Privacy. Security. Risk. Conference Examines the State of Privacy Today
Bringing the IAPP (International Association of Privacy Professionals) and CSA (Cloud Security Alliance) together under one roof for an event makes a great deal of sense, kind of like combining peanut butter and jelly into a sandwich. Good by themselves, but the combination is so much better. You simply cannot have a discussion about privacy without also talking about security, unless of course you live completely off the grid. And who can do that?
The keynote address last Wednesday at the Privacy. Security. Risk. 2015 event, led by Brian Krebs, Adam Tanner, and Kristin Lovejoy, was especially helpful in understanding how entwined security and privacy really are.
Adam Tanner, who is a Fellow, Institute for Quantitative Social Science, Harvard University and author of the book, “What Stays in Vegas: The World of Personal Data – Lifeblood of Big Business – and the End of Privacy as We Know It”, told a story of surveillance in the “old days.” He was in East Germany in 1988 and quickly realized that the Stasi, communist East Germany’s notorious secret police, were following him. Why? Was he a spy? No, according to him he was writing a Fodor’s travel guide. His point was that back then, surveillance involved several agents working together who kept detailed notes on his whereabouts, including his standing in line to buy bread, where he ate dinner and anything else they found the least bit interesting.
In today’s world, an organization like the Stasi would simply monitor Facebook posts or, more draconian still, acquire his credentials and monitor his email and schedule via his Outlook account. (Yes, this can happen.) Mr. Tanner talked about why people give up their privacy. In his book he talks about perks available to frequent visitors to Las Vegas who are willing to let casinos know what they’re doing. In these loyalty programs, visitors agree to record (via smart cards) their activity at the various machines. What the casinos learn from these recorded sessions includes how much people are comfortable losing, what their machine preferences are, etc. So, let’s say an individual is losing more than their typical limit. At this point, the casino might visit this person (they know where he/she is) and offer free tickets to a show. Suddenly, the casino has made this person happy enough to come back to lose some more another day. The visitor is happy and is willing to give up his/her privacy in exchange for free tickets, front-of-the-line treatment at restaurants, discounts on room rates (at off-peak times), etc.
It’s not just in Vegas. We all give up our privacy for better services, the promise of better healthcare or simply to communicate what we’re doing with friends. And with businesses, the dynamic is the same. In order to offer improved, more personal services, they leverage personal customer information. The problem is that compromised personal and personal health data are a frequent byproduct.
The billion-dollar question is whether we should assume that providing personal information to businesses or governments will result in that information being misused or becoming public. Kristin Lovejoy, President of Aquity (which is developing BluVector, an Advanced Malware Detection Platform) and former General Manager of IBM’s Security Services Division, was the next speaker. She articulated the risk well.
Ms. Lovejoy stated that, in fact, all organizations are infected. She further stated that in an average organization with 15,000 employees, 1.7 million security events occur per week. 324 of those events are security attacks. Of those, 78% are deliberate and orchestrated by motivated attackers, of which 56% are outsiders and 22% insiders. Additional attacks involve insiders colluding with outsiders. While only 2.1 of the 324 actually cause damage, that’s still an alarming 2.1 successful compromises per week. How many of these compromises involve the loss of personal data? Hard to say.
The crux of the issue was brought home by Brian Krebs. He stated simply that consumer privacy is a myth. He also stated that data is the new bacon. The fact is that the more data we create, the more we crave the information. Our seemingly private information is readily available and what can’t be attained legally is all-too-easily stolen. We want our personal data appropriately secured by the organizations we entrust it to (in exchange for personalized services). And while we want to live in a terrorist-free world, we don’t want governments prying into our “private” lives. Privacy is certainly entwined with security.
While at the event, there was a “buzz” around the impending Safe Harbor pact ruling. As reported in yesterday’s Wall Street Journal by Natalia Dorzkiak and Sam Schechner, “The European Union’s highest court on Tuesday struck down a trans-Atlantic pact used by thousands of companies to transfer Europeans’ personal information to the U.S., throwing into jeopardy data traffic that underpins the world’s largest trading relationship.” Described as a “victory for privacy advocates,” this decision “ruled that national regulators in the EU can override the 15-year-old ‘Safe Harbor’ pact used by about 4,500 companies, including Apple Inc. and Alphabet Inc.’s Google, because it violates the privacy rights of Europeans by exposing them to allegedly indiscriminate surveillance by the U.S. government.”
The question is broader than this ruling. It’s not just government use of data. It’s the question of whether our data is secure, period. Can individuals worldwide trust governments, retailers, banks, healthcare organizations and more with their personal data? We have reason to be concerned.