I’ve noticed a couple of times lately that as people discuss talking about security incidents, they don’t only default to the idea of anonymization, they often insert an “of course” after it.
But today I want to talk about the phrase “anonymized, of course”, what it means, why people might say it, and how members of the New School should tackle it when it comes up.
First, let’s look at what it means to anonymize aspects of security breaches. That means that we take an incident and hide to whom it happened, the way we do with a small subset of other crimes, primarily rape, but also sometimes defamation. This is good insofar as it inhibits silly finger-pointing and name-calling. But it also stops learning. I can’t go listen to a talk from the CISO of PwnedCo and see what I might learn from what he talks about and what he doesn’t talk about. I can’t see that an award went to the CEO of Comodo, right before they were pwned, and adjust my opinions accordingly.
In other words, anonymization breaks feedback loops.
But that’s probably not what people mean when they say “anonymized, of course”. So what could they mean?
- First, it may be an acknowledgement of today’s reality: we have little to no information sharing (never mind publishing). Anonymized may, for a while, be the best we can do. Heck, it may be the best we can ever do. I think we can do better, and “we can’t do better” is a testable hypothesis which fails pretty regular testing. Those of us in the New School think we should learn something when our hypotheses fail.
- Second, it may be an attempt to reassure listeners that the speaker is not some crazy radical New School type who wants to do the inconcievable. Excuse me, “inconceivable.” They know that it’s just never worked that way, and feel a need to reassure themselves and/or others of that obvious reality.
- Third, it may be an attempt to delay argument over how much data should be published. Sometimes postponing argument is helpful for moving a project forward overall; other times it’s politics in the worst way.
- Fourth, it may be an attempt, conscious or unconscious, to define the boundaries of acceptable debate to exclude the idea of sharing information that includes names. I find this last form, especially in its conscious form, to be the most objectionable. I don’t object to debate, or even rhetoric in its better forms, but attempts to define things as outside what reasonable people can discuss are outside what reasonable people do with reasonable arguments.
So what do we do for each of these meanings?
Acknowledgements of reality are reasonable. However, they have a nasty habit of reinforcing and validating the reality they acknowledge. That can be useful as a matter of transmitting knowledge or approaches. It can also be harmful when what’s reinforced really isn’t reality. (“Of course, the Earth is flat, so you’ll fall off the edge.”) Both this and conscious attempts to align with the old school ways that have kept us superstitious for so long deserve a gentle challenge. Perhaps something in the form of “Do we really need to anonymize this data?”