National Privacy Day is a time to look at the current state of privacy and to set the direction and tone for the future. On January 28, 2021, let’s stop and think not just about the minimum requirements of privacy legislation but rather about the world we’re building and handing to our children.
How easy or hard do we want the collection of privacy metadata to be tomorrow, in 10 years or in 100 years? Because while we can do the bare minimum and can re-architect for the future, it behooves us to take the long view here and see privacy for what it is, how big it is and how important it is to all of us.
The constant drumbeat of breaches, including the Solar Winds supply chain attacks, is desensitizing us collectively to the importance of identity security and privacy in our daily lives. In the last decade alone, billions of identities have been stolen around the world making it safe to say that nearly everyone in the world has had their identity stolen at least once.
And for many people it has been two or three times. Hyperbole helps no one in this situation and that sort of number just sounds apocalyptic. However, it loses all meaning when most people think about how little the downside of this has affected them day-to-day.
The best way to think about the privacy issues is to imagine the world using Tinkertoy as an analogy. Tinkertoy sets are used to build structures made up of hubs and connecting rods. This is analogous to us all with the hubs or “nodes” being people, objects, computers and data and the rods or “edges” being the relationship among us like “child of,” “owned by” or “used by.”
This massive structure could be taken to a ridiculous extreme and could, theoretically, represent the entire world in a shifting, powerful construct. We have a branch of mathematics ideal for this sort of mapping called Graph Theory; and this is exactly what data aggregators like Google, LinkedIn and Facebook do -- they mine the metadata about the structure and sell it for money.
It costs money to learn about this supergraph that exists, shifting theoretically and combining us all. Some of the metadata we want available for things like public safety and law enforcement, cheaply and easily. Others, we want to share selectively with like-minded people or for products and services we like. Finally, some of it we may not want to share, could be recorded wrong or we may not even know about!
Privacy is about controlling the metadata about the “real” graph structure and Tinkertoy is the sum total of the world and all its “things.” Specifically, it’s about the rule of law and about the cost to obtain this information. We want law enforcement, under the right conditions, to get data as defined by law; but we also do not want anyone else lowering the costs of obtaining any of this information. We also want to put people back in the center, controlling the nodes and edges that are about them or related to them: their family, their friends, their interests, their things.
This might be hard for many to understand and even harder to enforce, but the distinction is important: we should not only obey the letter of the laws and regulations but should lean in and do no harm to the mission of putting the elements of the super graph in control of the metadata collected and used about them.
This is an ongoing struggle. It is vital to understand - rather than just paying lip service to - the regulatory language of the day, or progressively watch our privacy erode as we downplay its importance and become more and more desensitized by the minutiae of the latest breach.
About the Author
Sam Curry is CSO at Cybereason and is a Visiting Fellow at the National Security Institute. Previously, Sam was CTO and CISO for Arbor Networks (NetScout) and was CSO and SVP R&D at MicroStrategy in addition to holding senior security roles at McAfee and CA. He spent 7 years at RSA, the Security Division of EMC as Chief Technologist and SVP of Product. Sam also has over 20 patents in security from his time as a security architect, has been a leader in two successful startups and is a board member of the Cybersecurity Coalition, of SSH Communications and of Sequitur Labs.