[HN Gopher] NIST Privacy Framework
       ___________________________________________________________________
        
       NIST Privacy Framework
        
       Author : sacrosanct
       Score  : 72 points
       Date   : 2023-04-18 15:47 UTC (7 hours ago)
        
 (HTM) web link (www.nist.gov)
        
       | KennyBlanken wrote:
       | [flagged]
        
         | Raineer wrote:
         | If you're going to blame NIST for what NSA did in this case -
         | you might as well say "don't even trust anyone for digital
         | privacy" since the NSA already collects literally everything
         | from everyone.
         | 
         | I think the implication that NIST lacks integrity is unfair.
        
           | vuln wrote:
           | "Not wittingly"
           | 
           | https://apnews.com/article/business-33a88feb083ea35515de3c73.
           | ..
        
         | retrocryptid wrote:
         | Did you read the content at the link you posted? It seems to
         | imply the opposite of the comment you made.
        
         | VWWHFSfQ wrote:
         | My understanding was that NSA was the bad actor here. Not NIST.
         | They intentionally withheld information about a timing
         | vulnerability in an encryption algorithm that was being
         | evaluated for standardization by NIST.
        
           | mananaysiempre wrote:
           | We'll see once _Bernstein v NIST_ [1] settles, though I'm
           | willing to accept that was normal bureaucratic apathy and
           | inertia rather than anything nefarious. Still, if we change
           | "trust NIST [not to _be_ evil]" to "trust NIST's processes
           | [not to be _exploitable by_ evil]", I'm not at all reassured.
           | It pays to remember the backdoor was not at all unknown[2]
           | even before the standard entered NIST from ANSI.
           | 
           | Honestly, the whole debacle with making NIST be in charge of
           | (civilian) cryptography makes me more than a little bit sad.
           | Originally, it's a metrology institution. Metrologists
           | (worldwide) are a very small circle of narrow-focused (and
           | not outrageously well-paid) specialists that usually react to
           | anybody being interested in their field with the kind of joy
           | most often encountered in small fluffy animals. (They are
           | similar to archivists, observational astronomers, or
           | invertebrate biologists in that way.) Now it seems as though
           | the whole enterprise in the US has become tainted by the
           | association with the national security behemoth.
           | 
           | [1] https://www.courtlistener.com/docket/64872195/bernstein-
           | v-na...
           | 
           | [2] https://blog.cryptographyengineering.com/2015/01/14/hopef
           | ull... (I especially like the passive-aggressive patent)
        
             | KennyBlanken wrote:
             | If it were not for the fact that this has happened
             | _multiple_ times, and that each time the cryptography
              | community was openly skeptical, I could believe "normal
             | bureaucratic apathy and inertia."
        
               | tptacek wrote:
               | What are the "multiple" times here?
        
             | tptacek wrote:
             | Bernstein vs. NIST is just a FOIA suit, about an open
             | standards contest where all the participants were public
             | academics. It's not going to uncover the next BULLRUN.
        
               | mananaysiempre wrote:
               | I don't really expect it to (and the known situation is
               | bad enough already that I don't expect much would change
               | even if it did).
               | 
               | But I do hope it'll shed some light on the entanglement
               | (pun not intended) between the NSA and whatever process
               | drives NIST's crypto publications. There obviously has to
               | be some, given the former is the US government crypto
               | expert and the other is the issuer of public documents on
               | US government crypto. But as a data point for NIST's
               | credibility, it'd be nice to know how screwed up it is
               | there. Maybe I won't learn anything about that here
               | either? Dunno.
        
       | dboreham wrote:
       | Regulatory capture sausage in the making?
        
       | javier_e06 wrote:
       | From their site: "The NIST Privacy Framework is a voluntary tool
       | developed in collaboration with stakeholders intended to help
       | organizations identify and manage privacy risk to build
       | innovative products and services while protecting individuals'
       | privacy."
       | 
       | What is a voluntary tool? Beats me. Who are the stakeholders?
       | Beats me. Help organizations to manage risk. What kind of risk?
          | Whose privacy? Yadda yadda yadda... Run-on sentence. My takeaway:
       | NIST needs to hire writers.
        
         | stonogo wrote:
         | "Voluntary tool" means other federal agencies are not required
         | to adopt it. "Developed in collaboration with stakeholders"
         | means this was not 100% internally developed at NIST.
         | 
         | The rest of your questions are answered in the FAQ.
         | 
         | It's not a run-on sentence; it's just a long one, and if you're
         | looking for a way to ensure your users' privacy while building
         | a computer-oriented service, that executive summary tells you
         | enough to decide whether this is something you want to further
         | investigate. Drive-by web forum commentators, in general, are
         | not considered target audience for these documents.
        
         | varunjain99 wrote:
         | Maybe it was written by ChatGPT!
        
           | gdevenyi wrote:
            | Just a Bureaucrat. Same thing.
        
             | retrocryptid wrote:
             | If you were there when we were writing that copy back in
              | 2005, you could have schooled us in how not to write like an
              | LLM that hadn't been invented yet.
             | 
             | Also, the copy you're referring to was written by a
             | contractor, not "a bureaucrat."
        
