- From:
- To:
- Subject: [projectvrm] "Trust" [was: NY Times article: Personal Data and Privacy...]
- Date: Sat, 11 Oct 2014 13:39:00 +1100 (EST)
- Importance: Normal
On 11 October, 2014 7:21am Johannes Ernst wrote:
>
>> If, on the other hand, they hired, say, the EFF, to go through their
>
>> security / privacy architecture and implementation with a fine comb twice
>
>> a year ...
>
>
>
> This is not something the EFF does today nor would it if approached, but
>
> do folks
>
> think this is something the EFF should do? Seems like being an auditor is
>
> a much
>
> different business than being an advocacy organization with a tech
>
> capacity.
>
>
I only meant to say that many people -- myself included -- would *** trust
>
*** a statement
>
by the EFF about some organization's (particularly government's) security
>
and/or
>
privacy practices, while this would not be true about many other org's that
>
typically audit....
[emphasis in last sentence added by me]
I can't help but note the strange use of the word "trust". You're talking
about trusting an organisation do do something it cannot actually do. That's
kind of academic isn't it?
We were asked to consider if audit is something the EFF perhaps should do.
But what happens to the "trustworthiness" of a body like the EFF if it was to
be convinced to start doing something that it has never done before? I
should say I am no fan of the audit industry. I am not at all convinced that
existing commercial privacy audits and trust marks are any good either.
There's another topical case where "trust" has been exposed. We're supposed
to trust Open Source software right? Yet the terrible Heartbleed bug in the
Open SSL library resulted from a coding error (really, a high school level
programming blunder) which went through the Open SSL Foundation peer review
process unnoticed. AFAIK nobody has worked out exactly what happened but it
is entirely possible that no meaningful code review was done at all before
the affected code was released.
The term "trust" is almost useless to characterise what we need and what
think we're getting from a software development process.
We really need to stop over-using "trust". As the old Italian proverb goes,
it's nice to trust but it's better not to. Let's get precise. What we need
is accountability, verifiability, liability and so on.
More by me:
http://lockstep.com.au/blog/2011/01/10/reading-peter-steiners-dog
http://lockstep.com.au/blog/2014/04/14/heartache
Cheers,
Steve.
Stephen Wilson
Lockstep
http://lockstep.com.au
Lockstep Consulting provides independent specialist advice and analysis
on digital identity and privacy. Lockstep Technologies develops unique
new smart ID solutions that enhance privacy and prevent identity theft.
- Re: [projectvrm] NY Times article: Personal Data and Privacy - and VRM topics - A European point of view, (continued)
Archive powered by MHonArc 2.6.19.