Privacy & security
Core Concepts¶
- Privacy
- The right to be let alone. Freedom from interference or intrusion. Freedom from observation, usually for an individual person. Information privacy is the right to have some control over how your personal information is collected and used. 1
- Security
- Keeping an organization’s data safe and preventing an adversary from doing bad things to its resources or infrastructure. 1
- Privacy vs. Security
- Data privacy is focused on the use and governance of personal data — things like putting policies in place to ensure that consumers’ personal information is being collected, shared and used in appropriate ways. Security focuses more on protecting data from malicious attacks and the exploitation of stolen data for profit. While security is necessary for protecting data, it’s not sufficient for addressing privacy. 2
Person Identity Management¶
Core Principles¶
Barath Raghavan and Bruce Schneier 1
You've decoupled properly if you're comfortable sending your messages with your adversary's communication system.
You've decoupled properly if you're comfortable using cloud services that have been split across a noncolluding group of adversaries.
Security-first design:
- Threat modeling 3
- Least privilege 4
- Defense in depth — zero trust 5
- Secure defaults
- Regular updates and patching
Privacy paramount:
- Wearer owns measurements of the wearer's body
- Caregivers are custodians
- System operators are custodians
- Control belongs to the user
KISS ("Keep it simple, stupid!"): 6
- Keep security simple enough that it does not pose a barrier to adoption.
- Make security easy enough that people can do what they already do.
-
Barath Raghavan, Bruce Schneier. "A Bold New Plan for Preserving Online Privacy and Security". IEEE Spectrum, 5 November 2023. https://spectrum.ieee.org/data-privacy ⧉. ↩↩↩
-
International Association of Privacy Professionals. "What is Privacy". Website, accessed 6 March 2024. https://iapp.org/about/what-is-privacy/ ⧉. ↩
-
Wikipedia. "Threat model". Website, accessed 8 March 2024. https://en.wikipedia.org/wiki/Threat_model ⧉. ↩
-
Wikipedia. "Priciple of Least Privelege". Website, accessed 8 March 2024. https://en.wikipedia.org/wiki/Principle_of_least_privilege ⧉. ↩
-
Wikipedia. "Zero Trust Security Model". Website, accessed 8 March 2024. https://en.wikipedia.org/wiki/Zero_trust_security_model ⧉. ↩
-
Wikipedia. "KISS principle". Website, accessed 8 March 2024. https://en.wikipedia.org/wiki/KISS_principle ⧉. ↩