Washington, DC - Online privacy is a growing concern. Companies are mining our personal information and preferences to sell us products and present us with other kinds of content that we will like. But as useful as the fruits of this data sharing can be, there is a dark side. Data breaches have exposed us to identity theft, extortion and made us susceptible to manipulation that goes far beyond consumer product preferences. We spoke with NIST Senior Privacy Policy Advisor Naomi Lefkovitz about online privacy and the NIST Privacy Framework, a developing voluntary tool that organizations can use to better identify, assess, manage and communicate privacy risks.
What do we mean when we say “privacy” with regard to cybersecurity, and why is privacy a concern? What type of information needs to be protected, and what can happen when it isn't?
NBL: While good cybersecurity practices help manage privacy risk by protecting people’s information, privacy risks also can arise from how organizations collect, store, use and share this information to meet their mission or business objectives, as well as how individuals interact with products and services. For example, people can be unhappy with how much of their information is being collected or be stigmatized or experience other problems even when they’ve authorized the information to be disclosed. These problems can cause people direct emotional distress as well as causing them to limit or abandon their use of beneficial products and services due to lack of trust. For instance, some communities rejected smart meters that were intended to make electricity distribution more efficient because they were concerned that the data being collected about their electrical use could be used to make inferences about their behavior inside their homes. It’s very important that organizations think not only about protecting against unauthorized uses of individuals’ information, but also about how they are intentionally using this information, and the steps they can take to minimize any resulting problems that individuals might experience.
Why do we need a privacy framework? How would it be used?
NBL: It is a challenge to design, operate or use technologies in ways that are mindful of diverse privacy needs in an increasingly connected and complex environment. Inside and outside the U.S., there are multiplying visions for how to address these challenges. NIST aims to collaboratively develop the Privacy Framework as a voluntary, enterprise-level tool that could provide a catalog of privacy outcomes and approaches to help organizations prioritize strategies that create flexible, effective privacy protection solutions and that let individuals enjoy the benefits of innovative technologies with greater confidence and trust. I encourage organizations that want to get involved to visit our website.
What can people do to protect themselves? What do you do or tell your family and friends to do?
NBL: I personally think organizations have the primary responsibility to manage privacy risks because they are the ones determining how to collect, store, use and share individuals’ information to meet their mission or business objectives. That said, I do encourage my friends and family to think carefully about how and with whom they share information online. Be very vigilant about clicking on suspicious links or opening documents in emails. And no, I’m not going to tell you to read privacy notices—at least until they get a lot simpler and easier to understand!
You have had an interesting career, from French literature to law to cybersecurity. What drew you to cybersecurity? Can you talk a little more about your career path? Is this where you thought you would end up?
NBL: To be perfectly honest, at law school, I wanted to go into international environmental law to save the world. However, I initially deferred that plan to take a job as in-house counsel with a startup—one of the first e-commerce retailers (this was the mid- to late-90s). I gained a lot of great experience and learned a lot about the importance of account security and consumer protection. I like to point out that I wrote one of the first online privacy notices—it was only a paragraph long! From there, I joined the Federal Trade Commission where I worked on privacy and identity management and authentication issues. This focus on privacy and identity management prepared me to take on a detail in 2010 at the Cybersecurity Directorate of the National Security Council where I helped draft and promote the Obama Administration’s National Strategy for Trusted Identities in Cyberspace (NSTIC). Then, it was an easy hop to NIST. I started in the original NSTIC program office, but over the last few years, I have been leading the development of a privacy engineering program to help organizations implement better privacy protections into their products and services whether they’re engaged in identity management, big data, mobile, IoT (internet of things) or any technology domain.
Any last thoughts?
NBL: There’s going to be a lot of focus this coming year on the voluntary Privacy Framework that we’re developing, but I think it’s important not to lose sight of some of the foundational work on privacy risk assessment, applied privacy and standards development that we’re continuing to do. We have some new and exciting efforts coming soon. To keep apprised of our ongoing work, please visit the Privacy Engineering Program website.