It's over: All private data is public

By Roger A. Grimes
Created 2013-06-18 03:00AM

This is not another article explaining that Google and Facebook already know everything about us or that our governments sniff all our Internet transmissions [1]. That's true, but it's just the tip of the iceberg.

This article represents my own realization of the incredibly poor state of data security and what that means about our privacy and data privacy laws. If you're looking for an upbeat article with feel-good solutions, stop reading now.

I'm pretty sure I'm not the first person to have this epiphany, but I'm happy enough with myself that I'm going to call this Grimes' Second Corollary. My first corollary [5] states: "Whatever is the most popular software in a particular category is also the most successfully exploited software." It's been retroactively true since 1986, though I came up with it somewhat later [6].

Grimes' Second Corollary

I feel confident enough in my second intelligent thought of the last decade to declare this revelation my second corollary.

To wit, in a world where every single entity is thoroughly hacked, it is naive to try and determine how ethical or legal it is for a particular custodial entity to hold a particular database by considering only individual circumstances or scenarios. It's wrong to ask if Google, Facebook, our government, your hospital, or your bank should be allowed to collect and store personal information about you. That's the old way of thinking.

Instead, we must ask ourselves if the database in question should be collected or created if we knew that information could be seen by the world -- because it will be or already has been.

No custodial entity can ensure the data it holds will remain private. We must instead assume that information can be stolen by unauthorized parties. If you ask security experts, every database worth stealing is already in the hands of someone who shouldn't have it. This is not wild conjecture; this is the general, well-understood consensus of the world's best computer security experts.

Yours, mine, and theirs

We need a new way of thinking until we can begin to control cyber crime, which won't happen anytime soon. We need to start thinking about any information we give as being given to the world.

For example, a hospital may have and need our medical and financial information. Yet we must, especially in today's world, assume that our hospitals have insufficient IT controls. Hackers can get that information at any time if they want it. They could sell our medical information to insurance providers and our payment records to credit bureaus, or they can give our credit card or bank account information to thieves. The formal, legal entities that collect the data are usually unaware that the information is pilfered, at least for many months or years.

Because all companies are doing a poor job at protecting data, it seems humorous to consider only whether a particular company or entity should have a particular database. Simply by virtue of its collection and existence, our data is being shared by the world and the world can do anything with it.

There's a very good chance that many strangers around the world already know more about us than Google and Facebook. They may even know more about us than we know about ourselves.

Open to the world

We must determine whether or not a particular database should exist, not by a single, isolated evaluation of risk, but by a global evaluation of risk.

The norm isn't that some company's databases are stolen. Most privacy discussions should begin with the assumption that all companies' databases are stolen or are likely to be if they contain anything of value. If that assumption is correct -- and it is whether or not we acknowledge it -- then I think the answer would often be no, we should not trust most companies to hold and secure most data.

It doesn't take malware [7] or Chinese APTs [8] to steal all our secrets. Potentially every person who has legitimate access to our data can leak information.

For example, Bradley Manning is currently on trial for leaking top military secrets. If he is found guilty, he needs to go to jail. But 1.4 million people in the United States have top-secret security clearances. It's likely that at least a few -- if not more -- of them are leaking secrets, too. It can't just be Pvt. Manning. He was simply dumb enough to get caught. I've read about American spies stealing secrets for more than a decade before they were nabbed.

In the corporate world, you'd be amazed at how many staffers in a company can read, copy, or download a private database meant to be seen only by a few people. I frequently conduct data protection audits for big companies, and what I find no longer astonishes me.

On top of that, every outside company and contractor that has access to the data is a potential point of leakage. It's almost certain that one or more of those data custodians have been thoroughly compromised.

By accident or design

Often data leaks are purely accidental. Millions of people inadvertently overshare other people's personal information every year -- by posting on public websites, excessively divulging details in public documents, or leaking through a file-sharing program they installed to illegally download movies.

Do a little search engine "hacking" to find classified or top-secret information and you'll be amazed. You'll find entire state databases of financial information sitting on the Web -- for years -- just waiting to be downloaded. Spend a little time Googling for passwords and other supposedly secret information and you'll scare yourself.

Wait, it gets worse. You might think information is protected, but guess again. Most cryptographers believe that in less than one decade, quantum computing will be marshaled to crack any encryption [9]. We spend our professional lives protecting information inside of encrypted datastreams and encrypted files. One day those boundaries will suddenly evaporate. The world's governments are symmetrically recording all encrypted traffic because they know it will all be easy to read soon enough.

The truth will set you free

My intention is not to scare anyone. It's to awaken everyone. Our private data hasn't been private for a long time. The first decade of the third millennium will go down in history as a period of time in which the world's thieves stole everything.

Our laws and regulations are all written with the assumption that data custodians can protect data. That assumption is wrong. If that is so, should any entity be allowed to collect our information?

The answer is no -- and I can't blame you for responding that preventing any company from collecting our personal data would bring business and industry to a halt. I'm not the one making the rules. The laws and regulations say that data custodians must be able to protect our data. They clearly can't. They clearly haven't. Nothing they are doing to improve their security right now is making it any better in the short term.

I'm not the bearer of bad news. I'm your enlightenment. You can take the red or the blue pill. It's up to you.

This story, "It's over: All private data is public [10]," was originally published at [11].
