Saturday, April 6, 2013

What people in the know now know that you don't know

When I was on Rhodes recently, I marveled at how virtually every building was designed with one principle in mind:  security.  What's the biggest threat to privacy in the world today?  It's security breaches!  People in the know now worry how vulnerable the world's databases have become to security breaches.  

Shadowy armies of hackers around the world, especially in China and Russia, sometimes loosely affiliated with the governments, are succeeding in hacking the world's most sophisticated corporate and government databases.  Security experts know that it's often hard to know that you've been hacked.  I'm more worried about the companies and governments that blithely think (probably wrongly) that they have not been hacked, rather than those that have identified security breaches.  

Real people, year after year, say that identity theft is their number one privacy concern.  And usually, people become victims of identity theft after their personal data has been hacked from a legitimate controller's database, e.g., from your local hospital..  

The risks of security breach are getting worse, and will continue to get much worse for several reasons.  First, the hackers continue to get more sophisticated.  Second, there's just more and more data being collected and stored everywhere.  Third, there's a proliferation of devices being used to collect, store and share data.  Fourth, the lines are being blurred between public and private databases, e.g., between what's behind a firewall and what is not.  Fifth, the rise of social networking and mass-sharing of data.
How should the laws respond to these threats?  

First, security breach notification laws are a good thing.  They bring transparency and help people take precautions, after being told that their personal data may have been compromised.  The US has had these laws for over a decade, and Europe proposes to adopt similar laws soon.  

Second, controllers need to be held to account for having adequate security.  But we also have to be careful not to punish the victim.  In most cases of security hacks, the company/government that has been hacked is the victim of a crime.  They have often been hacked by highly sophisticated organized criminals.  The laws need to be careful not to punish the victims of such crimes, unless it can be demonstrated that they had failed in their duties to maintain adequate security.  If you are the victim of a burglary in your home, you don't expect the police to fine you for not having had adequate security protecting your house.  Ex post, you could always have had more security.  The challenge is figuring out what an appropriate level of security should be, or should have been.  

Third, governments and law enforcement need to step up their games in finding, punishing and dissuading hackers.  The Obama Administration has raised the issue of Chinese hackers at the highest levels of the Chinese government.  Today, sophisticated hackers successfully evade identification and punishment.  

Fourth, individuals need to be helped to protect themselves better.  For example, they can be educated and prodded to use stronger passwords, learn to use privacy settings, keep their systems' security up to date, etc.  

Fifth, ask yourself who's protecting you from the risks of cyberwarfare and cyberterrorism and industrial espionnage.  Are the people who are supposed to be protecting you working together effectively?

It's pretty obvious that most government and corporate controllers have weak security.  I was recently in the offices of a French government agency processing a lifetime of my personal sensitive data, and it was operating a computer system from the 1990's!.  Romanian hackers would probably need 5 minutes to steal every piece of my personal sensitive data from that system, and neither the French government nor I would ever know it had happened.  

If you care about privacy, and you're not worried about security, then you're like a baby turtle, just hatched, hurtling your way to the sea, oblivious to the seagull that's about to extinguish your young life. 

No comments: