Saturday, 9 March 2013

What has surgery got to do with information privacy?

I'm addicted to books and reading and Amazon knows this - I'm willing to give up quite a lot of my privacy for good book suggestions. I went to Amazon to find a copy of Atul Gawande's The Checklist Manifesto and ended up buying his other two books as well: Better and Complications. I received them two days ago and I've finished Checklist and Better and just starting on Complications - compulsive and utterly fascinating reading about Gawande's insights into his work, surgery and medicine in general.

So why is a computer scientist reading this? Simply because we need more discipline and communication in this field. Surgery has cottoned onto this and is following the safety-critical practices of aviation to improve.

Performing audits, especially those which require a deep look inside a system such as privacy or security is remarkably similar to surgery.

We receive a system for audit, sometimes we get a description and a good idea of what to do, sometimes not. We need to diagnose the system, quite literally probing and performing tests and hoping we don't miss something: an insecurely calculated hash or a hidden transformation of an IP address into a location etc.

We then report back to the system owner with our diagnosis and treatment: hash this, destroy this data, stop collecting x,y and z, add this to the T&C's, add an opt-out, go for a security check etc etc...

We don't always know what we'll find until we open the system up. And like surgery, opening a computer system up is just as painful for the patient as well as the engineer.



2 comments:

Aurélie Pols said...

It's an interesting analogy, I've never thought of it like that, thank you for sharing.
The big difference being that the life threat of the patient is still more often than not subjective, depending upon how important an issue privacy is considered by a companies' management.

Having said that, it's true that you tend to poke at the most familiar holes, those you've encountered before and sometimes miss something. Just like a patient might show signs of fever after surgery, which might be deemed normal by the surgeon. Experience therefore remains of essence and follow-up as well, certainly in the light of expanding data capture and evolving technologies and legislations.

Does that mean we should all also take an oath? ;-)

Ian said...

Take an oath? Well, why not? ;-)

I know that some US states restrict the use of the title to those suitably qualified for example.

And as software or system engineers do we not have a duty of care to our customers, in much the same way as other professionals (eg: doctors) do?