Who is Looking At Our Data and What Are Our Options?

Who is Looking At Our Data and What Are Our Options?

January 7, 2020
Michael Brown Headshot
Michael Brown Managing Partner

The general perception of the public is that the government and, more specifically, the National Security Agency (NSA) should have the purview to investigate terrorism even if it intrudes on privacy:

Interestingly, people seem to have differing opinions regarding phone and email, yielding one to conclude that perhaps people have a different sense of privacy and ownership between the two mediums.

Young people tend to value data privacy more than older folks, thought not to a particularly high degree:

Finally, privacy concerns take a backseat to the economy:

This slew of data tells us that, for the most part, citizens are weighting data concerns as a lower priority than the economy, and certainly second to preventing terrorism. With more of our personal data being widely distributed and accessible on Facebook, LinkedIn, Twitter and other online services, it is apparent that we have become desensitized to allowing online services have free range with our data. Further, people in general did not seem particularly shocked by the existence of a program that allows the government to take a peek at all of this data that we generate. What they might be more angered by is the limited care taken with the data.

There have been several articles written about how the data is collected, analyzed and then disposed of — words such as inefficiency and ineffectiveness have been thrown around often. What makes this situation slightly ironic is that the defining factors of web 2.0, i.e., mass proliferation of data, broadband for everything, and increased computing power, has created and exacerbated these issues. Thus, we no longer needed to store our data on our physical premises and can do so online, with great convenience and accessibility everywhere.

So what are our options? There have been calls for all data to be encrypted to keep away from prying eyes. As described by Ben Adida, there are three options with respect to encryption: 1) full-strength, randomly generated, user-managed key; 2) password-derived key; and 3) server-side security. The first has the greatest security, but is the most difficult to use and new devices require coordination with existing devices. If the devices break, there is no way to recover the data. The second has a key generated from an user’s existing password, and is therefore less secure. New keys can be generated from the existing password, but if the user loses his or her password, the data is gone. The third is the least security because keys are managed on the server-side. Security is much lower here and insiders have access to data, but users are able to recover their passwords. Most of the internet now relies on server-side security, hence our current issues.

Most people assume that they own all of the data that they generate that is stored in the cloud. As it turns out, this differs based on cloud provider. Much of our data is trapped within its current application and not really accessible by us — is this better than having it on our hard drive? This also ignores the meta-data created through the analysis of your data that is challenging to get our hands on. The data here is also potentially accessible by third parties other than those whose applications you are using. The intent here by service providers is not malicious, but instead they try to derive value from your using their service. If it is extraordinarily easy for you to leave the service, it is challenging for them to provide a meaningful level of value.

In the end, it does not appear as though users are concerned to a great degree about these issues. While encryption may be an option, one suspects that user convenience supersedes these concerns. If a device or service had to be tossed when users lost their keys or passwords, that would not work particularly well. Therefore, any solution needs to keep data recovery in mind, perhaps through alternative verification methods. And, of course, it needs to be more secure than current server-side methods and be able to prevent insiders and government from accessing your data. Thus, we can sum this by saying that any new encryption solution needs to have the following characteristics:

  1. Able to be retrieved; and

  2. Not accessed by insiders, government or hackers.

That being said, given current consumer sentiment, will there be a desire to change?

Sources:

http://www.people-press.org/2013/06/10/majority-views-nsa-phone-tracking-as-acceptable-anti-terror-tactic/

http://techcrunch.com/2013/06/09/waiting-for-prometheus/utm_source=feedly&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29

https://stample.co/login

http://www.marketwire.com/press-release/media-advisory-a-circuit-breaker-prisms-impact-on-privacy-confidentiality-cloud-email-1799633.htm

http://benlog.com/articles/2013/06/07/what-happens-when-we-forget-who-should-own-the-data-prism/

http://benlog.com/articles/2012/04/30/encryption-is-not-gravy/

http://www.computerworld.com/s/article/9223479/When_your_data_s_in_the_cloud_is_it_still_your_data_

http://techcrunch.com/2013/06/10/survey-majority-of-americans-think-nsa-spying-is-more-important-than-privacy/utm_source=feedly&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29

Related Blogs

Moore’s Law Repealed?

Since about 1980 we’ve gotten used to a ridiculous pace of technological innovation. At least as concerns processing power, it’s likely we just can’t keep up this pace of advance without a near-reinvention of the modern CPU. Chew on this: between then and 2005, the…

April 12, 2015 Read More

Thoughts on the Mandiant Acquisition

Most folks saw the news on Friday about FireEye’s acquisition of Mandiant for $1b+ in cash and stock. This is a huge deal in the security space and one that has gotten a lot of attention given the combination of two prolific industry folks, Kevin Mandia and…

April 13, 2015 Read More