Delivering On Data Privacy and Security
The last 18 months has made it very difficult for any Western Governments to suggest that they are entirely innocent when it comes to exploiting our universal connectivity for state or commercial aims.
The Edward Snowden revelations were shocking in detailing the willingness of national security agencies to conduct mass surveillance and we have pretty much accepted that everyone is spying on everyone. This has potentially very worrying consequences for the consumer, who is potentially vulnerable and has very little means of recourse.
Certainly, the actions of the European Union in changing data protection laws, the proposed Investigatory Power Bill in the UK and the Cybersecurity Information Sharing Act (CISA) in the USA are designed to update legislation to keep in step with today’s Internet, but I believe that it is technology, not legislation that holds the key to improving security, data privacy and getting away from the culture of mass surveillance.
When we consider the future of data privacy in the context of national and cybersecurity the key demand should not be universal access, because of a misguided belief that if you’re doing nothing wrong you have nothing to hide. The start point should be the complete opposite and the question that should be asked is, “What if you couldn’t spy on me?”
Mass Surveillance doesn’t work
Even though security services argue mass surveillance enables even greater intelligence and faster response times to threats, we have very little, if any, proof it works. The Anderson Report in the wake of the Snowden revelations touches on this point: only one thing is certain. Mass surveillance guarantees information belonging to every citizen around the world could potentially be stored and analyzed by a Government body. This is a fundamental abuse of human rights.
That aside, is it even a valid approach to cybercrime and anti-terrorism?
Governments are only chasing a small group of individuals and experience suggests that the volume of data gathered, as well as the techniques used to analyze it, do not necessarily equate to more effective intelligence.
Sadly both the Charlie Hebdo attack and the Boston bombing show that even in countries where the security services already have sophisticated surveillance equipment and perpetrators are known to authorities it does not lead to better intelligence. From a technical perspective the problem is that traditional methods of data analysis seek to find patterns or a well-defined profile from a regular volume of events, in order to identify predictable patterns.
Tragically these terrorist attacks are so rare and unique that they are atypical, and do not comply with traditional prediction analytics. Indeed one would argue that most self-respecting cyber-criminals and terrorists would not allow themselves to be exposed via Internet-connected technologies, precisely because they know the security services are watching.
As Bruce Schneier, the respected security technologist, says of the obsession with mass data collection:
“When you’re looking for the needle, the last thing you want to do is pile lots more hay on it. More specifically, there is no scientific rationale for believing that adding irrelevant data about innocent people makes it easier to find a terrorist attack, and lots of evidence that it does not.”
Old-Fashioned Cyber-Security does not work either…
Many commentators are agreed in saying that trying to build firewalls and defensive mechanisms does not keep out the cyber criminals. Every day organizations that supposedly have huge budgets to protect sensitive data are falling victim to new cybercrime.
The reason is simple. We are more connected than ever before, meaning there are more access points and vulnerabilities than ever before. There is no way companies can use old fashioned castle and moat approaches toward data protection. If we are to remain connected 24/7 we have to think differently about protecting data and our proposition boils down to letting individual pieces of data roam freely on the Worldwide Web.
This is an oversimplification, but ultimately our approach breaks up individual pieces of data and adds layers of encryption protection which means it is even harder for criminals or state actors to even identify data, never mind use it. Ultimately, we are suggesting a move to a decentralized Internet architecture, where all our data resides on the world’s unused computing resources, a crowd-sourced Internet if you will. An approach where only the owner of the data will be able to put the individual pieces back together, reconstituting them into human readable form. However, this approach requires consumers and organizations to break free of the traditional thinking about cyber-security and be willing to release their data into the wild.
Give the User Control
Of course the intelligence and security agencies will say that if an individual has total control of his or her data, then the bad guys will get away with crimes that cannot be traced. However, catching criminals cannot be carried out using data alone and it requires a mixed strategy of both physical and online detection if it is to succeed. Certainly that requires more resources, but removing the agencies reliance on data will force a rethink in approach and potentially lead to greater innovation in the fight against such crime.
Indeed returning control to the user will also force a more enlightened approach and better behavior from corporates. If the user is in total control of his or her data that means information could be released anonymously without fear of repercussions. At a time when being a whistle blower is a costly business it would mean organizations could not intimidate individuals to keep quiet and would have to become more diligent in good corporate practices.
In the paradigm of a decentralised and crowd sourced infrastructure, giving the user complete control should not be considered a bad thing, rather a force for good. Data privacy will actually become a tool for individuals to protect their identities and even hold others accountable. Instead, in today’s model data privacy is a barrier to online commerce, national security and catching the bad guys — it’s no wonder consumers feel under such pressure to acquiesce to requests for their information.
Originally published in InfoSecurity Magazine: http://www.infosecurity-magazine.com/opinions/delivering-on-data-privacy-and/