While admitting his own boss occasionally goes off the deep end when commenting on privacy — or the lack thereof — Sun Microsystems Inc.’s John Gage gave a poignant demonstration at a recent Toronto security and privacy conference on how fleeting personal privacy may become.
Using a feed from Keyhole.com, a recent Google Inc. acquisition, Gage, vice-president of Sun’s science office, took attendees on a satellite tour from North Korean nuclear facilities to the hills overlooking Hollywood in a matter of seconds. Gage’s point was that privacy has taken a big hit in the past few years as the technology to gather information has dramatically improved (Keyhole gets its data from private satellites that orbit the globe) while not becoming any more secure (he cited the case of Bank of America losing backup tapes filled with a more than a million customers’ personal information).
Charles Salameh, president of Bell Security Solutions Inc., agreed that times are tumultuous. “We have been living in a world dominated…by threats and fears,” he said.
As for Gage’s boss, Sun’s CEO Scott McNealy has been quoted in the past saying that privacy is no longer possible and that people should get over it.
Conference speaker Ann Cavoukian, Ontario’s privacy commissioner, agreed with Gage that the post 9/11 world has made privacy invasion much more palatable to the public. “It was unpatriotic to talk about privacy” after 9/11, she said, though admittedly there is some irony in this change of heart south of the border.
Americans traditionally are suspicious of government, but after 9/11 the public turned to the government for reassurance. The American propensity to be suspicious of authority turned to the private sector.
“There was significant consumer backlash” to the collection of data, she said.
E-commerce, which was supposed to rival bricks-and-mortar, never came close to hitting analysts’ projections. In the U.S. e-commerce represents 1.6 per cent of all commerce, she said. In Canada it is a feeble 0.8 per cent.
It is for this reason that the private sector, both north and south of the 49th parallel, needs to take customer privacy very seriously . Whether consumers shop online or not, those that feel a company has compromised their privacy will avoid dealing with that company in the future.
While admitting a sound privacy policy will not affect more than one-third of customers (10 per cent don’t care about privacy, while the 35 per cent she called privacy fundamentalists never trust companies), Cavoukian said there is a strong business case to go after the middle ground, those she calls privacy pragmatists. These people, while caring about privacy, like the convenience of online shopping and banking.
But they need to be treated with care. To do so, companies must understand that their own corporate structure may inhibit customer privacy protection, she said. Many companies make the mistake of making the CIO responsible for privacy. Since the traditional CIO role is to exploit data for business advantage, there is a natural conflict of interest when he or she also oversees privacy. To avoid this, an enterprise needs a dedicated chief privacy officer.
But privacy does not operate in a vacuum. “You can not have privacy without security,” Cavoukian said.
Salameh agreed that security is taking on a more prominent role in corporate decision-making as personal data is being increasingly virtualized. Things like identity theft become more and more of a problem as companies try to protect customer information. “That (digital) version of yourself can be kidnapped,” he said.
Cavoukian agreed that identity theft is a growing problem. “It is growing by absolute leaps and bounds.” There were just over 31,000 reported cases in the U.S. in 2000, versus almost 650,000 last year, she said. In Canada the complaints almost doubled in a year — 7,629 in 2002 to 13,359 in 2003.
Whether it is identity theft or some other form of data loss, the cost is very real. Salameh said two-thirds of Canadian companies have lost money due to ineffective security. Internal hacks are several orders of magnitude more costly than outside jobs, averaging over $2.5 million per incident.
But the overarching factor facing all companies will be their ability to comply with government regulations, be it Canada’s PIPEDA, the U.S.’s Sarbanes-Oxley or European-led Basel II. “This kind of security compliance can no longer be on a company’s wish list,” Salameh said. The possibility of lawsuits is real if companies are negligent when disclosing customer information, he said. The responsibility to protect data will venture past the four corporate walls and will include contact with all third parties that “even touch” personal customer data, he added.
To protect data, Salameh said security companies are doing everything from creating psychological profiles of hacker tendencies to designing systems with built-in early warning capabilities.
But none of this is going to get easier as more and more appliances are built with computers, said David Perry, global director of education with Trend Micro Inc. Everything from cars to cell phones to door locks are computerized today, Perry said. “It is difficult to put a cap on the number of vulnerabilities on system(s) like that.”
Regardless of how companies and governments deal with the increase in virtualized data, the hit on personal privacy may be fatal. As it turns out — much to attendees’ chagrin — McNealy may be right about personal privacy being a thing of the past.
Even Gage, more or less, acquiesced. “Everything is visible, publicly available. Nothing is invisible,” he said, “which means you can never sunbathe in the nude — it’s over.”
Quick Link 051989
