Given the arguments from the first article in this series, if privacy is essential (and should be treated as such), what does the average network engineer do with this information? How does privacy affect network design and operations? To answer this, we need to look at two other questions.
First, what is private information, precisely? The network carries information from one device to another; which parts of that information can be considered private, and what can the network do about it? What about the privacy of network users versus that of the company or organization (things like business processes, formulas, personnel, plans, and so on)? Organizational privacy can sometimes conflict with user privacy, giving rise to competing interests.
Further, network operators collect information about the traffic being carried through the network. Does any of this metadata contain private information? If so, can and should network operators do something about it?
Second, what is the relationship between privacy and security? We tend to treat these as two separate topics, but they are related. Let’s consider each of these in turn.
What is private information?
For an organization, private information primarily concerns anything that can jeopardize the long-term strategic interests of the company. For instance, plans to merge with another organization, future deals, personnel actions, and so on.
For individuals, privacy is much murkier. Let’s posit that there are two kinds of private information — that which is legally protected and that which is ethically private. Let’s start with legally protected information.
Legally protected information is defined by laws and statutes at both the state and federal levels. Organizations are obligated to protect information that falls under privacy laws. For example, there are numerous laws regarding Personally Identifiable Information (PII), including how it can be collected, stored, and used. The entire lifecycle of such data is controlled. PII is directly related to a property of data called identifiability (a future post will discuss the various properties of data from a privacy perspective).
The more readily information identifies an individual, the more legally private it is. While the idea of PII is straightforward, things can get sticky quickly. For example, an organization that operates in multiple states or economies may have to follow separate laws depending on where the data is collected and stored.
If multiple pieces of information can be combined to identify an individual, this combination should be treated as PII. For example, many companies ask for the last four digits of a user’s Social Security Number (SSN) in the United States. However, SSNs were never designed to be a private identifier. The first five digits of the SSN are assigned based on the place and date of birth, while the last four are (generally) assigned sequentially.
Hence, if someone knows the user’s place of birth, date of birth, and the last four digits of their SSN, they can determine the user’s entire SSN. Because the SSN is often used as a unique identifier in many financial transactions, knowing a person’s SSN can lead to a wholly stolen identity.
Hence, the date of birth, place of birth, and last four numbers of an SSN are, combined, PII — and legally protected information.
It’s much harder to define privacy at a personal level because just about everyone has different ideas about what they consider ‘private’. Remember that person you dated in the fifth grade? You probably wanted everyone to know about it back then. Today it might just be embarrassing.
A simple rule for private information at a personal level is this — anything that can be used to modify an individual’s behaviour if disclosed. That is, private data is any data that could interfere in a person’s decision-making process if it is disclosed.
If all this seems to set the standard high — that’s because it does.
And all of this should help us realize that trying to manage privacy to legal standards is almost impossible. Instead, we all need to look at privacy from the perspective of doing what’s ethically right and reducing risk.
Relationship between privacy and security
Before we leave the background and start looking at practical implications for the network engineer, we need to consider one other question: what is the relationship between privacy and security? We often think of security as something we ‘just do’, as though it stands alone as a sort of checkbox in network architecture, design, and operations. But, as the old saying goes, ‘everything is interconnected’; security and privacy are connected.
Specifically, security serves two essential functions: preserving privacy and ensuring access.
When you think of security and access, consider things like Distributed Denial of Service (DDoS) and ransomware attacks. Both seek to disrupt an organization by denying access to its resources.
The only other real purpose for security is to protect information. We often think of this in terms of protecting organizational information — but through this series, we’re going to discover that security needs to be expanded to protect individual user privacy.
Russ White is a Senior Network Architect at Akamai Technologies.
This post is adapted from a series at Packet Pushers.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.