NIST’s privacy framework lets privacy tell its own story

Online privacy remains unsolved. Congress prods at it, some companies fumble with it (while a small handful excel), and the public demands it. But one government agency is trying to bring everyone together to fix it.

As the Senate sits on no fewer than four data privacy bills that their own members wrote—with no plans to vote on any—and as the world’s largest social media company braces for an anticipated multibillion-dollar privacy blunder, the US National Institute of Standards and Technology (NIST) has published what it calls a “privacy framework” draft.

Non-binding, unenforceable, and entirely voluntary to adopt, the NIST privacy framework draft serves mainly as a roadmap. Any and all companies, organizations, startups, and agencies can look to it for advice in managing the privacy risks of their users.

The framework draft offers dozens of actions that a company can take on to investigate, mitigate, and communicate its privacy risks, both to users and executives within the company. Nearly no operational idea is left unturned.

Have a series of third-party vendors in a large supply chain? The NIST framework has a couple of ideas on how to secure that. What about countless employees with just as many logins and passwords? The framework considers that, too. Ever pondered the enormous meaning of “data security” for your company? The NIST framework has a couple of entry points for how to protect data at rest and in transit.

Though wrought in government-speak and at times indecipherable nomenclature (suggested company actions are called “subcategories”), the 37-page privacy framework, according to one of its authors, has a simple and equally elegant purpose: It could finally let privacy tell its own story.

“To date, security [professionals] are telling a dramatic story. ‘We had these threats. Look what happened to these companies here,’” said NIST Senior Privacy Policy Advisor Naomi Lefkovitz. “But privacy [professionals] are over here saying ‘Privacy is a very important value,’ which is true, but it’s not quite as compelling when resources are being allocated.”

Lefkovitz continued: “We want privacy to be able to tell an equally compelling story.”

If successful, the NIST privacy framework could improve user privacy within organizations across the United States. It could better equip privacy officers to convince their companies to bulk up internal controls. And it could create an agreed-upon direction for privacy.

There are, of course, obstacles. A voluntary framework is only as successful as it is attractive—overly ambitious guidelines could turn the framework into a dud, tossed aside by the companies that handle the most user data.

Also, the framework should work in coordination with current data protection laws, rather than trying to overwrite those laws’ requirements. For example, as companies have built up their internal controls to comply with the European Union’s sweeping data protection law, the General Data Protection Regulation, a new approach to privacy could be seen as time-consuming, costly, and unnecessary.

Despite the potential roadblocks, NIST has been here before. Six years ago, the government agency was tasked with making a separate framework—one for cybersecurity.

The NIST cybersecurity framework

In 2013, through Executive Order 13636, President Barack Obama asked NIST to develop a strategy on securing the nation’s critical infrastructure from cyberattacks. This strategy, or framework, would include “standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks.” It would be voluntary, flexible, repeatable, and cost-effective for organizations to take on.

On February 12, 2014, NIST published the first version of its cybersecurity framework. The framework’s so-called “core” includes five functions that a company can take on to manage cybersecurity risks. Those functions are:

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

Each function includes “categories” and “subcategories,” the latter of which are actually outcomes that a company can try to achieve. It may sound confusing, but the framework simply organizes potential cybersecurity goals based on their purpose, whether that means identifying cybersecurity risks, protecting against those risks, detecting problems when they arise, or responding and recovering from them later on.

Several years, multiple workshops, more than 120 submitted comments, and one major update later, the framework has proved largely popular.

According to annual surveys of cybersecurity professionals by the Information Systems Security Association and Enterprise Strategy Group, the NIST cybersecurity framework has taken hold. In 2018, 46 percent of the survey’s 267 respondents said that they had “adopted some portions or all of the NIST cybersecurity framework” in the past two years. That same response showed up as a top five cybersecurity measure in 2017 and 2016.

In April 2018, when NIST released the cybersecurity framework’s Version 1.1 update, the US Chamber of Commerce, the Business Roundtable, and the Information Technology Industry Council all spoke in favor, with the Chamber of Commerce calling the framework “a pillar for managing enterprise cyber risks and threats.”

For NIST, the challenge will be translating these successes to privacy.

“Privacy is, if anything, more contextual than security, and therefore, it makes it very difficult to make one-size-fits-all rules and expect to get effective privacy solutions,” said Lefkovitz. “You can certainly get a checklist of solutions, but that doesn’t mean you’re providing any privacy benefits.”

