Saturday, May 29, 2010

"Privacy" vs "Security" or Privacy AND Security

Perhaps I'm alone on this, but I may not think of "privacy" and "security" the same way as some readers of this blog. It's common to hear that there is a tension between these two ideas, but I consider them to be very different, at least at the enterprise level.

Privacy is primarily concerned with protecting customer data, often called Personally Identifiable Information (PII). Lawyers are typically the dominant players. This field is heavily regulated, with laws requiring disclosure when "records" are lost. The costs of an incident are borne primarily by the individuals whose PII was stolen.

Security is primarily concerned with protecting intellectual property, often including trade secrets. Security professionals are typically the dominant players. The field is less regulated, since a company loses its own IP. The costs of an incident are borne primarily by the enterprise, because it becomes less competitive.

In this sense, an enterprise seeks to preserve both privacy and security: protect customer data and company data.

Of course, there are plenty of "privacy advocates" who concentrate on "protecting" the activities of anyone who interacts with an enterprise, whether customers or employees. My problem with these sorts of privacy advocates is that their laws, tactics, and worldview are often detrimental to the privacy and security I defined earlier.

For example, intruders know that it can be difficult to instrument and monitor activity in countries with "strict privacy laws" (hello .eu). As a result, intruders prey on organizations operating in those countries, knowing that it is rough for CIRTs to detect and respond to intruders. The result is that customer and enterprise data is at greater risk thanks to "privacy laws."

In terms of my last post, More Evidence Military Will Eventually Defend Civilian Networks, the focus is clearly on security as defined in this post. I could see Cyber Command helping American companies protect intellectual property. Secretary Lynn clearly said he is not trying to aid consumers losing their credit cards to online thieves.

22 comments:

The Ubiquitous Mr. Lovegroove said...

I fail to see how privacy laws prevent organizations from defending customer & employee data they hold.

Richard Bejtlich said...

Here's an example: some people interpret so-called "privacy laws" so strictly that collecting even *IP addresses* when gathering security data is considered a "privacy violation." Or, if that's not a violation, tying the IP address to the user will be a violation. So, if I find a company computer controlled by an intruder, it can be difficult to impossible to identify the owner because of "privacy" restrictions.

The Ubiquitous Mr. Lovegroove said...

That is a very interesting observation! Can you refer to some case law or statutes? I live in the EU and this is new to me. Under EU directive 95/46/EC (wiki entry) as implemented by member states, all that is required is to register such databases with the regulator and to protect them.

Richard Bejtlich said...

I can't cite any laws. I'm mainly describing my organization's experience dealing with various privacy laws and regulators across .eu.

David Mortman said...

According to this: http://www.mediapost.com/publications/index.cfm?fuseaction=Articles.showArticle&art_aid=80136

As of 2008 the EU considers IP Addresses personal information at least with regard to search engines. Official document here: (http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2008/wp148_en.pdf).

Last I heard, in the US they are still not personal information: http://www.mediapost.com/publications/?fa=Articles.showArticle&art_aid=109242

Some decent high level analysis of both rulings here: http://thefraudblog.com/2009/07/17/ip-address-and-pii-what-are-the-implications/

Bitwiper said...

Richard, I disagree with you on a number of points.

W.r.t. enterprises, protecting customer data is a matter of security, not privacy. Only if security is breached and customer data ends up in the wrong hands, privacy may play a role. For example, I do not consider theft and abuse of my credit card data a privacy matter.

W.r.t. your "(hello .eu)" comment: perhaps in Europe we (unfortunately) have more experience with governments (both in the past and nowadays) collecting information for scientifically unproven purposes, and those governments tend to either leak or lose that information, or abuse it for other purposes than claimed.

You write: "As a result, intruders prey on organizations operating in those countries". Unfortunately you do not provide any evidence w.r.t. this statement.
Allow me to point you to websites such as http://www.maliciousnetworks.org/ that clearly point out that most malware and spam still originates from the USA, thus proving you wrong.

It appears that, apart from the DoD, NATO is also looking for funding to compensate for the lack of interest by the public (voter) in traditional warfare, by appealing to FUD such as "cyber warfare" and "internet attacks by malicious governments". IMHO this is crap.

