The privacy and security Viewpoints column had its start six years ago. Though our 25 columns have had 23 different sets of authors, the fact is that an editor puts an imprint on a column simply by selecting potential contributors. No one should hold sway for too long, and so this column is the last under my leadership as section board member for the Privacy and Security column. It is a good time to ask how privacy and security have fared over the last half-dozen years.
The short answer is that for privacy and security, this is not the best of times. If privacy and security were students in a course, right now their grades would be somewhere between an F and an F-minus (for those readers unfamiliar with the U.S. academic system, an "F" for fail is as low as you can go). Consider just the events of the past two years. We have had the Snowden leaks, which show the U.S. National Security Agency (NSA) partnering with the intelligence agencies of the other "Five Eyes" (Australia, Canada, New Zealand, and U.K.) vacuuming up metadata (signals about communications), and, in many instances, heavily collecting content as well. The Snowden leaks also demonstrate a breach of security within the NSA and its contractors. Under legal requirements, the British telecommunications company Vodafone must provide the governments of six unnamed nations with direct access to all communications.7 U.S. retailer Target ignored the warnings of breach behavior from its security firm, Fire-Eye, resulting in the theft of 40 million credit and debit cards (more correctly, data sufficient to forge 40 million credit and debit cards).13 Meanwhile Facebook has a new product that records ambient sounds on user requestthus not only capturing lots of information about the enrolled user but also capturing conversations of unsuspecting bystanders. Google is strongly pressing users to have an always signed-on experience, particularly on their smartphones.11
The long answer is considerably more nuanced. Yes, the Snowden leaks demonstrated a level of collection that only the more paranoid among us had anticipated. The continuing revelations, including the amount of collection by the U.K.'s General Communication Headquarters, France's DGSE, and Chinese and Russian signals intelligence organizations, demonstrated that the U.S. was far from alone in conducting such massive surveillance. Yes, the wide usage of Facebook, the lack of user response, in terms of a drop-off in usage, to changes in the Google privacy policies, the willingness of users to avail themselves of apps that downloaded user location, whether or not such information was needed by the app, demonstrated that users continued to be generally unconcerned about protecting their privacy. But subtle signs indicate these signals are not all there is to the present privacy and security stories.
Consider the fact that Gregg Steinhafel, Target's CEO, was forced to resign within months of the breach. This is significant. Companies have had major breaches for years, but cybersecurity had previously never played a role in a senior executive's resignation. Now it has. Cybersecurity has suddenly become a lot more important in the C suite.
Consider the sudden success of SnapChat, the app thatincorrectly, as it turned out5claimed it deleted photos seconds after their appearance on a recipient's screen. Someoneactually lots of someoneswanted such an app. Share a photo, but have it be ephemeral. There was interest in having email and text be ephemeral too. This is a desire to return to have communications largely be they way they were before digital transmission and storage made the most trivial utterance permanent.
Finally, consider the impact of the Snowden leaks on the U.S. government, which is now having serious, somewhat public, discussions about limits on collection. In January, President Obama announced he would move bulk metadata collection out of the government's hands.a The president also committed to restraining the use of communications collected for foreign-intelligence purposes in criminal cases and to restricting the length of time a National Security Letter, which "require[s] companies to provide specific and limited information to the government without disclosing the orders to the subject of the investigation" can be kept secret. There are some that would say the president did not go far enough in curbing intelligence collection. But these are substantive changes, and there may be even more forthcoming.
Thus that failing grade for privacy and security may not be an accurate description of where we are on privacy and security, though we do certainly appear to be at a nadir. Where we are headed is more than a little difficult to discern. Before I respond to that issue, we must first understand how we arrived at the present point. As security and privacy present substantively different issues, I will address them separately.
For security, partially the problem arose from the mistaken belief that security was all about confidentiality, integrity, and availability, and partially from the belief that security was merely a technical issue. But while the fact that both of these assumptions were wrong was obvious at least a dozen years ago, developing more complex responses to computer security was not easy. It may be difficult to design a secure cryptosystem; it has proven much harder to develop incentives that cause companies to adopt secure systems. The former is purely a technical problem,b the latter requires developing an economic model, perhaps including government regulations or laws, to pressure an entity into adopting a more secureand likely more expensivesystem.
