💾 Archived View for jsreed5.org › log › 2022 › 202203 › 20220309-social-least-privilege.gmi captured on 2023-01-29 at 02:45:45. Gemini links have been rewritten to link to archived content


Social Least Privilege

2022-03-09

---

Information security has a concept called "least privilege". The idea is that when a user needs to access a system for some purpose, the administrators of that system should grant the user the minimum number of permissions necessary to fulfill that purpose. It's a relatively simple method of reducing the ways a user could harm the system.

The crux of the concept is that the user is only entering the system in the first place because he or she has a specific, limited set of tasks to perform. The list of allowed actions for that user is finite, and it makes sense to block the user from performing other actions because they fall outside the list.

Least privilege assumes a default position that a given user is not allowed to do anything at all. From that starting point, rules are explicitly set that allow the user to perform one action or another. As a regulatory scheme, I think of least privilege as a form of "positive regulation": any regulation can only allow a behavior, and anything not explicitly set by regulation is disallowed. This is in contrast to "negative regulation", in which the default position is that all activities are allowed and regulations can only define disallowed behaviors.
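The two schemes can be put side by side in code. This is an added example, not part of the original post: it audits one "positive" policy and one "negative" policy against the same system, before and after the system gains new actions. All action names and the `Policy` and `audit` helpers are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    """A rule set under one of the two schemes described above."""
    scheme: str        # "positive": default deny, rules can only allow
                       # "negative": default allow, rules can only deny
    rules: frozenset

    def permits(self, action: str) -> bool:
        listed = action in self.rules
        if self.scheme == "positive":
            return listed        # anything not listed is disallowed
        if self.scheme == "negative":
            return not listed    # anything not listed is allowed
        raise ValueError(f"unknown scheme: {self.scheme!r}")


def audit(policy, system_actions, task_actions):
    """Compare what a policy permits with what the user's task needs."""
    permitted = {a for a in system_actions if policy.permits(a)}
    return {
        "excess": sorted(permitted - task_actions),   # allowed, not needed
        "blocked": sorted(task_actions - permitted),  # needed, not allowed
    }


# Constructed sample data: a user with two tasks on a four-action system.
TASK = frozenset({"read_report", "submit_timesheet"})
SYSTEM_V1 = TASK | {"delete_records", "edit_payroll"}
# Later the system gains two actions; the user's job grows by one of them.
SYSTEM_V2 = SYSTEM_V1 | {"export_all_data", "approve_timesheet"}
TASK_V2 = TASK | {"approve_timesheet"}

LEAST_PRIVILEGE = Policy("positive", TASK)
DENYLIST = Policy("negative", frozenset({"delete_records", "edit_payroll"}))

if __name__ == "__main__":
    for name, policy in (("positive", LEAST_PRIVILEGE), ("negative", DENYLIST)):
        print(name, "v1:", audit(policy, SYSTEM_V1, TASK))
        print(name, "v2:", audit(policy, SYSTEM_V2, TASK_V2))
```

Both policies are exact on the original system. Once the system changes, the positive policy blocks the newly needed action until someone grants it, while the negative policy silently permits an action nobody reviewed.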

Laws and statutes tend to embody negative regulations. Specific acts are enumerated and declared unlawful: drunk driving, money laundering, drug dealing, whatever the offense may be. The direct implication is that actions not listed as unlawful are otherwise lawful. Recently, however, our cultures and our legislatures have been embracing positive regulations: only certain forms of payment accepted, only certain foods allowed in schools, only certain vaccination statuses allowed in entertainment venues, etc.

Here I put aside the specific liberal/conservative paradigm of the United States, which has many unrelated connotations. I've observed that negative regulations tend to be a hallmark of a generally liberal society. People are essentially free to do as they please, and only specific actions that inhibit other people's freedoms are disallowed. On the other hand, positive regulations seem to be characteristic of a conservative society. Finite boundaries are set as to what are socially acceptable behaviors, and all else is prohibited.

Which social paradigm is better? There are many proponents of each side, and they tend to have very strong opinions on the matter. But the fact that people are so divided on the issue is, to me, itself an indication that the question has no simple answer.

I acknowledge the utility of positive regulations in matters of business and especially government powers, but I prefer negative regulations in the laws that govern everyday life. In life, people don't have only one task they're meant to do and nothing else--they often want to live full, rich lives with a myriad of experiences. To that end, sometimes I find the increasing popularity of positive-regulation concepts in society rather concerning.

---


[Last updated: 2022-05-23]