How to totally screw up privacy, while pretending to do privacy

Aug 15, 2013 | 5 mins
Tags: Compliance, Privacy, Social Engineering

There's often a disconnect between the policies in place intended to protect privacy, and the measures necessary to actually protect privacy.

Security and privacy aren’t new. Security professionals have been beating the same drum for a decade, and yet security continues to be an afterthought for many organizations and developers, and the actual goal is frequently obscured by smoke-and-mirrors attempts to achieve it.

This article is inspired by events that happened to me this morning, so let me start by telling that story:

My wife reserved a book through our local county library. She received an email saying that the book was available, and was being held at the desk. I was heading out, and going in the direction of the library, so she forwarded the email to me and asked me to pick up the book for her.

I assumed I would walk in and say “We got an email that the book you’re holding for us is available,” and they would get it, and then I would check it out using my own library card. Instead, the librarian asked for my wife’s library card. I said I didn’t have her card, but I did have the email if that would help–I thought she was just trying to find a way to pull up the title in the system so she could go find it.

Nope. She informed me that I have to have her library card to check the books out. I suggested that the library should find a way to link the cards for a family so that we can all access the same stuff, and she explained to me that they can’t let me know what titles my wife has reserved or check them out without her card. It’s a privacy thing.

Oh. OK. So, to protect my wife’s privacy I’m not allowed to know what titles she has reserved, or do her the favor of checking them out. But, if I have her library card in my possession, suddenly that’s no longer a concern?

True story, bro.

Now, back to the point. This is an example of trying to enforce privacy protection, but doing so with a flawed policy that just makes things more difficult for everyone without actually protecting privacy.

I can understand that there may be privacy issues involved. A husband could be checking out books about how to file for divorce, or a wife might check out a book on how to protect herself from an abusive spouse. I get it. If the goal is to honor and protect that privacy, though, how is it OK for me to know what books my wife has checked out, or to check out the books she has reserved just because I have her library card? Does the library believe that I can somehow forward myself the email notification that the book is available, but that it’s not possible for me to be in possession of her library card without her knowledge and consent?

The fact of the matter is that the library has no authentication or verification system in place. Even if the library policy was smart enough to require that the individual come and pick up their own books, I could take my wife’s library card from her purse, give it to any adult female, and have her check out the book(s) for me. Anyone could walk in with my library card and check out books as me, or with my wife’s library card and check out books as her. They don’t check ID or ask you to prove who you are in any way.

How are you protecting or enforcing privacy at your organization? Is it a superficial attempt at pretending to protect privacy–like our public library uses–or do you have tools and controls in place that actually authenticate the user’s identity to ensure positive verification and make sure that privacy is actually protected?

By the way–just in case you were wondering–the book my wife had on hold was just a book from the “Magic Treehouse” series for one of my kids to read.

UPDATE: The “privacy” at my library is worse than I thought. It turns out that reserved books are not held behind the desk. They’re on a shelf anyone can get to, in alphabetical order with the name of the person who reserved it on a piece of paper held by a rubber band.

I’m sure glad they’re going to such lengths to protect our privacy.

To put this in context, it would be like an organization requiring a user login in order to actually edit data, but having all of the data stored in the open where anyone can view it, and anyone can see who owns it or who else is viewing it. And, all that’s required to “log in” and gain complete access is a username–without any password, or any additional authentication to validate the identity of the person entering the username.
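To make the contrast concrete, here is a small model of the two policies described above: the library's actual rule (whoever presents a card number gets the holds, and the shelf is readable by anyone) next to a version that authenticates the person and lets a holder explicitly delegate to a family member, as the article suggests. This is an added illustration, not code from the article; the card numbers, PINs, titles and the household link are all constructed.

```python
"""Possession of an identifier vs. authenticated, delegable access (added example)."""
import hmac

# Constructed sample data: card number -> titles on hold, and the name on the slip.
HOLDS = {
    "card-1001": {"name": "A. Reader", "titles": ["Magic Treehouse #5"]},
    "card-1002": {"name": "B. Reader", "titles": []},
}
# Secret known only to the card holder (constructed); a real system stores a hash.
PINS = {"card-1001": "4821", "card-1002": "7730"}
# Household links the article proposes: owner card -> cards allowed to act for it.
DELEGATES = {"card-1001": {"card-1002"}}


def shelf_weak() -> list[tuple[str, str]]:
    """The open hold shelf: anyone can read every holder's name and title."""
    return [(h["name"], t) for h in HOLDS.values() for t in h["titles"]]


def checkout_weak(presented_card: str) -> list[str]:
    """The library's real policy: the card number is an identifier, not a
    credential, so whoever presents it is treated as the holder."""
    return HOLDS.get(presented_card, {}).get("titles", [])


def _authenticate(card: str, pin: str) -> None:
    expected = PINS.get(card, "")
    # Constant-time compare so a wrong PIN and an unknown card look the same.
    if not expected or not hmac.compare_digest(expected, pin):
        raise PermissionError("authentication failed")


def checkout_strong(actor_card: str, pin: str, owner_card: str) -> list[str]:
    """Authenticate the person acting, then authorize: they may see and collect
    holds only for their own card or one that explicitly delegated to them."""
    _authenticate(actor_card, pin)
    if actor_card != owner_card and actor_card not in DELEGATES.get(owner_card, set()):
        raise PermissionError("not authorized to act for this holder")
    return list(HOLDS[owner_card]["titles"])


if __name__ == "__main__":
    print("open shelf:", shelf_weak())
    print("weak, stranger with card:", checkout_weak("card-1001"))
    print("strong, delegated spouse:", checkout_strong("card-1002", "7730", "card-1001"))
```

The weak path never fails for a card number that exists, which is exactly the gap the article describes; the strong path fails closed on a bad PIN or a missing delegation.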