What is Privacy?
Privacy concerns continue to increase and broaden. It’s a complex, boring, multi-faceted, and critical topic. For the past several years, organizations have been grappling with the information that firms like Google and Facebook collect in exchange for the free services they offer.
Trading our personal information for rewards predates the Internet. The most prevalent example is loyalty programs. What is new is that the information within our digital trails now provides unprecedented clarity into our lives. The Internet browser and the smartphone, both critical to life as we know it, are big culprits.
Google and Facebook are very clear about trading free, robust services in exchange for their ability to collect personal information. What is not particularly clear is what these firms do with this information other than sell targeted ads. Many people accept this trade, seeing relevant ads as a general upgrade over random ones without realizing the other potential uses the information offers. The notion of privacy is quickly eroding online and offline.
Our detailed information is being collected from an increasing number of sources. We are party to the crime by self-identification of transactions through things like frequent member clubs, browser histories and cookies, and our own mobile devices that know too much.
The smartphone changed everything; it knows our contacts in general, our specific communication circles, our habits (where we walk, drive, shop, etc.), and our whereabouts. Smartphones not only know where we are, but often where we are headed. The classic film noir line “where were you last Tuesday night?” won’t appear in future mysteries.
What consumers do with their devices shouldn’t concern the enterprise, but it does. It is one of many ramifications attributed to BYOD. Spyware on (mobile) devices doesn’t restrict snooping to the user’s personal content. Smartphone users are all but powerless to limit the tracking that various apps do. Only some offer an opt-out option. The WSJ sampled 101 apps and found:
“56 transmitted the phone's unique device ID to other companies without users' awareness or consent. Forty-seven apps transmitted the phone's location in some way. Five sent age, gender and other personal details to outsiders...Forty-five of the 101 apps didn't provide privacy policies on their websites or inside the apps at the time of testing. Neither Apple nor Google requires app privacy policies.”
All this personal snooping created an opportunity for Microsoft, which launched a campaign called Your Privacy is Our Priority. The firm positions several of its key services, such as Skype and Outlook.com, as more private than competitive offerings (from Google).
With the unraveling NSA/Prism/Snowden scandal, the Guardian has now reported that Microsoft isn’t the best partner for privacy. The Guardian said Microsoft is working closely with government snoops. New documents suggest Skype was tightly integrated into Prism with the result of significantly increased monitoring of voice and video communications.
In response to the allegations, the firm stated: “Microsoft does not provide any government with blanket or direct access to SkyDrive, Outlook.com, Skype or any Microsoft product.” It is reassuring, but still unsettling. This NSA stuff is so sensitive that one never knows if a gag order is preventing the full truth from revealing itself.
Compromised communications are a real threat to the enterprise, and encryption may be prudent. How and what gets encrypted depends on who the eavesdropping threat comes from. 256-bit encryption can keep out most thieves. If it’s the government that concerns you, it is a bit trickier (see related post).
Most government encryption standards are unlikely to keep the NSA out. A few encryption solutions that can are:
- Silent Circle
- Off the Record Messaging
There are numerous encryption options available at the gateway and mobile device level, but most adhere to government-approved technologies.
Encryption is an option, but remember that much of what the NSA is accused of collecting can’t actually be encrypted (telephone metadata, email headers, phone CDRs, hosted email messages, social network activities).
Cryptographically secure messages are a lot easier in theory than in practice. Most organizations can’t confirm whether backdoors exist in their software applications, something we are reminded of every time new security vulnerabilities are found in software previously assumed safe.
Privacy is positioned to be the next big thing in enterprise communications. It could even conceivably reverse the trend toward cloud services.