Image based on Three Poppies by Federico Ferrari.

by Aaron Titus

In late June, 2009 I attended the Privacy Bar Camp DC (Twitter: @PrivacyCampDC) organized by Shaun Dakin with support from the Center for Democracy and Technology, and conducted at the Center for American Progress. I confess that I attended primarily to aid my job search (psst… that was a shameless, self-promoting plug), but ended up having a great time. Bar camps have an ingenious format which promotes a high degree of participation, interaction, and brainstorming. They have nothing to do with a state legal bar, nor camping. And the genius is, they don’t have an agenda.

About 50 people showed up Saturday morning, and after a brief round of introductions, everyone interested in leading a discussion pitched their ideas to the group. Then each discussion was placed on a grid schedule with four rooms, each with four sessions. The “camp” ran all day, and each attendee chose which combination of the 16 sessions they wanted to attend. Each session was highly interactive, spontaneous, and collaborative.  The topics ranged from Government and Web 2.0 to “Empowering Big Brother,” to Open ID, to lock-picking (my personal favorite). Thomas “cmdln” Gideon and I hosted a session on “Personal Information as Property and the Platform for Privacy Preferences (P3P).” During the discussion, the concept of “Privacy Commons” came up, and several of the session participants agreed to work on the idea.

Privacy Commons

We soon had a group interested in developing the idea, and have been working on it since. Modeled in the spirit of Creative Commons, Privacy Commons (PC) aims to help individuals and organizations clarify privacy expectations, practices, rights, and mutual responsibilities by providing a series of comprehensive model privacy policies.

I admire what the Creative Commons movement has done for copyright. With its easy-to-understand concepts and clear iconography, Creative Commons is successful because it embodies commonly held cultural notions of intellectual property and copyright, which are otherwise absent from the law itself. Creative Commons fills the gap between what the law is, and what many think the law should be. Likewise, Privacy Commons will be successful only when it can identify, articulate, and empower under-served cultural expectations of privacy with easy-to-understand concepts and clear messages.

The Need for Complete, Informative, and Enforceable Privacy Policies

Privacy policies in the United States suffer from several deficiencies. First, they are often unsophisticated and incomplete. They often fail to protect an appropriate scope of information or individuals. Second, many privacy policies waive, rather than confer, privacy rights. But most importantly, courts have consistently interpreted privacy policies as unbinding notices, rather than contracts. In other words, privacy policies are unenforceable, and a victim of a privacy policy breach usually has no enforceable rights. As a result, privacy policies can have the unfair effect of creating an expectation of confidentiality, privacy, special technological protections, or even fiduciary responsibility even where there is none.

Protecting Personal Information via Contract vs. Intellectual Property

Intellectual property (IP) law is not an appropriate legal framework to protect personal information because nobody owns personal information. Personal information are facts, which are not copyrightable. Unless a person is famous, a name or SSN can’t be trademarked. An address probably does not qualify for trade secret protection, and a date of birth is certainly not patentable. Even if some sort of property right accrued to personal information, it would most logically belong to the originators of the information. For example, parents would logically “own” a child’s name and date of birth, since they created them. The government creates social security numbers, and the credit card companies create credit card numbers. The post office creates addresses, and the phone company creates phone numbers. Even third parties create gossip (beneficial or harmful), and it would be difficult to draw a line distinguishing a person’s ownership interest in gossip or other third-party-created personal information.

In contrast to Creative Commons (which operates under IP licensing law), Privacy Commons is structured around principles of contract, where two parties can bind themselves to mutual obligations through offer and acceptance. Each model privacy policy would exist between a Data Steward (Steward), and a Data Subject (Subject). A PC Policy may be converted into a contract when the Steward and Subject formalize the policy through contract principles of offer, acceptance, and consideration.

What do you think?

There is an ad-hoc working group and a Privacy Commons Wiki, which is starting work on the project, and has already published a few articles on mission, scope, and approach. The wiki is closed (to prevent spam), but logins are liberally granted with a simple e-mail. I, for one, find the project pretty exciting.

I recently returned from yet another amazing time at the EDUCAUSE Security Professionals Conference. Out of all of the different security conferences that I have had the good fortune to attend, and out of all of the conferences that have taken pity and allowed me to talk, the SPC continues to be one of my favorite events. Not only does the SPC boast outstanding presentations, but the hallway conversations, informal roundtable discussions during meals, and Birds of a Feather gathers offer unparalleled opportunities to meet other security professionals in higher education and learn new, unique ways to address issues. I strongly urge all security professionals in higher education to beg, argue or barter for the funds needed to attend this yearly gathering.

The conference lineup this year was interesting. While there were the usual technically-focused talks, the majority of the talks did not center on specific technical topics. Instead, much of the conference was focused on building and maintaining a strategic information security program within higher education. There were sessions on building risk management programs, using frameworks to build information security policies and programs, creating standardized and measurable procedures, and even talks on how to leverage internal resources such as internal audits to help improve security posture.

Like many industries, information security grew up out of the IT departments at most colleges and universities. Unfortunately, many educational institutions still equate “network security” with “information security”, and information security is often still viewed as a technical issue. However, the presentations at this year’s conference clearly indicate that the viewpoint on information security is quickly changing at colleges and universities.

This shift in how information security is viewed within higher education speaks to the maturation of information security programs at many colleges and universities. Thankfully, the industry seems to be moving away from the misguided view that all institutions need is one staff member “doing security” to be secure. This type of growth and maturity of information security programs within higher education is a great sign that perhaps I will soon have nothing to report on Education Security Incidents.

Here, in no particular order, are the top three presentations out of the sessions I was able to attend. “An Auditor’s Perspective on Frameworks for Information System Security in Higher Education” by Erwin Carrow and Brian Markham were useful in teaching me that internal auditors can, in fact, be your friends. “Using the EnCase Field Intelligence Model in Assisting with Forensic Examinations” by Yu Chang, Tammy Clark, and William Monahan were useful in showing how Georgia State University handles requests for forensic investigation. “Mapping the Shifting Landscape” by Phillip Deneault and Brain Smith-Sweeney were useful in providing excellent quotes such as “Ready-Fire-Aim” and Brian’s poorly rendered yet still amazing image on the drivers and functions of an information security program.

Congratulations and thanks are in order for this year’s SCP program committee. These folks did an outstanding job.

Image used with permission from FreeDigitalPhotos.net