Information privacy is the claim of individuals to determine what information about them is disclosed to others and encompasses the collection, maintenance, and use of identifiable information. Privacy is an important value in a democratic society. For individuals, it enhances their sense of autonomy and dignity by permitting them to influence what others know about them. For associations, privacy enhances the ability of individuals to function collectively by permitting the association to keep deliberations and membership and other activities confidential. For society, privacy fosters individual and associational contributions to society, promotes diversity, and limits undesirable conduct and abuse of authority by government and other institutions.
This post is a brain dump for my ideas for designing a new, community driven (#open) certification. I’d like to eventually make this a program that is actively maintained by the Open Knowledge Foundation and licensed under the Creative Commons.
First, checkout this 5-minute video presentation from the Chaos Communication Congress where this idea spawned:
The PCP is a policy for communication service providers who seek to respect the privacy of their user-base. It includes a set of modules that cover various aspects of the server configuration and three levels in each module which provide more and more privacy.
I’d like to adapt their work, specifically, to create an open framework that would be made up of a spectrum of policies and procedures for auditing and implementing privacy-centric services for information hosting providers. So, if you’re a blogger or an internet service provider, you would use this specification to audit yourself, make specific changes to your network or hosting infrastructure, then precisely outline such capabilities, publicly. This would be a voluntary and trust-based process, being that service providers will be their own auditors.
Their existing work:
Open Privacy Specification
Collaboratively build an open framework for a broad range of internet-based information service providers with the objective of creating and maintaining specific policies, procedures, and certifications for objectively controlling personal information.
Fundamentally, maintaining individual privacy requires accessibility to control the confidentiality, integrity, and availability of specific information. Information that cannot be controlled by a services user must be defined and made publicly available, with detail, without compromising the security of the information hosting provider.
The purpose of the Open Privacy Specification is to:
- define the relative privacy expectations between the information hosting provider’s service and the services users;
- design and implement services that safeguard the services users whenever possible against voluntary and involuntary compromisation;
- provide the services users meaningful information about their ability to maintain their privacy while using said services;
- implement routine processes and secure controls via standardized policies and procedures;
- implement a standardized public disclosure document outlining the information service providers metric-based capabilities and limitations.
Certifications will be built around service capabilities and information management infrastructure.
Service capability examples include:
- Pertinent regional laws (when available)
- Organizational management (as permissible)
- Automated and manual processes (as permissible)
Information management infrastructure examples, standardized around the OSI model, may include:
- Physical, data link, network, transport, and session layers:
- Upstream providers capabilities and limitations
- Hardware configuration, capabilities, and limitations
- Network configuration, capabilities, and limitations
- Presentation and applications layers:
- Operating systems configuration, capabilities, and limitations
- Software applications configuration, capabilities, and limitations
Future revisions of specific policies or procedures should be adaptable to existing information assurance frameworks, such as PCI-DSS, COBIT, NIST, or ISO/IEC 27002, etcetera. At the moment, I’m thinking about sponsoring a hack-day event to launch the initial draft with the University of Washington. I think it would be a solid start. As always, feel free to share any commentary.