Privacy Harms

From MgmtWiki

Full Title or Meme

Privacy Harms takes the view of the Subject in a privacy Exploit.

Context

  • Normally the Privacy Risk of any transaction is measured in terms of the risk to the Enterprise that holds the user data.
  • This page is about the risk to the Subject of the data that is disclosed.
  • The Exploit of the Subject's private data can be carried out by any of a variety of entities, including the Entity that acquired the data from the Subject.
  • As in many web transactions, the benefit of the transaction typically accrues to the Enterprise and the cost to the Subject.
  • Since the primary focus here is harms that occur to natural persons, the security model is focused on the natural person.
  • Shakespeare has Othello say:
Who steals my purse steals trash; ’tis something, nothing;
’Twas mine, ’tis his, and has been slave to thousands;
But he that filches from me my good name
Robs me of that which not enriches him
And makes me poor indeed. 

Taxonomy

  • Cyber risk is the intersection of assets, threats, and vulnerabilities. It’s the potential for loss, damage, or destruction of an asset when a threat takes advantage of a vulnerability, or Risk = {Asset Value} x {expected chance of exploit}. That equation only works in the Enterprise.
  • Enterprise in this paper means any of (1) the data controller, (2) the data processor, (3) the data issuer, or (4) the attacker, which in this case covers all of the other entities that may benefit from having the Subject's data. (n.b. Some may quibble that the issuer is just another processor, but I believe it is instructive to treat them separately here.)
  • Subject is the natural person that the data is about. (All the harms described here are related to natural persons.)
  • Payor is the entity that bears any monetary cost of an exploit. This may be the Subject, the Enterprise, or some third-party payor, like an insurance company.
  • Asset is the term used by Enterprise risk models. That is somewhat unnatural in the context of a natural person even though it is a common way for a security professional to address the problem.

Assets

  • My good name
  • My health and happiness
  • The health and happiness of those that are important to me
  • My cash in hand (i.e. liquid assets)
  • My real assets (some might put this higher in the list than others.)

Harms

Tracking user preferences was a good idea until the ad industry realized how important it was to identify a receptive audience. Face it, we all like to have an Internet that is responsive to our own preferences, so why is privacy on the Internet such a problem? Basically because human greed wipes away all common good. The Tragedy of the Commons seems to require that unbridled capitalism use up any common good that can be legally exploited.

  • There are multiple ways to talk about the harms of privacy invasions. One can start with the act of collecting user information, as is done by the Me2B Alliance (Me2B Privacy Harms).
  • This page looks at the place where a privacy violation actually impacts the Subject, as that is where the Subject may first realize the impact of their loss of private spaces.
