Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Taking Measure

Just a Standard Blog

A Framework for Online Privacy

concept art showing profiles of featureless faces behind a filed of 1s and 0s
Credit: Lightspring/shutterstock.com

Online privacy is a growing concern. Companies are mining our personal information and preferences to sell us products and present us with other kinds of content that we will like. But as useful as the fruits of this data sharing can be, there is a dark side. Data breaches have exposed us to identity theft, extortion and made us susceptible to manipulation that goes far beyond consumer product preferences. We spoke with NIST Senior Privacy Policy Advisor Naomi Lefkovitz about online privacy and the NIST Privacy Framework a developing voluntary tool that organizations can use to better identify, assess, manage and communicate privacy risks.

What do we mean when we say “privacy” with regard to cybersecurity, and why is privacy a concern? What type of information needs to be protected, and what can happen when it isn't?

NBL: While good cybersecurity practices help manage privacy risk by protecting people’s information, privacy risks also can arise from how organizations collect, store, use and share this information to meet their mission or business objectives, as well as how individuals interact with products and services. For example, people can be unhappy with how much of their information is being collected or be stigmatized or experience other problems even when they’ve authorized the information to be disclosed. These problems can cause people direct emotional distress as well as causing them to limit or abandon their use of beneficial products and services due to lack of trust. For instance, some communities rejected smart meters that were intended to make electricity distribution more efficient because they were concerned that the data being collected about their electrical use could be used to make inferences about their behavior inside their homes. It’s very important that organizations think not only about protecting against unauthorized uses of individuals’ information, but also about how they are intentionally using this information, and the steps they can take to minimize any resulting problems that individuals might experience.

Why do we need a privacy framework? How would it be used?

NBL: It is a challenge to design, operate or use technologies in ways that are mindful of diverse privacy needs in an increasingly connected and complex environment. Inside and outside the U.S., there are multiplying visions for how to address these challenges. NIST aims to collaboratively develop the Privacy Framework as a voluntary, enterprise-level tool that could provide a catalog of privacy outcomes and approaches to help organizations prioritize strategies that create flexible, effective privacy protection solutions and that let individuals enjoy the benefits of innovative technologies with greater confidence and trust. I encourage organizations that want to get involved to visit our website.

What can people do to protect themselves? What do you do or tell your family and friends to do?

NBL: I personally think organizations have the primary responsibility to manage privacy risks because they are the ones determining how to collect, store, use and share individuals’ information to meet their mission or business objectives. That said, I do encourage my friends and family to think carefully about how and with whom they share information online. Be very vigilant about clicking on suspicious links or opening documents in emails. And no, I’m not going to tell you to read privacy notices — at least until they get a lot simpler and easier to understand!

You have had an interesting career, from French literature to law to cybersecurity. What drew you to cybersecurity? Can you talk a little more about your career path? Is this where you thought you would end up?

NBL: To be perfectly honest, at law school, I wanted to go into international environmental law to save the world. However, I initially deferred that plan to take a job as in-house counsel with a startup—one of the first e-commerce retailers (this was the mid- to late-90s). I gained a lot of great experience and learned a lot about the importance of account security and consumer protection. I like to point out that I wrote one of the first online privacy notices—it was only a paragraph long! From there, I joined the Federal Trade Commission where I worked on privacy and identity management and authentication issues. This focus on privacy and identity management prepared me to take on a detail in 2010 at the Cybersecurity Directorate of the National Security Council where I helped draft and promote the Obama Administration’s National Strategy for Trusted Identities in Cyberspace (NSTIC). Then, it was an easy hop to NIST. I started in the original NSTIC program office, but over the last few years, I have been leading the development of a privacy engineering program to help organizations implement better privacy protections into their products and services whether they’re engaged in identity management, big data, mobile, IoT (internet of things) or any technology domain.

Any last thoughts?

NBL: There’s going to be a lot of focus this coming year on the voluntary Privacy Framework that we’re developing, but I think it’s important not to lose sight of some of the foundational work on privacy risk assessment, applied privacy and standards development that we’re continuing to do. We have some new and exciting efforts coming soon. To keep apprised of our ongoing work, please visit the Privacy Engineering Program website.

About the author

Naomi Lefkovitz

Naomi Lefkovitz is the senior privacy policy advisor in the NIST Information Technology Laboratory. She leads the privacy engineering program, which focuses on developing privacy risk management processes and integrating solutions for protecting individuals’ privacy into information technologies, including digital identity services, IoT, smart cities, big data, mobile and artificial intelligence. She also leads the development team for the NIST Privacy Framework.

Comments

Naomi, Thank you for writing about privacy. It is important for us who work in the IT business and for everyone to understand and work to protect. Thank you for your work at NIST. Have a great rest of the week. Jim Larson

Hello Naomi,
What legislative agenda will you/have you or are you promoting to affirm privacy policy, especially when it comes to dealing with the aftermath of a data breach that impacts the individual (identity thefts, plain thefts, cyber financial bullying, etc)?
-Gérard Cattin

Is there information for the release date? Is it February 2019?

I commend you for you efforts. Did the privacy staff at the White House approve this draft?

Add new comment

CAPTCHA
Image CAPTCHA
Enter the characters shown in the image.
This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.
Please be respectful when posting comments. We will post all comments without editing as long as they are appropriate for a public, family friendly website, are on topic and do not contain profanity, personal attacks, misleading or false information/accusations or promote specific commercial products, services or organizations. Comments that violate our comment policy or include links to non-government organizations/web pages will not be posted.