Allow me to nitpick for a moment: There’s a difference between data and information.
Data are the facts or details from which information is derived. As such, standalone pieces of data are rarely useful. It’s not really information until data points are connected with context to tell a story.
In the military, they call this a compilation of information, where individual pieces of data in themselves are unclassified, but when multiple pieces of data are put together, they paint a picture that could be considered Top Secret.
This nuance is more relevant than ever as the world continues to undergo what is broadly referred to as “digital transformation”—the movement of services, processes, and social, personal and business activities into cyberspace.
Most would agree that, for the most part, this movement is an advancement that enhances our lives and frees us to focus on other things. For companies, services like cloud sharing mean employees can access important documents anywhere. Electronic medical records improve hospital efficiency and open up physical space previously needed for storing files.
Consumers receive the benefits of new services, whether it’s finding a product online that would have taken days to track down physically or transferring funds without driving to the bank. People who haven’t seen each other in 20 years suddenly can reconnect. People who were adopted can find long-lost parents or relatives. The convenience and connections offered by digital transformation have become integral to our society and our economy.
But with each new digital industry, process or service comes a new data source that can be compiled and cross referenced. Thus, for all its benefits, digital transformation is also introducing new ways to see into people’s lives, activities and business operations. Data points that, in themselves, would never have been considered personally identifiable information can now be connected and correlated, creating a level of personal and business risk with potentially negative outcomes.
Malicious entities today are sophisticated enough to leverage that information in ways that were never anticipated, correlating data to draw conclusions. Machine learning can be applied across thousands, even millions, of data elements to anticipate details that humans wouldn’t necessarily see on their own.
The potential consequences of these capabilities are serious. In late 2017, a military analyst noticed that data from the Strava fitness app revealed sensitive information about U.S. military bases. A “heat map” from the service’s fitness data—all voluntarily supplied by users—showed patterns of runs and marches that may have compromised top secret military facilities around the world.
In a similar case in the consumer realm, Under Armour’s MyFitnessPal service was compromised earlier this year. The company’s popular fitness tracker handles routine information like names, addresses and ages, and it tracks users’ diet and exercise—the kind of information that seems benign on the surface but can be used for targeted marketing campaigns or even phishing and social engineering attacks.
Today on social media, there’s a wealth of that same kind of seemingly harmless information. Where do you get coffee every day? What airlines do you choose? What apps are you using? Where do you work?
In some ways, this is far more dangerous than what would originally be considered personally identifiable information, but there’s no regulation that says that any of it needs to be secured—plus most of it is being provided voluntarily.
Personally, I’m using more than 100 apps that do different things. And I don’t want to give up any of them. The goals of digital transformation—making people’s lives more convenient, giving businesses and government entities new tools to connect with people—are ultimately productive.
But for those of us in the security industry, we need to think about the negative consequences of how this data could be used. As digital transformation continues, our reclassification of what we consider personally identifiable or sensitive should evolve with it.
As every new service comes online, the data set becomes larger and the ability to correlate with a growing number of data sources becomes easier, exponentially increasing the value of the information and the potential ways it can be used against you. Protecting people, businesses and institutions in this new world means understanding the nature of each digital data source and the motivations of those who may seek to compromise it.