Privacy is a critical area for IT, and as social media and mobile extend potential privacy invasions into areas once considered safe, reasonable safeguards must be taken. But it has to be acknowledged that many restrictions — you’re not allowed to save this or to track that — are simply not going to work. If data can be accessed, it will be used and retained, and no rules or laws to the contrary will make any difference.
Two recent events make it clear how such attempts are futile. In Germany, a country where privacy is generally valued much higher than in the U.S., a mini-uproar erupted when the government was asked to not store the IP addresses of web visitors. A European Union court ultimately told the government it could go right ahead and save the addresses. And if the court had gone the other way, are we supposed to believe that thousands of government employees would have simply done without the data?
Then there was the dust-up when law enforcement started using a social media monitoring tool to pursue alleged criminals.
I understand the sensitivities involved, but tools and data that are generally accessible to people can’t be put into a box that’s off-limits to government, corporations or law enforcement. Restricting access to private data — think tax returns or medical exams — is a very different issue.
Data is sort of like the dinosaurs in the movie Jurassic Park as described by mathematician Ian Malcolm when he pushes back against park management for attempting to control dinosaur breeding: “The kind of control you’re attempting simply is not possible. If there is one thing the history of evolution has taught us it’s that life will not be contained. Life breaks free, it expands to new territories and crashes through barriers, painfully, maybe even dangerously.”
Data is no more controllable. Once data enters the internet, it will be accessed and logged and stored and analyzed and compared with a billion other pieces of data. You can’t legislate data access away.
This is why we need to rethink privacy expectations and make them more realistic. It’s often been said that privacy doesn’t exist anymore. That’s not true. But what is true is that a massive number of things that could be considered private 20 years ago no longer are.
Often, we have no one to blame other than ourselves. Years ago, Social Security numbers were considered sensitive and private. Then companies and schools started asking for them routinely and they became a makeshift identification number.
As that data became easy to find in web searches, Social Security numbers were no longer private. Impact: In 1970, asking for a Social Security number could be a reasonable identity verification. Today, not so much. And given how remarkably difficult it is to change one’s Social Security number, it is a huge privacy and security problem.
In the world of online payments, we have a similar example: The CVV. Those are the numbers on the back of Mastercards and Visas (on the front for American Express) that are not embossed. This goes back to the days when payment cards were run through a sliding mechanism that left an imprint on a carbon paper receipt. The CVV didn’t appear because those numbers weren’t raised. The original rationale? Because it would never appear on a receipt, merchants online could ask for the CVV as proof that the person was holding the actual card, as opposed to a receipt that he or she had fished out of someone’s trash.
But now that e-commerce sites routinely ask for the CVV, that data no longer means anything. It doesn’t mean that you have the actual card. It could simply mean that one of the umpteen million e-tailers that had that number has been breached. So, again, we have a number that at one point was private and meaningful and is now close to pointless.
Let’s go back to what we now consider private. Medical exams? As electronic medical record requirements spread, hospitals and doctor’s offices are outsourcing them to specialists. And those specialists may not be especially security-aware, or willing to pay the money to get help.
In short, expect your latest EKG or eye exam to be in the files of Eastern European cyberthieves.
What about tax returns? How many of those returns are in the files of Intuit, which helps people automate tax records? Breaking into the IRS may be difficult (OK, probably not, but let’s pretend), but accessing files from Intuit or its subcontractors should be far easier. And how about offsite backups?
Enough doom and gloom. Is there anything today that still is private? Yes. Ideas and thoughts that you dream up but never put into your computer or mobile device. For the moment, those are private.
Why for the moment? I am a big fan of Siri, the A.I. assistant in iOS. Whenever I have a question, I simply say, “Hey, Siri” and ask it. Think about that. That means that Siri’s microphone is constantly listening, awaiting that command. What is to prevent Apple from making use of what it hears while waiting? Or an identity thief who breaks into that mobile device?
For that matter, what about the internet of things? How many science fiction fans aren’t worried about their smart refrigerator, thermostat or security system noting everything they are doing?
Anything recorded or analyzed can be accessed. A few things are private today, but we may soon need safe rooms where all electronics are banned just to have a private conversation.
Maybe people are right. Privacy may not exist anymore.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.