Privacy has very much been the buzzword for the past twelve to eighteen months. A number of significant groups have been working towards providing advice, guidance and a suitable steer in this arena - assisting government, policy makers and system developers at all levels. Security and Privacy have really begun to merge. Read on for more...
"Relying on the government to protect your privacy is like asking a peeping tom to install your window blinds"... so said John Perry Barlow.
That's a pithy view, but no doubt it captures the current public mood and is indicative of a lack of trust and confidence. However, recent discussions of privacy have gone hand in hand with transparency requirements.
If you can step back far enough (or high enough) you can see a theme - and it's definitely in sync with the present public psyche. We need to be able to be clear with people about why we have their data, what we do with it and who we share it with. All of these requirements are already enshrined within the Data Protection Act, and proper compliance with its eight principles would stand organisations (both public and private sector) in good stead when seeking to evidence how they manage these issues.
The BCS itself has been active in this space. The Building Trust in eGovernment Working Group has worked hard over the last 12 months and more, and today, 1st June 2009, launched the Personal Data Guardianship Code. This is well worth reviewing in conjunction with any discussions or considerations in this space.
Earlier last month I was at an IAAC event focusing on People-Centric Identity Assurance (I think I've got that right!) and Tom Ilube of Garlik gave a great talk about the fact that people who are fully bought into the Web 2.0 world (and beyond) are akin to being "data nudists" as a result of how free they are with their information.
However, with regard to Privacy, people have previously taken the stance of "it's mine and you can't see it". Whereas now you can put photos on Facebook, blog about stuff and tweet your every move (texting is presumably virtually "old school" now!). All the available technology allows people to be as open as they could possibly want with what would previously have been considered relatively personal information. Tom suggested that perhaps the "next big thing" might be Google People...
The difference between personal and private is thinly veiled and different for everyone - it's a hugely subjective thing.
Were it possible to put a mathematical equation to Privacy, given that computer scientists like their theories, then we would have something like the following:
Privacy = f(T, 1/e, b) x C
where f is a function of T (Transparency), 1/e (one over the number of errors) and b (boundaries), multiplied by C, how many Controls are in place.
Privacy can be considered to be a "control" - and that is a world that security people understand - we are always looking at the best way of implementing adequate controls on the basis of appropriate risk assessment. Easier said than done. However, John Leach, a key member of IAAC, posited that an invasion of privacy should be seen as a weakness of the relevant controls. Again, this is easy language for security professionals to understand.
We continue to experience a burgeoning Information Society and it is challenging to map Information Security needs effectively. Cliches apply - you cannot stop the tide; you can't put the genie back in the bottle... but either way, the constant consideration has to be "what are you prepared to give up for the InfoSoc, at the expense of InfoSec"?
Andrea