Jeff Northrop

Privacy and security

Celebrity Nudes Whodunnit

Today the internet is all abuzz with the news that a hundred or so celebrities’ personal photo accounts were hacked. Tonight it’s all about indignation; tomorrow will come the speculation about how this could occur.

Make no bones about it, this is a massive privacy breach, and on a scale I’m not sure we’ve seen before, particularly when you account for the personal nature of the photos and the sheer number of celebrities affected. Given that, someone will want to say they were the first to get it right, and that includes yours truly.

First, let’s dispense with what this is not. I have a gut feeling this is not an iCloud exploit, as most suspect (UPDATE: Apple now confirms this). This is certainly not some nation-state effort. It is on that scale but that would be ridiculous – even the most fervent jihadist has better things to do. I also don’t...


When Policies and Practices Don’t Match

The Center for Digital Democracy (CDD) recently filed a complaint with the FTC alleging that 30 U.S. companies are failing to comply with the U.S.-EU Safe Harbor Agreement. The companies are all data brokers of some sort, either as their primary business, such as Acxiom, or as a by-product of what they do, such as Salesforce. The filing is 100+ pages of background, opinion and evidence, but the whole thing can be boiled down to one simple allegation: these companies say they do one thing in their policies but in practice they do something else.

This filing is not unique: the FTC earlier this year settled similar allegations with twelve companies and, over the years (and with increasing frequency), has brought a number of similar cases against individual companies. All of these cases almost always boil down to someone doing something with personal information that their...


Is Privacy Necessary Without Humans

I finally found some time to catch up on the week’s news last night and, not surprisingly, there were a number of different stories reporting on Google’s new tools for tracking users on their smartphones. The effort from Google is not surprising in the least, nor do I think it is all that interesting; it did, however, get me thinking about something I hadn’t considered before.

Note: The Google announcement is yet another story, in a long line of such stories, where a company announces some increased ability to track customers and people respond to the news by expressing discomfort over being tracked. I’ve written about this many times before so I won’t belabor the point, but to readers who are running services that collect personal information: you really should confront the issue in a transparent manner and not simply hide behind some legalese-filled...


Getting Dirty in Modern Web Development

The IAPP just launched a complete rebuild of its virtual face to the world, privacyassociation.org. In my current position at the IAPP the website, and this project, is the responsibility of my business unit. It’s been a number of years since I tackled a website project of this magnitude, and I was shocked to realize just how far web development has advanced in what seems to me such a short period of time.

It’s not like I don’t read the news or keep abreast of the latest technical trends, so when the project kicked off I knew of the modern components and best practices that go into building a new website; I just hadn’t considered their overall scope when taken as a whole. This post might be helpful for those embarking on the same journey (with similar past experiences), but largely this one is for me. I think it’ll be fun to look back on...


My Recent Public Exposure

Part of my current role is public outreach, and it’s been a busy couple of weeks for me doing just that. Here are the highlights:

I did a webinar for a technology recruiting firm on why privacy is a good skill for information security professionals. You can watch it on Vimeo.

I had media interviews with IT Business Edge and Health IT Security to help promote the IAPP’s newest certification.

Finally, I participated in Infosecurity Magazine’s Summer Virtual Conference 2014.

That should do it for me until September, when the conference circuit starts up again. One other note: I was accepted as a speaker at BlackHat (which I was super excited about) but, due to cost considerations, I had to withdraw. Bummer. Maybe next year.


Apple HealthKit

Apple announced HealthKit today at WWDC. This was rumored to be coming, so no surprise there, but their description leaves out one critical bit of information. See if you can spot it.

HealthKit allows apps that provide health and fitness services to share their data with the new Health app and with each other. A user’s health information is stored in a centralized and secure location and the user decides which data should be shared with your app.

I’m glad the information is stored securely and the user has control over what is shared with targeted apps, but it says nothing about what is shared with Apple. Whoops! If I’ve said it once I’ve said it a thousand times: companies need to be clear about these things up front. Expect to see more information from Apple in the coming days, but also expect bloggers and other media to zoom in on this missing piece of information....


Consumer Expectations

Or, alternatively titled, “How security and privacy intersect but are different, and why it would benefit you to pay closer attention,” but that would be way too long a title. As CTO of the IAPP, at the center of privacy, I have a unique perspective, and I see both an obligation and an opportunity emerging.

One constant for me since early 2013 is that I am continually asked about Snowden, or more precisely how the secrets he revealed have changed our collective thinking about privacy. Short answer: not much, but it did consolidate our collective voices.

The only lasting effect Snowden has had so far was to emphasize just how much the public does care about privacy, and those of us working in privacy already recognized that the public cares deeply about maintaining control over their personal information. You’d think after all of the media attention that...


InformaticaWorld, One Lesson Learned and One Cool Tool

I’m on the plane coming back from InformaticaWorld and I’m still trying to digest everything that went on this week, but two things stick out that I’d like to share. Monday afternoon I gave my presentation, followed by a short Q&A session, at the ILM preconference. It seemed to go well and I had some good feedback, but I was to learn on Tuesday morning that my message might not have quite hit the mark it could have; had I known then what I know now, I would have presented things differently.

During the Tuesday morning keynote, opening the first day of the full conference, Informatica CEO Sohaib Abbasi asked the audience, “Raise your hand if you consider yourself a security expert.” I would have guessed that many, if not a majority, of these professionals would have demonstrated expertise in security and would raise their hands.

After all, these...


Presentation at InformaticaWorld

Note: What follows is a transcript of the presentation I gave at InformaticaWorld 2014. The intent was to give data professionals a reason to consider privacy as part of their roles and responsibilities. I will be following this up in a couple of days with my thoughts on the InformaticaWorld conference.

I want to spend a couple of minutes and take you on a quick trip. I’m going to start with what you already know about privacy and hopefully end up connecting it right into your everyday work responsibilities. I’m going to cover a lot of ground really quickly, so buckle up. Let’s start: for consumers, privacy is a top-of-mind issue.

If you need evidence of this, then look no further than an ongoing online poll from the Web We Want Project. It asks one simple question: What kind of web do you want? The viewer chooses from six answers. I want a web that:

  • Safeguards privacy
  • ...


Tesla Phones Home

Catching up on the news this weekend I came across a piece by an automotive reviewer who found an Ethernet port in his Tesla Model S. By hooking up to that port and poking around a bit, he found some fun stuff. The Model S runs, partly, on a Linux distribution, with services like SSH, HTTP and X11 providing some of the car’s functionality. Further, he was able to access the system and run some of his own commands. That’s pretty cool, and it gets me thinking about the possibility that the car could be jailbroken.

This discovery brings up the obvious concerns for the security of the system, and speculation about whether components such as the accelerator, steering or braking system could be hacked, compromising the safety of the vehicle. These are valid concerns, and although the reviewer found no evidence that the part of the system he accessed had access to any major system in the...
