Today I watched a streamed view of the ‘Cyber crime defence and privacy [PDF]’ panel hosted by NICTA Networks Research Group and UNSW CSE. The panelists included Vijay Varadharajan, Gene Tsudik, Tim Strayer, Richard Bergman, Malcolm Crompton and David Vaile. Eminent dudes all of them - ask Google.
The discussion covered much ground, from the usual concerns about Privacy in a world of ubiquitous surveillance, to the uncertain future of the Do Not Track debate.
My highlights of the day:
I appreciated Malcolm Crompton’s summary of where we are at with Privacy legislation at the moment: very process oriented rather than outcomes oriented. The focus must shift towards Prevention, Detection and Response mechanisms.
I agree wholeheartedly, and so does the professional privacy community, judging by the fact that the new IAPP qualification of Certified Privacy Manager (CIPM) is very focussed on this paradigm.
He believes (as do many others) that de-identification is technically no longer possible, but that a combination of law (policy) and technology may contain the problem. Perhaps… but we are largely in new territory here, and we’ll need all the tools we can muster to contain this beast (law, technology, ethics, business rules, enforcement, detection mechanisms, self-preservation… the list goes on).
David Vaile made the point that Trust in the online space is radically in question. Nobody who has heard about the NSA revelations can deny this.
I think this lack of trust, currently aimed at governments, is inflicting significant collateral damage onto commercial entities. They should continue to address this trust issue openly, rather than pretend it’s not affecting them.
Gene Tsudik’s self-described ‘rant’ identified (I think correctly) that the surveillance we endure online is not that dissimilar to the surveillance we endure in the analogue world (this might surprise some who do not think we are surveilled offline). That said, many would contend that there is a difference (digital records are easier to store, manipulate, duplicate, disseminate, aggregate, analyse). He also described personal genomics and The Cloud as the privacy nightmares of tomorrow, hinting at floating data centres (presumably in international waters) of no fixed jurisdiction as being in the works.
While Gene Tsudik decried the inadequacy of the static nature of laws versus the dynamic nature of technology, Malcolm Crompton defended the law’s static nature as its core benefit, providing stability.
A couple of other items came up:
Most of us know that attempts to create standards around Do Not Track failed in the recent W3C process.
Malcolm Crompton made mention of the 4A’s framework for privacy program management (Analysis, Authority, Accountability and Appraisal) - another one familiar to anyone who has studied for the CIPM certification, or worked in Privacy.
This loose romp through the security and privacy jungle was well worth suffering through the poor online stream format. It was a bit like watching a live stream of a lunchtime lecture at the Harvard Berkman Centre for the Internet and Society, which are equally clunky but intellectually satisfying. Even if the newly re-badged UNSW Cyber Law and Policy Community would appreciate that comparison, I would still recommend attending these events in person in future.