Privacy in the era of big data and cloud

Privacy is simply defined as a state in which one is not observed or disturbed by other people. Taking this definition further is Article 12 of the Universal Declaration of Human Rights which states: “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.”

UN General Assembly, Guidelines for the Regulation of Computerized Personal Data Files, 14 December 1990, state that “data likely to give rise to unlawful or arbitrary discrimination, including information on racial or ethnic origin, colour, sex life, political opinions, philosophical and other beliefs ... should not be compiled”.

Most recently, the OECD updated its guidelines governing the Protection of Privacy and Transborder Flows of Personal Data (2013). In regards to the Security Safeguards Principle: “Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorised access, destruction, use, modification or disclosure of data.”

In regards to Openness Principle: “There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.”

Within the revised guidelines is the introduction of data security breach notification laws supporting the “Security Safeguards Principle” which requires data controllers to inform individuals and/or authorities when a security breach has occurred. This is potentially a game changer, these laws are usually justified on the grounds that data controllers have little incentive to disclose breaches voluntarily given the possible harm this can cause to their reputation.

Requiring notification may enable individuals to take measures to protect themselves against the consequences of identity theft or other harms. Notification requirements may also provide privacy enforcement authorities or other authorities with information to determine whether to investigate the incident or take other action.

This will apply to all players big and small who collect any form of personal data, physical or digital.

A question we should ask ourselves is what prompted OECD to change its guidance in 2013? The answer is simple, data leaks—too many of them. Have a look for yourself at some of the biggest data breaches visualised here. Adobe was hacked and lost 38 Million records as recently as September 2013, and if you combine the number of personal records lost, hacked, accidentally published or leaked due to an inside job across Sony, Evernote, Facebook, iSoft, Vodafone, Twitter, Apple, LinkedIn, over the past 2 years the number of accounts is in excess of 300 million records.

Today we live in a connected world and the age of “big data” spear headed by Facebook, LinkedIn, iSoft, Twitter and numerous other social media and commercial cloud based software, where online and electronic transactions are the order of the day and all transactions are stored by entities both government and corporate with whom we interact.

Increase in the use of big data provides interesting new insights on everything from shopping patterns to predictions on health of the population and financial risks based on consumer earning vs spend.

The phrase "scientia potentia est" (or "scientia est potentia" or "scientia potestas est") is a Latin aphorism often claimed to mean "knowledge is power". Big data provides ingredients to harvest knowledge and, like a bank vault database that stores personal information, multiple facets of personal information can be targeted by forces of good (government and corporates) and forces of evil (criminals and terrorists) to undertake activities to further their own agendas—all without the complete knowledge of the individual. The responsibility and accountability of safeguarding these big data vaults, at this stage, is a bit grey. What is not grey is the risk of a compromise.

Whilst the promise of big data is all about predictive analysis and assisting human lives by making them simple, it also poses major privacy concerns for the average person. The ability for companies and governments to gain an insight into your personal lives through collecting, processing and analysing your social media, health and financial data could spell trouble if incorrect assumptions are made about, for example, your health or financial records.

What if results of analysis are used to form notions regards the way individuals behave and interact under the guise of improving the understanding of customer and citizen behaviours? This, in turn, supposedly assists in the provision of improved services, but could this be the start of a Minority Report type experience, where someone knows of something even before you do?

Scary huh!

From where I see it, big data and cloud have introduced threat vectors across the domains of legal, public policy, constitutional rights and ethics, all of which are areas of specialist knowledge and deep research. A lot remains to be explored as a whole. Coverage of no one particular domain will provide the solution but instead, a synthesis of approaches will be needed to introduce a working platform that provides clarity of what privacy really means in the era of big data and cloud.

Show Comments