Full Report
Last week we presented an invited talk at the ISSA conference on the topic of online privacy (embedded below; click through to SlideShare for the original PDF). The talk is an introductory overview of Privacy from a Security perspective and was prompted by discussions between security & privacy people along the lines of “Isn’t Privacy just directed Security? Privacy is to private info what PCI is to card info?” It was further prompted by discussion with Joe the Plumber along the lines of “Privacy is dead!”
Analysis Summary
# Main Topic
The core narrative is an introductory overview of Online Privacy examined from a Security perspective, driven by industry discussions questioning if privacy is simply directed security, and public skepticism exemplified by the stance "Privacy is dead!" The focus is on the fundamental shift where modern life is increasingly *lived* online, leading to massive data collection and monetization by entities, exemplified by corporations like Google.
## Key Points
- The importance of privacy has grown due to new technologies enabling widespread data capture, but the fundamental shift is that individuals now *live* their actions predominantly online, often mediated by single service providers.
- The primary business model for highly successful modern corporations (using Google as a pertinent example) is the collection and monetization of private data.
- Privacy is defined, in part, as data subject to implied access control and authorized use. Determining which controls are reasonable or legally enforceable remains a developing field.
- The presentation detailed a taxonomy of data collection levels, mechanisms used, and resulting data leaks.
## Threat Actors
- **Governments:** Mentioned as actors with the funding and motivation to collect and collate significant amounts of information for potentially disagreeable goals.
- **Corporations:** Identified as primary actors whose business models revolve around the collection and monetization of private data (e.g., Google).
## TTPs
The report outlines various techniques used to collect or leak private data across different levels:
- **Tracking:** Cross-site tracking using tracking pixels or cookies.
- **Browser Exploitation:** Exploitation of rich browser environments, such as the simple CSS history hack.
- **Data Leakage:** Unstructured and less obvious leaks such as issues with search data (referenced the AOL leak).
- **Deanonymization:** Correlating various public data sets to de-anonymize individuals, utilizing tools like Maltego.
- **Metadata Analysis:** Unintended leaks derived from metadata analysis, such as examining Twitter and Facebook friend groups.
## Affected Systems
- **Web Browsers:** Affected by techniques like CSS history hacks that exploit rich browser environments.
- **Online Services/Platforms:** Services where actions are conducted online (e.g., Google, Facebook, Twitter) are implicated in large-scale data collection.
## Mitigations
- The presentation noted that implications and defenses were covered in only two slides and were considered an incomplete area of ongoing research.
- Implied access controls and authorized use are the concepts around which legal and enforcement discussions are developing.
## Conclusion
The analysis positions online privacy as the "next battleground." While the mechanisms for widespread data collection are mature, the legal and enforceable framework around mandated access control and data use is still evolving. Organizations and users must contend with the reality that daily life generates persistent digital trails leveraged for commercial gain or governmental surveillance.
***
# Morning News Roll-up
## Overview
The primary news discussed is an invited presentation on Online Privacy delivered at the ISSA conference, framing privacy not just as directed security, but as a critical security concern arising from the fundamental shift of modern life being lived online and monetized by major corporations.
## Top Stories
- **Online Privacy as the Next Security Battleground**
  - Summary: The talk established that privacy is fundamentally about data with implied access control and authorized use. The urgency stems from the fundamental shift where significant life actions are now performed online, often through single service providers whose primary business model involves data collection and monetization.
  - Source: Referenced the embedded SlideShare presentation on Online Privacy.
- **Taxonomy of Online Data Collection Techniques**
  - Summary: The presentation detailed methods used to capture private data, ranging from active tracking mechanisms (pixels, cookies) to environmental exploits (CSS history hack), unstructured leaks (search data), advanced correlation attacks (deanonymization via Maltego), and unintended metadata exposure (social graph analysis on Twitter/Facebook).
  - Source: Section describing the taxonomy of data collection.
- **Philosophical and Legal Underpinnings of Privacy Misconceptions**
  - Summary: The discussion touched upon historical, philosophical, legal, and psychological concepts of privacy, advocating for Daniel Solove's work (“I’ve got nothing to hide,” and other misconceptions of privacy) as a key introductory read, emphasizing that privacy debates center on reasonable and enforceable access controls.
  - Source: Discussion referencing Solove and the definition derived from entry-level work on privacy conceptions.