Microsoft has been vocal about its desire to properly regulate facial recognition technology. The company’s president, Brad Smith, appealed directly to Congress last year to take steps to manage the tech, which he says has “broad societal ramifications and potential for abuse.” Such are the company’s concerns that it even blocked the sales of the tech to California police forces. Now, Microsoft is continuing its crusade by quietly deleting its MS Celeb database, which contains more than 10 million images of some 100,000 people.
In October 2018, NIST, collaborating with public and private stakeholders, started drafting its privacy framework. The framework is intended to serve as a guide for chief information security officers (CISOs), chief privacy officers (CPOs) and other internal privacy stakeholders and is geared toward helping them improve their organizational privacy posture. Like the NIST Cybersecurity Framework introduced in 2014, the privacy framework is voluntary: organizations choose whether to adopt it.
It is expected that the framework will be presented in language that can be understood by both privacy and security professionals, as well as executives and other business stakeholders who may have no expertise in privacy, and that's a very good thing. The roles of the CISO and CPO are evolving to have complementary concerns, which means they must work more closely together, especially when it comes to privacy and personal data protection. Technical professionals and legal professionals speak very different languages in their day-to-day work, so when it comes to implementing an effective privacy program, everyone had better be speaking the same language to establish a common understanding of what needs to get done.
NIST has been working quickly. A request for information (RFI) to gather input and guide the development of the framework wrapped up in January, and the outline of the NIST Privacy Framework was drafted and shared in March.
This is a welcome move from NIST. I hope that information security and privacy officers embrace the framework. I also hope that the federal government issues strong privacy legislation, similar to the GDPR, that is congruent with the United States Constitution. We, the people, need some relief from the wanton collection and leverage of personal…
Very few among us – maybe none – are worthy of the level of trust required to have complete access to our activities, beliefs, actions, associations and desires. Acknowledgement of this means designing the systems that store all of that information in a way that treats everyone as untrusted by default.
I’ve joked about Layer 8 with my colleagues for years. Turns out it’s a well-known concept.