Dealing with Privacy, Security and IT. And trying to build bridges between these domains.
Monday, October 14, 2013
Robert's Law of security and technology progress
Robert's law of privacy & security.
"The number of advances in capabilities within the online world is proportional
to the number of issues with privacy and security."
A strong statement, some would gather, and something that would seem
counterintuitive. Would not technology improve security, or, as some would say,
build a better mouse trap?
Let’s delve into this a little further.
We now have a number of cloud computing capabilities that improve the
ability to share resources: Dropbox, Google Drive and Dump Truck, to name but
three. These types of software/hardware allow us to share files among our
peers within the 'Cloud', thus allowing a more seamless experience when trying
to share presentations, school projects etc. Yet this year alone Dropbox (and
I only use this as an example, as some other cloud suppliers have had security
concerns expressed about them as well) had a security issue: in a four (4)
hour period, accounts were unlocked and accessible to the general public.
Let’s take another example.
Social media. It is at the forefront of most people's minds right now. And,
as we see, a lot of companies are embracing this new marketplace with vigor.
It is seen, by some, as a way to better connect, or re-connect, with friends and family.
I, for one, keep in touch with relatives in Australia, Hungary and Michigan
using a combination of Twitter, Facebook and LinkedIn. Companies are jumping on
board as well, seeing the opportunity to have another marketing vehicle
in their arsenal, providing enhanced
customer service and differentiating themselves from the competition. Yet there
have been a multitude of security and privacy issues with the social media
suppliers. For example, there was the time that a certain number of users
potentially exposed their personally identifiable information within Facebook.
Twitter, another social media darling, has had a number of issues
concerning security as well.
RFID (Radio Frequency IDentification). We all use it. But what is it? It
actually encompasses a lot of different devices and uses. They include the
NEXUS card, issued by the US and Canadian governments to allow pre-screened
passengers speedier border crossings. It allows Jane Smith to tap her credit card
on the gas pump reader to pay. It can be used to track merchandise in
warehouses, etc. Yet within a very short period of time after general deployment
in the public arena, security issues started to be raised and exploited, by both
the general public and informed experts.
So what does this all mean? Should we ban all new technology? While I am
sure there may be some people who would say yes (as there are still some people
who believe the world is flat and Elvis is alive), that is not going to happen.
If we had banned technology back then, would there be no computers? Or if we had waited and
implemented the ban when transistors came about, or when the ARPANET/Internet
was created, or when the WWW (World Wide Web) arrived, etc., where would we be now?
In reality, as the human race continues to explore and innovate, technology
will move forward.
So am I advocating that we just plow ahead full steam? Well.....
I think we need to recognize that with each innovation, invention etc. the
security and privacy landscape changes. That when we embrace the new mouse trap, we
should also realize that it brings with it potential security and privacy issues
that need to be addressed.
Why is it that security (and indirectly privacy) is such an
afterthought? We introduce new ways to build a better mouse trap[1], yet we do not look at what the implications of this
new technology are and what changes need to be made so that it is implemented safely and
securely. Companies jump on bandwagons all the time without fully engaging in an
analysis of the various issues of concern. Apple introduces a finger scanner,
yet a hack was published within the month. Banks introduced 'chip and PIN'
credit cards and then tried to deny any reimbursement for fraudulently used cards.
So what does this all mean? In all our dealings, whether it is building a
new web site (Privacy by Design) or a
new technology, we should be advocating Security by Design in whatever we do.
It should not be an afterthought. We should expect that there will be issues
and not wait for some smart hacker to point out the problems. We should take
the bull by the tail and face the situation. Be proactive rather than reactive,
as we seem to be most of the time. If we do this, then we will hear fewer and
fewer press releases on how some new technology was hacked and broken, and how, as a
result, a fix had to be developed and
deployed. Never mind the PR issues that raise their head during such an event.
[1] The actual saying goes like this: 'If a man
has good corn or wood, or boards, or pigs, to sell, or can make better chairs
or knives, crucibles or church organs, than anybody else, you will find a broad
hard-beaten road to his house, though it be in the woods.' Ralph Waldo Emerson.
I prefer the modern version for brevity, if for no other reason.