Security is a very wide subject. If we pare it down to cybersecurity, it still covers everything from the wanton damage of IT systems to espionage to data breaches. Security touches all points in a system, from the human operator out to the Cloud and beyond. Cybersecurity is a fundamental aspect of an identity system. In fact, it is arguable that public-facing verified identity systems, particularly those that transact valuable data, are especially subject to cybersecurity risk management. However, there is good news: although we have had many cybersecurity attacks in recent years, with the 2017 ‘hall of cyber-shame’ gaining new plaques for Uber, Yahoo, and Equifax, we are beginning to make some headway in terms of fighting back.
Organizations like OWASP, with their ‘Top Ten’ security awareness projects, are keeping us informed about the greatest risks. And new technologies are coming down the line to help us arm our organizations against even highly sophisticated attacks; Gartner says that technologies such as deception, Software-Defined Perimeters, and Cloud Access Security Brokers are fast becoming our weapons of choice.
As we begin to tackle cybersecurity with aplomb, we now have the specter of privacy rearing its ugly head - as if we don’t already have enough to do. As we batten down the security hatches, what are we doing about privacy?
Who Cares About Privacy Anyway?
If you mention cybersecurity, people generally sit up and take notice. We have all heard about identity theft or data breaches and the horrors they entail. But mention privacy and many people will answer with “I have nothing to hide, so why should I worry?” Recently, the privacy debate was given more exposure with the Snowden disclosure on mass surveillance, with the revelation that Verizon was handing over all customer phone records to the NSA probably hitting home most keenly. But there is still some confusion over what privacy is and whether it really matters to an individual. Privacy is multifaceted and layered. It is about ourselves and the data that describes us and our lives. Digital privacy spans all touch-points of our online life and can be in the form of individual data endpoints or disparate information that is ultimately aggregated. It can inform a marketer of your annual salary, a government service of your political affiliation, or a criminal of your whereabouts at any given time of the day.
In the midst of the confusion over what privacy actually is, it’s understandable that attitudes towards digital privacy vary. A survey by the UK industry watchdog, Ofcom, found that 27% of users will enter false information in online forms to protect their identity. Many other studies have plotted privacy attitudes against age, gender, and culture, each showing variations in viewpoint. One study looked not only at attitudes towards personal privacy but also at the impact of those attitudes on the privacy of others. Privacy has a very wide reach. Information about your lifestyle and habits could easily be translated into personal information about relatives, a spouse, or friends. With social media, this creates circles within circles of revelation and disclosure.
Respect for Privacy
Not caring about privacy has some serious repercussions. Aside from having to comply with the privacy registrations inherent in the GDPR, there are personal issues at stake too. Some issues related to privacy exposure include:
- Harassment - an example would be where you have given a donation to a cause and detractors of the cause then got hold of your email address and sent threatening emails
- Inside knowledge of lifestyle - used by marketers to send you unsolicited product details
- Surveillance - as seen in the Snowden files
- Misuse of information - an example could be an insurance company using un-consented data from a health wearable to determine your policy details. Another could be a text message being used to send illicit photos of a partner.
- Unsolicited approaches - by companies or individuals after they have found your data online
The bottom line, however, is that one person’s privacy is another person’s free-for-all. We don’t all have the same view of what we consider to be private and personal - the use of social media sites attests to this. Sometimes, however, this is also down to education and experience. Before the major data breaches of the last few years, cybersecurity was not seen as a major issue by the average person in the street. Privacy may well go through the same lifecycle of understanding and acknowledgment as more personal privacy abuses happen.
Privacy is not security, but security can impact privacy. The two are often conflated, but they need to be addressed as separate but related issues. Privacy is going to become as hot an issue as security is now. Architects of identity and ID data systems need to be highly cognizant of this. And, as we develop smart cities which are built upon the capture and aggregation of data across all aspects of our lives, privacy will become a commodity - and ownership disputes will abound. In the end, building identity data systems that incorporate a model of privacy, based on consent and acknowledgment, will be a basis for managing the potential privacy nightmare to come.