« Top Ten Things Everyone Should Know About ITIL | Main | What's So Smart About BI? »

January 22, 2006

No Place To Hide

Wiretaps, viruses, and instant global lies. We're definitely in the Age of Insecurity. The hugely shrunken world we live in is not really shrunken at all, but instead the opposite -- it's zoomed in. As we find life increasingly attached and vulnerable to the microscopics of reality, the world and its complexity get incalculably bigger instead of smaller.

Our instinct to see ourselves at the center of reality is thus amazingly if not bafflingly persistent.

For example, when our personal "security" is breached, we say our secrecy is pierced , our privacy is invaded , or our anonymity is lost ... Ironically, customer relationship management (CRM) is perhaps the most aggressive abuser of our notion that being the center of things is secure. How so? Just set your PC volume low and watch this 2 minute demo from Adcritic.com.

I.

On a daily basis, whether online or on foot, when we employ anonymity, privacy or secrecy, we like to speculate that the environment around our effort will cooperate with our intention.

Over time, willful naievete about that is merely childish and yet potentially dangerous.

On the other hand, careful research beforehand can give us a shot at reducing the speculation to a well-founded assumption by guiding us to better preparation for contingencies.

Yet unless told otherwise by someone we're willing to believe, we stubbornly go into situations with the idea that we have a "right" to maximum invisibility and can just ramp it up or down as we happen to like.

We hate to have our motives questioned "unnecessarily" -- we feel that we shouldn't have to justify or "earn" the desired degree of invisibility by revealing what we might do with it before we actually have it.

Of course the big catch to that is in whether we agree that our own degree of privilege should be no more than anyone else's in the same circumstances.

And for the most part, we don't. No one expects that to happen anywhere except in a frontier. We want different people, with their different agendas, to have different privileges.

Stuck with where we are, we should at least start the negotiations with being sure that we know what we're really asking for.

Then, we start applying that clarity to the task of making a policy.

II.

In policy, we run up against the issue of entitlement, which means clearing up the confusion about freedoms, liberties, and rights.

We normally like to use them all at our convenience, as justifications for what we want. We use them as if they were our tools in our personal toolbox. But in that attitude, there is some degree of illusion.

We can detect this with a little vocabulary change. That is, in the environment that we target, we instead find our potential actions unrestricted, restricted or approved without regard to what we want. This trio of circumstances stretches, respectively, not only from the least specified situation to the most specified, and from passive allowance to active promotion, but also from the most autonomy to the least:

- Freedom refers to the absence of any restrictions.
- Liberties refers to the tolerances for what we are "allowed" to do.
- Rights refers to the postive confirmation of what we are "permitted" to do.

How do those experiences relate to our anonymity, privacy and secrecy?

What bothers us the most is if a party other than ourselves, at their discretion instead of ours, makes a decision that limits our range. (When we make a policy, we are the "other" party to those that we feel should comply.)

We might therefore instead be wary of:
- a loss of freedom,
- a contraction of liberties, and
- a refusal of rights.

When we don't get what we want, there are two different things being challenged: our authorityand our autonomy.

It's unpleasant to have either of them in debate; but, it is useful to know that sometimes we can have less of one and more of the other without necessarily sacrificing a satisfactory outcome. The issue is to predictably get what we really need, without it being at the unfair expense of others.

To see that this is true, we create policies as a set of understandings that identify the important combinations of autonomy and authority by which we want ourselves and others to abide.

Policies associate privileges and responsibilities, in a way that foretells what kind of influence we will have in a given environment. While not always the case, it is reasonable to usually expect that accepting responsibilities is a way to merit privileges. For that to work, the responsibilities need to be spelled out in a way that clearly describes the particular environment.

Restoring a sense of order and safety is something we want to do by rule rather than by force; but for that to work we have to agree on the rules and they have to be followed.

III.

Using the above generic table, we can envision a specific circumstance or environment such as an apartment building, in which the landlord is an owner , the manager is an agent, and the tenant is a guest. Most notably: these roles are designated with responsibility to the environment, not to each other. But the roles can inherit benefits from the environment because everyone is doing their part correctly.

The result of creating a policy is that we formalize security.

Our issues with personal security -- in terms of having protected anonymity, privacy or secrecy -- are actually particular to the stakeholder role that we assume in the environment. Other parties in the environment want to know if our mode of actions -- anonymous, private or secret -- is still supporting the responsibility that they assume we have taken on with our role. In the end, we don't have a blanket protection of anonymity, privacy or secrecy; instead, we need a contract with other parties that appropriate protection will be provided if we declare our roles and follow the rules. Although this contract needs to be negotiated, once there the biggest concern is about whether either party, us or them, will violate the terms of the contract. Suspected violators lose protection.

In sum, this points out four risks to security.
(1) Lack of explicit policy (either by design, or effectively through neglect)
(2) Uncertainty about what roles have been accepted
(3) Intentional disregard for responsibility
but also
(4) Abuse of authority.

Plenty to think about, but not much new, even in the outrageously expanded world.

Posted by Malcolm Ryder at January 22, 2006 7:12 AM

Trackback Pings

TrackBack URL for this entry:
http://www.malcolmryder.com/cgi-bin/mt-tb.cgi/195

Comments

Post a comment