The TechCrunch Disrupt NY 2016 gathering was this week, a week that’s marked some pretty interesting moments in privacy and security.
At the start of the week I came across this survey – the CIGI-Ipsos Global Survey on Internet Security and Trust 2016. Everyone loves an unwieldy title, and this report had some fascinating results.
57% of global citizens are more concerned about their online privacy than a year ago.
Just under 80% are concerned about being monitored, and 83% have changed their behaviour because of these concerns about being monitored (I found it quite fascinating that Japan had a very low % for this at 49%).
Q4. How else have you changed your behavior? (Please select all that apply.)
That’s pretty amazing, and shows the amount of public interest in security and privacy, and how much opportunity there is in a security-services-based industry.
Keep those stats in mind as we wrap up Disrupt NY. On May 9, a great discussion was held on the stage with Marten Mickos from HackerOne, and Nate Cardozo from the Electronic Frontier Foundation (EFF, who by the by have one of the daggiest logos you could possibly commission in Word. I love it). They raised some incredible discussion points, emphasising just how we were barely understanding the impact of devices, the legal support needed for this, and the culture corporations need in order to be open to having their systems exposed to the prying eyes of the web – whether beneficial or malicious – as well as the vulnerabilities inherent in corporations and systems that have so rapidly been opened up to the harsh world of the Internet of Things and user privacy.
They also raised the concept of the privatisation and corporatisation of privacy, as well as a fascinating point about how access to excellent encryption and the right to personal privacy is actually creating a new class divide between the haves and have-nots of being able to afford security.
This is actually a completely fascinating concept in the ongoing debate and raises some very relevant points in the examination and healthy debate. It also then segues into the next video from Disrupt NY, with General Michael Hayden on stage. Hayden, a former Director of the NSA and CIA, has an excellent presence and sense of openness about the need for security and balancing privacy with encryption.
There’s a sense in his words that he’s tempering his idealism of protecting the USA with the reality of the agencies and people in power (he is quite cynical of the Presidential candidates’ abilities to deal with the complexities of the responsibilities of the office of President). He also flags the idea that unbreakable encryption is unavoidable, with the thought that there are ways to get necessary data without breaching the privacy of the content of the device. He leans towards the usefulness of metadata – an approach that sounds like it leans more towards the Australian government approach of data retention policies.
There are two interesting points that come out of this. The first is that, while metadata definitively protects a person’s privacy (on paper, and despite what the conspiracies say), the argument against using metadata for investigation is that it leads towards guilt by association.
The second, and more intriguing part for me, is that metadata is incredibly powerful. Metadata, and I’m saying this from experience, can contain pretty much everything that you have in the content, minus the useless bits. In other words, through clever metadata schema development, you could atomise an entire conversation into a collection of keywords, analysed time/date/place, emotions and behavioural data and more, that are not ‘content’, but ‘context’. Does this then sit outside the encryption structure and privacy implementation of the device, or network, or corporation?
There’s the makings of a new challenge in there. Can a user legitimately claim a right to privacy over when they had a conversation, above and beyond what that conversation was about?
We saw this challenged briefly when a California court obtained a warrant for a woman to unlock her phone using her fingerprint, while it’s generally recognised that you cannot force a person to use their PIN. The justification is that the fingerprint is physical evidence, while the PIN is knowledge. When the fingerprint becomes the equivalent of the PIN, where are the lines? With TouchID now in use by around 90% of iOS users, this presents an interesting new risk for users. TouchID may be more individually secure and convenient, but more legally risky.
Ha, could we identify criminals or someone with something to hide by their lack of TouchID?
What a concept.