Jeff Northrop

Privacy and security

Read this first

Information Security Risks Becoming a Failed State

Current events are depressing. President Obama, on the television last night, let us all know he has approved US airstrikes in Syria, an indication of the deepening struggle of both the Syrian and Iraqi governments as they attempt to maintain some semblance of control. The situation in Ukraine is on a knife's edge as well, for much the same reasons. These are indicators that we may be witnessing the last gasps of failing states in those regions, and while that news is bad, amid the constant updates on the instability in Ukraine, Syria and Iraq come news reports of major data breaches, most recently JP Morgan and Home Depot. I fear that, much like the situation with the aforementioned regional political conflicts, an analogous story can be told about the current state of information security.

The unfunny punchline to the case I’m about to lay out is that...

Continue reading →


Welcome to Our New World Order

The kerfuffle over explicit personal images of nearly one hundred celebrities continues to make the news and is choking social media with cries of indignation, pleas for support, tasteless jokes and voyeurs salivating over the whole thing. Given the scale of the leaks and the notoriety of the victims none of this is surprising, but the media coverage of it is sensationalist and lacks perspective (I guess that isn’t really surprising either). Some articles are better than others but most condemn a handful of sites as if they were welcoming denizens of evil and ignore the fact this type of privacy violation has become commonplace. All of this mis-focused attention is just feeding the cycle of interest.

There are three lessons to learn from all of this.

Things spread fast on the internet and it cannot be controlled

When news broke of the leaked photos, the internet moved fast. The...

Continue reading →


Celebrity Nudes Whodunnit

Today the internet is all abuzz with the news that a hundred or so celebrities' personal photo accounts were hacked. Tonight it's all about indignation; tomorrow will come the speculation about how this could occur.

Make no bones about it, this is a massive privacy breach and on a scale I’m not sure we’ve seen before. Particularly when you account for the personal nature of the photos and the sheer number of celebrities affected. Given that, someone will want to say they were the first to get it right, and that includes yours truly.

First, let's dispense with what this is not. I have a gut feeling this is not an iCloud exploit, as most suspect (UPDATE: Apple now confirms this). This is certainly not some nation-state effort. It is on that scale, but that would be ridiculous – even the most fervent jihadist has better things to do. I also don't...

Continue reading →


When Policies and Practices Don’t Match

The Center for Digital Democracy (CDD) recently filed a complaint with the FTC alleging that 30 U.S. companies are failing to comply with the US-EU Safe Harbor agreement. The companies are all data brokers of some sort – either as their primary business, such as Acxiom, or as a by-product of what they do, such as with Salesforce. The filing is 100+ pages of background, opinion and evidence, but the whole thing can be boiled down to one simple allegation: these companies say they do one thing in their policies, but in practice they do something else.

This filing is not unique, as the FTC earlier this year settled similar allegations with twelve companies and, over the years (and with increasing frequency), they have brought a number of similar cases against individual companies. All of these cases almost always boil down to someone doing something with personal information that their...

Continue reading →


Is Privacy Necessary Without Humans

I finally found some time to catch up on the week's news last night and, not surprisingly, there were a number of different stories reporting on Google's new tools for tracking users on their smartphones. The effort from Google is not surprising in the least, nor do I think it is all that interesting; it did, however, set me thinking about something I hadn't considered before.

Note: The Google announcement is yet another story, in a long line of such stories, where companies announce some increased ability to track customers and people respond to the news by expressing discomfort over being tracked. I’ve written about this many times before so I won’t belabor the point, but to readers who are running services that collect personal information you really should confront the issue in a transparent manner and not simply hide behind some legalese filled...

Continue reading →


Getting Dirty in Modern Web Development

The IAPP just launched a complete rebuild of its virtual face to the world – privacyassociation.org. As part of my current position at the IAPP the website, and this project, is the responsibility of my business unit. It’s been a number of years since I tackled a website project of this magnitude and I was shocked to realize just how far web development has advanced in, what seems to me, such a short period of time.

It's not like I don't read the news or keep abreast of the latest technical trends, so when the project kicked off I knew of the modern components and best practices that go into building a new website; I just hadn't considered their overall scope when taken as a whole. This post might be helpful for those embarking on the same journey (with similar past experiences), but largely this one is for me. I think it'll be fun to look back on...

Continue reading →


My Recent Public Exposure

Part of my current role is public outreach and it’s been a busy couple of weeks for me doing just that. Here are the highlights:

I did a webinar for a technology recruiting firm on why privacy is a good skill for information security professionals. You can watch it on Vimeo.

I had media interviews with IT Business Edge and Health IT Security to help promote the IAPP’s newest certification.

Finally, I participated in Infosecurity Magazine’s Summer Virtual Conference 2014.

That should do it for me until September when the conference circuit starts up again. One other note: I was accepted as a speaker at BlackHat (which I was super excited about) but, due to cost considerations, I had to withdraw – bummer. Maybe next year.

Continue reading →


Apple HealthKit

Apple announced HealthKit today at WWDC. This was rumored to be coming so no surprise there, but their description leaves out one critical bit of information. See if you can spot it.

HealthKit allows apps that provide health and fitness services to share their data with the new Health app and with each other. A user’s health information is stored in a centralized and secure location and the user decides which data should be shared with your app.

I'm glad the information is stored securely and the user has control over what is shared with targeted apps, but it says nothing about what is shared with Apple. Whoops! If I've said it once I've said it a thousand times: companies need to be clear about these things up front. Expect to see more information from Apple in the coming days, but also expect bloggers and other media to zoom in on this missing piece of information....

Continue reading →


Consumer Expectations

Or, alternatively titled, "How security and privacy intersect but are different, and why it would pay to pay closer attention," but that would be far too long a title. As CTO of the IAPP – at the center of privacy – I have a unique perspective, and I see both an obligation and an opportunity emerging.

One constant for me since early 2013 is that I am continually asked about Snowden, or more precisely how the secrets he revealed have changed our collective thinking about privacy. Short answer: not much, but it did consolidate our collective voices.

The only lasting effect Snowden has had so far was to emphasize just how much the public does care about privacy, and those of us working in privacy already recognized that the public cares deeply about maintaining control over their personal information. You'd think after all of the media attention that...

Continue reading →


InformaticaWorld, One Lesson Learned and One Cool Tool

I'm on the plane coming back from InformaticaWorld and I'm still trying to digest everything that went on this week, but two things stick out that I'd like to share. Monday afternoon I gave my presentation, followed by a short Q&A session, at the ILM preconference. It seemed to go well and I had some good feedback, but I was to learn on Tuesday morning that my message might not have quite hit the mark it could have; had I known then what I know now, I would have presented things differently.

During the Tuesday morning keynote, opening the first day of the full conference, Informatica CEO Sohaib Abbasi asked the audience, “Raise your hand if you consider yourself a security expert.” I would have guessed that many, if not a majority of these professionals, would have demonstrated expertise in security and would raise their hand.

After all, these...

Continue reading →