Understanding Privacy

By

Well , most people started talking about privacy only after GDPR came into existence. However , Samuel Warren and Louis Brandeis published “The Right to Privacy” in 1890 in the Harvard Law Review. They set forth the definition of privacy as “the right to be left alone.” This definition , although written in the context of the physical world can easily be extended to the digital world. Through this blogpost , lets try to understand the definition of privacy and its types. We will also explore the origins of privacy so as to better enable to understand the various laws and resolutions passed in this regard.

Section 1 of the California Constitution says ,

 “All people are by nature free and independent and have inalienable rights. Among these are enjoying and defending life and liberty, acquiring , possessing and protecting property, and pursuing and obtaining safety , happiness and privacy.”

Hence , privacy has been defined as the desire of the people to freely choose the circumstances and the degree to which the individuals will expose their attitudes and behaviour to others.

Privacy can be defined in many ways. There are 4 categories or classes of privacy.

  • Information privacy - Concerned with establishing rules that relate to the collection and handling of personal information. Financial information , medical information etc are examples of this. Most of the debate nowadays is related to information privacy.
  • Bodily privacy is focussed on a person’s physical being and any invasion thereof. Can include drug testing , body searches , abortion etc.
  • Territorial privacy is focussed on placing limits on the ability to intrude into another individual's environment. Can include location gathering , video surveillance etc.
  • Communications privacy includes protection of the means of correspondence. Includes telephonic conversations, email and other forms of communication behaviour.

Fair Information Practices (FIP)

These are the guidelines for handling , storing and managing data with privacy , security and fairness in an information society that is rapidly evolving.

Here are the principles :

  • Rights of individuals
  • Controls on the information
  • Information Lifecycle
  • Management

Let us understand them in detail.

With regards to the rights of individuals , companies must address the following

  • Notice
  • Choice and consent
  • Data subject access

Consider an e-commerce portal who is collecting various kinds of information about the individual. This portal should inform and take consent from the customer that it would be collecting the information and for what purpose. They must also provide an individual with access to the collected information for review and update,

The second FIP relates to the controls which the collecting entity has applied to ensure that the information is secured and available only to authorised individuals. It also relates to the quality of the information collected. Collected information must be accurate , complete and only to be used for purposes mentioned in the notice.

The third FIP relates to the lifecycle of the information. This includes collection , use and retention and disclosure. Collection must only relate to the purposes mentioned in the notice. If an organization collects location information for the purpose of providing the list of nearby hotels in the area, it should collect only for that purpose.

Usage and retention of such information should be limited in nature. If the location information is used for identifying as to where the individual lives and then using that information to sell him insurance or any other services ,  it is in violation of the notice according to which the information’s purpose was defined.

If the information is to be disclosed to a third party , then it must be used only for the purposes as mentioned in the notice with the implicit or explicit consent of the individual.

The final principle of the FIP is Management. This relates to

  • Organizations must clearly define , document , communicate the privacy policies and procedures
  • Second , they must put mechanisms in place to ensure that what is said is actually being followed.

In the next blogpost on privacy , we will learn about the regulations related to the FIPs.

Comments

Post a Comment

You may also like to read...

Identification, Authentication, Authorization, and Accountability

By
Image
The 4 steps to complete access management are identification, authentication, authorization, and accountability. Many confuse or consider that identification and authentication are the same, while some forget or give the least importance to auditing. These are four distinct concepts and must be understood as such. Identification Whenever you log in to most of the websites, you submit a username. In case you create an account, you are asked to choose a username which identifies you. This username which you provide during login is “Identification”. It is simply a way of claiming your identity. From an information security point of view, identification describes a method where you claim whom you are. If you notice, you share your username with anyone. Your email id is a form of identification and you share this identification with everyone to receive emails. This means that identification is a public form of information. Authentication So now you have entered you
Continue Reading...

Access Control Models - DAC, MAC, RBAC , Rule Based & ABAC

By
Image
Identity and Access Management is an extremely vital part of information security. An access control model is a framework which helps to manage the identity and the access management in the organization. There are 5 main types of access control models: discretionary, rule-based, role-based, attribute-based and mandatory access control model. Every model uses different methods to control how subjects access objects. While one may focus on rules, the other focus on roles of the subject. As a security professional, we must know all about these different access control models. While one company may choose to implement one of these models depending on their culture, there is no rule book which says that you cannot implement multiple models in your organization. These models are built into the core or the kernel of the different operating systems and possibly their supporting applications. Every operating system has a security kernel that enforces a reference monitor concept, whi
Continue Reading...

How to Pass SSCP Exam in the First Attempt

By
Image
Systems Security Certified Practitioner (SSCP) exam is offered by (ISC)2 . When I prepared for this exam, there was hardly any material for preparation or blog posts to help me understand the experience of this exam. In this blog post, I will try to explain to you how to study for this exam and the experience of this exam.  Before I begin, let me congratulate on your journey to becoming an SSCP. Although this certification may not be highly recognized as the CISSP certification, still it shows your employer and the world that you are really interested to pursue your career in this field. You become a practitioner in this field. What is SSCP? You would like to read CISSP vs SSCP in case you want to have a comparison between the exams. SSCP is a 3-hour long examination having 125 questions. You are required to score a minimum of 700 out of 1000. 25 questions are not graded as they are research oriented questions. It is important to note that since these questions are
Continue Reading...

Understanding Security Modes - Dedicated , System high, Compartmented , Multilevel

By
Image
Imagine a system that processes information. This information is classified in nature. When we say, its classified, it means that the information has been labeled according to the data classification scheme finalized by the organization. This scheme can be company specific, such as public, internal and confidential or military/government specific such as Confidential, Top Secret, Secret, Public. As a general user or a security professional, you would want that proper controls to be implemented and the system to be secure that processes such information. Imagine a scenario where such a malicious user tries to access this information. What clearance must this person have? Will he/she have access to all classified levels? Hey!!, stop imagining. Let’s discuss something else now. Hold on, I know, I had asked you to imagine the scenario above. But answers to all your questions would follow, so keep on reading further. We need to learn and understand a few terms before we are ready
Continue Reading...

Cloud Computing - The Logical Model

By
Image
At a high level, both cloud and traditional computing adhere to a logical model that helps identify different layers based on functionality.  The four layers are : Infrastructure: The core components of a computing system: compute, network, and storage.The foundation that everything else is built on. The moving parts. Metastructure: The protocols and mechanisms that provide the interface between the infrastructure layer and the other layers. The glue that ties the technologies and enables management and configuration. Infostructure: The data and information. Content in a database, file storage, etc. Applistructure: The applications deployed in the cloud and the underlying application services used to build them. For example, Platform as a Service features like message queues, artificial intelligence analysis, or notification services. The security at different levels is mapped to the different layers. The application security is managed at the applistructure layer while the data sec
Continue Reading...