Want data privacy? Work on data security first
I’ve been suggesting for a while that Data Privacy Day, which came and went Jan. 28 without much of a ripple (little to no mention of it in a mainstream media that, in my corner of the world, was obsessed with an impending snowstorm), should be renamed Lack of Data Privacy Day.
For two reasons. The most obvious, which gets the most attention, is the continuing erosion of personal privacy, examples of which were served up over the past couple of weeks without any apparent awareness of the irony of the timing.
Star security blogger Brian Krebs reminded us in mid-January that, starting this summer, the only way for taxpayers to create an online account with the IRS will be through ID.me, “an online identity verification service that requires applicants to submit copies of bills and identity documents, as well as a live video feed of their faces via a mobile device.”
That’s right — the feds intend to collect digital images of all our faces. What could go wrong?
And U.S. Transportation Secretary Pete Buttigieg, just one day before Data Privacy Day, released a road safety plan promoting the use of “speed safety cameras” — an automated system of enforcing speed limits that, if his goal becomes reality, would mean you can’t go anywhere in a vehicle without being under government surveillance. For your safety, of course.
That may be a while coming — at the moment, eight states have laws prohibiting speed cameras, although another 18 allow them.
The less obvious (but just as important) reason is that no matter what laws exist restricting data collection, storage, and use, data won’t remain private if it’s not secure. And as we see every year from reports on data breaches, data security remains a problem.
A couple of recent reports found that software vulnerabilities and data breaches were at record levels in 2021. And those statistics were just from the ones that got reported publicly.
Indeed, while there is room for debate over what constitutes invasion of personal privacy, there shouldn’t be any disagreement that data in the hands of others, whether in the private or public sector, should be secure. Yet too often, it isn’t.
Start with security
In our connected world, your age, gender, what you buy or sell, where you go, who you see, what you post on social media, what you study, what you believe, what you wear, what kind and how much exercise you do, how healthy you are, your relationships, where you work, what you earn, and more — it’s all online.
So if you want data privacy, you need to talk about data security first, and then do something about it. One of the earliest and still one of the most famous privacy laws on the books is the EU’s General Data Protection Regulation. Note that “protection,” not “privacy,” is the operative word in the title.
The good news is that there definitely is some talking going on. The bad news is that a lot of the doing remains undone. Boris Cipot, security engineer with the Synopsys Software Integrity Group, noted that there are encouraging signs of greater awareness about the need for better data security, ranging from President Joe Biden’s Executive Order on Improving the Nation’s Cybersecurity to the trend of more companies moving to keep their software patched and up-to-date with a comprehensive inventory of components called a software Bill of Materials (SBOM).
“However, on the side of really doing something to make things better I don’t have the feeling that there’s a big rush,” Cipot said. “Yes, there are ideas on what must happen but it’s more a checklist than guidance on how to achieve data privacy and protection.”
“For example, ordering companies to create an SBOM isn’t enough. There must be clear guidance on what it will look like — what is a complete SBOM and how the information needs to be handled.”
Less data, less risk
This doesn’t mean current privacy laws have no security value at all. One of the best things most of them do is limit data collection and storage. And the less data that needs protection, the better.
Cipot is among numerous experts who have noted that without restrictions, companies tend to collect customer data indiscriminately and keep it indefinitely. “Some user data that is stored by some companies doesn’t even have a relevant need today as it dates several years back,” he said.
Market forces can also create incentives for data security and privacy. Tim Mackey, principal security strategist within the Synopsys Cybersecurity Research Center, said that since most business activity involves personal data, even if it’s just a credit card transaction in a shop, “businesses that fail to properly manage the data their customers willingly share risk damaging their reputation and by extension breaking the trust their customers have placed in them.”
That trust, he added, is “much easier to break than to build, or rebuild.”
Still, even with catastrophic breaches every year that compromise the personal data of hundreds of millions to billions of people, consumers show little sign of curbing their sharing, or oversharing.
Paul Ducklin noted on the Sophos Naked Security blog that, “many of us actively enjoy using online services — especially social networks — and making online friends. Loosely speaking, we’re happy to trade information about our own lives in return for insights into, and engagement with, the lives of other people.”
It’s just that most of us don’t think about the reality that we may be trading information with people looking to steal our identities and money.
All of which means that improving data security, and therefore data privacy, requires an “all-hands” approach, from individuals, organizations, and government. Fortunately, there is good advice on all those fronts.
First, you really do have some control of how many details of your life end up online. Keep in mind that nothing online is “just between you and me” or a few friends. It’s between you and billions of people, many of whom might not have your best interests at heart. The less you share, the less there is to get compromised.
Then there are security fundamentals. If you use passwords, make them long and complex, and don’t use the same one for multiple sites. Use multifactor authentication when it’s available. Be wary — even a bit paranoid — of phishing scams and don’t give out any personal information or click any attachments in a communication you didn’t initiate.
Ducklin recommends taking the time to understand and configure available privacy controls in the apps and online services you use.
He notes that this isn’t always easy, given that they are “often scattered liberally across numerous Settings pages.”
“[But] don’t be afraid to dig through all the options — you may be pleasantly surprised at some of the controls available — and don’t just rely on the default settings,” he wrote. “Try turning off as many data sharing options as you can, and only turn them back on if you decide you really want and need them.”
Keep data collection to a minimum and don’t store it longer than necessary. Mackey notes what should be obvious. “The only data contained in a data breach is data that was available to breach, so it stands to reason that an abundance of customer data and profiles increases the interest cybercriminals might have in targeting specific businesses,” he said.
But the data that remains in a company’s hands needs rigorous protection. Cipot said that protection should include proper encryption, proper access controls, and access monitoring.
“Separation of data and also the systems that store it is important,” he said. “User profile data and the password should be kept longer, so it needs to be handled differently than other data that should be deleted maybe in one week.”
Data privacy is obviously on the radar of governments around the world. The National Law Review reported that according to one estimate, “by 2023, 65% of the world’s population will have its personal data covered under modern privacy regulations, up from 10% in 2021.”
It also listed 13 countries including the U.S., plus the EU, that have privacy laws taking effect this year. Four U.S. states have privacy laws taking effect within the next 18 months, and another dozen states have privacy legislation pending.
And on the data security front, among the directives in the Biden executive order is that within 10 months of the order (May 12, 2021), civilian federal agencies must buy only products that meet certain cybersecurity standards — although there is some wiggle room built in that allows agencies to request an extension. That’s known as “procurement leverage” — the hope is that if vendors have to comply with more rigorous standards to sell to the government, they will provide the same for their private sector customers as well.
Finally, the White House Office of Management and Budget announced late last month its intent to have the federal government adopt a “zero-trust” security model within the next two years.
The concept takes President Reagan’s “trust but verify” motto up a notch, where local devices and connections are never trusted and verification is required at every step to gain any access.
While that is a welcome development, the feds are a bit late to the party — John Kindervag, then an analyst with Forrester Research, created the model in 2010. And it will be a while before it can be implemented at the federal level, according to the Cybersecurity and Infrastructure Security Agency, which said in a draft of its “Zero-Trust Maturity Model” that “the path to zero-trust is an incremental process that will take years to implement,” and that “legacy infrastructure and systems may not support a zero-trust implementation.”