‘Privacy by Design’ is not just for companies
NOTE: This column is written for The Daily of the University of Washington, and was originally published HERE.
We live in the age of massive data breaches. From Yahoo compromising all its users to Equifax compromising the data of nearly half the country, our recent past is littered with examples of entire systems failing us. But security and privacy work upward from the user and downward from the systems. As responsible as companies need to be, we, as student consumers, ought to be aware of the information we give out and how we “design” our privacy as well.
A relatively new paradigm called “Privacy by Design” offers companies a few rules of thumb to ensure security. Deloitte, a large audit, consulting, advisory, and tax service firm, defines Privacy by Design as “a framework based on proactively embedding privacy into the design and operation of IT systems, networked infrastructure, and business practices.” With principles like “leading with privacy as the default setting” and “maintain visibility and transparency,” the framework pushes companies and providers to aim for more secure systems.
Unfortunately, experts are unsure to what extent this can be achieved, given the current state of affairs, and whether even that achievement will improve things.
“I could argue that there is no app that has no vulnerabilities,” said Barbara Endicott-Popovsky, executive director at the Center for Information Assurance and Cybersecurity and lead instructor for the Certificate in Information Security & Risk Management at the UW. “The underlying technology for the internet is insecure as designed.”
She said this is because the internet’s current Transmission Control Protocol/Internet Protocol (TCP/IP) protocols were initially built for a trusted network of academics and military personnel. Endicott-Popovsky asserted that even when the internet started growing in the ’90s, people “lacked the imagination” to understand the consequences of the underlying technology when applied to a global network with criminals and state-sponsored actors.
Further, the regulations underlying security and privacy are different in different countries.
“We don’t live in Europe, we live in America,” said Annie Searle, lecturer at the UW iSchool and principal of ASA Risk Consultants. “What data is protected vociferously in Europe is not protected here.”
It doesn’t help that regulations are always behind the times and that hostile actors are always one step ahead. This means that even if Privacy by Design were magically implemented tomorrow on every app around the world, the vulnerabilities would stay.
Beyond existing threats and regulatory inertia, the rise of the Internet of Things (IoT) is an additional cause for concern. The IoT essentially consists of a network of connected devices with electronics and Wi-Fi embedded into all of them. As it is, we have phones, watches, laptops, and tablets connected to the internet. Fridges, thermostats, cars, coffee makers, cameras, VR headsets, remotes, and other everyday devices are increasingly connected to the internet as well. Many of these are insecure. Last October’s massive internet outage was caused by security vulnerabilities in IoT devices like closed-circuit TV cameras, DVRs, and routers.
So regulations are slow, the underlying technology is inherently vulnerable, perfect compliance doesn’t guarantee security or privacy, and things are all set to get worse. Is there an element in the system that can be designed better to improve things? It’s we students who have to be more responsible with our information consumption.
“Human behavior is the most important element in designing privacy,” Searle said.
Endicott-Popovsky agreed, and in discussing students at the UW, called out our information behavior.
“What I see in general is a lack of awareness of just how vulnerable we are online,” she said. “These technologies we develop have not earned the blind trust that many invest in them.”
This isn’t to say that having a password other than “password” will magically make us invulnerable or that the larger technological forces will in any way be retarded. A sophomore in the gender studies or even the computer science and engineering department can do little to stop the next big IoT hack.
But maintaining a basic level of security for ourselves and our devices can go a long way. Endicott-Popovsky’s recommendations are threefold. She asked students to raise their awareness by visiting the page of the UW’s Office of the Chief Information Security Officer, which includes several best practices for students to follow. She also suggests that when students are taught engineering, they should incorporate cyber security by design into their work to ensure a generation of builders who consider security and privacy to be inherent rather than extraneous in what they do. Finally, she recommends students take the UW Continuum College EdX course “Essentials of Cybersecurity.”
Searle was more direct in her recommendations.
“In thinking about how to design one’s own privacy, it’s better to think about routines to keep your information private,” she said.
She recommends that students always update their software, enable secure, encrypted browsing (using https instead of http in the browser), actually go through the security settings on Facebook, avoid giving third-party access to sketchy “Which Harry Potter character are you?” quizzes, back up data regularly, and invest in good antivirus software.
It seems obvious now, but we’re in a situation where we’ve been conditioned so much by the convenience of our devices that we don’t consider how we’re making ourselves vulnerable. Companies will rise, and they will fall. Some will be held accountable to the highest degree, most (like Equifax) will not. We cannot individually affect the larger waves of technological development, but we can take care of our own data a little bit better.
“As a society, we can no longer turn a blind eye,” Endicott-Popovsky said.
That’s true, and soon we may not be able to afford it either.