Tuesday, March 20, 2018

Europe Is Far Ahead of US In Data Protection

   On May 25th of this year a shift in data protection practices and policies will be required throughout the business world as the European Parliament regulation known as the General Data Protection Regulation becomes enforceable law.  Even businesses operating outside of Europe will be affected if they have customers who live in Europe.  This kind of law has been long overdue in the US.  If businesses in the United States wish to remain competitive, they should heed the principles of the General Data Protection Regulation, or GDPR.
   In the United States, the ramifications of Supreme Court decisions have severely limited privacy protection. When considering the vast troves of information held by corporations and government, such limited protection means almost nothing is confidential.  Legally, within the United States, information has no privacy protection when provided to a third party like Facebook, Google, Yahoo, a telephone company, and even your bank. There are exceptions for limited and specific types of information such as Social Security Numbers, Credit Card account numbers, and medical information. Outside those narrow parameters, all other data can be shared with others without requiring your consent.  It doesn’t matter if that breaks the social protocol of confidentiality; it is legal and can be done. What’s more, private information, such as medical conditions, has been determined from someone’s shopping habits, location information, and phone call logs. Internet users’ lack of awareness of the aforementioned does not mean those users condone having their information, which was provided in confidence, shared with anyone and everyone indiscriminately.
   With a millennium of social protocol, people assume that information shared with an individual or organization means that the receiving party will respect the privacy of the giver of that information.  The collectors of our Internet activities are no longer benign advertisers interrupting our viewing or listening with advertisements.  Our information has been thrown into the oven of massive databases where our activities are analyzed.  That analysis eventually leads to conclusions.  From conclusions come decisions upon which action is taken. There is always a danger when analysis, conclusions, and decisions are done in the dark by mostly large institutions that have power and profit as a motive.
   The openness that is the notable characteristic of the Internet is being subverted by opportunists using that very openness to promote their own interests in secret, using expropriated information as a means of control, manipulation, and exploitation, which is at odds with the very reason users are drawn to the Internet. What people know about criminals breaking into databases is just the tip of the iceberg. The privacy invaders that have emerged could be characterized as Virtual Peeping Toms, Cyber Criminals, Spies For Hire, Blackmailers, Data Snatchers, Bait and Snitch Data Sellers, Black Market Data Brokers, and Surveillance Spooks.  They all view information in whatever form - be it text, database, video, audio - as a means to an end.  They collect it, sell it, broker it, and most definitely use it.
   The information that is used always benefits the user of the information, and most notably at the expense of privacy and an individual’s self-determination. Internet users have difficulty imagining how their personal information could be used other than to provide a service. They have no clue as to the multiple uses of information beyond its original intended use.  Some may be devastated to find out the re-purposing of their data by unknown third parties has very real consequences impacting their lives in subtle ways. Others understand that misuse and abuse of information will lead to real harm.  This is why 93% of adults say that being in control of who can get information about them is important according to a Pew Research poll.
   One method to prevent harm is to restrict access to information to only those you trust.  However, in the wild west of data protection that is the United States, common sense has been brushed aside.  The computer security experts tasked with protecting data are often plagued with conflicts of interest. In the parlance of information security, the acronym CIA has been the CYA for computer technicians for decades.  For clarification for the uninitiated, CIA does not stand for the Central Intelligence Agency, which admittedly is the more infamous “CIA”.  The acronym is known as the triad of information security: Confidentiality, Integrity, and Availability.  For too long computer security technicians have focused on data integrity and system availability as the CYA for their job security.  After all, end users do notice when systems are down or data is incorrect.  But a violation of confidentiality may only be known when private information falls into the wrong hands, and that information is abused or misused.  Since data is simply copied when an information breach occurs, there is no service disruption.  It lacks the immediacy of a system crash and therefore has been treated with a lower priority.
   Given the current political climate in the United States, it appears that the GDPR is our best hope to improve the dismal state of data protection.

