IT security pros have an ethical responsibility to ask if the personal information demanded of users for identity access is really needed
Usually security implementers are aware of all the red tape they create, and evaluate the trade-offs against the value of what they are guarding. Usability and efficiency are certainly important, but it is more important that they consider the ethics of what they are building.
Employees and the public expect security to help and protect them. If too much security is applied, we are actually causing them unnecessary risks. This is just wrong. The ethical issue is that a person is entitled to their own identity. The federal privacy commissioner is making some progress.
Most security systems are designed to store information about your identity and use that information to verify that you are the person you claim to be. I was recently asked to give my mother’s maiden name, the make and model of my first car, my favourite colour, my favourite holiday and my pet’s name. I know these will be asked if I forget my password. What I don’t know is where they store this information and who can see it. This is quite personal information that I would not necessarily tell a random person on the street. I would not tell you the answers here. Not that any of this is a state secret, but I wasn’t asking for access to a state secret either. I just wanted to view my phone bill online.
How do we decide that it is a fair thing to ask these kinds of questions to protect this kind of information? Just last fall BloombergBusinessweek published an article about the risks of using fingerprints as your access lock to your iPhone 5.
What would you have on your iPhone that is worth trading your fingerprint information? Do you keep your banking information on your phone? Not likely if you have thought this through. And if you haven’t, the IT professionals should be warning, not encouraging, you to do it. If they give you a system that you think is secure enough, you will trust it with more sensitive information. Obviously this is good for business, but as long as cell phones are portable (quite likely a long as we live) they are likely to be lost or stolen. At that point there is no time pressure, and that makes it much easier to eventually get access. The average phone user should be made aware of this.
Who is going to tell them? Part of the responsibility of building IT security applications must also be helping people learn to protect and recognize dangers to their identity. A recent Canadian security group was told that the people come first, before the IT.
Again, there is a trade-off. We must teach people about identity theft without creating fear. Fear just leads to other problems. In an Australian study, people admitted they gave false information online rather than risk their real information.
We should always be asking “Is this security really necessary?” and “How can we help people understand how much to trust the technology?”