In my role as LegalSifter’s chief content officer, I’ve been looking into provisions relating to information security. In the process, I’ve encountered some new jargon. (I use the word jargon as shorthand for unhelpful terms of art.) One example has stood out—the phrase principle of least privilege, sometimes truncated to just least privilege. Here’s an example:
There’s a good chance you’re asking yourselves, as I did originally, What the heck does that mean? It doesn’t help that the phrase is syntactically botched, and that one encounters variants using the plural—principles of least privilege and principle of least privileges. Sometimes you see it in quotation marks, but all that does is confirm that we’re dealing with jargon.
Here’s an early expression of the idea (found here):
Least privilege: Every program and every user of the system should operate using the least set of privileges necessary to complete the job. Primarily, this principle limits the damage that can result from an accident or error. It also reduces the number of potential interactions among privileged programs to the minimum for correct operation, so that unintentional, unwanted, or improper uses of privilege are less likely to occur. Thus, if a question arises related to misuse of a privilege, the number of programs that must be audited is minimized. Put another way, if a mechanism can provide “firewalls,” the principle of least privilege provides a rationale for where to install the firewalls. The military security rule of “need-to-know” is an example of this principle.
In MSCD 13.208, I suggest that drafters consider explaining in a contract the meaning of another bit of jargon, coupled with an interest. The same approach would make sense with principle of least privilege, and I found an example:
But you could express the concept without using jargon:
That’s what I’d do, unless people clamor that the phrase principle of least privilege is so entrenched that omitting it would raise eyebrows.
But there’s a broader issue. The examples above refer just to access to information, the idea being that an information system is more secure if you give users access to only the information they need, as opposed to giving them access to all information if they need any of the information.
But principle of least privilege could be understood as referring to broader limits. Here’s what my indulgent resource on IT matters, Neil Brown (@neil_neilzone) of decoded.legal, said in an email to me:
To my mind, the principle of “least privilege” means that each role should have the most limited set of permissions that it needs, in order to perform the role required of it. There is an overlap, but I would see the “least privilege” principle extending beyond merely access to information, but rather access to parts of a file system, and — perhaps especially — access to perform certain tasks on a computer.
For example, an account used to read information from a database does not need permission to write information to the database, or delete information from the database, let alone reset the password of other users of the database.
In a more “computer security” sense, it means giving a user of a computer the bare permissions they need, or are trusted to have. So, for example, the user account I use on a day-to-day basis does not have permission to install software on my computer, or make certain risky changes to the computer’s settings. If I want to do that, I need to log in with an account which gives me heightened privileges — for example, if I want to disable the firewall, or the always-on VPN settings, or install software.
I think there is an overlap, but that they are not quite the same.
Which goes very much to your core point, which is that, without defining these terms, or referring to an external definition which is fit for purpose, two people reading the same term could come to different conclusions as to what is required.
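To make the database example in Neil’s email concrete, here is an added example (not from this post, and not Neil Brown’s own code) of how the read-only account he describes would be set up in PostgreSQL. The role name report_reader, the table names orders and customers, and the password placeholder are assumptions for illustration only.

```sql
-- Added example (not from the post): a PostgreSQL account that can only read.
-- Role name, table names and the password placeholder are assumed for illustration.

-- The over-privileged version, which least privilege is meant to avoid:
--   CREATE ROLE report_reader LOGIN SUPERUSER PASSWORD '...';
-- A superuser can write, delete, and reset any other user's password.

-- 1. Create a login role with no role-management or database-creation rights.
--    Without CREATEROLE it cannot run ALTER ROLE ... PASSWORD on other users.
CREATE ROLE report_reader LOGIN
    PASSWORD 'CHANGE-ME-placeholder'
    NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT;

-- 2. Take away what every role gets by default on the public schema,
--    then hand back only what reading requires.
REVOKE ALL ON SCHEMA public FROM PUBLIC;
GRANT USAGE ON SCHEMA public TO report_reader;

-- 3. Read access to the specific tables the job needs, and nothing else:
--    no INSERT, UPDATE, DELETE or TRUNCATE.
GRANT SELECT ON TABLE orders, customers TO report_reader;

-- 4. Tables created later in this schema stay read-only for the role
--    (applies to tables created by the role that runs this statement).
ALTER DEFAULT PRIVILEGES IN SCHEMA public
    GRANT SELECT ON TABLES TO report_reader;

-- 5. Verify: list exactly which table privileges the role ended up with.
SELECT table_name, privilege_type
FROM information_schema.role_table_grants
WHERE grantee = 'report_reader'
ORDER BY table_name, privilege_type;
```

The final query is the check a reviewer would run: any row whose privilege_type is something other than SELECT means the account has drifted beyond the “read information from a database” job Neil describes, and that is the point at which a contractual promise of “least privilege” has quietly stopped being true.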
So instead of relying on imprecise and somewhat obscure jargon—the phrase principle of least privilege—consider being specific about what controls you have in mind.
By the way, if you review contracts in which information-security provisions feature prominently, you might want to check out LegalSifter’s new infosec “sifters.” Have your people contact my people. Scratch that—have them contact me!
1 thought on “A Case Study in Jargon: ‘The Principle of Least Privilege’”
This is a challenge with many information security terms. Infosec will tell you that the ‘jargon’ is well understood, but when you start to question your client on what they understand certain phrases to mean, in terms of the practical application of the contract, there is rarely consensus. For example, everyone thinks there is an agreed understanding of malware, but malware is still software. So software designed to delete files after a certain time to manage storage constraints has both a legitimate use and a malicious one. Penetration testing is another phrase that appears to have taken on its own definition, but as the arrests last year of cybersecurity consultants in Iowa show, what a penetration test, or security assessment, actually consists of is not always the same between client and consultants. My other favourite: multifactor authentication. When included as a requirement in a contract, it should specify exactly what ‘multi’ means, which by its very definition is “two or more”. So are you complying by using two independent credentials, or are you expected to have three? This may all seem like nit-picking, but these things matter when a breach occurs (or someone is arrested!) and everyone is looking to apportion liability.