Shostack + Friends Blog Archive


"Anonymized, of course"

I’ve noticed a couple of times lately that as people discuss talking about security incidents, they don’t only default to the idea of anonymization, they often insert an “of course” after it.

But today I want to talk about the phrase “anonymized, of course”, what it means, why people might say it, and how members of the New School should tackle it when it comes up.

First, let’s look at what it means to anonymize aspects of security breaches. That means that we take an incident and hide to whom it happened, the way we do with a small subset of other crimes, primarily rape, but also sometimes defamation. This is good insofar as it inhibits silly finger-pointing and name-calling. But it also stops learning. I can’t go listen to a talk from the CISO of PwnedCo and see what I might learn from what he talks about and what he doesn’t talk about. I can’t see that an award went to the CEO of Comodo, right before they were pwned, and adjust my opinions accordingly.

In other words, anonymization breaks feedback loops.

But that’s probably not what people mean when they say “anonymized, of course”. So what could they mean?

  1. First, it may be an acknowledgement of today’s reality: we have little to no information sharing (never mind publishing). Anonymized may, for a while, be the best we can do. Heck, it may be the best we can ever do. I think we can do better, and “we can’t do better” is a testable hypothesis which fails pretty regular testing. Those of us in the New School think we should learn something when our hypotheses fail.

  2. Second, it may be an attempt to reassure listeners that the speaker is not some crazy radical New School type who wants to do the inconcievable. Excuse me, “inconceivable.” They know that it’s just never worked that way, and feel a need to re-assure themselves and/or others of that obvious reality.
  3. Third, it may be an attempt to delay argument over how much data should be published. Sometimes postponing argument is helpful for moving a project forward overall, other times it’s politics in the worst way.
  4. Fourth, it may be an attempt, conscious or unconscious, to define the boundaries of acceptable debate to exclude the idea of sharing information that includes names. I find this last form, especially in its conscious form, to be the most objectionable. I don’t object to debate, or even rhetoric in its better forms, but attempts to define things as outside what reasonable people can discuss are outside what reasonable people do with reasonable arguments.

So what do we do for each of these meanings?

Acknowledgements of reality are reasonable. However, they have a nasty habit of reinforcing and validating the reality they acknowledge. That can be useful as a matter of transmitting knowledge or approaches. It can also be harmful when what’s reinforced really isn’t reality. (“Of course, the Earth is flat, so you’ll fall off the edge.”) Both this and conscious attempts to align with the old school ways that have kept us superstitious for so long deserve a gentle challenge. Perhaps something in the form of “Do we really need to anonymize this data?”

2 comments on ""Anonymized, of course""

  • Chandler says:

    You forgot #5, the Law Department won’t let them speak on record.

    Pretty much any corporation today has some mix of extremely restrictive confidentiality agreements that we must sign as a condition of employement, absurd “Social Media Policies” and other forms of speech inhibition. If I were to speak about a breach and name my employer by name, I would find myself fired and probably served for violation of those agreements in short order.

    I’ve talked to General Counsels about this issue, and while they care deeply about the topic, their concern is strictly limited to ensuring that an incident isn’t used as the basis of a shareholder or investor lawsuit. They see no benefit and feel that it’s actually contrary to their obligation of Fiduciary Responsibility to allow these sorts of disclosures.

  • Very interesting observation.

    I think it’s #2 and #4. If I say “anonymized, of course” I am not merely asserting the boundaries of what is reasonable and assuring you which side I am on, but I am placing the audience with me. Effectively “We here all think alike on this issue, others may differ.” Isn’t this an us/them divider statement?

    Will see if I can think of other us/them examples in common use in securtity. There are a lot of us/them divides. Us is generally the collection of right-thinking fellow travellers that I hang out with. Them can be cybercriminals, researchers who don’t “of course” anonymize data, anyone in my management chain who “doesn’t get it” and questions the need for whatever expenditure I am advocating, wild-eyed Newschoolers, users………

Comments are closed.