Jeff Northrop

Privacy and security

New Year, New Host, New Start

It’s been over a year since I last blogged. I was burned out. I needed a break, and if there was ever a year to skip I think 2013 was that year. While the topic of privacy certainly exploded in the news last year, so much so that deemed “privacy” word of the year, I’m not sure I would have added much to the conversation.

The stream of revelations from the NSA breach orchestrated by Edward Snowden was undoubtedly the driving force launching privacy to prominence, and while it is of significant historical importance and worth writing about, everyone was covering the story, from every conceivable angle. What more could I have added?

But here I am again, ready to start fresh on the Svbtle platform. I’ll be posting intermittently, starting with my first topical post shortly after this one: a transcript of a presentation I prepared for Dreamforce last November.

Considering the Psychology of Security

Note: This post represents a somewhat rambling collection of thoughts. If you’ve been following my blog for a while you’ll recognize that I have an interest in the psychology of “privacy.” This post is a formation of my thoughts as I extend my interest towards the broader topic of security.

It’s well known that human error from inside a company is the most prevalent cause of a security incident. This is a well studied phenomenon yet still we—information security professionals—don’t apply considerable resources towards addressing this.

Sure, we pay lip service to the importance of awareness and training, but it is often treated as ancillary to the “larger plan” and not elevated to an operational priority. As a result, a corporation will generally set aside some small amount of time for training, but the challenge of persuading a non-security professional that securing data...

Privacy is not Security, II

Late last year I wrote about the differences between information security and privacy. What was true then is still true now: That information security professionals, often by default, are tasked with handling privacy for their organization—and I wouldn’t want to discourage that. I believe those who possess the knowledge, skills and experience to protect data are well positioned to extend their responsibilities to handle information privacy as well.

However, the mechanisms with which information security professionals perform their functions don’t fully cover privacy. Compliance with laws and regulations such as PCI DSS, HIPAA and GLBA works to ensure that certain types of data are well protected from improper access and use, but as the field of data analytics (a.k.a. Big Data) continues to mature, those narrow protections are inadequate.

Consider the tension around privacy for a moment...

Dawning of Privacy

My presentation two weeks ago at the Security Congress went a bit differently than I’d expected. I wanted to take a stab at challenging the audience and inviting an argument. It’s not that I enjoy disagreement, but I thought that it might be helpful to encourage a debate. The main thesis of my presentation was that information security professionals, while often tasked with the responsibility to handle privacy, do a lousy job of it.

Given that I was talking to predominantly information security professionals, I thought that it would likely insult a portion of the audience, and I expected to be called to task for it. Much to my surprise no one seemed to disagree, and I even had a fair number of what I like to call “head bobbers” in the crowd. A head bobber is a person who nods affirmatively in response to whatever you say.

Then this past Thursday I spoke at an Application Developers...

September Update #2

I know I promised new material, and it is coming, but I’ve been busy. In the meantime check out the coverage of my presentation at the (ISC)2 Security Congress last week.

Also, if you are in the Boston area, I’ll be speaking at the App Developer Privacy Summit on Thursday September 18. It’s a free event so there is no excuse not to come, mingle and learn a bit about privacy.

Privacy and Legal Liability

If you read this blog regularly you’ve read me explain that privacy is big news these days. The FTC is settling with companies with increasing frequency, Facebook’s historic IPO brought to the fore many privacy concerns, Europe is moving to strengthen its privacy protections, and that’s not to mention the extensive coverage of data breaches and stories on big data. The prevalence of these stories all further the importance of data privacy in the public’s mind.

However, while the public is experiencing real fear, the basis of that fear isn’t so clear. It’s not so easy to find people who have actually been hurt by the collection of their personal data. And most privacy disclosures don’t put the public in immediate physical or emotional distress either. But, given a worldwide population and the millions of records disclosed every year, harm is inevitable – at least that is what the...

Guest Post with Privacy Tips

Read my guest post on FounderSync detailing five tips for being privacy sensitive.

Transparency is More Than a Privacy Policy

Privacy laws and regulations are behind current technology’s ability to capture and process personal information, and they’ll never catch up. Technology is moving too fast and the political process is too slow. At the same time the public is becoming more aware that when they divulge their personal information it often benefits the company gathering that information significantly more than the benefits they themselves receive. The recognition of this inequity is creating a public that is increasingly hesitant to share their personal data.

The inherent tension between these two trends is difficult to tackle, but if a company is open about what they do with the information they collect (a.k.a. transparent), the tension can be ameliorated. Transparency is often required to comply with laws and regulations, but, if executed properly, it can also build trust with users. And that bond of...

Guest Post on Privacy Policies

You need to create a privacy policy for your startup. That’s a given. If you are confused on where to start, read my guest post on the FounderSync blog for guidance.

British Airways Brings Doctorow’s Fiction to Reality

Cory Doctorow’s short story Scroogled opens with the harassment of the main character as he is making his way through customs on his return from a vacation to the United States. Most of the trouble is caused by the officials’ misinterpretations of what they see in the Google results they are using to help screen passengers.

“Tell me about your hobbies. Are you into model rocketry?”

“Model rocketry.”

“No,” Greg said, “No, I’m not.” He sensed where this was going.

The man made a note, did some clicking. “You see, I ask because I see a heavy spike in ads for rocketry supplies showing up alongside your search results and Google mail.”

Greg felt a spasm in his guts. “You’re looking at my searches and e-mail?” He hadn’t touched a keyboard in a month, but he knew what he put into that search bar was likely more revealing than what he told his shrink.

“Sir, calm down, please. No...
