In security, we talk about trade-offs all the time. Recent events have highlighted that whether or not we are doing it consciously, we are making decisions about security versus privacy versus convenience daily. The examples are seemingly limitless, and how we feel about them can change very quickly.
I am one of many folks who take advantage of centralized storage that can be accessed from many different devices. This use of cloud for convenience is very common; from iCloud to Evernote. How often, though, do we weigh the trade-off between convenience and security? Would you put personal information in a note that you can access from your phone, tablet, and laptop? When we embrace new technology, we don’t often invoke healthy paranoia.
It’s hard to forget the first time I noticed advertisements displayed while looking at Gmail were keying on the content of my email. That feeling of having someone looking over my shoulder as I read and composed emails could best be described as ‘creepy’. What’s interesting is the discomfort faded very quickly. Something that only a few short years before would have had me running away is now commonplace. For convenience, we accept that we’re digitally dissected by companies that provide us with free services (at least free in the monetary sense).
At some point, we gave-up privacy for convenience, and now we think nothing of using Facebook, Gmail, and other free services. Most of us aren’t aware we made the decision, but we most certainly did. A good question to ponder is: has this left us more vulnerable? The recent Associated Press (AP) Twitter account hack is an interesting example. The attackers posted ‘news’ about a bombing at the Whitehouse, which created reverberations in financial markets. Indeed, it seems obvious that our thirst for instant and convenient news has created new vulnerabilities. It is possible that someone could take advantage of such an incident by shorting stocks, thereby profiting on sudden, though short-lived, drops in stock prices. The next logical step is to actively induce such an incident. As I monitor news feeds in near real-time, I see there is speculation about this very incident. I’m keenly aware of the contradiction of pondering this point, while refreshing a web browser frame every five minutes.
Is there any upside? Certainly, I haven’t lost an email on Gmail, ever. Availability varies across services, but generally, I’m not locked-out of my data (notes, personal email, or whatever else) very often. It’s somewhat more likely that I’ve forgotten the password that I used to secure an encrypted file I’ve dropped on a cloud service. On the other hand, unless I take additional steps such as encrypting and password protecting, there is a risk that a data breach can result in my data being compromised. The mortgage papers that I used to keep in a safe at the bank were all but impossible to steal. However, if I needed to check them, it was a hassle. Now I can scan and upload a copy that is simple to check from just about anywhere and at anytime. To gain convenience, I’ve accepted some risk that they may be found by folks who certainly wouldn’t be able to get them from a bank vault.
Another example is security cameras in London. That they are everywhere must mean that people, rightly or wrongly, perceive that they provide some value (security) despite a loss of privacy. Or another example of tradeoffs are things like many of the loyalty programs, we have also traded privacy for something that we perceive as being valuable.
In fact, watching the behavior of teenagers online leads me to believe that they don’t weigh privacy and security against convenience because they have absolutely no expectation of privacy. I have shaken my head at what younger family members will post online, yet I accept that it’s normal. To them, advertisements in Gmail aren’t creepy because, well, they’ve always been there. These are the people who in a decade or so will be handling data for organizations. I’m not quite old enough to entirely bemoan that the younger generations ‘just don’t get it’, but I’d be lying if I didn’t admit that the thought concerns me.
In this increasingly connected and cloudy world, we now see amazing things. I am struck at how connected we are via Facebook, Twitter, news feeds, and so on. It seems that as soon as a celebrity missteps, the world knows about it, however dubious the value of having such information may be. On the other hand, I was struck by how quickly police narrowed-in on the two suspects in the recent Boston Marathon attack. Surely the connectedness and availability of information played a positive role.
With public cloud computing and associated technology, companies are also making trade-offs. You could say that once the CEO decided that being able to check corporate email from a tablet is a must-have, a trade-off between securing corporate email and convenience has been made. Security will, of course, try to keep-up (quick, encrypt the tablet, enforce a password policy – now he’s reaching for his smartphone – oh no, he left his laptop at the airport!).
While large, established organizations may be somewhat more cautious, start-ups increasingly leverage public cloud. If you want to appear big the day after your new company launches, you leverage hosted email, public cloud for your website, human resources software as a service… the list goes on and on. In making these business decisions, are companies aware of the trade-offs, or is it simply the way things are done now? Having worked in security for some time, I propose individuals and organizations are doing the best that they can to keep-up with the pace of life, and pondering the security implications is viewed as slowing things down. We in security may not agree, but it’s the new reality.
We also rarely ponder data ownership. Information that is developed about me via a loyalty program, for example, and mined using Big Data techniques, is information about me, but it’s not my information. I have signed it over to the loyalty program, even if I don’t understand the consequences. This is different from other areas where we have firmly assigned ownership and responsibility (healthcare and finance come to mind). In these areas, the consequences of lost data affect me, but it’s the institutions holding the data that are responsible for its wellbeing, and there are strict rules built around how the data can be used. While I might think of my shopping habits as a fingerprint that is unique to me, it doesn’t belong to me. If I’m walking down a London street, images of me aren’t mine; the email that I send and receive on an Internet email site isn’t mine, and so on. Again, we in security may not agree, but that’s the reality.
In the end, as individuals and as organizations, we often err on the side of convenience over security and privacy. It has become so widely accepted that only the largest data breaches seem to get much attention outside of security circles. We think nothing of giving-up control of our data multiple times each day. Most people don’t want to be thought of as luddite curmudgeons, and most businesses don’t appreciated being characterized as glacial in their adoption of new technology. Maybe, though, we have gotten a bit ahead of ourselves and need to regain our appreciation of the tortoise versus the hare. After-all, what’s not to like about a boring bank or a dusty book made out of paper, at least until you need cash at midnight or leave your book at the airport?
Related Reading: Privacy Statments – Where Size Matters