I was recently invited as an expert panelist at the CIO Forum (the VIP event for selected CIOs within EMC World, Las Vegas), alongside RSA’s chairman Art Coviello. We were interviewed by CBS News’s well-known correspondent Richard Schlesinger.
The topic Art Coviello wanted to discuss with me was « intelligence-driven security », as RSA’s vision now relies on storage and big data: collect as much data as possible from different sources, analyse it, and try to detect abnormal digital behaviours on servers or networks.
I strongly agree that, for now, this is the only realistic way to detect APTs. The whole infosec industry is starting to realise that detecting anomalies on a single device such as a PC, with an antivirus or isolated detection systems, isn’t enough against new forms of cybercrime, and that signature-based detection is becoming impractical. Even Symantec publicly stated a few days ago that the legacy antivirus concept was dead.
Obviously, that kind of data collection and deep-packet inspection means a total loss of privacy, as users are continuously monitored. Thanks to Richard Schlesinger, I was able to develop this important topic, and how the IT industry could help improve privacy while preventing cybercrime.
I quoted the just-released White House report on big data and privacy, explaining that even Obama’s government has started to realise it was becoming hazardous to let private companies and the government do big-data analytics on people the way they do it now, and will do in the future. The report gives several recommendations (starting p. 68) about what to do, notably protecting children, preventing discrimination, and extending privacy to non-U.S. citizens, which is a really good step forward (but these are only recommendations for now).
I also explained that the reason all non-U.S. citizens are so angry about the U.S. government and private companies collecting data is that we (Europeans) do not have the same definition of privacy. In the States, contrary to popular belief, people do care about privacy, but not the same way we do. In Europe, privacy is about personal data collection. In the US, privacy is about personal data disclosure. That is totally different, because it means Americans do tolerate the collection and analysis of their data and behaviour, but are in the same position as Europeans if, for any reason, this data (or related data) is disclosed against their will.
That explains a lot about why so many US projects at Google, Facebook, Apple and everywhere else don’t really care about the negative impact of data collection and analytics: they focus on IT security to protect that data and the resulting analysis, and keep claiming that they really care about privacy. Which is right up to a point, because privacy is, for them, only related to the unintended disclosure of personal data. That also explains why strong leaders such as Art Coviello and his company RSA are pushing forward the intelligence-driven security model: for them, doing so is not directly related to privacy, since the collected data is not supposed to be disclosed but only serves to detect and remediate cyber-risk. Much like an antispam filter that scans emails to detect anomalies, but on a much larger scale, as it embraces the whole Internet. So they genuinely feel they are doing things right, and I believe their sincerity on that point when they say they don’t intend to harm people’s lives but try to protect them (even if the way they achieve it is not the right one, as the consequences can be dramatic).
So the issue is « only » a difference in what privacy is really about.
I used an analogy with people: when you fall in love, you blindly trust your partner. If he or she betrays you, it’s a major disillusion that can definitely harm the relationship and could take years to forget (or can never be rebuilt), as trust is destroyed. People fell in love with the Internet, so they blindly trust it (the reason they put so much private information everywhere, starting with search engines). So the Internet has a moral duty not to betray them, as it has a special relationship with every one of us, as would any partner we love.
All companies, institutions and governments making the Internet happen should act in accordance with this principle.
I’d suggest a few ideas that may help to start moving forward:
- Establish and enforce transparency: transparency about data collection and usage. Citizens and users should be able to easily get full answers about « What », « How », « When », « How long » and « For what purpose ».
- Bring in a right-to-be-forgotten concept. Citizens and users should be able to opt in and opt out whenever they want, without questions being asked or unintended consequences.
- Protect against discrimination. Big data should help people, not induce negative effects. Citizens and users should be confident that their data, their children’s data, and in general everybody’s collected data shall only be used in a respectful way, not only at the time it is collected and processed, but also during the whole data lifecycle.
- Consider negative long-term consequences. Citizens and users should be safe and confident whenever their data is collected, during their entire life. Any collected data and analysis has to be designed with the fact in mind that such collected or generated data must be safely kept at least for the whole life of the individuals (which can be more than 100 years).
These principles are not only there to protect personal data, but also to sustain our digital economy. We all know how bad the consequences of the NSA revelations were for the US digital industry. Many people and institutions became reluctant to use services or store data in the States, because most citizens, even in the States, felt betrayed.
The solution is to safeguard trust. I’ve changed my Twitter profile, as I no longer use the term « security » in my description: building trust is much more powerful for me, as it embraces both security and privacy. Bringing trust to individuals and all Internet users, whether they are people, companies or institutions, means having the right balance between security (to protect data) and privacy (to protect people).
Thank you for reading. Spread the word, and feel free to link to this page or quote the contents. Because trust matters!