[HN Gopher] NIST Privacy Framework

Author : sacrosanct
Score  : 72 points
Date   : 2023-04-18 15:47 UTC
Link   : www.nist.gov

KennyBlanken wrote:
[flagged]

Raineer wrote:
If you're going to blame NIST for what NSA did in this case - you might as well say "don't even trust anyone for digital privacy" since the NSA already collects literally everything from everyone.

I think the implication that NIST lacks integrity is unfair.

vuln wrote:
"Not wittingly"

https://apnews.com/article/business-33a88feb083ea35515de3c73...

retrocryptid wrote:
Did you read the content at the link you posted? It seems to imply the opposite of the comment you made.

VWWHFSfQ wrote:
My understanding was that NSA was the bad actor here. Not NIST. They intentionally withheld information about a timing vulnerability in an encryption algorithm that was being evaluated for standardization by NIST.

mananaysiempre wrote:
We'll see once _Bernstein v NIST_ [1] settles, though I'm willing to accept that was normal bureaucratic apathy and inertia rather than anything nefarious. Still, if we change "trust NIST [not to _be_ evil]" to "trust NIST's processes [not to be _exploitable by_ evil]", I'm not at all reassured. It pays to remember the backdoor was not at all unknown [2] even before the standard entered NIST from ANSI.

Honestly, the whole debacle with making NIST be in charge of (civilian) cryptography makes me more than a little bit sad. Originally, it's a metrology institution. Metrologists (worldwide) are a very small circle of narrow-focused (and not outrageously well-paid) specialists that usually react to anybody being interested in their field with the kind of joy most often encountered in small fluffy animals. (They are similar to archivists, observational astronomers, or invertebrate biologists in that way.) Now it seems as though the whole enterprise in the US has become tainted by the association with the national security behemoth.

[1] https://www.courtlistener.com/docket/64872195/bernstein-v-na...

[2] https://blog.cryptographyengineering.com/2015/01/14/hopefull... (I especially like the passive-aggressive patent)

KennyBlanken wrote:
If it were not for the fact that this has happened _multiple_ times, and that each time the cryptography community was openly skeptical, I could believe "normal bureaucratic apathy and inertia."

tptacek wrote:
What are the "multiple" times here?

tptacek wrote:
Bernstein vs. NIST is just a FOIA suit, about an open standards contest where all the participants were public academics. It's not going to uncover the next BULLRUN.

mananaysiempre wrote:
I don't really expect it to (and the known situation is bad enough already that I don't expect much would change even if it did).

But I do hope it'll shed some light on the entanglement (pun not intended) between the NSA and whatever process drives NIST's crypto publications. There obviously has to be some, given the former is the US government crypto expert and the other is the issuer of public documents on US government crypto. But as a data point for NIST's credibility, it'd be nice to know how screwed up it is there. Maybe I won't learn anything about that here either? Dunno.

dboreham wrote:
Regulatory capture sausage in the making?

javier_e06 wrote:
From their site: "The NIST Privacy Framework is a voluntary tool developed in collaboration with stakeholders intended to help organizations identify and manage privacy risk to build innovative products and services while protecting individuals' privacy."

What is a voluntary tool? Beats me. Who are the stakeholders? Beats me. Help organizations to manage risk. What kind of risk? Whose privacy? Yadda yadda yadda... Run-on sentence. My takeaway: NIST needs to hire writers.

stonogo wrote:
"Voluntary tool" means other federal agencies are not required to adopt it. "Developed in collaboration with stakeholders" means this was not 100% internally developed at NIST.

The rest of your questions are answered in the FAQ.

It's not a run-on sentence; it's just a long one, and if you're looking for a way to ensure your users' privacy while building a computer-oriented service, that executive summary tells you enough to decide whether this is something you want to further investigate. Drive-by web forum commentators, in general, are not considered the target audience for these documents.

varunjain99 wrote:
Maybe it was written by ChatGPT!

gdevenyi wrote:
Just a bureaucrat. Same thing.

retrocryptid wrote:
If you were there when we were writing that copy back in 2005, you could have schooled us in how not to write like an LLM that hadn't been invented yet.

