The Attributer’s Blog – Private

The Attributer had the privilege of serving on the Jericho Forum during the period leading up to its closure (‘sunsetting’) in November 2013. During that latter period, we were working on a paper to set out the principles for protecting the privacy of personal data. Recently, during the time of lockdown to control the Coronavirus pandemic, The Attributer has been reminded of some of the problems that we encountered in that work. The issues are concerned with the use of photography to document our daily lives in the form of ‘selfies’ and other types of personal images.

Consider the following scenario: a family or a group of friends are on holiday in a foreign city. They visit famous landmarks such as the Taj Mahal, the Eiffel Tower, the Sydney Opera House or the Lincoln Memorial. They want to be able to say to their friends and relatives that they were there, and here’s the photo to prove it. It’s part of socialising.

That’s all well and good, unless in the background there are other people not intended to be part of the visual record, but just there by accident. The person with the picture posts it on FaceBook and there for all the world to see are the ‘extras’, in that place, at that time, and possibly in the company of other people whose association is an embarrassment. Suddenly their private outing becomes public on a global scale as they are recognised and reported in gossip columns around the world. We are thinking here of celebrities whose lives are examined in minute detail by the public. Politicians and public servants are amongst this group.

There is no malice or intent on the part of the people who take those photos and publish them on popular web sites. They own the copyright to the images and are unaware of the potential embarrassment that publication might cause. So, what can be done to protect the privacy of those ‘extras’? Whose responsibility is it to make sure that such unwanted publications do not take place? Can there be privacy protection for those individuals? Is it all at their own risk? 

In the Jericho discussions we never quite nailed down an answer to that last question, but the current trend in setting up new ‘home office’ facilities raises a closely related question again. If you sit at home with a video image of your virtual workplace, then what materials might be displayed in the background that give away personal private details about you and your family life that you really should not be displaying? In these emergency situations people have often not given sufficient thought to the consequences of well-meaning actions.

Then there is the issue of government intervention to control the spread of the virus. Governments are leveraging modern technology to help ensure that those ordered to self-isolate actually stay at home. In Hong Kong, new arrivals from abroad are required to wear electronic bracelets to track their movements, while in Singapore those self-isolating are contacted several times a day and required to send photographic proof of their whereabouts. In Taiwan school children are being automatically scanned as they approach the school building to monitor their body temperature and if it shows up as too high, they are being turned away for detailed testing and possible quarantine.

The legal enforcement of these measures can be accompanied by heavy penalties. For example, Singapore can use jail terms for anyone who breaks a “stay at home” order. It stripped one offender of his residency rights. Many countries in the West will find it hard to adopt such measures due to their larger populations, and greater civil liberties. However, to whatever extent a country introduces strong measures, there is also the question of how long those will remain in place and whether governments will seize an opportunity to weaken personal privacy legislation.

As with all risk management scenarios, what we see here is a complex interaction of risk factors: public health versus public freedom and personal privacy. SABSA is the framework that allows these risk factors to be played against one another with a view to optimising the outcomes, but it will also require the agreed definition of who are the policy makers and whose interests are being protected when policy is made.

The Attributer

4 thoughts on “The Attributer’s Blog – Private”

Dear Attributer, thank you so much for your blog. The current situation is indeed a predicament, where many people end up showing much more of their living space and personal life than they are initially aware of. With colleagues working from home I noticed that another trend is to engage in video calls – previously this was not done that often, but now we see it as a way to stay in touch with each other, to look each other ‘in the eye’. Seeing the wall or view (OSINT!) behind that person is collateral to that effect. I have noticed that particularly the older generations are less aware of the uses and risks associated with technologies. I use Skype for Business, Microsoft Teams, GoToMeeting and Zoom for various purposes next to one another. For MS Teams in particular I recommend the option to blur one’s background. For Zoom, you can use an image or a video as one’s wallpaper. In our call with relatively young people, this had led to the proliferation of memes and viral video backgrounds. I recommend using any of these means to ensure the quality of the attribute ‘Private’ during COVID-19 times.

Thanks Ester. Another aspect of this sudden adoption of video calls for team work and meetings is that there are many products out there to provide these types of facilities and so users have a wide choice. I myself am familiar with WebEx and GoToMeeting but I have become aware of another product called Zoom (you mention it in your post) which appears to be very popular. I have never used it but it seems that there are some serious privacy issues with this product. In particular people report that it is possible to break into a Zoom session. Whilst people are naturally inventive and innovative in solving new problems, the security of the solutions is often not well understood. CISOs should ensure that business users are given sound, consistent advice about the potential issues and the way to avoid making poor decisions over which tools to use under stressful conditions.

Hi John, I recognize that there is a lot of criticism around Zoom. I haven’t dived into the topic myself, but some of my colleagues are investigating it from different angles. One interesting counter-argument that has been made comes from Dave Kennedy: https://twitter.com/HackingDave/status/1245536000819986432.

Although he’s more from the security space than privacy, I do feel that he is right in the sense that we should reflect on the message that we as an industry put out to the wider non-technical world. Of course vulnerabilities and unjust practices need to be addressed, but we need to be careful to not publicly bash currently ‘critical infrastructure’.

Hi Esther (spelled correctly this time 😀 )
Of course I agree that the non-technical business users need the support of the security and privacy professionals – that was rather my point. The CISO can do a lot to help the business user community to understand the issues and make the right choices without bashing the providers of useful services. I’m not bashing Zoom – merely pointing out there have been public concerns about its suitability.
