CIO Folder: Data awareness — will we ever learn?
The current scandal involving Facebook and Cambridge Analytica throws the significance of personal data, and indeed all data, into the spotlight. Again. The vulnerability of all data in the digital ether of today is also highlighted. Again.
It reminds us of the inestimable campaign and canvassing value of the political register, the unique and up-to-date printed list of all eligible voters in every electoral district and constituency, published by Roinn an Rialtais Áitiúil [now the DHPLG]. Although copies were, and are, legally displayed only for individual consultation in the relevant local official buildings (County Council offices, Garda stations, libraries), somehow every organised political party got hold of its own, sometimes pristine and fresh from the press. Data leakage from the beginning of Irish democracy. Nothing new.
The fact that the printed copies were officially available only on those terms was one of the earliest personal data protection rules of the Irish state. In reality it was an official gesture, since clandestine copies were sought and obtained by every political party. Before the dawn of photocopying, individual electoral district registers were laboriously hand-copied by the local canvassing teams. Two rumours persist to this day in rural local politics. One is that everyone knew which printers had the contracts, so a few bob ensured ‘extra’ or ‘proof’ copies. The other is that fierce political rivalry did not stop election agents from exchanging local electors’ information, which was cheaper than paying the printer, or sharing the cost.
Oceans of data
Digital data is the same. Did Facebook data let Cambridge Analytica compound electoral registers, party registration (Republican, or the only other national party) and inferred personality or beliefs into something far more valuable than any one of them? Plus ça change… Clouds hold oceans of data (mixing metaphors is traditional in IT) but they are vulnerable to the same ancient human traits, faults and, let us acknowledge, ‘traditions’. It is more difficult today, but that perpetual combination of curiosity and cupidity will often uncover socially interesting gossip, scandal or news of criminal conspiracies. Data value takes many forms. Sometimes it is information for blackmail or manipulation, or for selling on, and sometimes it is actually money.
In our cloud world, social media are close to, and frequently indistinguishable from, banking, buying and selling online, and even state services. How many innocents use the same password for everything online and enter their date of birth whenever requested?
We have gone through a cultural sea-change while generating those oceans of data. Within living memory, all recorded data was visible: business, banking and state records were in physical files in filing cabinets. Today, ‘file’ is a metaphor for data that shares a subject. In the old days, a file was a container for a single set of documents. To get more than one topic in, you had to insert copies or cross-reference.
Today’s generation does not get that discipline or logic. The ‘search’ function is all. But some data is too sensitive to expose to a general search function, whether Google, Bing or similar, or a tailored private solution in a government department or a big corporation (we will say nothing about PULSE, that 20-year-old selectively available system). The real point is that, more and more, we have to classify data: what we expose to public search, what we expose to corporate search, and what we keep behind tightly controlled access privileges. Intelligence agencies, to use a dramatic example, deliberately conceal or obscure Top Secret data, though one doubts they actually use that popular fictional terminology.
Take personal data. For decades we have been using ‘Mother’s Maiden Name’ as a standard ‘security’ measure, because by convention it differs from your own paternal surname and is known only to extended family and small communities. Besides, it evolved in the era of written documentation. Today your mother’s family name is searchable on Facebook, on Wikipedia if you are famous enough, or in local papers, in marriage or death notices or indeed general news. So ‘Mother’s Maiden Name’ is a seriously weak security factor online, yet banks and other institutions still use it generally. Pathetic: a façade of quasi-security about as effective as a Yale lock, or indeed a latch, for those who remember that technology.
Date of birth is another questionable factor. It is an essential constituent of identity proof, especially if you have a name like Mary Murphy or Jean Dubois, but it should not be a defining element of security, because it is not secret. Once again, think Facebook.
The blame lies not entirely with people but with the businesses. They are generally terrified of making sign-up and transactions difficult, knowing the attention span and fickleness of the mass of online consumers. That trait is manifested especially in consumer-oriented online services, notably the ones targeting younger markets. Banks and payment organisations can ‘sell’ security precautions, to a degree, but fierce global competitors want to generate the least friction possible, whether technical or legal.
But all of that is consumer stuff. The trouble is, people tend to take their consumer habits to work. Which is why so many lapses in corporate security are down to human error. Let us be blunt: ignorance. Passwords on sticky notes or sharing with team mates is the direct equivalent of security doors left propped open on warm days.
What do we do about it? We need a movement, and leaders. The GDPR legislation coming in next month is a giant step forward, together with the mandatory position of Data Protection Officer. The threshold for appointing a DPO is high-ish: it spans all public bodies, regardless of size, and organisations whose core activities involve large-scale, systematic monitoring of individuals or large-scale processing of sensitive categories of data such as health.
This is an opportunity for a new movement to promote increased care of personal, and indeed all, data. We have all grown careless, because this is a digital culture and we humans thrive on stability and peace and no visible risk. The trouble is that in digital there is no visible risk. Victims of crime, individuals and businesses alike, learn to be wary. But that does not permeate through society. We talk about the incidents and scandals and then carry on as casually and carelessly as usual.
Society does digital as it does driving: the general standard is OK, but we have more than our fair quota of corner cutters and unlit vehicles in pelting Irish rain, mobile phone users and the new phenomenon of large hot coffee drinking at the wheel. Too many kids think driving is the same as console games.
It is generally the same online, and we need a safety campaign. One suspects we are to have a GDPR awareness campaign from the government or the Data Protection Commissioner, but that is not the answer. We need to involve schools, particularly second level, where the majority are given their own devices for the first time. Across the business sector, SMEs are particularly important because they often do not have an IT manager, much less a DPO.
The cyberthreats out there are largely ignored, out of simple ignorance, by government, or at least by our politicians. The exceptions, notable for their professionalism, are the digital multinationals and the financial and online services in Europe. Some big names have grown through the ‘free service, and we’ll use your submitted data to make money’ formula. It is a legitimate commercial proposition. The snag, as always, is that the majority of the market does not even read the Ts & Cs. But cybersecurity per se is generally tight and well managed in those enterprises.
But our political, social and business leadership is generally unaware of the huge looming threats, or apathetic. So we will not have a national campaign to highlight digital dangers and to educate and train the populace in best online practice. Even a national data theft scandal would peter out in a few weeks.
Will we ever learn? Maybe, is the most optimistic prospect.