by Frank Catalano
Happy Data Privacy Day! The first round of credit card numbers is on me!
Yes, this is Tuesday, Jan. 28 really is Data Privacy Day in the U.S. and Canada, commemorating the 1981 signing of Convention 108, an international treaty dealing with privacy and data protection. (In Europe, where it originated, it's known as Data Protection Day.)
Safeguarding one's personal data may seem Sisyphusian in the wake of enterprise-level consumer breaches like those recently at Target and Neiman Marcus. But if you, like me, are concerned, I’ve found it helps to unpack the concept of good personal data hygiene into three elements, each with increasing levels of individual control.
After all, to paraphrase and extend Joseph Heller’s Catch-22 observation, if everyone truly is after your personal information, paranoia is just a good strategy. (No matter how much one might whine about password problems.)
Allow me to over-simplify.
1) Security. This is how well-protected the data is wherever it is stored, largely a technology issue. You, personally (unless you work for the NSA), pretty much are SOL on this, unless you understand data transfer protocols, encryption standards, authentication methods, and can direct which of each is used by an organization that holds your personal information.
Forrester Research recently weighed in on the authentication (that is, proving to the system that you are who you say you are, and that you have the right to get in) part in a dizzying-yet-compact report, “Employee and Customer Authentication Solutions,” that bluntly states, “Current user authentication methods are failing organizations badly.” Rather than concluding that entropy will win, it hopefully points to a “massive third generation of innovation” including the rise of smart mobile device methods, and the concept of “responsive design” for authentication that takes into account how someone is accessing the system, any contextual clues as to legitimacy, and overall risk.
It’s somewhat like how TSA determines a traveler is qualified for an expedited security PreCheck, but without the full-body-massage fallback.
Individuals have – and want – more influence here. Nonprofit Common Sense Media this month released a national survey that shows, for example, 90% of U.S. adults are concerned about how “non-educational interests” might be able to get to and use personal information about students. Whether those “interests” actually could get or use it (or even want to) is a separate but equally important matter. Still, another study done by Fordham University notes that a “sizeable plurality” of school districts using web-based services for student data had contract gaps, such as missing privacy policies. (Interestingly, Microsoft helped underwrite this study.) Not to mention that kids interact with consumer sites and apps outside of a school environment.
Apparently a few parents and school administrators may need to study up on tech, or perhaps contract law. As might anyone who relies on another party to store personal information, to make sure assumptions are backed up by documented assurances.
3) Practice. The third element effectively is a mash-up of the first two: how well they are implemented under real-world conditions. And here is where the individual is in the most control and, if recent reports on self-inflicted injuries are any indication, is the most screwed.
A summary of the 2013 IT Risk/Reward Barometer from ISACA (an association of information security professionals) finds that while nine out of ten of us worry that our information will be stolen, half of us use the same two or three passwords across multiple accounts and websites.
While it’s true that many sites don’t make remembering strong passwords easy due to maddening inconsistencies across sites and even across platforms used for a single account, there is no excuse for using, say, what security firm SplashData called the Worst Password of 2013 (123456) or any of the runners-up (password, 12345678, qwerty). These are actual user passwords revealed as the results of data breaches. You know who you are.
It’s similar to how some website administrators never changed the default webserver login from “admin,” and then wondered why their sites were hacked. That happened, too.
So is there any hope that developments in security can help address practice, the weakest individual human link in personal data safety? Especially since we are, by nature, lazy and easily bump up against what we consider tolerable demands on convenience and memory?
“When technology arises that offers direct privacy and security benefits that individuals value, along with removing user experience friction in achieving it, then we’ll see uptake,” observes Eve Maler, who, as principal analyst for security and risk, co-authored the recent Forrester Research report. Responsive design in authentication is one reason for optimism: “The whole goal is inconveniencing the good guys the least, and the bad guys the most,” she says.
Some of those technologies will include our current BFFs, smartphones (such as approaches like PassQi’s, which uses iPhones, QR codes and bookmarklets to authenticate us with sites we choose – and gently advises us to avoid bad or duplicated site passwords). Just remember to also lock said smartphone’s screen, too, with a thumbprint or PIN.
But personal information is not safeguarded in isolation. Rock-solid technology and vigilant practice fails when confronted with a leaky policy for privacy. If you don’t address all three, you’re not really addressing it at all.
Or, to paraphrase another great literary figure, Pogo: We have met the enemy when it comes to personal data safeguards. And he is us.