The WSJ runs a great article on issues with FB's current privacy position. It seems FB positions itself as a repair mechanic, not as a professional architect, when it works on privacy controls.
The newspaper story started with an example of involuntary disclosure of sexuality when a teenager joined a chorus FB group. Her parents were informed about her sexuality via FB. The reporter, Geoffrey A. Fowler, then explained some inevitable changes to privacy: “For much of human history, personal information spread slowly, person-to-person if at all.”; “Personal worlds that previously could be partitioned—work, family, friendships, matters of sexuality—become harder to keep apart.”; “Facebook is committed to the principle of one identity for its users.”; “increasing privacy settings may actually produce what they call an “illusion of control” for social-network users.”
After reading this article, I noticed that although FB is responsive in fixing the technical issue, they did not discuss how they design and verify privacy BEFORE launch. Millions of FB users do the testing for FB for free. It is the largest software test I have ever known. FB improves its system after its users have already suffered from the system's misbehaviour.
Privacy settings affect every user, and FB should design each new function or each disclosure with systematic impact analysis. There should be a clear document listing how each activity is displayed to friends and the public. FB should notify the user community of the impact a new system feature will have on such disclosure.
The idea that we are letting FB continuously fix its system scares me. Privacy should start with impact analysis and robust testing before things happen.
If you are the CISO of your organization and implementing a security programme, what questions should you ask yourself to help realize a successful programme rollout? No, it is not about what software to use, what hardware to install, what process to put in place or even what vulnerabilities you are going to remediate or mitigate. In fact, they are:
- Are we doing the right things?
- Are we doing them the right way?
- Are we getting them done well?
- Are we getting the benefits?
Four simple questions about your security programme, all about the business results – but not technology, schedule, and resources. Four questions about the reality, such that your company can make informed decisions. In addition, each of the four questions can be further elaborated, for example:
Are we doing the right things?
- What technology and processes are proposed?
- For what business outcome?
- How do the deliverables within the programme contribute?
Are we doing them the right way?
- How will it be done?
- What is being done to ensure that it will fit with other current or future capabilities? (e.g. Business / Operational / Technical capabilities)
Are we getting them done well?
- What is the plan for doing the work?
- What resources and funds are needed?
Are we getting the benefits?
- How will the benefits be delivered?
- What is the value of the security programme?
You should answer all the questions based on relevant, current, accurate, business-focussed information. By that time, I am sure, you will find that a successful security programme no longer depends on technology, process and policy only; it is also an investment that has an enormous impact on creating and sustaining business value.
For my first post, I’d like to discuss privacy enhancing technologies.
When I was fresh out of graduate school, I joined a start-up called “Zero-Knowledge Systems”. This being in the middle of the dot-com boom, they had 300+ employees, great parties and essentially no revenues! Beyond the hype and fluff, we created truly innovative solutions to protect online privacy. Their main product was essentially a “mix-net”, somewhat like “Tor”, that masked the users’ IP addresses. I was in what they called the “evil genius” team, working on future products. I was fortunate to work on privacy enhancing credentials based on the work of Stefan Brands. This technology is awesome (and now belongs to Microsoft): it allowed one to show certificate properties without divulging anything else (even with collusion of the verifier and the certificate issuer) – this is highly counter-intuitive. Using these mathematical tricks, we could develop electronic cash that had properties that were almost identical to physical cash – it was impossible to determine who had owned the cash before the current transaction. This was very exciting stuff at the time.
Despite their amazing potential, these technologies have not really hit the mainstream. Privacy seems to be the realm of lawyers and regulators nowadays. Back in 2000, we did not think things would evolve this way. The internet has changed since then with Google, Facebook, etc. However, I persist in believing that privacy enhancing technologies can more easily solve many of the privacy issues we are dealing with today…
Perhaps, just like mobile payments that are just now starting to take off after being feasible for 10+ years, privacy enhancing technologies should be revisited… The business cases did not fly back then; perhaps they would today.
Looking forward to hearing your views. I also understand that there are huge variations in how people perceive privacy in different cultures. Perhaps a more fundamental question is whether, in the age of Facebook, we even care strongly about privacy?
Warning: my career has taken many twists and turns, and I have not worked on this for several years and may not have the most up-to-date information.