Privacy and Need-to-know
19 June 2007
It's rather frustrating to see how many people dismiss the concept of discretionary information release as an issue with which only the tin-foil-hat and "naughty" communities are concerned. Perhaps I have too narrow a view since I tend to look at things from an enterprise/government point of view, but we're not just dealing with the commercial space, are we?
I spend a great deal of my day (every day) trying to explain the need for such concepts within the DoD. In an intrinsically hierarchical group where every agency assumes it may have carte blanche access to peer and subordinate agencies, there is little true federation. Sharing data normally requires one organization or another to surrender control over its information, leading to power struggles of epic proportions.
When you finally get them to sit down at the table, the concept of cooperative data exchange (rather than the forced or ransacked types) is usually a foreign one. If not, they are typically jaded because of similar over-promises in the past which ultimately led to the above situation. Eyes cut at one another suspiciously. When they finally acquiesce (due to political or financial pressure), they instinctively demand to release as little data as possible. A desire to know and retain oversight over the data being "surrendered" about their users when they use external resources, and to have a clear audit/accountability trail for external users who access their resources, is quite common.
Note that the exact same things are usually demanded when most people talk about privacy, except here we call it "need-to-know". Need-to-know used to simply apply to release of well-defined and labeled information; within the enterprise, however, this concept has reached a new level. All information is regarded as sensitive until deemed otherwise. Sometimes it's because they have legitimate security concerns, other times it's just because of stubbornness.
So the issue on which the Government (with a capital "G" this time) is often cited for shortfalls, cross-organization information sharing, is unfortunately tied to this problem, in my opinion.