Privacy vs. SecurityDo today's models work with the Internet of Things and its cousin, big data? By: Brian Dean - Principal Security Consultant
Rarely can consumers or even security professionals properly articulate the differences between privacy and security. This article will define each, but more importantly, it will provide a rationale for building both into emerging technologies. This is a business imperative as the burgeoning "Internet of Things" reaches 50 billion data collection points in the next few years. (1)
Privacy is often defined as having the ability to protect sensitive information about personally identifiable information, while protection is really a security component. Others define it as the right to be left alone. Still, this doesn't cover today's privacy in a data-centric world, hence the confusion. In the industry, privacy really focuses on the following concepts:
- What data should be collected?
- What are the permissible uses?
- With whom might it be shared?
- How long should the data be retained?
- What granular access control model is appropriate?
We typically define security as the protection against unauthorized access, with some including explicit mention of integrity and availability. Security controls are put in place to control who can access the information, while privacy is more granular, controlling what and when they can access specific data. For example, if you bank with a national financial institution, all of the tellers in the country may be provisioned (i.e., granted security access) to access your account detail. This provides the flexibility for you, the customer, to visit a branch in your hometown, a branch on the west coast during a business trip or a Florida branch when vacationing. But privacy is another layer. While the teller may be provisioned to view all customers' account detail, privacy only allows access when a business need exists; such as a customer walking into a branch in another city to access their accounts. But privacy disallows that same teller viewing their neighbors account balance or perhaps the balance of a famous person, just because they are interested – despite their access privileges granting them access.
So the business application of the terms privacy and security are very different, with significant overlap. The old adage reads, "You can't have privacy without security, but you can have security without privacy." Let's exam why this might be true, but first address the amount of data being compiled, the improved abilities to leverage that data for business decisions, and new internet-enabled devices that are collecting the data – often without consumers' knowledge.
Even Innocuous Data Collection Creates Vulnerabilities
Today we are collecting data at an unprecedented rate. The volume, velocity, and variety of data being gathered through the internet and other technologies is estimated to be over 2.5 quintillion bytes of data a day – that's 2.5 followed by a staggering 18 zeros! (2) IoT privacy and security concerns start with the new and creative modes of data collection. The IoT, from smart watches to interconnected home security devices, offers innovative channels for data collection that were until recently imperceptible.
Existing privacy and security notions may be inadequate for the ubiquity and invisibility of data collection technologies. For example, the same data many fitness wearable devices collect and use to help consumers monitor their heart rate and track of their daily exercise routine could also be aggregated, correlated, shared, and retained to build a very intimate picture of individual's daily health habits, vulnerable to misuse. Tracking a workout program may be helpful in improving your health, but your life insurance companies might find this information useful when underwriting a term life policy.
However, too often privacy and device security are afterthoughts, as they increase development costs, lengthen testing, and slow speed to market. For example, recently exploited DVD and digital video recording devices enabled attackers to turn practically an entire company's product line into a botnet attacking United States based companies' internet infrastructure. (3) For this particular example, the devices had the password hardcoded into the firmware, so the passwords were publicly documented and could not be changed. This lax security could enable someone to breach privacy, by using a default password to gain access to the video camera remotely. Engineering security controls into the devices, sometimes called Security by Design, would have better secured these devices, the data they collect, and consumers. The capturing and sharing of all of this information, often monetized by businesses, is a threat to privacy; albeit often lucrative for business and bad threat actors.
The policy landscape remains fragmented as regulators grapple with the ubiquitous nature of the IoT, the promise of convenience, and lucrative business model; all through the lens of consumer indifference. Without client demand for privacy and security, businesses have little incentive for building these into their products.
Who is Responsible for Protecting Personal Data?
So what does this mean for U.S. consumers, businesses, and legislatures? While the political landscape is undergoing an evolution of sorts, political action committees and deep pocket businesses will likely continue to discourage new U.S. privacy legislation, but security legislation will gain traction over the next several years. The E.U. along with other countries will continue to evolve their consumer protection, including comprehensive privacy and security legislation.
U.S. consumers will need to be more diligent in protecting themselves. While we know few read the terms and conditions when it comes to apps and websites, to protect their own privacy, consumers might need to be more discerning about who they grant access to their information. Consider security implications and data encryption options when making purchases that store personal data. Businesses can elect to adopt privacy by design (e.g., capture less data) and security by design methodologies (e.g., use strong passwords that must be changed by the consumer), not because it's lucrative or required by statute, but because it proactively helps protect consumers. Perhaps this will be seen as a compelling market differentiator, but until such time, expect the proliferation of IoT and big data to continue unabated. Data stores will grow exponentially as will the sophisticated data correlation algorithms.
As IoT interconnectivity and our reliance on derived data increase, hopefully to will our sophistication to properly collect, use and protect the data. Otherwise, expect businesses to find new lucrative ways to monetize the data and threat actors to find new ways to exploit vulnerabilities to harvest huge data stores. Privacy and security must work in tandem to protect big data, because once the Genie is out of the bottle, it may be impossible to put back.
 The Internet of Things – Sizing up the Opportunity, McKinsey and Company, http://www.mckinsey.com/industries/high-tech/our-insights/the-internet-of-things-sizing-up-the-opportunity
 Hacked Cameras, DVRs Powered Today's Massive Internet Outage (10-16-16). Retrieved from https://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powered-todays-massive-internet-outage/