The NIST privacy framework

The NIST privacy framework draft, published last month after a 48-day open comment period, is modeled closely to NIST’s cybersecurity framework. The privacy framework, just like the cybersecurity framework, has a core that includes five functions, each with its own categories and subcategories, the latter of which, again, actually describe outcomes. The privacy framework’s five core functions are:

  • Identify
  • Protect
  • Control
  • Inform
  • Respond

Again, companies can voluntarily use the framework as a tool, choosing the areas of privacy risk management where they need support.

For example, a company that wants to identify the privacy risks to its users can explore its inventory and mapping processes, supply chain risk management, and governance, which covers a company’s policies and regulatory and legal requirements. A company that wants to protect against privacy risks can look at achieving a number of options, including insuring that both remote access and physical access to data and devices are managed. Companies could also, for example, make sure that data is destroyed according to company policy.

The privacy framework has been well received, but there are improvements to be made.

“I think the draft is good as a starting point,” said Amie Stepanovich, US policy manager for Access Now, a digital rights and free expression advocacy group that submitted comments to NIST about the privacy framework. “It is a draft, though.”

Stepanovich said she liked that the privacy framework draft will be revisited in the future, and that it does not try to present a “one-size-fits-all” solution to privacy. She also said that she hopes the privacy framework can dovetail with current data protection laws, and not serve as a replacement to much-needed data privacy legislation.

Stepanovich added that the privacy framework’s focus on the user represents a potentially enormous shift for privacy risk management for many companies. Currently, Stepanovich said, privacy risk operates on three levers—legal liability risks, public relations risks, and future regulatory risks. Basically, companies calculate their privacy risk based on whether they’ll face a lawsuit, look bad in the newspaper, or look so bad in front of Congress that an entirely new law is crafted to rein them in.

The focus on the user, Stepanovich said, could meaningfully communicate to the public that their data is being protected in an all new way.

“The trust that people can have in companies—or data processors—will not come from legal compliance, because nobody says ‘Trust me, I do exactly what I have to do to not be sued,’” Stepanovich said. “If [data processors] are going beyond what needs to be done to serve interests of people who may be put at risk through their behavior, that starts to look like something people will pay attention to.”

But going above and beyond the current legal compliance landscape could actually be a roadblock for some companies.

When NIST opened its email box up for public comments, one major lobbying group suggested a list of “minimum attributes” to be included. The Internet Association, which represents the public policy interests of Google, Facebook, Uber, Airbnb, Amazon, and Twitter, just to name a few, asked that the framework have “compatibility with other privacy approaches.”

For many of the group’s represented companies, legal compliance is part of their privacy approach, and NIST’s privacy framework draft proposes a few outcomes that do not entirely line up with current legal requirements in the US.

For example, the privacy framework suggests that companies could structure their data management to “protect individuals’ privacy and increase manageability.” Some of the ways to do that, the privacy framework suggests, are by giving users the control to access, alter, and delete the data stored about them.

But a company that adheres to those suggestions could potentially face questions about how to fulfill certain government requests in which US intelligence agencies demand a user’s online messages or activity as part of an investigation.

Another “minimum attribute” proposed by the Internet Association is also missing from the draft: “Common and Accessible Language.”

A similar matter proved a pain point for Stepanovich, who is not associated with the Internet Association.

“This is not a draft document that people can easily understand,” Stepanovich said. She compared the privacy framework draft to, somewhat surprisingly, the hit ABC drama “Lost,” a circuitous six-season television show that included a disappearing island, time travel, and storytelling techniques such as flashbacks, flash-forwards and, remarkably, what can only be described as “flash-sideways” moments into a parallel, maybe-Heaven dimension.

“This is the ‘Lost’ problem,” Stepanovich said. “’Lost’ lost viewers every season because you couldn’t start watching it in season three and have any clue—it required watching every episode, and it kept getting more complicated, providing no entry point.”

TV analogies aside, Stepanovich’s bigger point is this: With no entry point for non-techies, the individuals who could be most impacted by this privacy framework will miss out on the opportunity to shape it.

“It shouldn’t just be cybersecurity, those who focus on tech, because tech is not necessarily the most at-risk community here. LGBT [individuals], civil rights [defenders], immigrants—populations who have a higher stake in the privacy conversation,” Stepanovich said. “If it is too difficult for us to understand, it is impossible for those groups to get in there and have the resources to devote to this issue. They need to be there.”

Beyond the draft

NIST’s privacy framework draft is just that, a draft. The agency scheduled a webinar for May 28 and a public workshop in Boise, Idaho, on July 8 and 9. Registration is free. A preliminary draft is expected in the summer, with Version 1.0 to be published in October.

Until then, everyone is invited to share their thoughts with NIST about what they expect to see from the privacy framework. We at Malwarebytes know you care about privacy—you’ve told us before. Feel free to tell your story about privacy. It could help shape the topic’s future.