To share or not to share, that is the question and the answer is heavily dependent on the information in question, the context of the sharing, and whom you ask. ‘Loose lips sink ships’ is a term that refers to maintaining operational security by refraining from disclosing operational information through casual conversations (or other information sharing channels). Transparency is a key requirement imposed upon many organizations by mandate and is, in general, considered a good trust and public relations stance. Everyone has a ‘right to privacy’ based on established law even if there are many exceptions and work-arounds to that right. Let me delve a little deeper into each of these three terms and sone things to consider when evaluating whether information should be shared or protected. This post does not have any intention of suggesting any laws, regulations, best practices, or compliance requirements be ignored or undermined. This post is intended to provide an opinion on the daily practical operations of sharing information and not a strategic or compliance view of information sharing.
‘Loose lips sink ships’ is a term that has been around for many many decades and hails from a time when intelligence gathering heavily relied on first-person eaves dropping or social manipulation. It’s from the days when the Brits trained their intelligence officers to be chimney sweeps so they could listen to confidential conversations of German military officers. Despite being passed down from such a technologically basic time the term still has a basis in truth. Casually speaking (or emailing) about sensitive operations can permit adversaries to gain direct knowledge of operations that can be attacked. This is why polyinstantiation was developed. With polyinstantiation, personnel and systems that have a lower security, sensitivity, or trust rating receive a version of operational information that is not correct while the correct information is retained by higher security, sensitivity, or trust holding personnel or systems. In this way any leaks of information can be tracked to a specific trust, security, or sensitivity tier and only the most trusted tier can leak legitimate information. A practical example of this concept in action exists in the US Marine Corps. The “Lance Corporal Underground” (often the butt of many jokes) is when scuttle is passed about without being verified and often the information is extremely incorrect. This polyinstantiated information (or disimformation in some circles) is passed to feed the curiosity of lower-grade less trusted ranks while maintaining operational security. Loose lips sink ships unless they are speaking polyinstantiated operations. Whereas loose lips refers to operational strategically and tactically sensitive information transparency entails the release if information for mass consumption.
Transparency is required by mandate for a wide variety of organizations and is considered a good practice for the remainder (depending on whom you ask). When we speak about transparency it is essential to determine the depth of information that must be made available to be transparent while also ensuring information that could compromise operations is secured and protected from sharing. Yes, having a solid governance program can facilitate this requirement; however, within the governance program the delineation between sensitive and general information can be difficult to delineate. That is where this section is intended to be considered. The purpose of transparency is to provide such great detail that an ‘outsider’ or ‘independent third-party’ can evaluate if any misuse, abuse, or other unsavory operations are taking place without knowing the exact tactics used by the organization. A practical example would be the Department of Homeland Security publicly disclosing that it has conducted mass deployments of cellular signal interception technologies, how many devices have been deployed, how often the devices are deployed, redeployed, or moved, the purpose, scope, and limitations of the interception operations while maintaining operational secrecy about how the devices operate, the exact, precise location of devices, and the exact targets of any ongoing investigations. Currently DHS is not transparent about its mass surveillance activities. This may be due to the fact these activities may be legally questionable given the United States’ wire tapping laws and the legally enforceable ‘reasonable expectation of privacy’.
In the United States everyone has a reasonable expectation of privacy with caveats. One of those caveats occurs when an organization uses a logon or warning banner that clearly informs the user they have no reasonable expectation of privacy. So, there are no limits (in the United States) about what data can be collected and maintained about citizens (with nearly no exceptions). Only after every metric, datapoint, and indicator is collected about a subject (you) do any laws come into effect. The only way the laws are enforceable is if you know whom is stealing your data and how that data can be sold. There are no laws that prevent organizations from aggregating large volumes of data on a subject then ‘anonymizing’ it, selling the ‘anonymized’ data to anyone they choose, then having the purchaser use advanced capabilities to ‘deanonymize’ your data. This is especially dangerous when a single parent organization maintains separated daughter organizations that offer the sale of different sets of anonymized data that can be deanonymized to build complex and invasive documentation about you. Going back to transparency, as organizations are forced to be more transparent (or are increasingly exposed by competitors) questionable and invasive privacy practices that favor data mining and hoarding will most likely diminish consumer and stock-holder confidence in organizations. Privacy laws aren’t relevant of privacy information is not maintained.
So, loose lips sink ships unless they scuttle polyinstantiated data. Transparency is a requirement and a best practice. People have a reasonable expectation of privacy unless they are told they don’t and privacy laws don’t take ‘anonymized’ data into consideration despite the advanced techniques used to deanonymize your personal details and data.