port” operationalized and extended
this into the Fair Information Practice Principles, which have been widely adopted throughout the world.
But the principles of “Collection
Limitation, Data Quality, Purpose
Specification, Use Limitation, Security Safeguards, Openness, Individual
Participation, and Accountability”
do not cover a world in which a user
may install hundreds of apps on her
smartphone, each of which requests
access to multiple permissions. And
that is only the phone: the user also
must confront her work desktop and
its browsers, her shared family tablet,
her laptop, and ...
This brief reprise of the current
communication and computing world
tells us that handling security and privacy involves understanding economics (for developing incentive schemes
to build security into applications and
to help users manage their privacy if
they so desire), anthropology (for understanding the different ways people
approach their electronic gadgets),
psychology (for developing models
that give people the computer interactions they want), design (for getting
the colors, sizes, and signals right for
people to achieve what they want), law
(for balancing different interests in
society), and so forth. While human-computer interaction has been an
established field for at least three decades, the Workshop in Economics of
Information Security is only in its 13th
year and the Symposium on Usable
Privacy and Security is just 10 years
old. And while there is a Privacy Legal Scholars Conference that focuses,
to a large extent, on digital privacy,
there is no equivalent Cybersecurity
Legal Scholars Conference. The point?
Scholarship in these human aspects of
privacy and security is nascent. That
means translation into actual use is
even more so.
Where does that put us? Being always
connected is increasing and we
are moving to the Internet of Things;
both of these will create additional
privacy and security risks. It is likely
that for many people—especially
those living under repressive regimes
and those with less opportunity either
as a result of economics or because of
a lack of capabilities—privacy and security
incursions will mount. In such
situations, digital communications
technologies appear to be leading to
increasingly oppressive and invasive
situations for many people.
On the other hand, there are
changes in the air. danah boyd describes
how American teens have
learned to hide their actions in plain
1 the U.S. government is seriously
considering certain limitations
in its collection of communications,
both domestically and abroad, the
Europeans are attempting to put limits
on what information is available
about individuals (though the European
Court decision on “the right to
be forgotten” decision4 seems to me
to confuse data being accessible on
the network—the real issue—with
data being linked through search
engines). There appears to be considerably
more interest by private individuals
in securing and protecting
their data; Tor usage, for example, is
approximately twice what it was in
May 2013.c, 15
Whether the latter will be a lasting
change is, of course, crucial. It is
a question I cannot answer. But I can
address how well this column has handled
broadly addressing the issues surrounding
privacy and security over the
last six years. And there I think the answer
is, “Reasonably well.”
c The reason for this is not entirely clear, since a
major spike occurred in August 2013; numbers
are substantially down from that high point.
cial science side, including on the role
of emotions in making complex secu-
10 and on the impact that
Fear, Uncertainty, and Doubt play in
determining how to fight back against
6 We have covered the
value, or lack thereof, of professionalizing
the cybersecurity workforce.
have had researchers, implementers,
engineers, computer scientists, lawyers,
social scientists of many flavors,
and management experts write—and
there have been authors from three
continents and at least 27 different
policy persuasions. I think we have
also done a reasonable job covering a
broad and complex set of topics.
With this, I hand the mantle of
Communications Privacy and Security columns to Carl Landwehr, for 30 years a
leading cybersecurity researcher. Carl
is a National Cyber Security Hall of
Fame inductee and a former editor-in-chief of IEEE Security and Privacy. Many
thanks for the pleasurable run.
1. boyd, d. It’s Complicated. Yale University Press, 2014.
2. Burley, D., Eisenberg, J., and Goodman, S. Would
cybersecurity professionalization help the cybersecurity
crisis? Commun. ACM 57, 2 (Feb. 2013), 24–27.
3. Byres, E. The air gap: SCADA’s enduring security myth.
Commun. ACM 56, 8 (Aug. 2013), 29–31.
4. European Court, Judgement of the Court, Grand
Chamber. Google Spain SL Google Inc. v. Agencia
Espanola Proteccion de Datos Mario Costeja Gonzalez,
May 13, 2014; http://bit.ly/1prYAfk.
5. Federal Trade Commission. SnapChat Settles FTC
Charges that Promises of Disappearing Messages
were False. Press Release, May 8, 2014.
6. Florencio, D., Herley, C., and Shostack, A. FUD: A plea for
intolerance. Commun. ACM 57, 6 (June 2014), 31–33.
7. Garside, J. Vodafone reveals existence of secret wires
that allow state surveillance. Guardian (June 5, 2014).
8. Gellman, R. Fair Information Practices: A History,
Version 2.11 (Apr. 2014); http://bobgellman.com/rg-
9. Irion, K. Communications networks tapped for
intelligence-gathering. Commun. ACM 52, 2 (Feb.
10. McDermott, R. Emotion and security. Commun. ACM
55, 2 (Feb. 2012), 35–37.
11. Mirani, L. Google’s sneaky new privacy change affects
85% of iPhone users—but most of them won’t have
noticed. Quartz (Apr. 3, 2014); http://bit.ly/1fKRDB2.
12. Narayanan, A. and Shmatikov, V. Myths and fallacies
of ‘personally identifiable information’. Commun. ACM
53, 6 (June 2010), 24–26.
13. Riley, M., Elgin, B., Lawrence, D., and Matlack, C.
Missed alarms and 40 million stolen credit card
numbers: How Target blew it. BloombergBusinessweek
Technology, (Mar. 14, 2014).
14. Snow, B. and Brooks, C. An ethics code for U.S.
intelligence officers. Commun. ACM 52, 8 (Aug. 2009),
15. Tor Metrics Portal, Users; http://bit.ly/1oMOzJA.
16. U.S. Secretary’s Advisory Committee on Automated
Personal Data Systems. Records, Computers and the
Rights of Citizens, 1973.
17. Westin, A. Privacy and Freedom, Atheneum, 1967.
Susan Landau (email@example.com) is a
professor of cybersecurity policy in the Department
of Social Science and Policy Studies at Worcester
Polytechnic Institute in Worcester, MA.
Copyright held by author.