31

I'm reading the CISSP official study guide and quote

In addition to verifying the reliability of security controls, an assessment should consider whether security controls affect privacy. Some controls may improve privacy protection, whereas others may in fact cause a breach of privacy.

What kind of security control would cause a breach of privacy? The book didn't mention any examples. Does anyone know?

Kolappan N
  • 2,692
  • 15
  • 29
daisy
  • 2,067
  • 7
  • 31
  • 44
  • 3
    Since you ask that at the most basic level, is it not clear that whatever the detail security controls must first ask 'Who are you?' and then do something with the response? – Robbie Goodwin Oct 16 '23 at 23:52
  • 3
    "How could a security control introduce a privacy issue?" - Imagine being required to provide your social security number verbally to the clerk at the movie theater so that they can check the domestic terrorist registry whether you're permitted to buy a ticket. – MonkeyZeus Oct 17 '23 at 13:07

5 Answers5

59

Many security controls around authentication require you to collect additional data from the users, which has privacy implications. For instance:

  • If you require an email address to sign up, you need to store that.
  • If you use SMS for a second factor you're requiring all of your users to provide their mobile number.
  • If you verify users' identity (for example asking them to provide a passport scan or a selfie), you need to process and store (at least temporarily) those documents.
  • If you use biometrics for authentication, you have to store some of that information.
  • If you try and detect unusual sign-in or activity, you need to keep a profile of what "normal" looks like for that user.
  • If you block "suspicious" IP addresses such as those related to VPNs or Tor, you may force people to use their real IP address (which you then collect).

There can also be significant privacy issues if you require users to install "security" applications to use your service. For example, all the banks that used to encourage (or require) people to install Rapport, or the banks who require you to install their mobile application for MFA (rather than supporting an open standard such as TOTP), or Microsoft encouraging people to use their own Authenticator app.

And in a corporate setting, there's often a conflict between visibility, logging and privacy. For example:

  • If your proxy does TLS interception, you're breaking the privacy of any sensitive information that goes through it - but if you don't then you're missing malware.
  • If your endpoint security software logs every website that's accessed, you're compromising the privacy of those pages.
  • If you log the contents of POST requests you can end up storing all kinds of sensitive data, but if you don't then you might miss malicious requests.
Gh0stFish
  • 10,932
  • 2
  • 35
  • 36
  • 14
    This is IMO the best answer so far. Privacy concerns aren't limited to some intricate attack on protocols - they can be as simple as collecting phone numbers or other personal identification. – Colonel Thirty Two Oct 16 '23 at 16:51
40

A good example of a security control that opened the door for a privacy issue is HSTS.

HSTS allows a domain to include a header in a HTTP response to instruct a browser to always make subsequent requests to the domain by HTTPS. The goal here is to ensure that the browser always connects to the site by HTTPS, so as to prevent sslstrip and similar type of attacks.

However, it turns out that by carefully manipulating HSTS on a relatively small number of domains (or subdomains), a malicious website can use HSTS to create 'supercookies' that can be used to uniquely fingerprint each web browser that visits the site.

See https://news.sophos.com/en-us/2015/02/02/anatomy-of-a-browser-dilemma-how-hsts-supercookies-make-you-choose-between-privacy-or-security/ for a good write-up on the details of how HSTS is misused for this purpose.

mti2935
  • 23,468
  • 2
  • 53
  • 73
13

One example is a 2FA system that reveals part of the user's phone number, even when the password is wrong. Yes, I actually have used a system like that.

Solomon Ucko
  • 259
  • 2
  • 7
  • 3
    Note that privacy issue exists whether the information is shown to users or not - just act of collecting is a privacy issue. What you are talking here is leaking information which is more serious than what I believe OP is asking about. – Alexei Levenkov Oct 18 '23 at 18:29
2

This is widespread in countries with strict privacy laws and when these are applied in a company context. A typical example of such a country is Germany.

Any system (including security ones) you deploy there that has a link with employees must be approved by the representatives of the personnel. You need to negotiate an arrangement (that looks like a written contract) where everything related to the privacy of users is described.

In particular, any systems that can track users' activity (or lack of activity, or the nature of activity) are closely looked at and there are protections for the employees that are written as part of the arrangement above.

WoJ
  • 9,038
  • 3
  • 34
  • 55
1

While you already accepted a very good and quite detailled answer, let me try to add another one, commensurate to the level of the question:

What kind of security control would cause a breach of privacy?

"Security" has, amongst others, these uses:

  • Protect some information from being seen by any but the intended parties.
  • Prove the identity of one of the intended parties to the others (authentication).
  • Prove that one of the parties is allowed to do or see something (authorization).
  • And plenty of others.

In many cases, authentication and authorization do not necessarily need to go together to make a system work as intended. If a security control manages to handle authorization without authentication, then, great!

Examples:

  • The infamous example of the (real or fictional, I don't know) Swiss bank which lets a customer into their vault only based on them knowing some secret password (not their identity). The security control is simply the knowledge of the password.
  • A user of a leased car with a payment card for gas can use that card, together with a PIN, to pay the gas bill, without the identity of the user playing any role (here, the security control is the combination of physical possession of the card, and knowledge of the PIN).
  • Modern schemes like OAuth or SAML make it possible for an application to let only privileged users in without knowing anything about those users. For example, you can log into a random small web site using your Google or Facebook account - the web site does not need to know anything about you as a person; it can trust Google's or Facebook's account database that it's really you. This scheme is a little more involved, it has different systems with different roles (i.e., keeper of your private data; keeper of the information that you have access to some resource; and a system for checking that from the point of view of a 3rd party app; these can be very different systems, so in theory not even the keeper of your private data gets to know which apps you are working with by separating out the system that matches that stuff).

To circle back to your question: any security control which is not like that, in spirit, would breach your privacy. If you have to give your personal name, audibly, at the doctor's office, then everybody around you will know that you have a reason to be at that doctor. If you need to give your real name whenever creating an account at a website, preferably with your bank information too, then that web site has a nice little collection of data about you, that it absolutely would not need otherwise. If you had to give your real name to the Swiss bank, it would make it much harder for you to manage your hard earned money without having to pay pesky taxes... and so on and forth.

AnoE
  • 2,389
  • 1
  • 10
  • 12