For Data Privacy Day we should take the time to look at the current state of privacy and set the direction and tone for the future. Today, let’s stop and think not just about the minimum requirements of privacy legislation, but rather about the world we’re building and handing to our children. How easy or hard do we want the collection of privacy metadata to be tomorrow, in 10 years or in 100 years? Because while we can do the bare minimum and can rearchitect for the future, it behooves us to take the long view here and see privacy as a major and important challenge for all of us.
The constant drumbeat of breaches, including Solar Winds, desensitizes us collectively to the importance of identity security and privacy in our daily lives. In the last decade alone, billions of identities have been stolen around the world, making it safe to say that nearly everyone in the world has had their identity stolen at least once. And for many people it has been two or three times. Hyperbole helps no one in this situation and that sort of number just sounds apocalyptic. However, it loses all meaning when most people think about how little the downside of this has affected them day-to-day.
Imagine the world using Tinkertoy as an analogy for privacy. Tinkertoy sets are used to build structures made up of hubs and connecting rods. Think of the hubs or “nodes” being people, objects, computers and data and the rods or “edges” being the relationship among us like “child of,” “owned by” or “used by.” We could take this massive structure to a ridiculous extreme and could theoretically represent the entire world in a shifting, powerful construct. We have a branch of mathematics ideal to this sort of mapping called Graph Theory. It’s all about mining metadata about the structure and then selling it for money, exactly what data aggregators like Google, LinkedIn and Facebook do.
It costs money to learn about this super graph that exists, shifting theoretically and combining us all. Some of the metadata we want available for public safety and law enforcement, cheaply and easily. Others, we want to share selectively with like-minded people or for products and services we like. Finally, some of it we may not want to share, could be recorded wrong or we may not even know about.
In a perfect world, privacy controls the metadata about the “real” graph structure and Tinkertoy becomes the sum total of the world and all its “things.” Specifically, it’s about the rule of law and about the cost to obtain this information. We want law enforcement, under the right conditions, to get data as defined by law; but we also do not want anyone else lowering the costs of obtaining any of this information. We also want to put people back in the center, controlling the nodes and edges that are about them or related to them: their family, their friends, their interests, their things.
While it’s hard for many to understand and even harder to enforce, it’s an important distinction: we should not only obey the letter of the laws and regulations, but should “lean in” and “do no harm” to the mission of putting the elements of the super graph in control of the metadata collected and used about them. It’s an ongoing struggle that’s vital for us to understand rather than just paying lip service to the regulatory language of the day or progressively watching our privacy erode as we downplay its importance and become more and more desensitized by the minutiae of the latest breach.
Sam Curry, chief security officer, Cybereason