The internet is full of cyber *criminals* that have to be taken care of, and we fail horribly in doing so. Criminals penetrate organizations and companies for financial gain. We don't need the army to fight them, we need international justice to hunt them down, and disconnect them from the Internet. We need governments to sanction other governments that maintain safe havens for criminal attackers (RBN, "bulletproof hosting" etc). We need governments to mandate ISPs to take compromised PCs offline, so that they cannot be used to execute DDoS and spam attacks, and spread malware. We need governments to sanction companies that fail to protect customer data (in this respect the USA does a better job than the EU). We need governments to hold software makers (financially) responsible for security bugs in their software. Finally governments should spend more money on research to make software and (network) infrastructures more secure.

Deep packet inspection by NSA sensors in our network is not the solution; attackers will easily evade them, while there is even a risk that attackers exploit such green/brown colored monitoring equipment. No thanks for me.

dearista said...

UML,
Read ...
https://ssd.eff.org/wire/govt/pen-registers
It is a very well studied concept that to catch people breaking rules requires some monitoring and surveillance. This can be automated (speeding cameras, IDS, etc.) or it can be more manual/tool assisted (cop with radar gun standing on side of road, analyst poring over logs and SIEM, etc.).
It is impractical or nearly impossible to have a surveillance program that only captures information relevant strictly to security violations. This fact raises concerns about WHAT ELSE those who are vigilantly looking for bad guys may be seeing.
The link above is a good start. Check out CALEA, FISA courts, Patriot Act, and The US Bill of Rights.
I believe it is a trade off…how much privacy am I willing to give up for a reciprocal amount of security?
This obviously begs many questions. For years a 'risk management' community has attempted to apply project management/financial accounting type methods (R = v*t*i) to determine how to best optimize or find the right balance b/w the two.
Separating security and privacy (especially in the context of Einstein sensors) is something, Richard, I have to really question your reasoning on.
-Dan

Richard Bejtlich said...

Bitwiper, you said

'You write: "As a result, intruders prey on organizations operating in those countries". Unfortunately you do not provide any evidence w.r.t. this statement.
Allow me to point you to websites such as http://www.maliciousnetworks.org/ that clearly point out that most malware and spam still originates from the USA, thus proving you wrong.'

*Your* "evidence" means nothing to me. "Malware and spam" mean almost nothing in my world. Those events are a nuisance compared to the sorts of threats I worry about.

You're clearly entitled to your opinion, but remember I am speaking from the perspective of defending a Fortune 5 global enterprise with over 300,000 users and half a million systems. Maybe I don't relate well to some of my blog readers, but if you want that sort of large-scale, global perspective that's what you will get here.

Richard Bejtlich said...

dearista,

Speaking in the spirit of my last comment -- I am describing a real separation between security and privacy, not a theoretical one. It's based on my real-world observations. If it doesn't match your experience, that's fine.

Bryan said...

I agree with you. I'm a big privacy advocate but I believe employees should have no expectation of privacy while on the job.

Gavin said...

I can't cite any laws. I'm mainly describing my organization's experience dealing with various privacy laws and regulators across .eu.

You deal with these various privacy laws, but cannot reference them?

Maybe I don't relate well to some of my blog readers, but if you want that sort of large-scale, global perspective that's what you will get here.

Perhaps some actual examples to help prove the somewhat controversial and grandiose statement that "customer and enterprise data is at greater risk thanks to "privacy laws."" would be useful to aid our limited understanding.

Richard Bejtlich said...

Gavin,

When you work in a really large organization you have to rely on others who are experts in various laws, regulations, and other restrictions that affect my work. Sorry, I'm just a caveman. If you want a law blog, look elsewhere.

Here's a few "actual examples" to "aid your limited understanding":

1. I need to sign contracts (!) with various *internal* business units in strict privacy law countries just to deploy instrumentation to combat threats.

2. It can take me 6 to 12 months to deploy sensors in locations with strict privacy laws.

3. I have seen intruders repeatedly set up shop on those networks.

The Ubiquitous Mr. Lovegroove said...

