Sophos Cloud Optix
For an alternative view on this, read our accompanying article by Naked Security’s Mark Stockley, ‘Is data privacy a more important concept than ever?’
I work in SophosLabs on the Data Leakage Prevention (DLP) team. Sophos DLP analyses the text content of documents to identify privacy- and confidential-related information before it leaves our customer’s networks.
As the DLP team leader I manage our definitions of what is classed as privacy-related information, and I spend a large amount of my time having to understand and question exactly what is and what is not “Privacy Data”.
Nowadays people post publicly on various social media sites about where they go, what they do when they’re there and with whom they do those things with.
For some people, it seems as if they put their whole lives on display.
They are often, themselves, posting the very information that organisations go to great lengths to try to protect.
So are we trying to protect privacy based on past social values? Are we old-fashioned in trying to keep a lid on the social media generation?
Social norms change over time. Attitudes to unmarried mothers, sexual preference, social mobility, religion, race and the expectations of life are starkly different from even 50 years ago.
Many changes in the past have been influenced by popularisation of new technologies, such as the printing press, motorised transport and television.
In many places, internet usage has become more universal than being able to drive a car and is therefore having an equivalent level of impact on society.
To many, not using Twitter or Facebook is seen as something from a bygone era.
Can we live without each other’s personal data?
Data that is about us, our property and our lives is shared and processed in more ways than can be calculated. From the age-old service of telephone directories to choosing the best schools, we are using information that is based on personal data or statistics.
When planning to buy a house we want to know about local crime rates, flood risks, and the quality of the schools or hospitals.
Directly or indirectly, our activities use personal-related data on a daily basis, and if enough of us were to object to our own pieces of that data being used we could impact public services, commercial businesses, research institutions, news media and much more that relies on the complex inter-weaved net of data.
Where will you hide tomorrow?
There is a lot of hype currently around devices such as Google Glass. As wearable computers become more common, surely society’s acceptance of a lack of privacy will have to follow?
Google’s StreetView has been forced to mask specific houses or even whole streets because of privacy objections.
But preventing a view of one’s house frontage doesn’t stop the layout of the grounds and contents being visible from satellite maps.
And with the first commercial video satellite system soon to go on the market, and the increase in popularity of similar publicly-available technologies, it’s likely to make the censorship of Google’s StreetView images moot.
So perhaps privacy is irrelevant now? Maybe it’s time to accept the brave new world of data freedom – to throw away our virtual modesty and feel free to expose more of ourselves to the world?
Legislated “Sensitive” personal data
When it comes down to it, is it only whether we are embarrassed about something that defines whether it is really private?
If society should become blasé even about such things as having, say, a sexually transmitted infection then would it be a breach of privacy to let that become public, even without the individual’s explicit consent? After all, would you worry now if someone blogged that you seemed to have a common cold?
In the 1950s being gay was illegal in many places and people were convicted and sent to prison for such a ‘crime’. Now if somebody were to mention to me that they are gay I would think, “So what?”.
There are pieces of person-related information that are explicitly enshrined in various data privacy legislations as “Sensitive Personal Data”. Yet the reasons for these are, hopefully, rapidly moving towards being obsolete.
These sensitive personal data items are only so due to largely historical discrimination reasons that were still a major concern when these legislations were first written.
Do they still need to be seen as “sensitive”? In fact, some special categories – such as race, gender and nationality – along with the corresponding personal data, are in most cases protected and deemed not ‘relevant’ for recording unless there is a clearly stated reason for doing so.
Take these four attributes:
- Your sexuality
- Your IP address at home
- Your race
- Your Skype address
Which is the most sensitive? Well, 1 and 3 are often given extra legislative protection over that of 2 and 4.
Disclosure of your home static IP address could make you vulnerable to crime, yet this computer equivalent of your postal address is often not explicitly mentioned in personal data privacy directives.
So what am I saying?
It’s not that I’m saying that data privacy is unimportant. Unfortunately in the real world not everyone one has evolved to the point where prejudices don’t exist. The security reasons for some data privacy is more urgent now than ever before.
But data privacy should not be done by rote, instead it should be done with thought and consideration.
As data controllers we should think beyond protecting A, B and C just because we are told to while ignoring the unmentioned X, Y and Z. As a society we need to be discussing the current privacy directives in terms of what is, or is not relevant.
And over time, as individuals, we will need to adapt our own concepts of privacy to fit closer to society’s ever evolving concepts.
There always will be someone who wants to use and abuse that information for profit and exploitation. So anyone who is a caretaker of personal data still needs to ensure that they leave decisions on what is no longer private to the data owner – the individual.
But let’s also keep our minds open that ‘personal’ is about being living, breathing people and not something to be imprisoned under lock and key.
Except for the new proliferation of data mining companies I can’t think of anyone on the planet who is interested in the cereal I had for breakfast, what I picked up at the grocery store or my bowling scores from last night.
None of the items in your list is posted anywhere **by** me, although I am sure they could be found out by someone determined enough.
I now find myself positively obsessing over what you had for breakfast. I had toast and marmite.
Perhaps they are! The supermarket which you bought the cereal from would be interested to know which branch do consumers normally purchase this particular brand of cereal from. If most people purchase brand A cereal from branch X, perhaps I should supply branch X with more cereal. An aggregation of bowling scores might indicate if my customers are professionals or casual players in bowling. This might be important to determine should I replace my bowling equipment often to better cater to my customers…will it make a significant difference to them so that they might bowl here more often?
