In January, NSA contractor Edward Snowden made contact with The Guardian and the Washington Post, and by now we’re all familiar with the state-sponsored surveillance his leaks revealed. Primarily concerned with the US government, and secondarily with the UK government, Snowden’s leaks also implicated other governments, including those of Spain, France and Germany. Everyone, it seems, was spying on everyone else.
In December, InfoWeek’s Robert Cringely published a column headlined “Welcome to the Internet of things. Please check your privacy at the door.”
Information Week’s Kristin Burnham wrote: “Facebook privacy changes seem to never end, which can make tackling your privacy settings a daunting task.”
Just last month the Dutch Data Protection Authority found Google to be in violation of its data protection law.
At various points throughout the year, newspaper headlines screamed out about data breaches:
- Conventioneers’ credit card data stolen in Boston
- Kaiser Permanente Notifies 49K Patients of Data Breach in Anaheim
Adobe, Evernote, LivingSocial and Yahoo! Japan were also hit by major data leaks. Trend Micro chief technology officer Raimund Genes even predicted an increase (to one a month) of “major” data breaches in 2014.
All of this could lead us to believe that 2013 was the Year We Lost our Privacy. But we’d be wrong.
It was 14 years ago, in 1999, that then-Sun Microsystems CEO Scott McNealy said, “You have zero privacy anyway, get over it.” The next year, according to one of the documents released by Snowden, a report by the NSA about its mission for the 21st century noted: “The volumes of routing of data make indexing and processing nuggets of intelligence information more difficult. To perform both its offensive and defensive mission, NSA must ‘live on the network.’” McNealy was either right or prescient. The loss of privacy is not new. What is new to many people, perhaps, is the knowledge of that loss. Rather than labeling 2013 The End of Privacy, we’d do better to call it The End of Innocence.
So what can we do?
In the fall of 2012, before any of the Snowden revelations, I wrote: “Thirteen years after McNealy’s proclamation we still are trying to keep at least some parts of our lives private. We also seem to believe that there is a technological solution that will help us maintain our privacy. That’s not going to happen. Get over it. In fact, technology is a greater aid to those looking to violate our privacy than to those looking to protect it.” That’s certainly proven to be true.
Many people and companies have, over the past year, offered new, innovative and (sometimes) weird ways to protect your data and privacy. Most, if not all, have been shown to be flawed when it comes to protecting against state-sponsored surveillance. Should we stop looking? No. While we may never be able to stop the intrusion of state-sponsored surveillance, we can keep out the criminals, who don’t have the same resources, and that’s a desirable result.
Many tech companies (such as Google, Microsoft, Apple, Yahoo!, etc.) are petitioning and lobbying governments to put an end to state-sponsored mass surveillance. Of course, most of those governments already have laws in place to control this – they just either aren’t enforced or are interpreted in convoluted ways. Should the techs stop doing this? Probably not, as it does keep the issue in front of everybody.
The big takeaway here is that state-sponsored surveillance didn’t start in 2013. Neither did data breaches. If you’ve come this far without leaking data and without being visited by the spooks and spies, then either you’ve been doing the right thing or you’ve been very lucky. Hopefully you’ve been keeping your protections up to date, and you haven’t been drawing attention to your activities. Remember, there’s been no new loss of privacy, only the discovery of what went before.
But you really can’t afford to sit back on your laurels, patting yourself on the back because nothing bad has happened to your organization. You need to keep moving forward, doing what needs to be done to continue to protect your assets: the data and information that give your enterprise its value.
Here at KuppingerCole we take data security and privacy very seriously. We think you need to consider the full lifecycle of information, from creation through to its final disposition. We call this Information Stewardship (see “From Data Leakage Prevention (DLP) to Information Stewardship”) and following its guidelines will keep you from an overactive paranoia about your data and information.
If you haven’t already, you need to move from a technology-centric idea of security to an information-centric approach. The basic objectives of information-centric security are:
- Availability: individuals are able to access the business data and applications they need to perform their business functions when and where they need it, and without delay.
- Integrity: individuals are only able to manipulate data (create, change or delete) in ways that are authorized.
- Confidentiality: data and applications can only be accessed by authorized individuals and these are not able to pass data to which they have legitimate access to other individuals who are not authorized.
Many of this year’s suggestions for encrypting your data, specifically to thwart state-sponsored surveillance, were both cumbersome and doomed to failure, but that doesn’t mean protecting your data through encryption is unnecessary. In fact, we believe that ubiquitous encryption should be a goal for 2014. In his recently released look ahead (“Information Security Predictions and Recommendations 2014”), Martin Kuppinger notes: “When looking at the Information Lifecycle, information frequently is left unencrypted and unprotected in various stages, such as processing.” He adds, “Organizations must have a strategy for ubiquitous encryption, including a strategy for managing and storing the secrets.” There are a lot of people, besides the spy agencies, who want to access your information. That’s where you need to focus your security attention.
There’s a lot more of course, and we’ll be telling you more in the coming year. But if you start working now, you may be able to call 2013 the year you began to protect yourself and your organization.