When the House of Representatives recently voted to overturn a proposed ruling that would have limited internet service providers’ ability to share and sell customer data, cries of “foul” were heard throughout the privacy and security practitioner communities. Privacy wonks are more likely to remain aggravated over the decision, but security practitioners have moved on in the month+, turning their attention instead to pressing matters which fit squarely into the “security” box. The problem with this, as with software development and the supply chain, is that security cannot extricate itself from issues not immediately under security’s direct authority. Uncontrolled proliferation of data puts both organizations and consumers at greater risk of loss, abuse, or destruction. Privacy and security are, therefore, not an “either/or,” but something that requires closer collaboration.
Consumers in the U.S. are conflicted about privacy. On the one hand, many believe it is citizens’ inalienable right to privacy (it’s not). On the other, it’s not uncommon to hear even the most privacy-minded complaining that privacy is all but a lost cause in today’s technology- and surveillance-heavy world. To the latter point, consumers do, absolutely, willingly surrender personal information in exchange for use of a website or app, when purchasing goods online, when filling out webforms, etc. Consumers may not be focused on the “giving up” part when they want access to something, but it’s no secret that data are king in today’s corporate world, and most companies with any kind of online presence have the lengthy terms and conditions to prove it.
Who wants to read twelve pages of terms and conditions to download a free app or buy a new pair of shoes? No one. Categorically no one. Except, maybe, lawyers. Shawn E. Tuma, who is a cybersecurity and privacy attorney himself, says that companies aren’t to blame. “The real problem,” he says, “is that people in the U.S. are not as concerned about privacy rights as EU citizens seem to be,” referring to the newly implemented General Data Protection Requirements (GDPR). The GDPR comes on the tails of many years of privacy legislation in the EU and is designed to not only allow consumers more direction over the use of their personally identifiable information (PII), but also requires companies to put improved security controls and policies in place, in theory, diminishing the probabilities of data breach. The idea is that if citizens and companies are working together on data oversight, the outcomes are better.
In the U.S., though, we don’t maintain the Right to be Forgotten and companies make it very difficult for consumers to understand the extent of how PII is used, sold, or secured. “We value convenience more than privacy,” says Tuma, adding that, “We could say that the right to sell our personal information needs to be an extra step.” That extra step, however, isn’t something that most people are willing to take. Despite security’s attempts, two-factor authentication and password managers are slow to catch on among the non-security set. People aren’t likely to check a site’s security and privacy settings even when a notice is sent out; it’s only after a user experiences something negative (like seeing themselves tagged in an unflattering picture on Instagram) and posts about the experience on social media that people act enraged.
How often does that rage turn into action, though? Not very, says Tuma. “Privacy,” he says, “starts with the people and it has to start with the people. People want all kinds of stuff but are they willing to spend an hour and go talk about it and do something about it? Not usually. At present, [to the average person], privacy and security are viewed as a burden.”
Tuma is optimistic, though, that at some point this is going to change: “Over time we’re going to see breach class action lawsuits gaining in success. No ships have been sunk yet, but we’re going to see a greater number of hits with more courts understanding the nuances, and the law will evolve in a direction where these lawsuits will be more successful.” In just the last month several major consumer brands have reported large-scale breaches, and we’re waiting to see the fallout (if any). If Tuma’s predictions come true, this spells necessary change on the security front.
The world, of course, is no stranger to breaches, but at some point consumers are going to become fed up. It’s one thing to have one’s credit card stolen, not be responsible for any charges, and need to start using a new card. It’s another thing when your internet service provider sells or shares consumer data to a third party that suffers a breach and suddenly millions of internet users’ personal habits are up for viewing on Pastebin. Or your GPS app leaks data and now every place you’ve traveled in the last 12 months is traceable by anyone with an internet connection.
We haven’t yet seen an abundance of this type of breach, but it’s coming. Though data are what make today’s businesses go ‘round, security needs to be cognizant of the fact that more unrestricted data equals greater risk to the organization. “That’s the privacy office’s job” isn’t going to cut it in the long run. It’s incumbent upon privacy and security teams together to explain to the business the perils of liberal data collection and use. It’s then security’s charge to architect systems to better handle the amount of data stored and transmitted. Though areas like IoT and DevOps are more intriguing, a focus on good, old data protection practices is necessary given the possibilities of malfeasance or even simple accidents.