Then again I believe in this age, most, if not all companies significant in size will do some form of data mining on their customers to have an edge over the competition. 🙂
It’s not just the cereal you had for breakfast it’s the times you shop, what you buy, how it changes over time, what promotions you responded to when they mailed you etc.
You can tell if somebody is pregnant from the way their shopping habits change. It’s not a leap to imagine you can tell if somebody is getting a divorce or if the kids have just left home. You can probably coordinate data from different stores and take a rough stab at where people live or when they’re on holiday.
Big data is not about the individual data points like what cereal you ate today, it’s about the emergent properties of having massive numbers of data points.
There is more than one reference in this article to the strange amorphous, anonymous entity known as ‘society’. To use a fuller quote by Margaret Thatcher: “…who is society? There is no such thing! There are individual men and women and there are families and no government can do anything except through people and people look to themselves first.”
In other words, it is for individuals to decide what is to be private, and for the government to provide suitable legislation. Collectively we as individuals can – and should – discuss the issue of privacy. But imho privacy must never, ever, be driven by fashion.
Just because the Facebook generation think nothing of posting their personal details online does not mean that such an attitude should become the norm and that organizations need do nothing about protecting a person’s data. Equally, is must remain an infringement of a person’s Rights – and thus illegal – if someone posts without permission private data that is not their own.
Privacy must remain the default, and it is for the individual to decide what they choose to reveal. That way, everyone is catered for.
Well done , you have hit the nail right on the head. Privacy is a personal matter and choices made by others should not effect what is acceptable to those who cherish their privacy. Tell the world on Facebook etc , anything you want ,if you’re silly enough, but don’t let your trumpeting affect my rights
I also agree strongly with this sentiment myself, in case anyone thinks otherwise.
The “person” should consciously decide what is, or is not, “personal”. Unfortunately people, particularly youngsters, are making this decision by unconscious actions.
The original concept of Social Media is a fine one but I don’t think it is necessarily a safe one, which is a shame. And some of the implementation of social media systems where they slurp up your email address books are in my mind very dangerous.
I think this post is really confused, in part because you don’t define what you mean by privacy. A common misconception is that privacy is about secrecy. It’s not. It’s about control of information about oneself. (see Alan Westin’s classic 1967 definition.)
In the swim suit photo you posted it is not necessarily the case that people wearing next to nothing on the beach have any less privacy than the Victorian’s wearing massive full-body suits. In fact,you could argue that the people in the age of bikini have more privacy because they have much more control over how little or much skin they want to expose to public view than the Victorian beach goers did.
The issue is rather different when you come to computerized data. Back in the Victorian era and really up until the 1950s data about people was in filing cabinets. It was difficult to collect, combine and process. So by default individuals had a lot of control (relatively speaking).
That’s not the case now. We’re all disclosing information about ourselves constantly and that data is often being accessed and used for purposes we have little or no control over. If I don’t want my location tracked I can give up using a cell phone, driving a car (to avoid license place scanners and the chips embedded in the tires etc.) but how practical is that if I’m not inclined to be a hermit? The disclosure isn’t really voluntary.
The flip side of all this, which you don’t mention, is that as an individual I have little control over data about myself but someone does: corporations and government agencies. What data these organizations have access to and what they do with it is often secret and therefore not subject to public accountability (except when the data is leaked, often in violation of the law). A society where individuals expose massive amounts of information about themselves to secretive state and corporate institutions and in which individuals exercise little control over than information is not a free society.
Questions like “Is data privacy an out of date concept?” is the equivalent of asking “is the concept of state accountability an out of data concept?” or “Do you want to be powerless and live live in a world something like those imagined by Huxley, Orwell or Zamyatin?”
Not providing a definition of “privacy” is deliberate as one of the points of the article is to discuss what that definition should be, as opposed to what is defined in legislations first drafted during the 80’s.
This is something you have done nicely, so thank you.
Another point is that we should consider what information should currently be treated as particularly important to our privacy, i.e. what could be seen as an intrusion to what we feel as private?
Again thank you 8¬)
For instance you mention location tracking, and protecting geo-location data is something that has been explicitly raised as a concern by some of our customers. Whilst, other than compliance purposes, I am not aware of protecting race or gender information having been raised as a concern by our customers. Though our customers are businesses, so their concerns may be biased to security and privacy compliance rather than personal privacy in it’s own right.
We are not about to stop protecting ethnicity information. But questioning what should be protected is important, as is reviewing the relative importance of types of personal data.
But I am also a real ‘person’ in my own right who beliefs in privacy. As such I currently do not have a FaceBook account and warn my grand-kids to be careful in how they use it.
I dont use any socialmedia, i may be on facebook once every few months when i got too bored. I appreciate that companies look into my interests and habits so that i get information’s and offers tailored to me. I dont have anything to hide, and when i have crucial data I encrypt it.
If were going to go with “society” then there can’t be any strict policies for privacy. How many actors get chased with flashing cameras? How many bloggers are looking for a story?
I think privacy is outdated from the aspect of “Hey I don’t you to know how old I am.” You should be more concerned with keeping electronic transactions you do private than your age when you post on facebook or some other media site.