Usually security implementers are aware of all the red tape they create, and evaluate the trade-offs against the value of what they are guarding. Usability and efficiency are certainly important, but it is more important that they consider the ethics of what they are building.

Employees and the public expect security to help and protect them. If too much security is applied, we are actually causing them unnecessary risks. This is just wrong.  The ethical issue is that a person is entitled to their own identity. The federal privacy commissioner is making some progress.

Most security systems are designed to store information about your identity and use that information to verify that you are the person you claim to be. I was recently asked to give my mother’s maiden name, the make and model of my first car, my favourite colour, my favourite holiday and my pet’s name. I know these will be asked if I forget my password. What I don’t know is where they store this information and who can see it. This is quite personal information that I would not necessarily tell a random person on the street. I would not tell you the answers here. Not that any of this is a state secret, but I wasn’t asking for access to a state secret either. I just wanted to view my phone bill online.

How do we decide that it is a fair thing to ask these kinds of questions to protect this kind of information? Just last fall BloombergBusinessweek published an article about the risks of using fingerprints as your access lock to your iPhone 5.

What would you have on your iPhone that is worth trading your fingerprint information? Do you keep your banking information on your phone? Not likely if you have thought this through. And if you haven’t, the IT professionals should be warning, not encouraging, you to do it. If they give you a system that you think is secure enough, you will trust it with more sensitive information. Obviously this is good for business, but as long as cell phones are portable (quite likely a long as we live) they are likely to be lost or stolen. At that point there is no time pressure, and that makes it much easier to eventually get access. The average phone user should be made aware of this.

Who is going to tell them? Part of the responsibility of building IT security applications must also be helping people learn to protect and recognize dangers to their identity. A recent Canadian security group was told that the people come first, before the IT.

Again, there is a trade-off. We must teach people about identity theft without creating fear. Fear just leads to other problems. In an Australian study, people admitted they gave false information online rather than risk their real information.

We should always be asking “Is this security really necessary?” and “How can we help people understand how much to trust the technology?”

Would you recommend this article?

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication. Click this link to send me a note →

Jim Love, Chief Content Officer, IT World Canada
Previous articleNew topic for: So you think you can blog?
Next articleDealing with IT setbacks
Donna Lindskog
Donna Lindskog is an Information Systems Professional (retired) and has her Masters degree in Computer Science from the University of Regina. She has worked in the IT industry since 1978. Most of those years were at SaskTel where she progressed from Programmer, to Business Analyst, to Manager. At one point she had over 48 IT positions reporting to her and she has experience outside of IT managing Engineers. As a Relationship Manager, Donna worked with executive to define the IT Principles so departmental roles were defined. As the Resource Manager in the Corporate Program/Project Management Office, she introduced processes to get resources for corporate priorities. In 2003 she was given the YWCA Woman of Distinction Award in Technology.