Does the privacy of your personal information worry you?
Consider the following from Bruce Schneier’s Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World:
“Surveillance is the business model of the Internet for two primary reasons: people like free, and people like convenient. The truth is, though, that people aren’t given much of a choice. It’s either surveillance or nothing, and the surveillance is conveniently invisible so you don’t have to think about it.”
“In the 17th century, the French statesman Cardinal Richelieu famously said, ‘Show me six lines written by the most honest man in the world, and I will find enough therein to hang him.’ Lavrentiy Beria, head of Joseph Stalin’s secret police in the old Soviet Union, declared, ‘Show me the man, and I’ll show you the crime.’ Both were saying the same thing: if you have enough data about someone, you can find sufficient evidence to find him guilty of something.”
And there you have it in a nutshell. What I call the Internet’s “Privacy Enigma”:
- How much information am I willing to trade off for convenience?
- Who should have access to MY information?
- Do I care whether this access is by a government or by Google? Why?
- How far am I willing to stretch the bounds of access and privacy to allow law enforcement to go after the bad guys (like ISIS)?
- Do I have any confidence that governments will stop there?
- Does sounder encryption ultimately help or hurt the bad guys?
Until recently, the protection and security of information on identifiable individuals had a relatively low profile. Most countries, regions and states have data protection legislation but they vary considerably in the level of protection decreed. Exposure of personal information or data breaches were relatively rare, and state surveillance of such information was generally covert and not acknowledged by governments.
All of this changed quite dramatically in the last few years as a result of the following tensions:
Tension #1 -- We’re Saving Everything.
The amount of personal data stored by companies and governments has soared, and the value of that data to thieves and fraudsters has multiplied as more and more personal business is transacted on the internet. Schneier provides a good summary of the dynamic at play:
“Some quick math. Your laptop probably has a 500-gigabyte hard drive. That big backup drive you might have purchased with it can probably store two or three terabytes. Your corporate network might have one thousand times that: a petabyte. There are names for bigger numbers. A thousand petabytes is an exabyte (a billion billion bytes), a thousand exabytes is a zettabyte, and a thousand zettabytes is a yottabyte. To put it in human terms, an exabyte of data is 500 billion pages of text. All of our data exhaust adds up. By 2010, we as a species were creating more data per day than we did from the beginning of time until 2003. By 2015, 76 exabytes of data will travel across the Internet every year.”
Per Schneier, “In 2015, a petabyte of cloud storage will cost $100,000 per year, down 90% from $1 million in 2011.” On an individual level, we are now saving all of the “stuff” that we all used to periodically get rid of because it was too expensive to save. And so are many companies and organizations.
Tension #2 -- We Actually Have Tools to Understand all the Stuff We’re Saving.
At the very same time that the volume of information being stored has soared, so too has the capability of analytics to make sense of, interpret, find, and link information that was previously incomprehensible due to its sheer volume.
There are any number of ways of demonstrating that this revolution is here and it’s real, but for me one is sufficient. Who could have imagined these Watson commercials even a few years ago?
Wow. Bob Dylan meets Hal in a commercial during a football game. Who would have thunk it? The times they are a changing.
Tension #3 -- Multiple and Inconsistent Responses to Privacy.
The Target security breach and the nearly weekly parade of similar breaches forced companies to look at new approaches to battle organized security attacks. Per AIIM, 36% of smaller organizations, 43% of mid-sized and 52% of large organizations have reported a data breach in the past 12 months. 19% reported a loss due to staff intent and 28% from staff negligence, compared to 13% from external hackers. As a result, 26% suffered loss or exposure of customer data and 18% lost employee data.
Different countries and even different states have different interpretations of what is and isn’t regarded as personally identifiable information. They have varied regulations on the obligations organizations have regarding seeking permission to hold data, keeping information secure, disclosing what they hold, how long they have held it, what it is used for, and also their obligations should they lose it. For example, an AIIM report outlined significant differences across 13 countries for storing personal information in the cloud.
