Request For Research Presentations For the PrivacyCon Conference
Submission Letter #2 Title: FTC Conference on Privacy and Security: Challenges, Responsibilities, and Way Forward Privacy and security are ultimately public policy domains. In preparation for public policy debate and determination, the landscape must be framed in the sometimes unpleasant realities of current technology and practice that call out for industry challenges, government responsibilities, and revised expectations going forward. Publicly airing these realities may arouse skepticism among some, strike panic among others, and prompt just a ho-hum reaction from still others. Advocates of the status quo attempt to convince us that privacy fears are unwarranted and misplaced. Victims of the OPM Cyber attack might argue otherwise. Dealing with the stresses surrounding privacy and security where privacy is the freedom and ability to reveal oneself selectively and security is the condition of being protected against danger or loss, we find that both are reasonable goals but on a collision course nevertheless. Is it possible to have both privacy and security? Whereas Cyber Security is reasoned about in terms of trust in systems, the collision between privacy and security revolves around trust in people. Here the question is one of civility where civility is comprised of the sacrifices one makes for others. For example, are businesses and the public willing to sacrifice privacy by sharing encryption keys with government or is government and law enforcement willing to sacrifice access to encrypted data and information? The slow walking investigation of the Hillary Clinton email and server suggests the politicization of the same federal agencies involved in the data encryption key controversy where trust in the people in government is lacking. That leaves trust in systems to reliably manage a government data encryption key database, bringing to mind again the OPM attack and the failure of government systems. And then there is this; privacy is inexorably linked to Cyber Security. Here the minimum Cyber Security practice set includes the following: 1. Don't use the Internet for data and information you can't afford to lose. 2. Adopt three factor authentication. Adopt data encryption. When it comes to Cyber Security, it's not about money and it's not about Silicon Valley cafe amenities and automation. More broadly, it's about know how and will in meeting industry challenges and accepting government responsibilities. 1. Industry challenges demand renovating the rotten core of the software profession and its Cyber Security practice and shifting the onus for privacy and security from supplier to consumer. 2. Government responsibilities include removing government obstacles to consumer self-help and unleashing new Cyber weapons for privacy and security governance. 3. The Way Forward calls for adopting new and useful Cyber expectations for both industry and government.