Does Confidentiality Still Matter?

Thursday, September 02, 2010

John Verry


To an "old school" infosec practitioner (like myself), confidentiality is the most emphasized element of the CIA triad (confidentiality/integrity/availability), because the risks associated with a failure to provide confidentiality are usually the biggest and the regulations can be the stickiest (e.g., PII, PCI, HIPAA).

"New school" practitioners are likely to view things a bit differently. When you have grown up with "where you are/what you did/who you did it with" posted for the world to see on MySpace/Facebook ... the boundaries between private and public are pretty thin.

Rather than pulling back, many are continuously broadcasting their whereabouts and activities using Foursquare and Twitter. GenY folks are just not all that concerned about confidentiality ... because they are not that concerned about privacy.

My conversations with GenY have altered my views on privacy quite a bit. So has my work as a social engineer. So has the fact that I have had my Personally Identifiable Information disclosed by multiple retailers and a mortgage company.

In short, the genie is already out of the bottle and there is no way to get the cork back in. If you don't agree with me, Google yourself, and take a look at tools like,, and

If you're anyone who has at least partially embraced the internet -- birthdates, mortgages, judgments, addresses, your work history, your military records (including serial number), Social Security Numbers, purchases you made on Amazon, your woeful performance in your fantasy football league, posts you made on the dementia message boards -- are all just a click away.

So if our "private" information is now "public", do we really need confidentiality? Does it really matter if someone knows my Social Security Number? Driver's License Number? Address?

Sadly, it probably still does -- because those items are often inappropriately used as a form of authentication. However, as GenY folks take more prominent roles in politics and information security, I would not be surprised to see some big changes.

Most notably, a de-emphasis on confidentiality and a greater emphasis on authentication and authorization.

It's an interesting (even if preliminary) point to ponder ...

(originally posted at

John Verry: If you happen to find the article -- would love to read it. You're right about there potentially needing to be a shift in the way we think. It's an interesting time to be doing what we do ...
Pete Herzog: I think in a lot of ways we've gone through this already as a society, or at least some of us have. I'm talking about celebrities. What we'll see is not more authentication or authorization (as we've seen with stolen sex tapes and nannies spilling it all) but rather currently boutique services that provide special types of anonymity and deniability. You see, the biggest loss is not our privacy, as celebrities can tell you, but the recording of this loss in ways one does not want to have to deal with (D. Hasselhoff's drunken phone calls recorded and posted to the net). What this causes is a certain loss of deniability, for which new services emerge ("No, Dean Wormer, I was not drinking a real beer in that picture because it was a staged shot for a series on student alcoholism, as this photographer will attest to," you say, slipping the photographer $10). However, even celebrities know how to draw the lines between private, a little public and a lot public. They usually show only what they want to show and deny the stuff they missed. Most of the public will learn this as well eventually.
John Verry: De-authentication?? A new information security requirement? :>)

I am planning on writing a blog on the information security implications of naming your child. Your concept of "plausible deniability" was part of my thought process ...
Terry Perkins: As an "old-timer", I'm having a hard time with this shift in thinking. However, I do see the need for it.