Security Experts:

Private I's and Prying Eyes: Balancing Transparency and Access with PII

Privacy Is Impossible Without Security, and Security is Being Challenged By the Privacy Requirements of Transparency and Access.

You can have security without privacy, but you cannot have privacy without security. This means you can have excellent security, let’s say, in the workplace, if you make everyone work without clothes on a system without Internet access as you log every keystroke they make and record their phone conversations. But this environment would be somewhat lacking in privacy.

To have privacy, you must have security to protect things you wish not to share from those who are interested. A simple form of security to maintain privacy is the window curtain. Privacy relies heavily on security. But the relationship becomes strained when it comes to transparency and access.

Privacy and SecurityTransparency and access mean that people should be able to see what information is collected about them and be able to update or delete this information. Last February, the White House released the Consumer Privacy Bill of Rights that included the principles of transparency and access. In July, the Commerce Department started holding meetings to decide concrete enforcement terms for the Privacy Bill of Rights with a focus on creating a consumer data transparency code of conduct for mobile apps. California’s Attorney General’s office is going after app developers that don’t have privacy statements and clear descriptions of how data is collected and used.

Transparency and access are rising in priority in the US and in the EU. The EU, while it is not law yet, would have transparency and access go so far as to grant people the right to be forgotten. This idea, being socialized currently by Viviane Reding, the Vice President of the European Commission, would mean that Google and Facebook would have to dump a person’s personal information on demand. Unsurprisingly, they are not huge fans of this.

How Does this Affect Network Managers and Security Professionals?

Implementing the systems required for transparency and access creates a host of technical challenges. For example, allowing consumers access to their information means that network managers have to develop and implement policies and procedures to allow access and modification. This leads to a huge authentication issue. Is it your customer, partner or employee wishing to see their information or is it someone posing as one of these persons? Imagine there is a boat with holes below the waterline for the propeller and the rudder. Holes like this are, of course, necessary but each additional hole, like water intake to cool the engine, means one more way for water to get in.

Now, think of this in terms of your network. Consumer access will create a huge hole below the waterline. And the way you implement the access needs to be transparent and user-friendly for the consumer. It can’t be a treasure hunt to find and modify information.

What Should You Be Doing?

Start thinking now about what information your company has that could be considered personal information. First of all, what is personal information? Under the California Online Privacy Protection Act, personally identifiable information includes first and last name, physical or email address, telephone number, social security number, or any other identifier that permits the physical or online contacting of a specific individual. Second, do you collect any of this data? If so, where do you store it and how would you give a customer access to this info, allow them to correct misinformation, and possibly remove this information from your database?

How Is This Really Going to Play Out?

While I think security professionals need to prepare to be a part of the transparency and access solution, the implementation will be limited and the right to be forgotten will have an even more narrow scope. What is coming, instead, is a higher expectation that companies: 1) know what information they are collecting, where it is stored, how it is used and whom it is shared with, 2) describe all of this in understandable language for the user, and 3) have a rock solid plan for ensuring information is aggregated and made anonymous in a way that even disclosure will not automatically lead to financial harm or personal embarrassment to the data subjects. This last one is no easy task in the age of Big Data pinpoint profiling. Companies are going to be faced with the choice of greater transparency and access (creating holes below the waterline) or re-thinking the way they collect and use information in order to de-link it from the individual.

Privacy is impossible without security, and security is becoming more of a challenge with the privacy requirements of transparency and access. For companies concerned with the security burden of implementing transparency and access and loath to allow folks to be forgotten, the solution will be to devise new ways to collect enough information for the business purpose but not so much that the data subject has cause for financial or personal concern. Companies that solve this dilemma will see their futures rise above others.

view counter
Gant Redmon, Esq., is General Counsel & Vice President of Business Development at Co3 Systems. Gant has practiced law for nineteen years; fifteen of those years as in-house counsel for security software companies. Prior to Co3, Gant was General Counsel of Arbor Networks. In 1997, he was appointed membership on the President Clinton’s Export Counsel Subcommittee on Encryption. He holds a Juris Doctorate degree from Wake Forest University School of Law and a BA from the University of Virginia, and is admitted to practice law in Virginia and Massachusetts. Gant also holds the CIPP/US certification.