Is Privacy an Illusion?

PRISM/Rainbow tables

What do you see?

In the last few weeks, we have seen how governments are interested in watching, some call it spying on, their netizens. A number of privacy advocates have sounded the klaxon at the perceived level of spying by governments. These were governments that were supposed to have safeguarded the liberty of their citizens and allies. However, several leaks showed that citizens are being relentlessly spied upon in several ways.

Ask politely, and citizens worldwide will share their personal data with everyone through social media, describing all aspects of their lives and even playing online games that highlight their psychological profile. Smart data analytics can reveal a lot more about potential political dissidents than a standard survey. Yes, many of us have no concern about what can be done with the data, but I seriously think that we have to consider the risk element of what we write on social media and how we write it.

Free email systems are not ‘free’: the words and text that you write are analysed, mined and further dissected, only to be sold to the highest bidder. How else could large datacentres afford to give you ‘free’ email? The same goes for file-sharing services. If you wanted to be anonymous you could use an anonymous client, but how do you know which clients are run by governments and which are not? Large companies have had to include back-doors to be allowed to conduct business in the country.

Certain supermarkets now perform heat-map analysis of which aisles you use based on your Wi-Fi signal pattern, and yet others are rumoured to ‘follow’ your RFID tag as you wander around the store, thereby providing information to analysts to predict your next move and decide how to position your next big buy. Remember the story of the teenage girl who was pregnant, but the local supermarket knew about it well before her own father did? So, in short: we are all tracked, through mobile phone signals, Wi-Fi, login times, uploads, geo-tagging and so on. Will we have any privacy? I seriously doubt it. Can unscrupulous data admins or government officials blackmail you with your own personal data: the calls that you made to your girlfriend that your wife doesn’t know about, or the places that you were not meant to be at or that others did not know about?
Person of Interest anyone?


i-spy

Use a privacy screen

Sitting in the train from London to Manchester yesterday, my fellow passenger, an HR Manager in a leading UK bank, pulled out her laptop and started reviewing the numbers for her department: a spreadsheet that contained details of a month-on-month comparison for the business and made for very interesting reading. Next she started on a report that gave me a detailed understanding of the business model and the financials, which in my view was very confidential and should not have been out in the open.

This report mentioned a few names that were based out of the practice in Mumbai and indicated the next moves, which involved promotions and team details. Not content with this, I accessed the internet and figured out her role in the organisation, her colleagues (named in the emails) and their roles within the department, and the nature of the business. As the journey progressed, I was also able to review a tribunal case in progress involving an individual within the organisation.

I am sure that this bank does have a great information security program and regularly holds security awareness sessions within departments, but one does not have to enter the building to get data; this data is provided to the external world by the employees themselves. Employees want access to the data and want to be a part of the mobile workforce, but this exposes an organisation to great security breaches. I’m sure that a privacy screen would have helped in this case and would have been a very effective solution.

Just for a moment imagine that I was a news reporter, or had a malicious intent; further digging could have yielded more useful information. I have informed the bank that their security awareness should improve.

Employees must understand that with great freedom comes great responsibility.

EU Data Protection Act – Ready, Get Set, Go


A balancing act-EU Data Protection regulations

70% of EU citizens are worried about the misuse of their personal data. There are several changes proposed to the regulatory landscape. The old rules were framed circa 1995, when the internet was still new and in its infancy.

The new data protection act will give EU citizens the right to access, change or delete their data. Just over a quarter of social network users (26%) and even fewer online shoppers (18%) feel in complete control of their personal data. Most interestingly, it will include ‘the right to be forgotten’. If the controller has made the data public, it must take all reasonable steps, including technical measures, to inform third parties that the individual requests that the data be deleted. Imagine the effort required by social media sites that have shared your information with other ‘apps’ and businesses for a fee. The right to be forgotten has several caveats which may prove to be an Achilles’ heel for those invoking this right.

  • 74% of Europeans see disclosing personal information as an increasing part of modern life.
  • 43% of Internet users say they have been asked for more personal information than necessary.
  • Only one-third of Europeans are aware of the existence of a national public authority responsible for data protection (33%).
  • 90% of Europeans want the same data protection rights across the EU.

Interestingly, EU rules will apply to companies not established in the EU if they offer goods or services in the EU (or monitor the online behaviour of its citizens). This means that foreign banks (from outside the EU) will be subject to these laws; the data for these institutions currently resides in data centres outside the EU.

Privacy is to be built into data handling by design and by default, and data may be moved outside the EU only to countries with adequate protection. What defines ‘adequate protection’? Again, this will impact the BPO industry and web-hosting providers whose data centres reside outside the EU.

An EU citizen will have to consent explicitly to data processing, rather than consent being assumed. What mechanisms are to be provided for this? And how will a citizen be sure that the request has been complied with to the letter?

Companies will have to notify individuals of serious breaches within 24 hours; this was not forthcoming in the security breach at the world’s largest professional network that we have seen recently.

Data Protection Officers are to be mandatory; they will need to be experts, should be involved in a timely manner, and must receive proper support to perform their tasks.

On a more serious note, firms face being fined up to 2% of their global annual turnover if they breach the proposed EU data laws. This is severe, steep and dissuasive. Companies should ensure compliance and take steps to address the changes.

Proposed timeline

  • 2 years to complete the legislative process,
  • a further 2 years, as with any proposed regulation,
  • not before 2015 (est.)

Further reading

  • European Commission (Protection of Personal Data – Justice)
  • EU data protection law proposals include large fines
  • How to prepare for proposed EU data protection regulation