         | blakes wrote:
         | With NIST frameworks, one needs to explore a bit. Here are some
         | of the stakeholders:
         | 
         | https://www.nist.gov/privacy-framework/request-comment
         | 
         | And here is the PDF that should answer all of the other
         | questions you have:
         | 
         | https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.01162020.pd...
        
           | mcint wrote:
           | Excellent links, thank you!
           | 
           | I can imagine the benefit of having this as a reference,
           | instead of needing to have meetings across departments and
           | levels to negotiate who's responsible for what, in an open-
           | ended way.
           | 
           | Thanks to NIST for providing a Schelling point for
           | appropriate coordination to uphold privacy, and a scaffold of
            | reasonably good, reasonably thorough thinking about how to
           | appropriately handle privacy, and the general roles of
           | everyone involved in a coherent effort inside or outside an
           | enterprise. Raising the water line!
        
         | [deleted]
        
         | schnable wrote:
         | I suspect this is a result of too many writers!
        
         | billiam wrote:
         | This one is in the tl;dr HN uninformed expert Hall of Fame. Did
         | you click even one level down? NIST is a standards organization
         | whose usually very careful work is to provide frameworks for
         | people to make products, make business decisions, and create
         | entire industries. It's not a single Github repo you can clone
          | or a blog post can dissect. The companies, researchers, and
         | organizations that will use this framework understand it and
          | will, I am sure, be able to use it and suggest areas of
         | improvement.
        
         | Kalium wrote:
         | If I may attempt to offer a translation:
         | 
         | > The NIST Privacy Framework is a voluntary tool
         | 
         | This is something that organizations can choose to use. We are
         | a standards body, not a regulatory agency.
         | 
         | > developed in collaboration with stakeholders
         | 
         | We actually talked to people who need and use standards of this
         | sort. We integrated their feedback.
         | 
         | > intended to help organizations identify and manage privacy
         | risk
         | 
         | The goal is to help organizations understand the chances they
         | are taking with private data.
         | 
         | > build innovative products and services while protecting
         | individuals' privacy
         | 
         | While still being able to actually make use of the data to
         | accomplish goals that matter in some way.
         | 
         | ----
         | 
         | Basically, this is completely comprehensible to most people and
         | organizations who expect to be making use of this sort of
         | standard. Like any technical document, it has a specialized
         | vocabulary. It is not written for, and should not be judged by,
         | the prose expectations of the general population.
         | 
         | NIST has writers. They are technical writers who are writing
         | technical documentation intended for technical readers. We
         | should calibrate our expectations accordingly.
        
           | ozim wrote:
            | I agree, full stop. I'd like to know the background of the
            | parent poster, just to understand his motivation for
            | criticizing.
            | 
            | Was he writing with a negative approach just because he can,
            | or did he just fail to get the meaning between the lines
            | because he is not the target audience?
        
             | Kalium wrote:
             | At a guess, not the target audience combined with a failure
             | to recognize it as a technical document. The latter is
             | completely understandable. NIST uses words that can be
             | found in daily business use, but they take on technical
             | meanings.
        
         | unethical_ban wrote:
         | A voluntary tool is a tool you don't need to use.
         | 
         | NIST is a government organization, and it helps to explain that
         | this is a tool provided by government for your discretionary
         | use; it is not a regulatory framework.
        
         | retrocryptid wrote:
         | It's okay, you're not the target audience. People who are
         | already know the answers to these questions.
        
         | pleasantpeasant wrote:
         | Maybe they don't want you to know those things.
        
       | ChikkaChiChi wrote:
       | This is from 2020
        
       | psychphysic wrote:
       | I know we don't have much choice but is this really safe?
       | 
       | The recent pentagon papers are nothing if not impressive of how
       | deeply US intelligence is in just about every conversation that
       | matters.
       | 
       | So can we trust NIST? As far as I know there have been concerns
       | in the past that they have played ball and so have private
       | security firms.
       | 
       | That said maybe a US backdoor is better than all round shoddy
       | engineering?
       | 
       | I imagine something like this would be a great way to slip in a
       | weak link.
        
         | unethical_ban wrote:
         | This is a policy framework, not an encryption algorithm.
        
         | kjs3 wrote:
         | What 'choice' exactly are you being denied?
        
           | psychphysic wrote:
            | Alternative sources of advice that aren't confirmed to work
           | with NSA to spy on people.
        
             | kjs3 wrote:
             | You do understand this is a non-obligatory guidance
             | document, right? You can continue to not read nor
             | understand it and no one will be any the wiser. The NSA
             | will almost certainly not put you on a blacklist someplace
             | (no promises and all that). Then you can google "privacy
             | framework" to find a wealth of other non-obligatory
             | guidance documents more to your liking (most of which will
             | reference a NIST document or two someplace, so be careful).
        
               | psychphysic wrote:
               | I guess you're being purposely obtuse here. It's probably
               | not as funny or smart as you think though.
               | 
               | To spell it out as simply as possible for you (just
                | in case), I'd sure like it if there was a privacy framework
               | document not created by a likely adversary.
               | 
               | I'm sure there is good advice in whatever documents the
                | FSB or China's MSS create. Is there an alternative
               | source that could be trusted?
               | 
               | If you don't know what the word alternative means please
               | Google it.
        
       ___________________________________________________________________
       (page generated 2023-04-18 23:00 UTC)