Security Education

When Information Shouldn’t Be Free

I had an interesting conversation the other day. It was one of those conversations that forced me to re-evaluate some assumptions I didn’t even know I had.

Don’t you just love those kinds of conversations?

I had mentioned to a friend that I worked for OCLC. The company is well-known in central Ohio, so folks have an idea of what we do. My friend asked what I did there.

“I’m the Manager of Global Security,” I said. I’ve worked for companies with a national (US) scope before, but I’m still a little uneasy with the “Global” part of my title. I’m constantly asking myself if there’s something we’re missing in terms of protecting Confidentiality, Integrity, and Availability (CIA) — and what forms danger might take in locales I’m not familiar with.

So I was completely unprepared for his response.

“Security? For libraries? Don’t they give information away?”

I see library support systems from the inside out. My friend saw it from the outside in — starting with the kiosk to look for materials.

Two thing occurred to me.

First, we must be doing a decent job with our security if it’s so transparent! My friend didn’t think twice about using his library card to check out a book — or give any thought to what that card represented.

Which brings me to the second thing: Yes, information should be free — except when it shouldn’t be. Bibliographic data? Let’s get that out there. Let’s make searches intuitive and easy and fast. More relevant data is better.

But what about my friend’s name and address? Phone number? Other personal information that he might have given his local library branch?

That information should absolutely not be free.

The posts on this site that talk about writing secure applications? The work of institutions like the National Institute of Standards and Technology? It’s all about letting pubic information be public and private information stay private. And while I acknowledge that it’s hard keeping high volume public data systems running (what with designing for scalable high availability and all), I think it’s a bit harder to maintain that high volume for private transactions like making sure it’s my friend using his library card, and not some scammer.

Part of what makes keeping private information private is that so many forces in the technology space want to use private information for their own purposes. Fortunately, there’s an effective way to counter that goal.

I agreed with my friend that bibliographic data should be free. And then I asked him how important it was to him to keep his private information private — like the information the library had about him. Like the information that made it possible for his library card to work.

Put that way, he got it immediately. And I wasn’t the only one who had a changed perspective by the end of the conversation!

Terrance A. Crow is the Senior Security Engineer at a global library services company. He holds a CISSP and has been writing applications since the days of dBASE III and Lotus 1-2-3 2.01.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.