At the Ars Frontiers event in Washington, DC, I had the privilege of moderating two panels on two closely linked topics: digital privacy and information security. Despite significant attempts to improve things, conflicting priorities and inadequate policy have weakened both privacy and security. Some of the same fundamental issues underlie the weaknesses in both: digital privacy and information security are still too demanding for average people to manage, let alone master.
Our privacy panel consisted of Electronic Frontier Foundation deputy executive Kurt Opsahl, security researcher Runa Sandvik, and ACLU Senior Policy Analyst Jay Stanley. Individuals trying to protect their digital privacy face “a constant arms race between what the companies are trying to do, or doing because they can, versus then what people are saying that they either like or don’t like,” Sandvik explained.
The panelists pointed out the gap in how privacy is treated in the US compared to Europe and elsewhere. “In a lot of places, privacy is considered to be a human right,” Opsahl said, “not a transactional concept that you pay with things for your privacy.” According to Opsahl, the transactional nature of how privacy is treated in the US “risks commodifying an essential part of who you are and what your being is.”
Stanley described the US as “among the most wild, Wild West countries in the world” regarding privacy. “We’re the only major country that doesn’t have an overarching privacy law,” he said. “That matters a lot… if you don’t have a national standard [for privacy], then there’s not stability of expectations.”
On the other hand, one of the problems of information security is that expectations have been too stable. In our infosec panel, Cisco’s Wendy Nather, security researcher Vineetha Paruchuri, and Scythe VP of Operations Elizabeth Wharton talked about the fundamental structural problems in how we approach information security, how software is made, and who gets entry into the information security field.
Nather—head of the advisory chief information security officer team at Cisco—noted that while technology has become more and more democratized, the way we think of information security is still stuck in the top-down world. “Security should be manageable and understandable by everybody in the context of what they’re doing,” Nather said.
Nather, Paruchuri, and Wharton all dove into the fundamental problems with how security policies are crafted and how software is developed. “Today we don’t have a manufacturing model of software development,” Wharton said. “We have a literary model where everybody is doing their own artistic thing.” Paruchuri hit on the importance of what gets labeled as “soft skills” in information security that are often given short shrift by information security managers.
And all three panelists discussed the otherwise rational business decisions that often lead to information security disasters simply because of how difficult doing proper information security has become. “There are multiple ways which we could make it easier,” Paruchuri noted, including using technology to simplify human choices affecting information security.
https://arstechnica.com/?p=1856854