It's over: All private data is public
By Roger A. Grimes
Created 2013-06-18 03:00AM
This is not another article explaining that Google and
Facebook already know everything about us or that our governments sniff all our
Internet transmissions [1]. That's true, but it's just the tip of the iceberg.
This article represents my own realization of the
incredibly poor state of data security and what that means about our privacy
and data privacy laws. If you're looking for an upbeat article with feel-good
solutions, stop reading now.
I'm pretty sure I'm not the first person to have this
epiphany, but I'm happy enough with myself that I'm going to call this Grimes'
Second Corollary. My first corollary [5] states: "Whatever is the most
popular software in a particular category is also the most successfully
exploited software." It's been retroactively true since 1986, though I
came up with it somewhat later [6].
Grimes' Second Corollary
I feel confident enough in my second intelligent thought
of the last decade to declare this revelation my second corollary.
To wit, in a world where every single entity is
thoroughly hacked, it is naive to try and determine how ethical or legal it is
for a particular custodial entity to hold a particular database by considering
only individual circumstances or scenarios. It's wrong to ask if Google,
Facebook, our government, your hospital, or your bank should be allowed to
collect and store personal information about you. That's the old way of
thinking.
Instead, we must ask ourselves if the database in
question should be collected or created if we knew that information could be
seen by the world -- because it will be or already has been.
No custodial entity can ensure the data it holds will
remain private. We must instead assume that information can be stolen by
unauthorized parties. If you ask security experts, every database worth
stealing is already in the hands of someone who shouldn't have it. This is not
wild conjecture; this is the general, well-understood consensus of the world's
best computer security experts.
Yours, mine, and theirs
We need a new way of thinking until we can begin to
control cyber crime, which won't happen anytime soon. We need to start thinking
about any information we give as being given to the world.
For example, a hospital may have and need our medical and
financial information. Yet we must, especially in today's world, assume that
our hospitals have insufficient IT controls. Hackers can get that information
at any time if they want it. They could sell our medical information to
insurance providers and our payment records to credit bureaus, or they can give
our credit card or bank account information to thieves. The formal, legal
entities that collect the data are usually unaware that the information is
pilfered, at least for many months or years.
Because all companies are doing a poor job at protecting
data, it seems humorous to consider only whether a particular company or entity
should have a particular database. Simply by virtue of its collection and
existence, our data is being shared by the world and the world can do anything
with it.
There's a very good chance that many strangers around the
world already know more about us than Google and Facebook. They may even know
more about us than we know about ourselves.
Open to the world
We must determine whether or not a particular database
should exist, not by a single, isolated evaluation of risk, but by a global
evaluation of risk.
The norm isn't that some company's databases are stolen.
Most privacy discussions should begin with the assumption that all companies'
databases are stolen or are likely to be if they contain anything of value. If
that assumption is correct -- and it is whether or not we acknowledge it --
then I think the answer would often be no, we should not trust most companies
to hold and secure most data.
It doesn't take malware [7] or Chinese APTs [8] to steal
all our secrets. Potentially every person who has legitimate access to our data
can leak information.
For example, Bradley Manning is currently on trial for
leaking top military secrets. If he is found guilty, he needs to go to jail.
But 1.4 million people in the United States have top-secret security
clearances. It's likely that at least a few -- if not more -- of them are
leaking secrets, too. It can't just be Pvt. Manning. He was simply dumb enough
to get caught. I've read about American spies stealing secrets for more than a
decade before they were nabbed.
In the corporate world, you'd be amazed at how many
staffers in a company can read, copy, or download a private database meant to
be seen only by a few people. I frequently conduct data protection audits for
big companies, and what I find no longer astonishes me.
On top of that, every outside company and contractor that
has access to the data is a potential point of leakage. It's almost certain
that one or more of those data custodians have been thoroughly compromised.
By accident or design
Often data leaks are purely accidental. Millions of
people inadvertently overshare other people's personal information every year
-- by posting on public websites, excessively divulging details in public
documents, or leaking through a file-sharing program they installed to
illegally download movies.
Do a little search engine "hacking" to find
classified or top-secret information and you'll be amazed. You'll find entire
state databases of financial information sitting on the Web -- for years --
just waiting to be downloaded. Spend a little time Googling for passwords and
other supposedly secret information and you'll scare yourself.
Wait, it gets worse. You might think information is
protected, but guess again. Most cryptographers believe that in less than one
decade, quantum computing will be marshaled to crack any encryption [9]. We
spend our professional lives protecting information inside of encrypted
datastreams and encrypted files. One day those boundaries will suddenly
evaporate. The world's governments are systematically recording all encrypted
traffic because they know it will all be easy to read soon enough.
The truth will set you free
My intention is not to scare anyone. It's to awaken
everyone. Our private data hasn't been private for a long time. The first
decade of the third millennium will go down in history as a period of time in
which the world's thieves stole everything.
Our laws and regulations are all written with the
assumption that data custodians can protect data. That assumption is wrong. If
that is so, should any entity be allowed to collect our information?
The answer is no -- and I can't blame you for responding
that preventing any company from collecting our personal data would bring
business and industry to a halt. I'm not the one making the rules. The laws and
regulations say that data custodians must be able to protect our data. They
clearly can't. They clearly haven't. Nothing they are doing to improve their
security right now is making it any better in the short term.
I'm not the bearer of bad news. I'm your enlightenment.
You can take the red or the blue pill. It's up to you.
This story, "It's over: All private data is public
[10]," was originally published at InfoWorld.com [11].
Source URL (retrieved on 2013-06-18 02:42PM):
http://www.infoworld.com/d/security/its-over-all-private-data-public-220901
Links:
[1] http://www.infoworld.com/t/internet-privacy/the-nsa-upshot-were-finally-taking-internet-privacy-seriously-220695
[2] http://www.infoworld.com/t/internet-privacy/the-nsa-upshot-were-finally-taking-internet-privacy-seriously-220695?source=fssr
[3] http://www.infoworld.com/browser-security-deep-dive?idglg=?ifwelg_fssr
[4] http://www.infoworld.com/newsletters/subscribe?showlist=infoworld_sec_rpt&source=ifwelg_fssr
[5] http://www.infoworld.com/d/security-central/popularity-the-biggest-hack-magnet-886
[6] http://www.infoworld.com/d/security-central/macs-low-popularity-keeps-them-safer-hacking-and-malware-138
[7] http://www.infoworld.com/d/security/download-infoworlds-malware-deep-dive-report-186438
[8] http://www.infoworld.com/d/security/5-signs-youve-been-hit-advanced-persistent-threat-204941
[9] http://www.infoworld.com/d/security-central/imagine-world-no-cyber-secrets-421
[10] http://www.infoworld.com/d/security/its-over-all-private-data-public-220901?source=footer
[11] http://www.infoworld.com/?source=footer
[12] http://www.infoworld.com/d/security?source=footer
[13] http://www.infoworld.com/blogs/roger-a.-grimes?source=footer