Keeping Information Security Simple – Privacy – Free isn’t free: If you aren’t paying for it, you and your data are the product being sold!

Letter from the CISO, Vol 1 Issue 8

Washington University Community:

This is the National Cybersecurity Alliance’s Data Privacy Week, and because security is closely related to privacy, I thought I’d say a few things about it.

The “right to privacy” was defined by Justice Louis Brandeis in an 1890 article as the right “to be let alone,” making it a relatively new concept from a legal point of view. It significantly precedes the host of technological threats presented by ever-present personal computers, mobile devices, network-connected cameras, microphones, and sensors.

While I am an Information Security guy, I’ve spent a lot of time worrying about privacy and have served as the Data Protection Officer for half a dozen companies. The good news is that there are many laws and regulations that help protect us from excessive invasions of our privacy. The bad news is they form a patchwork of protections and gaps that vary between countries like the United States where we generally regulate privacy by industry (think HIPAA for healthcare, FERPA for education, COPPA for children, FCRA for financial credit reporting, etc.), and European Union countries, where the right to privacy is considered a fundamental human right and the regulations are much more comprehensive (see the EU General Data Protection Act – GDPR).

There are foundational privacy principles that underpin all of these protections, such as a legal requirement to notify people about what you are going to do with their data and a legal obligation to adequately protect it.

If you have responsibility for protecting privacy, there are lots of materials available from the International Association of Privacy Professionals at

Recognize the problem!

Recognizing a problem is the first step toward being able to address it. The trap many of us fall into (over and over again) is that we don’t see the problem, much less acknowledge it.

“Free isn’t free!” is the most important thing to know about privacy when it comes to software and internet services. In other words, if you aren’t paying for it, you and your data are the product being sold!

Back in 2018, Facebook CEO Mark Zuckerberg explained to Congress that Facebook’s service was free because “we sell ads.” Facebook knows a lot about you from what you and your friends put in your Facebook profiles, what you post and like on the platform, and from the cookies they collect from you, which show many of the websites you visit. This is supposed to help them (and others) show you more appropriate and targeted ads, but this is often really annoying and sometimes downright creepy.

In the annoying category is when you are shopping around for a new dishwasher, find and order one, and then have ads for dishwashers show up for weeks afterward, even though your new one has already been installed! In the creepy category are stories of people receiving advertisements for diapers and baby products before they even know they are pregnant.

But what should we do?

For a list of simple steps to take to protect your privacy, please see the article “How to Take Back Control of Your Data This Data Privacy Week” in this issue of SECURED! at

If you are interested in learning more about privacy, the University’s HIPAA Privacy Office has lots of great information at

The aforementioned International Association of Privacy Professionals is also an excellent source of information, as well as education and professional credentials.

While some people argue that “privacy is dead,” Wash U’s very own Neil Richards, Distinguished Professor in Law and author of “Why Privacy Matters,” argues that it is really up for grabs. See a brief interview at

Thank you for reading and being part of the University’s Information Security (and Privacy) teams!

Good luck and be careful out there!

-Chris Shull, CISO