Consumers? Engineers? Policy makers? Who should make data privacy more rational?
Insurance. The industry that profits by selling an expensive service, only to charge more once a buyer actually uses that service, might be the answer to managing the risks of having biometrics and other personal data online.
A podcast about public awareness and public trust has been posted by ITSPmagazine and features three people close to the topic.
The alternatives were few.
Ideas were batted around by Melissa Wingard, special counsel at the law firm Phillips Ormonde Fitzpatrick; Brigadier General Gaurav Keerthi, deputy chief executive of Singapore’s Cyber Security Agency; and Daniel Gruss, an assistant professor at Graz University of Technology.
Wingard’s talk at Black Hat was titled ‘Biometrics & Privacy: Time to Faceoff or is that FaceApp?’ In it, she urged people to attempt to understand who is collecting their biometric data, and even to read the privacy policies they agree to.
Keerthi advocated for an end to siloed thinking by, in this case, policy makers and product makers.
“Policy makers see a policy problem. Engineers see an engineering problem,” he said. Policy makers have to stop getting their hands dirty and get engineering in. And engineers have to realize there is the hardware layer and the software layer and the user layer. Engineers have an obligation to engage with policy.
“They can’t ignore it,” Keerthi said.
Gruss, who says he is pessimistic generally about how data will be secured, agreed with Keerthi on this point while maintaining that complexity ultimately would render the idea moot.
Some time can be bought, he said, by turning inward. It is not uncommon for IT departments to isolate subsystems, localizing and containing problems the way viruses are isolated in organic bodies.
“We won’t solve the problem fundamentally. We have to live with viruses, but they don’t have to spread throughout the entire system,” Gruss said.
Wingard, who is fluent in digital security and privacy legal matters, said there is little more that anyone can expect from individuals in the matter.
She said she would be overwhelmed to have to figure out everyone who had personal information of hers, how the information was being used, if permissions could be changed and from whom to seek help in her efforts.
“If we just take Singapore, the laws for privacy and personal information are found across multiple (legislative) acts,” she said. There is the personal data act, banking act, telecommunications act and the computer misuse and cybersecurity act.
There are responsibility overlaps and gaps, and the laws have little to say about organizations in other nations that have left fingerprints on a person’s data.
Indeed, it was noted among the panelists that cybersecurity is perhaps the only industry in the world where, when something unexpected happens, the customer is immediately blamed — for bad passwords, poor ability to spot a scam, buying something from a disreputable vendor and such.
Historically, caveat emptor has been a reasonable policy, but until recently, an individual typically bought a product from a local vendor. Even if that vendor was crooked, there usually was a direct line between the two parties, and losses were counted in dollars.
Personal information transactions are anything but transparent and, almost by definition, they involve layer upon layer of other buyers and sellers.
Gruss cited an example of a recent data breach that might have been inevitable.
“I’m sure they wanted to (to protect the data). They didn’t want to (improperly) store unencrypted passwords,” he said. But the complexity of systems conspired against company managers. In all the complexity, they could not understand that the data was in danger.
“We can’t control it anymore,” Gruss said, referring to the complexity.
Keerthi suggested abstracting the individual from the details of managing and monitoring personal information. Businesses could be rated based on how ethically they use personal data.
He said few people understand how a new car operates anymore. Yet they continue to buy new vehicles based on reviews and ratings. And air-conditioners are purchased based on efficiency ratings that hide from consumers how and why one model is better than another.
Gruss went back to a health care example.
“We can’t consider all the complexity involved around keeping a human healthy for many, many years,” he said. That is why there are life insurers. They are an admission that some systems are so complex that positive outcomes cannot be guaranteed.
The same is true with air travel. Insurance can be purchased to compensate for a tragic outcome that can never be ruled out.
“In maybe 10 years, 20 years, everyone will have their own cyber insurance,” he concluded.