The story of data, Part 4: Will it ever be truly secure?
Breaches. Hacks. And a growth industry in data protection services. Still, most experts are skeptical that data can ever really be safe from infiltration.
As we’ve discussed in prior installments of this series on data, last year saw more breaches than ever before. And just this year, we’ve been consumed with news stemming from revelations that data firm Cambridge Analytica used data from Facebook to target as many as 87 million users for political purposes during the 2016 US election campaign.
Data is an inherently vulnerable thing. Numbers and words, bits and bytes: It can have great power, but it is continually in peril of being exposed by bad actors — or just bad data management.
Increased data security is a desired outcome of the General Data Protection Regulation (GDPR), which came into full effect last week. This European law governs the handling of European Union members’ personal data, no matter where it is. But it has far-reaching implications as companies all over the world scramble to determine how it will affect them. It’s too soon to tell what kind of effect it will have, but we are watching closely.
Blockchain’s big promises
Many security experts think that blockchain technology is the holy grail for data security. Its shared public ledger would seem to provide a level of transparency that data management sorely needs.
We are starting to see some solutions, but most are still in the planning stage. Last year, Zug, Switzerland, revealed a partnership with Uport, creating the first publicly verified government-issued ID system on blockchain. The platform gives citizens access to government services on the Ethereum blockchain, which is apparently just the beginning of plans to implement the technology. According to a blog post by Uport:
Not only does digital citizenship enable more trust between citizens and government agencies, but it also opens up new and significant opportunities for improved digital interactions between people and governments. For Zug, there are plans to offer an e-Voting initiative in Spring 2018. These are very exciting times.
Still, some say that the amount of energy required to run blockchain is untenable and will doom the technology. What we do know is that there’s a lot of money and innovation happening in this space; whether it lives up to its promises remains to be seen.
Machines are not the issue
Customer data platform ZyloTech’s CEO, Abhi Yadav, says data will never be secure, “however, we are certainly moving towards far better data governance and a security-conscious world.”
Yadav says that even though the use of artificial intelligence and machine learning makes data more vulnerable, machines are still the superior choice for data handling.
“Machine-to-machine data handling is much more secure than human data handling,” Yadav said. “It’s relatively reliable and protects against human error … Automated data platforms that unburden data and marketing teams from the tedious and time-consuming parts of their day-to-day data to-dos are the new trend. This frees teams up to focus on higher value things like campaigning, research and segmentation.”
No such thing as zero risk
Ann Cavoukian, a privacy expert who popularized the idea of privacy by design, told me that a world where data is completely secure and free of risk is impossible, and it doesn’t make sense to aspire to that ideal.
“The myth of zero risk is that there is no zero risk anywhere in the world,” Cavoukian said. “You know, you send your kids to school, you tell them to look both ways [when] they’re crossing the road. You pray that they’re safe. But things happen, unfortunately.”
It’s better to use proven processes and tools and drastically reduce risk, something Cavoukian says is possible.
“We can reduce the risk of privacy harm to less than .03 percent, which is less than the likelihood of being hit by lightning if you go outside when it’s raining. I think most people would consider that to be really good odds,” Cavoukian said, adding that currently available encryption methods such as public key and end-to-end are very secure protocols.
“Are they perfect? Could they ever be hacked? Anything can be hacked, but they resist most attempts. So yes, you can have secure data, you can preserve privacy, just don’t be unrealistic. And having an expectation of perfection, because that doesn’t exist anywhere,” Cavoukian said.
Security protocols exist: Use them
I asked Cavoukian if she thought that companies were using any of the sophisticated encryption methods she mentioned.
No, they’re not. And that’s the problem. You’ve got all of these unbelievable data breaches happening on a daily basis, massive data breaches — I lose track of how many there are.
There are just so many and it’s absurd because I’m betting that if you go in, you will see that the data were never encrypted. There were never strong security protocols attached to the data. You have to have a little bit of effort upfront to secure the data and to make it inaccessible except to the people within the company who are required to process it.
Consumers don’t seem to care
The truth is that despite the data breaches, despite the data scandals, consumers continue to trade away their privacy for convenience at an alarming rate. Just a little over a month after the Facebook/Cambridge Analytica story broke, Facebook posted $12 billion in revenue growth and a slight spike in daily active users. Until consumers start holding companies responsible for data security, businesses have little incentive to make it a priority.
It’s possible that GDPR and Europe’s subsequent e-Privacy regulation will help to usher in more security by demanding that data handlers adopt more customer-forward policies and procedures. Just last week, Vermont became the first US state to pass a law tightening the reins on personal data brokers with new rules and more stringent oversight. And a proposed California ballot initiative would give consumers the right to ask businesses what personal data is being collected about them and how it’s being used, and allow them to opt out of further collection and usage.
Cavoukian summed it up: “Lots of things can happen to data. That’s why you have to go to great lengths to secure the data. And that, largely speaking, isn’t happening.”