Why IT security pros can be scarier than the 'bad guys'

Forget about hackers and phishers. Big business wants your personal data, and your privacy is just a hurdle to be surmounted.

I thought I harbored a healthy amount of paranoia before I went to this week's RSA Conference for IT security professionals in San Francisco. But now I'm just plain scared--and not about hackers and phishers, the perennial bogeymen of the Internet underground.

No, the people who scare me even more are the security professionals who work for big business. They want my online data, your online data, everyone's online data. And they want it more than even the bad guys who make headlines.

Big business isn't evil incarnate, and the companies clamoring for our data aren't the agents of destruction who would steal our identities for profit or erase our family photos just for kicks. But to the business leaders at e-commerce sites, social networks, and even banks, online privacy is something that must be managed at best, and mitigated at worst.

It's an annoyance that must be dealt with. It's something that gets in their way.

They want our data so they can track us, categorize us, and use what they know about us to sell us something--or sell what they know about us to someone else. Or, as Trevor Hughes, the President and CEO of the International Association for Privacy Professionals (IAPP), told me directly, "Your data is the currency of the information economy."

And our online activity is minting more money all the time.

Our data is hard currency

It took just one shocking hour at the RSA conference to destroy every naive hope I might have had about online privacy. Hughes spoke to a large audience of IT professionals tasked with managing customer and user data, and named what he considered to be the hot-button privacy issues of the year: location data, facial recognition, and Do Not Track, among others. He also touched on more sweeping topics like federal regulations and public policy.

I was intensely interested in all of these issues as an active, web-surfing individual, but I also quickly realized that the other attendees in the room looked at these issues from the other side--from the perspective of their companies, which gather customer data and use it for business opportunity.

Their job is not to worry about protecting our privacy, but to worry about navigating privacy regulations, and protecting themselves from lawsuits and fines. One thorny example Hughes cited was the mobile privacy guidelines paper released by the California Attorney General's office earlier this year, to supplement the California Online Privacy Protection Act (COPPA). In a message accompanying the guidelines, Attorney General Kamala Harris encouraged mobile app developers to adopt a "'surprise minimization' approach...to alert users and give them control over data practices that are not related to an app's basic functionality or that involve sensitive information." Easier said than done on the small screens of mobile platforms, said Hughes: "That user interface is incredibly limited."

Your location, your activity, your face: all fair game

Hughes also delved into issues surrounding "contextualization"--using your online data to customize "content" (read: advertisements) to your browsing habits and personal demographics. Obviously, contextualization is already a widespread (and profitable) business tool, as anyone who's experienced targeted ads on Google already knows.

The data set used for contextualization is diving ever deeper, though. "Context will put the debate on targeted ads on steroids," Hughes told the crowd. "Not only are we going to have the sensitivity of where you've been online, but where you are in the world, and what you are doing and thinking."

Oh, but it gets better. Facial recognition, anyone? You can tell your friends not to tag you in their photos all you want, but that's small potatoes.

"We will see the anonymity of crowds dissipate," Hughes said, predicting that photos taken by other people, or by cameras installed in public places, will be used to find you wherever you are. Remember the Where's Waldo? children's books, where you had to find Waldo among huge crowds in famous places around the world? Who knew that the happy, wool-capped Waldo would be the harbinger of privacy problems to come.

Do not track me... please?

When the Obama Administration introduced its Consumer Privacy Bill of Rights in February, 2012, the bill cited "privacy-enhancing technologies such as the 'Do Not Track' mechanism" as safeguards against many of the tactics that Hughes' audience members would like to preserve. Choose not to be tracked, and web sites wouldn't be able to collect information about you. It's the ultimate protection, right? No, think again.

"Do Not Track is a very, very complicated and challenging issue," Hughes said. Indeed, there's no standard implementation for data tracking from browser to browser, and that's an inconvenient truth for anyone who would need to implement Federal policy (which hasn't yet been passed). But for Hughes, the real problem for privacy professionals is, "how do you switch it off or maintain it switched-off."

Yes, you heard right: Do Not Track would be just another hoop that big business needs to jump through--or circumvent entirely.

Unfortunately, for now, businesses that want to track our data don't even have to worry about the technical vagaries of Do Not Track. "None of this has the force of law yet," said Hughes. "Without the ability of regulators to enforce, we may not have any enforcement at all. Do Not Track may not have any consequences."

You can see where this is heading. And Hughes confirmed as much: "Some organizations have come out and said they will ignore Do Not Track."

Giving away your online data--willingly

Unless you're some sort of virtual exhibitionist who actually wants to sacrifice online privacy for fun and profit, data tracking should scare you. But it's also important to remember that the basic operating principles of our open Internet--an Internet where very expensive content is given away for free--require a certain amount of data sacrifice.

Indeed, if you want all the complex, nuanced benefits of social sharing, you have to actually share yourself. And you're probably already doing this, sacrificing your data quite willingly.

Ted Schlein, of venture capital firm Kleiner Perkins Caufield Byers, brought up this paradox while speaking at a cybersecurity session at RSA. "People kind of care about privacy, and then they don't," he said. "Facebook has a conversation about a new privacy policy, people get excited about it, and then Zuckerberg says something, and they calm down."


He's right, of course. Periodic privacy imbroglios haven't slowed the popularity of social networking sites, photo-sharing sites, and apps like Foursquare, even though all of these services gather information about us in order to grow revenue. Pinterest was recently valued at $2.5 billion--not because it's making any money, but because its users are enthusiastically pinning products to their pages, making them ripe for retail sales pitches. Their data is the currency.

Big business is working overtime to collect data about us, and the more time we spend online, the more opportunities we give them to do so. So in the end, I wonder whether it's scarier that businesses are collecting our data, or that we're so willingly letting them do it.


Stories by Melissa Riofrio
