Those of us who come to the privacy management arena from a computer security background tend take an extremely narrow and focused view of how technology can protect privacy. We love to debate each other on esoteric subjects cryptographic key strengths, the merits of strong two-factor authentication, trust models in networked systems and all sorts of deep technologies. As someone who worked in public key infrastructure technologies for several years and firewall technology before that, no one is a bigger fan of emerging security technology than I. These are all good and useful topics to be discussing and theses sorts of technologies are important foundations of a networked world.
Traditionally we think of privacy enhancing technologies has tools for hiding, obfuscating, and controlling disclosure. But in terms of an overall approach to privacy management we should also think about how technology can be used to creates visibility and awareness of informations security practices.
This point was made quite well recently by Harriet Pearson, VP of corporate affairs and Chief Privacy Office for IBM, in an interview with Computer World.
Ms. Pearson was asked about her opinion of the various state data breach notfication laws and the trigger language in those laws:
Q: What is your personal opinion of breach notification triggers as they exist today?
A: I have an analogy that I use. In the 1980s and the 1990s, I was an environmental lawyer, and I was in California around that time when a law called Proposition 65 was passed. What happened was California required businesses to make disclosures of the release of chemicals and stuff like that. When you are actually required to disclose those kinds of things, it changes people’s behavior. But you want to be careful and strike a reasonable balance. I don’t know exactly what the formulation of language should be. If it is too [restrictive], you are going to get too many warnings, and it’s going to result in overnotification.
Transparency changes behavior. That’s a very simple and powerful idea that is all too often overlooked by the IT security industry.
There have been some efforts to in the field of privacy enhancing technologies that help create transparency of information security practices. The Platform For Privacy Preferences is one such standard.
One thing to keep in mind is that we often think of transparency as an external reporting tool so that the public or oversight bodies can be reasonably informed, but transparency can also be a powerful internal tool for modifying behavior. For example, if an internal department has awareness of how much and what kinds of information are being given to a business partner, they will naturally have a tendency to minimize it. As we look at new challenges in information security practices coming at us in the next few years, those of us in the technology community need to think just as much about how to use technology to raise awareness of risks and create transparency in our data handling as we do in creating technology to mitigate the risks.