Also, the copy you're referring to was written by a contractor, not "a bureaucrat."

blakes wrote:
With NIST frameworks, one needs to explore a bit. Here are some of the stakeholders:

https://www.nist.gov/privacy-framework/request-comment

And here is the PDF that should answer all of the other questions you have:

https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.01162020.pd...

mcint wrote:
Excellent links, thank you!

I can imagine the benefit of having this as a reference, instead of needing to have meetings across departments and levels to negotiate who's responsible for what, in an open-ended way.

Thanks to NIST for providing a Schelling point for appropriate coordination to uphold privacy, and a scaffold of reasonably good, reasonably thorough thinking about how to appropriately handle privacy, and the general roles of everyone involved in a coherent effort inside or outside an enterprise. Raising the water line!

[deleted]

schnable wrote:
I suspect this is a result of too many writers!

billiam wrote:
This one is in the tl;dr HN uninformed expert Hall of Fame. Did you click even one level down? NIST is a standards organization whose usually very careful work is to provide frameworks for people to make products, make business decisions, and create entire industries. It's not a single GitHub repo you can clone or a blog post you can dissect. The companies, researchers, and organizations that will use this framework understand it and will, I am sure, be able to use it and suggest areas of improvement.

Kalium wrote:
If I may attempt to offer a translation:

> The NIST Privacy Framework is a voluntary tool

This is something that organizations can choose to use. We are a standards body, not a regulatory agency.

> developed in collaboration with stakeholders

We actually talked to people who need and use standards of this sort. We integrated their feedback.

> intended to help organizations identify and manage privacy risk

The goal is to help organizations understand the chances they are taking with private data.

> build innovative products and services while protecting individuals' privacy

While still being able to actually make use of the data to accomplish goals that matter in some way.

----

Basically, this is completely comprehensible to most people and organizations who expect to be making use of this sort of standard. Like any technical document, it has a specialized vocabulary. It is not written for, and should not be judged by, the prose expectations of the general population.

NIST has writers. They are technical writers who are writing technical documentation intended for technical readers. We should calibrate our expectations accordingly.

ozim wrote:
I agree full stop. Would like to know the background of the parent poster just to understand his motivation for criticizing.

Was he writing with a negative approach just because he can, or did he just fail to get the meaning between the lines because he is not the target audience?

Kalium wrote:
At a guess, not the target audience combined with a failure to recognize it as a technical document. The latter is completely understandable. NIST uses words that can be found in daily business use, but they take on technical meanings.

unethical_ban wrote:
A voluntary tool is a tool you don't need to use.

NIST is a government organization, and it helps to explain that this is a tool provided by government for your discretionary use; it is not a regulatory framework.

retrocryptid wrote:
It's okay, you're not the target audience. People who are already know the answers to these questions.

pleasantpeasant wrote:
Maybe they don't want you to know those things.

ChikkaChiChi wrote:
This is from 2020.

psychphysic wrote:
I know we don't have much choice, but is this really safe?

The recent Pentagon papers are nothing if not impressive in how deeply US intelligence is in just about every conversation that matters.

So can we trust NIST? As far as I know there have been concerns in the past that they have played ball, and so have private security firms.

That said, maybe a US backdoor is better than all-round shoddy engineering?

I imagine something like this would be a great way to slip in a weak link.

unethical_ban wrote:
This is a policy framework, not an encryption algorithm.

kjs3 wrote:
What 'choice' exactly are you being denied?

psychphysic wrote:
Alternative sources of advice that aren't confirmed to work with the NSA to spy on people.

kjs3 wrote:
You do understand this is a non-obligatory guidance document, right? You can continue to not read nor understand it and no one will be any the wiser. The NSA will almost certainly not put you on a blacklist someplace (no promises and all that). Then you can google "privacy framework" to find a wealth of other non-obligatory guidance documents more to your liking (most of which will reference a NIST document or two someplace, so be careful).

psychphysic wrote:
I guess you're being purposely obtuse here. It's probably not as funny or smart as you think though.

To spell it out as simply as possible for you (just in case), I'd sure like it if there was a privacy framework document not created by a likely adversary.

I'm sure there is good advice in whatever documents the FSB or China's MSS create, but is there an alternative source that could be trusted?

If you don't know what the word alternative means, please Google it.