In the previous posts in this series, I concluded that privacy is everyone’s responsibility, that IP addresses (and a lot of other information network engineers handle) are protected information, and while processing packets probably doesn’t trigger any privacy warnings, network logging should and does.
In this post, I want to start answering the question — okay, what do we do about this? I want to dissuade you from one line of thinking from the beginning.
When most folks look at privacy, they ask: ‘What can I do to cover myself legally?’ In other words, most folks set compliance as their primary goal. Focusing on legal defensibility is the wrong way to look at privacy, or rather, the wrong end of the stick.
When you report your first data breach (and it will be when rather than if), you can repeat ‘We were legally compliant with all the relevant laws and regulations’ all you want. It’s not going to help if some regulator decides you’ve taken a cavalier attitude towards user privacy, and it’s not going to help keep your company’s brand intact. Implementing controls to toe the legal line probably won’t even save your job.
Instead, focus on reducing risk and doing the right thing by your users — reduce risk rather than legal liability.
Before thinking about practical solutions, we must build a mental map of how data interacts with privacy. To get there, we need to work through two things — the lifecycle of data, and the need to define some fundamental privacy rights and responsibilities.
The data lifecycle is simple. Operators collect, disclose (intentionally or unintentionally), process, retain, and destroy data. That’s it — there are only five things every system does with data. We can fail to fully respect user privacy in every one of these stages; I’ll talk about best practices in a later post.
Seven privacy rights
Users have seven rights related to private data.
- Right of access. Users should be able to see any data collected about them. We tend to think of folks posting information about themselves to social media networks, but this applies to information a network management system is storing, for instance, about a user’s regular access patterns.
- Right of rectification, which means they have the right to correct information you’re storing about them. This right usually wouldn’t apply to network logs or networking-related data. Network management systems don’t typically combine information from multiple sources (such as credit reporting agencies) to build a ‘fuller picture’ of the user.
- Right of deletion. The right of deletion would generally apply to network logs when a person leaves a company, or perhaps even when they change positions within a company.
- Right of restriction, meaning they can choose with whom the collector shares information. Data transfer to third parties in cloud-based network management systems might be the primary place this applies to network operations.
- Right of portability, which means information about them can be moved from one service to another at their direction. Just like the right of rectification, this doesn’t seem applicable for network operations.
- Right against automated decision making, which means they can use the service without having their information used to target advertising or to influence their decisions. This right doesn’t seem broadly applicable to network operations.
- Private right of action. Users can take separate legal action against the network operator or provider regardless of whether some regulatory agency steps in to correct a situation. Corporate networks probably restrict users’ private right of action through an employment contract. The private right of action might apply to service providers, however.
As you can see, network operators will be more concerned about privacy in some parts of the data lifecycle than others, and some user rights will apply while others don’t. In some cases, network design and operations will assist applications by restricting access to data, while in others, network operators are themselves logging and holding data subject to these concerns. In all these cases, however, network operators should be working to reduce the risk of exposing users’ private information, which would harm both the users and the organization.
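To make the lifecycle stages and the applicable rights concrete for network logging, here is an added Python example (not code from the original post or from Packet Pushers) of a small in-memory log store. It covers the collect, disclose, retain and destroy stages, and the three rights the post says can touch network operations: access (export a user’s records), deletion (purge a user’s records when they leave) and restriction (an opt-out that keeps a user’s records out of third-party exports, with every disclosure recorded for audit). The log line format, the field names, the sample lines, the retention period and the recipient name are all assumptions constructed for this example.

```python
"""Constructed example of a network log store that honours the data lifecycle
and the user rights that apply to network operations (not the post's own code)."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumed log line format for this example; real syslog/flow formats differ.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)$"
)

# Constructed sample lines using RFC 5737 documentation addresses.
SAMPLE_LOG_LINES = [
    "2024-05-01T10:00:00Z user=alice src=10.0.0.5 dst=192.0.2.10",
    "2024-05-03T09:15:00Z user=bob src=10.0.0.7 dst=198.51.100.8",
    "2024-05-20T14:30:00Z user=alice src=10.0.0.5 dst=192.0.2.44",
    "2024-05-21T08:00:00Z user=carol src=10.0.0.9 dst=203.0.113.5",
]


@dataclass(frozen=True)
class LogRecord:
    timestamp: datetime
    user: str
    src_ip: str
    dst_ip: str


def parse_line(line: str) -> LogRecord:
    """Parse one constructed log line into a record; reject anything unexpected."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return LogRecord(ts, m["user"], m["src"], m["dst"])


@dataclass
class LogStore:
    retention: timedelta                                # retain stage: how long records live
    records: list = field(default_factory=list)
    restricted: set = field(default_factory=set)        # users who opted out of third-party sharing
    disclosures: list = field(default_factory=list)     # audit trail of every export

    def collect(self, line: str) -> LogRecord:
        """Collect stage: parse and store one log line."""
        rec = parse_line(line)
        self.records.append(rec)
        return rec

    def access(self, user: str) -> list:
        """Right of access: everything the store holds about one user."""
        return [r for r in self.records if r.user == user]

    def delete_user(self, user: str) -> int:
        """Right of deletion: remove every record for a user, return how many went."""
        before = len(self.records)
        self.records = [r for r in self.records if r.user != user]
        return before - len(self.records)

    def restrict(self, user: str) -> None:
        """Right of restriction: exclude this user's records from third-party exports."""
        self.restricted.add(user)

    def disclose(self, recipient: str, now: datetime) -> list:
        """Disclose stage: export to a third party, honouring restrictions and auditing it."""
        shared = [r for r in self.records if r.user not in self.restricted]
        self.disclosures.append({"recipient": recipient, "at": now, "count": len(shared)})
        return shared

    def destroy_expired(self, now: datetime) -> int:
        """Destroy stage: drop records older than the retention window."""
        cutoff = now - self.retention
        before = len(self.records)
        self.records = [r for r in self.records if r.timestamp >= cutoff]
        return before - len(self.records)


def run_demo() -> dict:
    """Walk the sample lines through every stage and report the counts."""
    store = LogStore(retention=timedelta(days=30))
    for line in SAMPLE_LOG_LINES:
        store.collect(line)
    now = datetime(2024, 6, 5, tzinfo=timezone.utc)
    alice_records = len(store.access("alice"))
    store.restrict("bob")
    shared = store.disclose("cloud-nms-vendor", now)     # assumed recipient name
    expired = store.destroy_expired(now)                  # May 1 and May 3 fall outside 30 days
    deleted = store.delete_user("alice")                  # alice leaves the company
    return {
        "alice_records": alice_records,
        "shared_to_third_party": len(shared),
        "expired": expired,
        "deleted_for_alice": deleted,
        "remaining": len(store.records),
        "disclosure_audit_entries": len(store.disclosures),
    }


if __name__ == "__main__":
    print(run_demo())
```

The point of the audit list in `disclose` is that the disclose stage is where unintentional exposure usually happens; a store that cannot say what left it, when, and to whom cannot support the right of access honestly either.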
In the next post, I’ll work through some best practices for the points in the data lifecycle and the users’ rights that directly apply to network operators — particularly when logging and managing logged data.
Russ White is a Network Architect at LinkedIn.
This post is adapted from a series at Packet Pushers.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.