ISACA Journal Author Blog

ISACA > Journal > Practically Speaking Blog > Posts > Is Maintaining Privacy an Uphill Battle?

Is Maintaining Privacy an Uphill Battle?

C. Warren Axelrod, Ph.D., CISM, CISSP
| Published: 8/1/2016 8:07 AM | Permalink | Email this Post | Comments (1)

Since the advent of the World Wide Web a quarter of a century ago, advocates have lamented the loss of privacy year after year without there appearing to have much impact. In fact, the privacy problem seems to be getting much worse by the minute as more information about ourselves and our activities becomes available to practically anyone with access to the web.

However, the situation may not be as bad as many contend, since personal information falls into several categories, not all of which need to be held to the same high standards.

The most sensitive data from an individual’s perspective are so-called nonpublic personal information (NPPI) or personally identifiable information (PII) and personal or protected health information (PHI). Compromise of these categories of data, which include date of birth, US Social Security and drivers’ license numbers, bank account numbers, and the like, can lead to identity theft, which may then result in intolerable fraudulent activities.

The next level of concern is for confidential information, e.g., merger and acquisition information, secret recipes, the unauthorized disclosure of which may result in damage or harm to the well-being of data owners if it falls into the wrong hands.

The next category is information about activities, the unauthorized revelation of which could be harmful and even fatal, as in the case of the Ashley Madison breach.

Next is the gathering, use and disclosure of personal activity information that has little or no likelihood of doing us harm, but may be irksome, annoying, or inconvenient, as with pop-up ads and email and text solicitations. That is not to say that seemingly innocuous events will not, under certain circumstances, have serious negative consequences, as with phishing for example.

And finally there is information (e.g., text, images) about us and our activities that we willingly divulge and that we, indeed, want to be made available to a broad audience. This information represents huge troves of extremely valuable data about what we search for, what we buy and so on. The information must be of great value to third parties as it generates billions in profits for the likes of Google, Facebook, LinkedIn and Amazon.

But here is the problem:  If we are seemingly willing to “give away” so much information in exchange for mere convenience, minor rewards or casual social interactions, why are there such outcries by privacy advocates and lawmakers? Well, part of the answer is that we do not distinguish adequately among the various data categories listed above, with the result that some data are protected well beyond what they might justify and other data are ignored when it comes to protection.

These distinctions account, in large part, for the apparent confusion and lack of ability to control access to and use of such information. Unauthorized disclosures are one thing, unintentional releases of information another and intentional disclosures yet a third. Problems arise when you lump these all together.

If we are to have any expectations of controlling privacy, we need to be aware of the value of privacy to each and every constituency and write and enforce effective laws that must include serious consequences for noncompliance for each category based on the information’s sensitivity, legality, impact and importance.

Read C. Warren Axelrod’s recent ISACA Journal article:
The New Age of Near-zero Privacy,” ISACA Journal, volume 4, 2016.


privacy is something personal and universal at the same time

Great article, but the main question remains: how much privacy related information are people giving away without knowing the impact in 1, 5, 10, 15 years.  It is interesting to see how much media are using the internet in order to find pictures of persons from the past (being new Olympic Champions, terrorist victims, presidential candidates, etc.)  Most people do not know the impact of sharing information (text, images, video, vlogs, blogs, ...) in the future.  This is why the decision to revoke easy/direct access to certain sensitive information from the past should be feasible at all organisations.  Anyway, the debates will continue and that is a good thing. 
Marc Vael at 8/10/2016 7:47 AM