If a Tree Falls in a Forest, Is Your Privacy Violated?Optio Labs
This week, Congress voted in favor of the Cyber Information Sharing Act (CISA), which means that privacy rights have come into the spotlight. CISA allows private companies to share threat intelligence and other information with the federal government in an attempt to prevent data breaches. In theory, agencies working together (FBI, DHS, etc.) with private companies will become stronger than a single organization attempting to deflect organized cyber crime. In essence, by sharing private threat information with the government, they are hoping to make us more secure.
“If a tree falls in a forest and no one hears it, does it make a sound?” has implications for the security world. If you have no idea your data has been leaked, is it still a violation? (hint: of course it is)
The Real Stranger Danger
Between Facebook, Instagram, Twitter, and other social networks to online data storage and file sharing tools like Dropbox; the personal and business world is increasingly merging. Individual bits and pieces of our online identities are indexed and cross-linked, whether it’s your name, address, purchase history, credit history, phone number, travel preferences, employee history, or even down to your activities, likes and dislikes.
The fact is, whether you experience it or not, a complete stranger can follow your digital footprints every day, living your life vicariously at the end of a web connection. This is creepy, alarming, and not at all what people have come to expect as a standard of privacy.
While much of the world is comfortable sharing their thoughts on social networks and in a public forum, those same people would be appalled at how much information can be gathered about them with a little effort. There’s a fine line between defining consumer privacy rights and defining meta-data collection parameters that know a little bit about all of us.
Despite privacy advocate objections, CISA passed the Senate 74-21. CISA may have the effect of enabling an expanded program of quiet government collection on individual’s data. While the legislation states that data being shared can be stripped of PII, we have to wonder how easy it would be to put it together again to identify individuals and all of their activity.
We’re also concerned about the government’s ability to keep our data safe. The last five years have demonstrated a series of enormous breaches to supposedly secret and valuable government data stores. From WikiLeaks to Edward Snowden, to the recent Office of Personnel Management (OPM) breach of millions of very sensitive government worker records; the government’s record of protecting their own data is not good. How do we know the new CISA repositories are going to be any better protected?
We are believers in working to improve security and privacy for individuals and businesses. There is a huge potential benefit to sharing best practices and threat information within the industry, government and academic communities. However, let’s be realistic and admit that no-one has such perfect personnel, processes, and systems in place that they are immune to any threats.
Placing consumer information in a giant CISA repository is as much an invitation to attackers, as a tool for defenders. Let’s hope the next tree we hear falling is not an announcement that the CISA system has been breached.