In Europe, legislation to protect personal information originated in the OECD in 1980. The ideas were taken up by the EU Data Protection Directive in 1986, but were interpreted differently across European states - and have been ever since. The US endorsed the OECD recommendations but did not implement them, creating further discontinuities in the global legal framework. In 2012 the European Commission published a draft European General Data Protection Regulation (GDPR) which will be mandatory throughout the EU and the EEA. Although much delayed, it is expected that a final version of the GDPR will be signed off early in 2016, and will become mandatory in 2018. Per a recent AIIM survey, for 45% of organizations, privacy rules are changing faster than they can change their systems.
Tensions #4 and #5 -- The Snowden Revelations and the ISIS Threat.
In the midst of this storage and analytics revolution and the resultant attempts by governments to deal with these forces, two additional external forces have raised the stakes even higher. A drive by organizations and individuals to protect and encrypt private information was a natural reaction to the Patriot Act, to the Snowden revelations and to what these revelations said about the ability of governments to access private information.
Per the Washington Post:
“There are two basic ways people use digital encryption. The first is to lock up data ‘at rest,’ or when you're trying to protect information that's stored somewhere, such as on your computer or your smartphone. You can think of it sort of like a combination safe for your data. In most cases, you use a password or passcode to unlock it. This kind of protection is especially useful if a device gets lost or stolen because it means that whoever gets a hold of it won't be able to dig through whatever personal information might be stored on it.
The second is to secure data ‘in transit,’ or when you're trying to protect information as it travels across the Internet. Here, you can think of encryption as sort of a decoder ring: The two sides of a digital conversation exchange keys that let them understand what each side is saying but prevent others from being able to understand it.”
There has been much controversy of late about the necessity and convenience of using encryption to protect data – partly due to governments in the US, Canada and the UK seeking to preserve the ability of intelligence agencies to monitor and intercept communications, whilst acknowledging the need for all organizations to comply with their data protection and commercial security obligations.
Traditionally, it has been simpler not to encrypt general content, as encryption can disrupt search mechanisms and create password issues when sharing amongst multi-discipline project teams. However, with the increase in cloud content management services, encryption by default has become a desirable feature. Unless the keys are held by the user rather than the service provider, though, it only offers protection from a bulk failure of the host security, rather than built-in security for any individual document. Encrypting all content stored on laptops, USB drives and phones makes much more sense, as bulk data loss is quite likely to occur.
After being burned in the Snowden revelations, private companies also announced policies to inform their customers when they were under government surveillance. Per Techspot in a December 2015 article, “Last week, it was reported that Yahoo had become the latest company that promised to alert users who it suspected were being spied on by state-sponsored actors. Twitter, Facebook and Google had previously assured their users that they would also warn them of any potential government spying.”
As individuals and corporations implemented more advanced encryption capabilities to protect their information, governments began to get concerned about being shut out of these systems, a tension exacerbated by the use of encryption technologies by ISIS.
Again per Techspot, “UK ministers want to make it a criminal offence for tech firms to warn users of requests for access to their communication data made by security organizations such as MI5, MI6 and GCHQ (the Government Communications Headquarters).”
Per the Washington Post, “over the past year, the U.S. government has been mired in a debate over encryption, one that some intelligence and law enforcement officials have tried to rekindle in the wake of the recent attacks in Paris and San Bernardino, Calif. In a televised address...President Obama even alluded to the issue, saying he 'will urge high-tech and law enforcement leaders to make it harder for terrorists to use technology to escape from justice.' And now, the chairman of the House Homeland Security Committee is calling for a commission on encryption and security threats.”
Watch this space. I am convinced that, ultimately, all of the conversation about information governance will be subsumed into the conversation about information privacy and security.
These are some of the security and governance issues we'll be discussing at AIIM16. Join us.