Desirable Properties of the Digital Ecosystem

by Vint Cerf

In an idle moment, I began thinking about privacy in the digital world. The terse observations below are, in the words of Alan Alda, “Things I Overheard While Talking to Myself.”

Transparency – reasonable expectation that users are provided knowledge of what data is retained, how it is used, whether it is shared, with whom and under what circumstances.

On this point, OECD has observed that the answers to these questions should include government access as well as access by other private sector actors. The recently announced Trans-Atlantic Data Privacy Framework has helped renew discussion around how the practices of one state, in relation to government access to data, impact the protection of fundamental rights in another. And while we wait on that final agreement between the EU and US, it’s heartening to see efforts like the OECD’s work on codifying principles around government access to personal data held by the public sector continue to proceed. Such efforts are critical when it comes to ensuring that the rule of law, alongside individual privacy and security, are contemplated amongst countries with shared democratic values.

Auditability – reasonable expectation that users can get access to retained information for purposes of validation or corrections. This property induces a need for strong authentication of identity because users would not want unauthorized access to the data associated with them that is retained and used by an application provider.

A related form of audit involves logging of access to information for purposes of discovering unauthorized access: when, by whom and how. This is generally good business practice for organizations that hold information that should be access controlled.

Anonymization – If user data is shared, users might reasonably expect to know whether it is anonymized by aggregation and to what degree.

Protections – Users might reasonably want to know how their information is protected. Is it encrypted while stored, and how are the keys protected? Is it protected when in transit? Parenthetically, there is a strong preference in Internet circles to make use of cryptography to protect web exchanges using the HTTPS protocol, TCP and Transport Layer Security and, more recently, the QUIC protocols developed by Google and standardized by the Internet Engineering Task Force. Some systems allow users to provide keys so that the information is protected even from access by application providers, let alone other users.

There is understandable debate about government access to data that has been encrypted in the context of law enforcement. That debate continues and highlights tensions between protection of user privacy and protection of citizens from harmful or criminal behaviors shielded by cryptography.

Transborder data flows – the ability to move data around is vital to world commerce. In some cases, the data is itself the valuable commodity, such as books, movies, music, software, scientific data, and virtually anything that can be digitized. That includes such things as electronic mail, personal files, and photographs. In recent weeks, agreements have been reached between the US and the EU regarding assurances that personal data is adequately protected as it moves between legal regimes. Cryptographic protections are especially relevant since they can be used to protect data during transport and at rest. The vital question, always, is “who has access to the protecting keys and under what conditions”.

Control – One of the popular ideas under discussion in some circles is the ability of users to control when, how and to whom their information is disclosed. A sort of cartoon scenario is that the user’s information is in a box, access to which is controlled by the user. The user can issue tokens to other parties that allow them to get access to specific information. One might imagine a token for “postal address” or “phone number” or “validated age” for example. The attraction of this cartoon model is that users can change what is in the box and all accesses with the appropriate tokens will get the updated information. Of course, the devil is in the details. How does the guardian of the box know whether the token bearer is the legitimate holder of the token? What happens after a legitimate token holder obtains the data? Can that party be trusted to protect the information? How is it protected? It is easy to see how this can turn into a complex and recursive question. Most users don’t have the time and energy or expertise to research such questions so that leads to another desirable property, certification.
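The “box and tokens” model above, together with the access logging described under Auditability, can be made concrete in a few dozen lines. The following is an added example written for this page, not code from the essay or from any product it mentions; the class and function names (DataBox, issue_token, access, make_proof), the HMAC-signed token format, the proof-of-possession check and the sample data are all assumptions of the example. It answers the essay's first “devil in the details” question in one common way: a token is bound at issuance to a key the holder owns, and the guardian releases the field only to a party that can prove possession of that key for a fresh nonce, so merely copying the token is not enough. Every attempt, granted or denied, is recorded with when, by whom and how, and an update to the boxed value is visible to the next legitimate access.

```python
"""Toy 'data box' with holder-bound access tokens and an access log.

Example code added for this page; DataBox, its token format and all sample
values are constructed for illustration and belong to no real system.
"""
import hashlib
import hmac
import json
import secrets
import time


def _mac(key, msg):
    """HMAC-SHA256 tag, hex encoded."""
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_proof(holder_key, token, nonce):
    """What a legitimate holder computes per request to prove it holds the
    key the token was bound to; a party that only copied the token cannot."""
    return _mac(holder_key, (token["body"]["id"] + nonce).encode())


class DataBox:
    """Guardian of one user's data (the 'box' in the essay's cartoon model)."""

    def __init__(self, data, signing_key):
        self._data = dict(data)
        self._key = signing_key      # guardian's token-signing key (constructed)
        self._holder_keys = {}       # token id -> holder's proof-of-possession key
        self._revoked = set()
        self._seen_nonces = set()    # rejects replay of an observed request
        self.audit_log = []          # one entry per access attempt

    def issue_token(self, field, holder_id, holder_key):
        """Mint a token granting holder_id read access to exactly one field."""
        if field not in self._data:
            raise KeyError(field)
        body = {"id": secrets.token_hex(8), "field": field, "holder": holder_id}
        payload = json.dumps(body, sort_keys=True).encode()
        self._holder_keys[body["id"]] = holder_key
        return {"body": body, "tag": _mac(self._key, payload)}

    def revoke(self, token_id):
        self._revoked.add(token_id)

    def update(self, field, value):
        """Change the boxed data; every later access sees the new value."""
        self._data[field] = value

    def _check(self, token, nonce, proof):
        body = token["body"]
        payload = json.dumps(body, sort_keys=True).encode()
        if not hmac.compare_digest(token["tag"], _mac(self._key, payload)):
            return "denied:bad-token"          # forged or tampered token
        if body["id"] in self._revoked:
            return "denied:revoked"
        if nonce in self._seen_nonces:
            return "denied:replay"
        expected = _mac(self._holder_keys[body["id"]], (body["id"] + nonce).encode())
        if not hmac.compare_digest(proof, expected):
            return "denied:bad-proof"          # bearer lacks the bound key
        self._seen_nonces.add(nonce)
        return "granted"

    def access(self, token, nonce, proof):
        """Return the field on success, None otherwise; always log the attempt."""
        outcome = self._check(token, nonce, proof)
        body = token["body"]
        self.audit_log.append({
            "when": time.time(),
            "who": body.get("holder"),         # identity as claimed by the token
            "how": "token %s for %s" % (body.get("id"), body.get("field")),
            "outcome": outcome,
        })
        return self._data[body["field"]] if outcome == "granted" else None


def demo():
    """Walk through the model on constructed data; returns what each access
    saw and the outcome column of the audit log."""
    box = DataBox({"postal_address": "1 Example St", "phone": "555-0100"},
                  signing_key=b"guardian-key-constructed-for-demo")
    merchant_key = b"merchant-key-constructed-for-demo"
    tok = box.issue_token("postal_address", "merchant", merchant_key)
    seen = []
    seen.append(box.access(tok, "n1", make_proof(merchant_key, tok, "n1")))
    seen.append(box.access(tok, "n1", make_proof(merchant_key, tok, "n1")))      # replay
    seen.append(box.access(tok, "n2", make_proof(b"copied-token-no-key", tok, "n2")))
    forged = {"body": dict(tok["body"], field="phone"), "tag": tok["tag"]}  # scope tampered
    seen.append(box.access(forged, "n3", make_proof(merchant_key, forged, "n3")))
    box.update("postal_address", "2 New Avenue")
    seen.append(box.access(tok, "n4", make_proof(merchant_key, tok, "n4")))
    box.revoke(tok["body"]["id"])
    seen.append(box.access(tok, "n5", make_proof(merchant_key, tok, "n5")))
    return seen, [entry["outcome"] for entry in box.audit_log]


if __name__ == "__main__":
    for value, outcome in zip(*demo()):
        print(outcome, "->", value)
```

Two design points carry the essay's argument. The audit log records the denied attempts as well as the granted ones, which is what makes it useful for “discovering unauthorized access: when, by whom and how”; and the “who” column is only what the token claims, so a log is evidence, not proof, of identity. In this toy the holder picks the nonce; a production guardian would issue the challenge itself and expire nonces rather than remembering them forever, and the essay's remaining questions (what the recipient does with the data once released) are outside what any token check can enforce.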

Certification – On the presumption that most users do not have the time or expertise to evaluate how well the desirable properties outlined above are realized by application providers or other actors holding their information, it is attractive to have testable criteria for evaluating how well trusted parties implement the properties we associate with protection of information. This is a non-trivial task and organizations such as the US National Institute of Standards and Technology have written many guides to the protection of information including the evaluation and use of cryptographic methods, implementation of security features, criteria and processes for evaluating the security of complex systems and certification practices. Widespread agreement on pragmatic procedures and criteria for the certification of the security of information processing systems can give users a reasonable indication of the safety of their information. While this practice can help to assure users of protection against unauthorized access, it is still important for users to know under what conditions access will be authorized.

Strong authentication – Most users would like to be assured that another person cannot easily pretend to be them and take unauthorized actions on their behalf such as making purchases, making withdrawals from bank accounts, and making unauthorized statements that will be attributed to them. Strong authentication methods including two-factor authentication to gain access to accounts are important mechanisms for protecting users from impersonation. I cannot over-emphasize this point. Impersonation is a huge threat, not only to privacy, but also to safety and security. Impersonation is how many systems are broken into by exercising unauthorized powers. Tangentially, it is worth mentioning that so-called “deep fakes” are becoming a serious concern. Even if they can be exposed as fake through analysis, casual observation of a photo, video, or voice recording can spread misinformation and disinformation quickly enough to cause a great deal of damage even if later exposed as fake. I consider this to be an unsolved challenge in a rapidly evolving digital environment.

Anonymity – For many actions in the digital world, it does not seem necessary for user identity to be authenticated or even known. There are so-called “whistle blower” situations where identity puts the whistle blower at risk. A problem with anonymity is that users may take harmful actions without risk of accountability if they are able to act anonymously. Without diving into a lot of detail, I would observe that anonymity in a digital world may be harder to achieve than might be expected. Perhaps pseudonymity can be a substitute for many cases. As an example, our automobile license plates are essentially pseudonyms for the owner of the car. Some law enforcement members have the authority to penetrate the veil of pseudonymity for purposes of enforcing traffic laws. Of course, the owner of the car may not be the driver, but that is why we are also typically required to carry a driver’s license that also serves to identify us to the traffic cop that stopped us for speeding.

Accountability – There are two aspects to this concept that are worthy of consideration. The first desirable property is that parties responsible for protecting privacy should be held accountable for loss of privacy if, by their actions or lack of action, privacy is breached. The flip side of this concept is that parties engaged in deliberate privacy-breaching behaviors also need to be held accountable.

It is a global digital world in which we live. The Internet and the World Wide Web are but two manifestations of the digital phenomenon. Smart phones, Internet of Things, autonomous vehicles are part of this digital environment. The protection of privacy is a challenge that extends well beyond the borders of any country and induces the need for cooperation across borders. In some sense, that is exactly what this discussion is about. What desirable properties can we collectively invent and implement to make a safer digital world for all of us? That is the question.