Richard,

On 1. I am not sure contracts strictly speaking are required to send over personal data, one must only ensure that it is protected as per originating country requirements (EU directive, e.g.). People love papers, so they will sign something; fine, I buy this.

On 2. 6-12 months of deployment in those countries sounds like a lot of internal inertia. I don't believe that only privacy laws are to blame for delays so significant.

On 3. that's mighty interesting!

dearista said...

Richard,

You are not describing "a real separation between security and privacy" in your blog post... And pumping your credentials (which I do admire, and still hail your Extrusion Detection as one of the most seminal books in network security) into the conversation may intimidate some folks, but it doesn't make your argument any more compelling.

IMHO, you're evading the problem by defining privacy concerns with "PII", and security concerns with the protection of "IP". Then saying that they are both value at risk...then you make this leap that this 'solves' any privacy concerns...half baked.

Again, you have to give up privacy if you want monitoring, and you have to monitor to catch bad guys.

Going back to our initial exchange (on this topic); what makes you think that the privacy concerns have been resolved? How will relevant data be separated from the stream while doing DPI? If it is available, I couldn't think of anyone else who could explain that to me than yourself...in part why I read your blog.

In an effort to stay on topic, I haven't even begun to bring up all of the other issues with this idea of govt. IDSs going onto private networks by voluntary consent of the owner...

-Dan

Richard Bejtlich said...

Dan,

Give me a break. I am not trying to "pump my credentials" to "intimidate" anyone. I am trying to describe my experience and why that may be different from someone else's experience.

dearista said...

Hey, somebody has to bust your balls :)...it's tough to convey sentiment over text...

Every day I look back and haven't watched/defended a network in years...I guess I am just a theorist at this point...hell I'm about to start a PhD.

I would like to see more of a 'result oriented' approach from the government, which I believe will require more accountability than this ineffectual 'voluntary monitoring' or 'voluntary information sharing' tone.

If I may quote, "What a disappointment."

-Dan

CyberG said...

Anybody that has ever had to pull a forensic image from an EU nation knows this is something very difficult to accomplish in any reasonable amount of time. Typically the evidence is long gone by the time the approvals are done. I think a lot of privacy advocates are out of touch and comment on things, like incident response, that they are not necessarily familiar with at the granular level we are discussing.

I am all for consumer privacy and think the US can learn a lot from Europe in this regard. However, every privacy law should be constructed with a well-worded System Administrator's exception that allows for rapid defense and investigation of YOUR OWN computing assets regardless of location. That is the downfall of the EU privacy laws IMHO.

The Ubiquitous Mr. Lovegroove said...

CyberG,
Can you specify in some tangible depth why exactly it takes so long? Laws, policies, general fear of doing things wrong?

CyberG said...

Yes I can. In my past experiences, prior to doing any forensic image we had to have approval from the corporate legal counsel before doing anything. So that would be corporate policy driven by various laws. A typical approval for a US-based computer would be hours to days. For a similar EU-based system, 3 months to never. If you are looking for specific statutes that drive the corporate policy I wouldn't know those because I'm not a lawyer obviously. From the IR perspective, we concede to the legal department who then concedes to EU privacy laws. I think you can make the case that there are inefficiencies within the company (imagine that :-0), however the bottom line is that the EU laws drive this behavior. That is only my humble incident responder's opinion. If you are an EU privacy law expert, then you might outline the specific statutes that create this fear of lawsuits.

The Ubiquitous Mr. Lovegroove said...

Some quick research has yielded this FAQ on data transfer to third countries - from EU/EEA to US as an example. It talks about special provisions for multinational companies. I will analyze in depth and probably write my first worthwhile blog post, but it appears that EU->US data transfer scheme can be devised once in a company and not take the many months cited here.

dearista said...

I think in the same vein as Bryan (no expectation of privacy on corporate networks), that those images should not be protected in that way.

In my experience it wasn't privacy concerns as much as lack of logs!

dearista said...

UML,

You may consider researching around the American Bar Association's Section of Science & Technology Law, Information Security Committee. I saw their Jody Westby and colleagues give a well rounded panel discussion on international cybercrime law enforcement issues.

http://new.abanet.org/sections/scitech/ST230002/Pages/default.aspx?com=ST230002

-Dan