I've now been a CISSP since 2014 and have had the opportunity to attend a privacy and security conference hosted in the city where I live, a number of times. This conference has always brought in really knowledgeable people across a varied number of industries as well as public and private sector groups. Two memorable speakers (speaking right after each other, imagine)were Michael Hayden and Cory Doctorow, and their talks were insightful.
While the presentations into the ever changing security landscape were valuable to me, I felt especially lucky to get a better understanding of privacy and the many dimensions I wasn't previously aware of. This brings me to the point of this post.
While I appreciate that the internet and many related technologies weren't originally architected to provide or protect privacy, I have come to value my privacy when online and take steps to protect it. In researching how to protect my privacy I came across a series of articles written by Sebastian Greger (who I'll link to below). The subject of his articles is on 'privacy aware design' and the overall idea is that websites that host things like Facebook 'Like' buttons are sponsoring unwarranted mass survelience by sending user data back to Facebook. The general idea with Facebook Like buttons is that they can retrieve the IP address of a visitor, whether you use Facebook or not (and you don't need to click the Like button), and lookup the account or just record it. By doing this Facebook can track users around the internet without your consent or knowledge. And just think of how many Facebook Like buttons are out there.
What Greger proposes is an alternative to this that doesn't involve tracking users but only results in the posting a 'Like' of that page on Facebook or Google or Twitter or whatever. Since as it turns out these sites do support alternatives.
So, being so appreciative to Greger I thought I'd put his solution to the test and write to a website I frequent and ask if they would consider switching. The website I chose hosts a podcast of someone I consider to be thoughtful and principled enough for this to make sense.
Now, while they didn't reply to my email or confirm they were going to make this change, they did recently did launch a major revision to their site and the alternative 'privacy aware' design was incorporated. So kudos to them.
The website in question is www.samharris.org, and his new website really does look and work well, especially without the Like buttons.
The reason I'm sharing this with the CISSP community is in the hope that this is of value to you, that becoming aware that alternatives exist and that you might consider writing to websites you visit to ask them to consider these privacy aware alternatives.
For your reference, I'm including the text of the email I wrote to Sam Harris.
Regards, Paul
=======
[email text]
Regarding 'privacy aware design' and alternatives to unwarranted mass surveillance
Hello,
My name is Paul and my profession is working as a privacy and security administrator. Since starting this type of work over 8 years ago, the world was a different place and I've come to be aware and concerned about privacy and what control I have over it. I've also come to be quite concerned about unwarranted mass surveillance, a topic that you've covered in your podcasts. This is why I'm writing to you.
After listening to many of your podcasts I suspect (and hope)that you might be open to consider making a change to your website that would replace the use of social media buttons that contribute to the tracking of users without their consent.
After visiting your website I noticed a number of JavaScript files from social media sites (Twitter, Facebook) as well as google analytics get loaded. All of these files support a service to your website visitor, while at the same time also track these users across the internet even if they don't have an account with any of these social media networks.
Fortunately in 2017 there are many privacy minded organizations and individuals who have attempted to address this situation and come up with alternatives that protect the privacy of visitors to your website.
A blog post written by Sebastian Greger from 2014 addresses this topic quite well and also provides two examples of alternatives to social media buttons. There are many other alternatives that have been developed, and I'm sure the web designer you work with might also have ideas.
https://sebastiangreger.net/2014/03/privacy-aware-design-social-media-buttons/
So my ask to you is, if you believe and agree that unwarranted mass surveillance should not be supported, then please consider making changes to your website with an alternative to social media buttons that perform unwarranted mass surveillance.