a copy of their information on Facebook is astounded by the depth and breadth of the information there. Every search, like, post, message, location, ad clicked, and much more is there in detail. And Facebook is but one of the scores, if not hundreds, of information junctions where a person can be monitored.

 

The book systematically and articulately takes apart the eight myths and details the privacy design strategies vendors and system architects need to implement for effective security and privacy. And it’s no myth to say this is one of the most important books you can read on the topic.


Contributors
Ben Rothke

Senior Information Security Manager, Tapad

Privacy

PII data security privacy

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment.  Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA® Conference, RSA Security LLC or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.


Share With Your Community