A Broad Definition of “Personal Information” is Needed in the Upcoming U.S. Federal Privacy Regulations

Following the rollout of the EU’s General Data Protection Regulation (GDPR) and a string of high-visibility privacy scandals at U.S. companies (like Equifax, Facebook, and Google), Federal regulators are finally getting serious about privacy.

The National Institute of Standards and Technology (NIST) is convening a series of workshops to develop a new Privacy Framework, which the body envisions will be a voluntary set of standards for assessing organizations’ privacy risks. This isn’t regulation and it won’t be mandatory, but it will create a benchmark against which companies’ data handling practices can be judged. And voluntary standards can become de facto mandates: if a company in the midst of a privacy PR disaster promises to do better by adhering to NIST standards, they can be held accountable by the FTC (under their “deceptive practices” enforcement authority) if they fail to do so.

Simultaneously, the National Telecommunications and Information Administration (NTIA) is developing an “approach” to consumer privacy on behalf of the Department of Commerce which has the potential to eventually inform privacy rules made by Federal agencies.

If you’re interested in all of this and want to weigh in during the policymaking process, now may be your best chance. Until November 9th, the NTIA is seeking public comment on a draft set of high-level goals and intended outcomes for the upcoming policy. You can write whatever you want, but effective public comments are brief, focused on a specific recommendation or point of clarification, and introduce relevant technical facts to make a cogent argument.

Below I’ve reproduced a comment I submitted to the NTIA’s request arguing that the way they use the term “personal information” is insufficiently vague and that it must be defined more broadly than it has been in other U.S. data protection laws. (more…)

Continue ReadingA Broad Definition of “Personal Information” is Needed in the Upcoming U.S. Federal Privacy Regulations

The Moral of “Trusting Trust”

I’m writing up a short summary for each classic cybersecurity paper that I have to know for my qualification exam. This week, let’s chat about “Reflections on Trusting Trust” by Ken Thompson (1984).

The three page paper comes from Ken Thompson’s Turing Award lecture in 1984. In it, he details a very elegant attack by which a backdoor can be injected into a program through a malicious compiler, leaving no evidence in the actual source code of the compiler or the program.

Moral

The moral is obvious. You can’t trust code that you did not totally create yourself.

Thompson argues that a skillful attacker can install a bug that will be almost impossible to detect. He spends the rest of the speech to say that most unauthorized access to computer systems is vandalism and should be treated as such by the media, the law, and society at large. This drawn out emphasis on the treatment of vandals undercuts the seriousness of the previous attack.

The moral is not that we cannot trust code we did not write ourselves.  The moral is that even the code we write could be corrupted. The keyword in Thompson’s paper is “totally.” This turtles-all-the-way-down attack stops only when you use your own vacuums.

(more…)

Continue ReadingThe Moral of “Trusting Trust”

Saltzer and Schroeder Design Principles

Alright, time to discuss another classic computer security paper! Today, it's The Protection of Information in Computer Systems by Jerome H. Saltzer and Michael D. Schroeder. Written in 1975, this document outlines some fundamental security concepts. I suggest focusing on Section 1, Basic Principles of Information Protection. The 8 design principles start at Section 1.3. As is apparent, these principles do not represent absolute rules--they serve best as warnings. Economy of mechanism: Simple is best.…

Continue ReadingSaltzer and Schroeder Design Principles

Stop Phish Shaming

Phishing won't be a problem. Everyone here is smart. tl;dr Stop shaming people for getting phished. Also, you can be phished. We need to stop encouraging the idea that only dumb people get phished. That's not how phishing works. Everyone can be phished, that's the nature of the sport. People get busy, answer emails with their phones, and don't have the time or attention to check every single link.  Furthermore, phish shaming can breed complacency…

Continue ReadingStop Phish Shaming

Classic Cybersecurity Papers

If you're looking for an accessible (read: short) list of classic papers on computer/information security, I've got you. My PhD program requires that we read five classic papers in our area for the candidacy exam. My area is cybersecurity, whatever that means, so I've been given five classic papers on security. I've included links to the online versions of the paper below. Jerome Saltzer and Michael Schroeder, The Protection of Information in Computer Systems, Proceedings…

Continue ReadingClassic Cybersecurity Papers