The New Normal in
Privacy: discussion of a
dilemma
Karen Sollins
Principal Scientist, MIT CSAIL
October 2, 2014
10/2/14
Karen Sollins: Privacy
1
Consider recent examples: the
Snowden case
►
►
►
10/2/14
Technical issues
►
NSA collecting information and analytics
►
Non-governmental organizations collecting information and providing it to the
government (sometimes under duress)
►
Security is imperfect
Legal issues
►
Fourth amendment in US
►
Treaties and other geopolitical legal bindings (or not)
Social issues: What I found at the most recent IETF
►
“Snowdon” and “NSA” were all the buzz
►
Sense of always looking over one’s shoulder
Karen Sollins: Privacy
2
“Snowdon”: questions/issues
►
►
Technical
►
Analytics? Collecting for future analytical tools?
►
Scalability?
Legal
What are the social norms for privacy?
► What are the social norms for responsibility for security/privacy?
► Each international governmental organization makes unilateral decisions.
Does this scale (in Andy’s terms, not just growth)?
► Where are the stable points (in Dave’s terms) in the legal/regulatory
context?
►
►
10/2/14
Social: Is the new normal, watching over our shoulders?
Karen Sollins: Privacy
3
Consider recent examples:
Google, what they’re doing
►
►
►
Technical issue: increasing use of HTTPS
►
Last spring: gmail
►
August, 2014: positive ranking in search engines for encrypted websites.
Currently, lightweight
►
Will increase the weighting
Business issues:
►
Placement in search results
►
Pressure to encrypt using HTTPS (SSL/TLS)
►
Improve Google’s image
►
Perhaps reduce Google’s risks
Social issues:
►
10/2/14
►
Appearance that Google has the user’s interest at heart
Karen Sollins: Privacy
4
Google: questions/issues
►
Technical issues:
►
HTTPS is about authenticated and encrypted communication
►
Says nothing about content itself being encrypted at Google
►
►
10/2/14
Email “known” to Google
►
Copies of pages “known” to Google
“Traditional” Google functions uninterruped
Business issues
►
►
►
Does this change Google’s business model?
►
No: continued analysis, continued advertising and bit data functions
►
Yes: Google can trust authentication and integrity. Individuals can trust threats from
cleartext, unauthenticated mail sources.
Social issue: where is the increased privacy and where not? How to value
the effects of “Big Data”? (Unchanged here.)
Karen Sollins: Privacy
5
Consider recent examples:
Apple and iOS8
►
Technical issue:
Apple will no longer be able to “open” an iPhone.
► Anything protected by the passcode on an iPhone will be inaccessible to
Apple
► Everything in the iCloud, as well as all tracking, monitoring, meta-data
collected by Apple will not be protected.
►
►
Legal issues:
►
►
Even with legal warrants, Apple “cannot” obtain information
Social Issues:
Should we be redefining what is considered “in plain view” in light of smart
phone technology and use?
► If the user has protected his or her iPhone with a passcode, what
responsibility does Apple have for privacy of information in their services?
►
10/2/14
Karen Sollins: Privacy
6
Apple: questions/issues
►
►
Legal issues
►
If passcode locks a phone, and the police stop someone with an iPhone in use, can
they look at the phone before it locks itself, and how does that interact with the
requirement for a warrant?
►
What is “legal search and seizure” under Fourth Amendment?
►
[Orin Kerr,Volokh Conspiracy Blog/Julian Sanchez, Cato Institute]
Is it necessary (from Fourth Amendment perspective) to support the government in what it
has become accustomed to?
►
Where is the boundary between privacy and public/government need for search and
seizure? Is there ever too much crypto?
►
Courts have balanced privacy and government (social norm) requirements repeatedly as
technology has evolved. How might we rebalance now in light of smart phones?
Social issues
►
10/2/14
►
Trying to change the user’s “trust” model, but how much is this actually true?
Karen Sollins: Privacy
7
Some questions: business
issues
►
10/2/14
Google and Apple are making business decisions about the
appearance of privacy.
►
In your organization, are you also finding business tradeoffs with
respect to privacy?
►
Which kinds of information should remain in control of customers and
which in control of the service provider (whether TV/Entertainment,
user service provider, communications service provider or many
others)?
►
How does one handle the customer perception (in contrast with the
reality of what information is collected about the user and used in
provision of service and business opportunities)?
►
How is this changing with advances in technology? Social norms?
►
How do you do the cost-benefit analysis?
Karen Sollins: Privacy
8
Some questions: privacy and
governance
►
The US Fourth Amendment is very US centric.
►
In places where personal information is considered inalienably
accrued to the subject of the information, what is the balance
between that and
► The
need by government to enforce laws and regulations?
► The
need of companies to collect information in the operation of their
businesses (consider the need for network provisioning and
management, the need to determine economic interest in
entertainment products, etc)?
►
In other parts of the world, personal information is considered
under the ownership of the government.
► How
10/2/14
does this affect business models?
Karen Sollins: Privacy
9
Questions: The Internet is
global
►
If the new normal is different in different social and legal
regimes, how do we reconcile these differences across
those social and geopolitical boundaries? Are there business
models for privacy that might transcend those boundaries?
►
Are there technologies needed (or existing), that will help
us to support heterogeneity in the face of the need for a
global Internet, technically, socially, and legally?
10/2/14
Karen Sollins: Privacy
10
Your questions and answers
Karen Sollins
sollins@csail.mit.edu
+1 617 253 6006
10/2/14
Karen Sollins: Privacy
11