You need to know the eight ‘fair information practice principles.
Dr. Carolyn Turbyfill
On February 2, 2012, the White House issued an Executive Order “Improving Critical Infrastructure Cybersecurity”:
This order contains warm and fuzzy language about protecting the use and retention of personally identifiable information, referring specifically to: the National Strategy for Trusted Identities in Cyberspace: http://www.nist.gov/nstic/
FAIR INFORMATION PRACTICE PRINCIPLES
Fair Information Practice Principles” means the eight principles set forth in Appendix A of the National Strategy for Trusted Identities in Cyberspace:
“Appendix A – Fair Information Practice Principles (FIPPS)
To truly enhance privacy in the conduct of online transactions, the Fair Information Practice Principles (FIPPs) must be universally and consistently adopted and applied in the IdentityEcosystem. The FIPPs are the widely accepted framework of defining principles to be used in the evaluation and consideration of systems, processes, or programs that affect individual privacy.
In brief, the Fair Information Practice Principles are:
• Transparency: Organizations should be transparent and notify individuals regarding collection, use, dissemination, and maintenance of personally identifiable information (PII)
• Individual Participation: Organizations should involve the individual in the process of using PII and, to the extent practicable, seek individual consent for the collection, use, dissemination, and maintenance of PII Organizations should also provide mechanisms for appropriate access, correction, and redress regarding use of PII
• Purpose Specification: Organizations should specifically articulate the authority that permits the collection of PII and specifically articulate the purpose or purposes for which the PII is intended to be used
• Data Minimization: Organizations should only collect PII that is directly relevant and necessary to accomplish the specified purpose(s) and only retain PII for as long as is necessary to fulfill the specified purpose(s)
• Use Limitation: Organizations should use PII solely for the purpose(s) specified in the notice. Sharing PII should be for a purpose compatible with the purpose for which the PII was collected
• Data Quality and Integrity: Organizations should, to the extent practicable, ensure that PII is accurate, relevant, timely, and complete
• Security: Organizations should protect PII (in all media) through appropriate security safeguards against risks such as loss, unauthorized access or use, destruction, modification, or unintended or inappropriate disclosure
• Accountability and Auditing: Organizations should be accountable for complying with these principles, providing training to all employees and contractors who use PII, and auditing the actual use of PII to demonstrate compliance with these principles and all applicable privacy protection requirements
Universal application of the FIPPs provides the basis for confidence and trust in online transactions.”
SO WHAT?
Is all or most of the US government complying with these principles? I don’t know. I do know that information is power and that information that is collected and retained for one reason can give rise to unintended consequences.
Watching the coverage of the PRISM surveillance projects logging the phone numbers and length of calls made in, to or from the U.S., I looked up the Patriot Act: http://www.fincen.gov/statutes_regs/patriot/ to investigate possible root causes of the current situation. Unfortunately, I could not decipher the Patriot Act due to a tortuous set of references and substitutions, i.e.
“SEC. 103. INCREASED FUNDING FOR THE TECHNICAL SUPPORT CENTER AT THE FEDERAL BUREAU OF INVESTIGATION.
There are authorized to be appropriated for the Technical Support Center established in section 811 of the Antiterrorism and Effective Death Penalty Act of 1996 (Public Law 104–132) to help meet the demands for activities to combat terrorism and supportand enhance the technical support and tactical operations of the FBI, $200,000,000 for each of the fiscal years 2002, 2003, and 2004.
SEC. 104. REQUESTS FOR MILITARY ASSISTANCE TO ENFORCE PROHIBITION IN CERTAIN EMERGENCIES.
Section 2332e of title 18, United States Code, is amended— 1) by striking ‘‘2332c’’ and inserting ‘‘2332a’’; and (2) by striking ‘‘chemical’’. “
For those of you with Eidetic memory, I invite you to explain the Patriot Act to the rest of us.
Bio:
Dr. Turbyfill has been head of engineering organizations and software architect with 20+ years of experience in: Security (Cyber and Physical); Risk Management; SDLC; Development Methodologies; Enterprise Products and Services; Compliance; Database, Strategy and Roadmaps; management of multiple groups in domestic and international locations; startups and turnarounds. Dr. Turbyfill has a consistent track record of delivering quality products within budget and on time and has consistently built leading edge technologies and products including:
- First database benchmark using experimental design techniques, the Wisconsin Benchmark;
- One of the first wireless LAN’s with radio, antenna and IP Layer encryption;
- First Firewall Appliance, SunScreen SPF 100 which also included a certificate authority and one of the first commercial IP Layer VPN’s, SKIP;
- First round-trip email marketing systems with interactive Java applets;
- First Managed Security Service at Counterpane Internet Security;
- First virtualized automated test environments for application stacks, the StackSafe Test Center.