For privacy, the situation is even more complicated. The first need was developing an understanding of privacy in the electronic age. In the 1960s, Alan Westin defined privacy as the ability "to determine for themselves when, how, and to what extent information about them is communicated."17 In the 1970s, the "Ware Report" operationalized and extended this into the Fair Information Practice Principles, which have been widely adopted throughout the world.16 But the principles of "Collection Limitation, Data Quality, Purpose Specification, Use Limitation, Security Safeguards, Openness, Individual Participation, and Accountability"8 do not cover a world in which a user may install hundreds of apps on her smartphone, each of which requests access to multiple permissions. And that is only the phone: the user also must confront her work desktop and its browsers, her shared family tablet, her laptop, and ...
It is a good time to ask how privacy and security have fared over the last half-dozen years.
This brief reprise of the current communication and computing world tells us that handling security and privacy involves understanding economics (for developing incentive schemes to build security into applications and to help users manage their privacy if they so desire), anthropology (for understanding the different ways people approach their electronic gadgets), psychology (for developing models that give people the computer interactions they want), design (for getting the colors, sizes, and signals right for people to achieve what they want), law (for balancing different interests in society), and so forth. While human-computer interaction has been an established field for at least three decades, the Workshop in Economics of Information Security is only in its 13th year and the Symposium on Usable Privacy and Security is just 10 years old. And while there is a Privacy Legal Scholars Conference that focuses, to a large extent, on digital privacy, there is no equivalent Cybersecurity Legal Scholars Conference. The point? Scholarship in these human aspects of privacy and security is nascent. That means translation into actual use is even more so.
Where does that put us? Being always connected is increasing and we are moving to the Internet of Things; both of these will create additional privacy and security risks. It is likely that for many peopleespecially those living under repressive regimes and those with less opportunity either as a result of economics or because of a lack of capabilitiesprivacy and security incursions will mount. In such situations, digital communications technologies appear to be leading to increasingly oppressive and invasive situations for many people.
I think we have done a reasonable job covering a broad and complex set of topics.
On the other hand, there are changes in the air. danah boyd describes how American teens have learned to hide their actions in plain sight,1 the U.S. government is seriously considering certain limitations in its collection of communications, both domestically and abroad, the Europeans are attempting to put limits on what information is available about individuals (though the European Court decision on "the right to be forgotten" decision4 seems to me to confuse data being accessible on the networkthe real issuewith data being linked through search engines). There appears to be considerably more interest by private individuals in securing and protecting their data; Tor usage, for example, is approximately twice what it was in May 2013.c,15
Whether the latter will be a lasting change is, of course, crucial. It is a question I cannot answer. But I can address how well this column has handled broadly addressing the issues surrounding privacy and security over the last six years. And there I think the answer is, "Reasonably well."
Long before the Snowden leaks, we had columns on electronic surveillance in Sweden9 and a proposed code of ethics for U.S. intelligence officers.14 We had more technical columns focused on de-anonymizing anonymized networks12 and on why air gaps do not work for SCADA networks.3 We have had some on the social science side, including on the role of emotions in making complex security decisions,10 and on the impact that Fear, Uncertainty, and Doubt play in determining how to fight back against computer crime.6 We have covered the value, or lack thereof, of professionalizing the cybersecurity workforce.2 We have had researchers, implementers, engineers, computer scientists, lawyers, social scientists of many flavors, and management experts writeand there have been authors from three continents and at least 27 different policy persuasions. I think we have also done a reasonable job covering a broad and complex set of topics.
With this, I hand the mantle of Communications Privacy and Security columns to Carl Landwehr, for 30 years a leading cybersecurity researcher. Carl is a National Cyber Security Hall of Fame inductee and a former editor-in-chief of IEEE Security and Privacy. Many thanks for the pleasurable run.
4. European Court, Judgement of the Court, Grand Chamber. Google Spain SL Google Inc. v. Agencia Espanola Proteccion de Datos Mario Costeja Gonzalez, May 13, 2014; http://bit.ly/1prYAfk.
8. Gellman, R. Fair Information Practices: A History, Version 2.11 (Apr. 2014); http://bobgellman.com/rg-docs/rg-FIPShistory.pdf.
11. Mirani, L. Google's sneaky new privacy change affects 85% of iPhone usersbut most of them won't have noticed. Quartz (Apr. 3, 2014); http://bit.ly/1fKRDB2.
15. Tor Metrics Portal, Users; http://bit.ly/1oMOzJA.
a. "Remarks by the President on Review of Signals Intelligence," January 17, 2014; http://1.usa.gov/1awEWY8.
The Digital Library is published by the Association for Computing Machinery. Copyright © 2014 ACM, Inc.