In the history of computer security, Pretty Good Privacy (PGP) is one of the most influential encryption programs ever created. By putting strong encryption for files and email in the hands of ordinary users, strong enough to resist even government-level adversaries, it became an invaluable tool.
But as powerful as PGP is, Alma Whitten and J.D. Tygar observed in their seminal paper Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0 that user errors cause or contribute to most computer security failures, yet user interfaces for security still tend to be clumsy, confusing, or near nonexistent. So, even with a robust program like PGP, the strongest encryption is worthless if users cannot operate it correctly.
When it comes to data privacy within an organization, getting it right is significantly more complex and challenging than deploying a single encryption program. In Practical Data Privacy: Enhancing Privacy and Security in Data, author Katharine Jarmul has written a superb guide detailing what needs to be done to tame this beast called data privacy.
It was not that long ago that data was seen purely as an asset. With cheap storage, organizations had every incentive to collect as much data as they could and keep it for as long as they wanted. But regulations such as the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and many more have turned data into a liability.
In November 2022, Google settled with 40 states over claims that it misled users into thinking they had location tracking turned off, agreeing to pay nearly $400 million. In the same month, Meta, a company that had long treated privacy as an afterthought, was fined €265 million (about $277 million) by Ireland's Data Protection Commission over the scraping of personal data on more than 500 million users. The costs of privacy non-compliance are significant.
The book starts with an overview of privacy, anonymization, and other core topics. Then, Jarmul launches a tour de force through the myriad details needed to ensure data privacy is actually implemented. She makes a fundamental point throughout the book: privacy is not solely the job of information security. It needs a multi-disciplinary approach involving various teams across an organization. The key to doing privacy right is to move from a piecemeal approach to privacy by design. Privacy by design and by default is a legal requirement under GDPR, but it must also be part of every effective privacy program regardless of jurisdiction.
The chapter on privacy attacks is particularly interesting. While much has been written about network and application attacks, there are countless attack vectors where sensitive data can be exposed without any system being compromised, because the underlying privacy controls fail: a dataset with names stripped but ZIP code, birth date, and sex left intact, for example, can often be re-identified simply by joining it with a public register that carries the same columns.
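To make the re-identification point concrete, here is an added example of a linkage attack and a k-anonymity check. It is illustration written for this review, not code from Jarmul's book, and both tables are constructed toy data (hypothetical names, ZIP codes and diagnoses). It goes a step beyond the sentence above by also showing the counter-measure: generalizing the quasi-identifiers until every record shares its combination with at least one other, at which point the join no longer singles anyone out.

```python
"""Linkage (re-identification) attack on a 'de-identified' table, plus a
k-anonymity check on the quasi-identifiers that made the attack possible.

Added illustration for this review; all records are constructed, not real.
"""
from collections import Counter, defaultdict

# Constructed "de-identified" health records: names were removed, but the
# quasi-identifiers (zip, dob, sex) were left exactly as collected.
HEALTH = [
    {"zip": "02138", "dob": "1961-07-03", "sex": "F", "diagnosis": "hypertension"},
    {"zip": "02139", "dob": "1961-09-21", "sex": "F", "diagnosis": "asthma"},
    {"zip": "02138", "dob": "1961-07-03", "sex": "M", "diagnosis": "arrhythmia"},
    {"zip": "02141", "dob": "1961-12-01", "sex": "M", "diagnosis": "gout"},
    {"zip": "02139", "dob": "1972-01-15", "sex": "F", "diagnosis": "diabetes"},
    {"zip": "02139", "dob": "1972-01-15", "sex": "F", "diagnosis": "migraine"},
    {"zip": "02141", "dob": "1985-11-30", "sex": "M", "diagnosis": "depression"},
    {"zip": "02138", "dob": "1985-02-14", "sex": "M", "diagnosis": "insomnia"},
]

# Constructed public register (think: voter roll) carrying the same
# quasi-identifiers next to real names. Names are hypothetical.
PUBLIC = [
    {"name": "Alice", "zip": "02138", "dob": "1961-07-03", "sex": "F"},
    {"name": "Bea",   "zip": "02139", "dob": "1961-09-21", "sex": "F"},
    {"name": "Carl",  "zip": "02138", "dob": "1961-07-03", "sex": "M"},
    {"name": "Dev",   "zip": "02141", "dob": "1961-12-01", "sex": "M"},
    {"name": "Erin",  "zip": "02139", "dob": "1972-01-15", "sex": "F"},
    {"name": "Fay",   "zip": "02139", "dob": "1972-01-15", "sex": "F"},
    {"name": "Gus",   "zip": "02141", "dob": "1985-11-30", "sex": "M"},
    {"name": "Hal",   "zip": "02138", "dob": "1985-02-14", "sex": "M"},
]

QUASI = ("zip", "dob", "sex")


def key(rec, qi=QUASI):
    """Tuple of quasi-identifier values used to group and join records."""
    return tuple(rec[c] for c in qi)


def k_anonymity(rows, qi=QUASI):
    """Size of the smallest equivalence class over the quasi-identifiers.
    k == 1 means at least one record is unique on those columns, i.e. it
    can be singled out."""
    if not rows:
        return 0
    counts = Counter(key(r, qi) for r in rows)
    return min(counts.values())


def link(health, public, qi=QUASI):
    """Join both tables on the quasi-identifiers. A diagnosis is treated as
    re-identified only when the key matches exactly one person and exactly
    one record; ambiguous matches are not counted as hits."""
    names_by_key = defaultdict(list)
    for p in public:
        names_by_key[key(p, qi)].append(p["name"])
    diags_by_key = defaultdict(list)
    for h in health:
        diags_by_key[key(h, qi)].append(h["diagnosis"])
    hits = {}
    for k, diags in diags_by_key.items():
        names = names_by_key.get(k, [])
        if len(names) == 1 and len(diags) == 1:
            hits[names[0]] = diags[0]
    return hits


def generalize(rec):
    """Coarsen the quasi-identifiers: keep only the 3-digit ZIP prefix and
    the birth year. Works on either table."""
    out = dict(rec)
    out["zip"] = rec["zip"][:3] + "**"
    out["dob"] = rec["dob"][:4]
    return out


if __name__ == "__main__":
    print("k before:", k_anonymity(HEALTH))
    print("re-identified:", link(HEALTH, PUBLIC))
    gh = [generalize(r) for r in HEALTH]
    gp = [generalize(r) for r in PUBLIC]
    print("k after generalization:", k_anonymity(gh))
    print("re-identified after generalization:", link(gh, gp))
```

On the raw tables the join re-identifies six of the eight diagnoses (only Erin and Fay, who share a key, are spared). After generalization every equivalence class has two members, so the same join yields nothing. Note that k-anonymity on its own is a weak guarantee: if everyone in an equivalence class shared the same diagnosis, the attribute would still leak even though no individual record could be singled out.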
Privacy is a challenging task to do correctly. Firms have two options: be proactive and do it right, or be on the receiving end of a lawsuit and eventually do it right anyway. Practical Data Privacy is an invaluable guide to doing it right the first time.
Jarmul has written a highly technical yet very readable and practical guide for those looking either to start or to enhance their privacy initiatives. This is a book that should be in the hands of every developer, systems architect, and security team member in every organization.
Organizations that end up on the receiving end of a privacy lawsuit are often left with legal bills running to six figures or more, from which they gain no benefit. The best way to do privacy right is proactively, and this is one of the best books on that topic.