Why IT security pros can be scarier than the 'bad guys'

Forget about hackers and phishers. Big business wants your personal data, and your privacy is just a hurdle to be surmounted.

I thought I harbored a healthy amount of paranoia before I went to this week's RSA Conference for IT security professionals in San Francisco. But now I'm just plain scared--and not about hackers and phishers, the perennial bogeymen of the Internet underground.

No, the people who scare me even more are the security professionals who work for big business. They want my online data, your online data, everyone's online data. And they want it more than even the bad guys who make headlines.

Big business isn't evil incarnate, and the companies clamoring for our data aren't the agents of destruction who would steal our identities for profit or erase our family photos just for kicks. But to the business leaders at e-commerce sites, social networks, and even banks, online privacy is something that must be managed at best, and mitigated at worse.

It's an annoyance that must be dealt with. It's something that gets in their way.

They want our data so they can track us, categorize us, and use what they know about us to sell us something--or sell what they know about us to someone else. Or, as Trevor Hughes, the President and CEO of the International Association for Privacy Professionals (IAPP), told me directly, "Your data is the currency of the information economy."

And our online activity is minting more money all the time.

Our data is hard currency

It took just one shocking hour at the RSA conference to destroy every naive hope I might have had about online privacy. Hughes spoke to a large audience of IT professionals tasked with managing customer and user data, and named what he considered to be the hot-button privacy issues of the year: location data, facial recognition, and Do Not Track, among others. He also touched on more sweeping topics like federal regulations and public policy.

I was intensely interested in all of these issues as an active, web-surfing individual, but I also quickly realized that the other attendees in the room looked at these issues from the other side--from the perspective of their companies, which gather customer data and use it for business opportunity.

Their job is not to worry about protecting our privacy, but to worry about navigating privacy regulations, and protecting themselves from lawsuits and fines. One thorny example Hughes cited was the mobile privacy guidelines paper released by the California Attorney General's office earlier this year, to supplement the California Online Privacy Protection Act (COPPA). In a message accompanying the guidelines, Attorney General Kamala Harris encouraged mobile app developers to adopt a "'surprise minimization' approach...to alert users and give them control over data practices that are not related to an app's basic functionality or that involve sensitive information." Easier said than done on the small screens of mobile platforms, said Hughes: "That user interface is incredibly limited."

Your location, your activity, your face: all fair game

Hughes also delved into issues surrounding "contextualization"--using your online data to customize "content" (read: advertisements) to your browsing habits and personal demographics. Obviously, contextualization is already a widespread (and profitable) business tool, as anyone who's experienced targeted ads on Google already knows.

The data set used for contextualization is diving ever deeper, though. "Context will put the debate on targeted ads on steroids," Hughes told the crowd. "Not only are we going to have the sensitivity of where you've been online, but where you are in the world, and what you are doing and thinking."

Oh, but it gets better. Facial recognition, anyone? You can tell your friends not to tag you in their photos all you want, but that's small potatoes.

"We will see the anonymity of crowds dissipate," Hughes said, predicting that photos taken by other people, or by cameras installed in public places, will be used to find you wherever you are. Remember the Where's Waldo? children's books, where you had to find Waldo among huge crowds in famous places around the world? Who knew that the happy, wool-capped Waldo would be the harbinger of privacy problems to come.

Do not track me... please?

When the Obama Administration introduced its Consumer Privacy Bill of Rights in February, 2012, the bill cited "privacy-enhancing technologies such as the 'Do Not Track' mechanism" as safeguards against many of the tactics that Hughes' audiences members would like to preserve. Choose not to be tracked, and web sites wouldn't be able to collect information about you. It's the ultimate protection, right? No, think again.

"Do Not Track is a very, very complicated and challenging issue," Hughes said. Indeed, there's no standard implementation for data tracking from browser to browser, and that's an inconvenient truth for anyone who would need to implement Federal policy (which hasn't yet been passed). But for Hughes, the real problem for privacy professionals is, "how do you switch it off or maintain it switched-off."

Yes, you heard right: Do Not Track would be just another hoop that big business needs to jump through--or circumvent entirely.

Unfortunately, for now, businesses that want to track our data don't even have to worry about the technical vagaries of Do Not Track. "None of this has the force of law yet," said Hughes. "Without the ability of regulators to enforce, we may not have any enforcement at all. Do Not Track may not have any consequences."

You can see where this is heading. And Hughes confirmed as much: "Some organizations have come out and said they will ignore Do Not Track."

Giving away your online data--willingly

Unless you're some sort of virtual exhibitionist who actually wants to sacrifice online privacy for fun and profit, data tracking should scare you. But it's also important to remember that the basic operating principles of our open Internet--an Internet where very expensive content is given away for free--require a certain amount of data sacrifice.

Indeed, if you want all the complex, nuanced benefits of social sharing, you have to actually share yourself. And you're probably already doing this, sacrificing your data quite willingly.

Ted Schlein, of venture capital firm Kleiner Perkins Caufield Byers, brought up this paradox while speaking at a cybersecurity session at RSA. "People kind of care about privacy, and then they don't," he said. "Facebook has a conversation about a new privacy policy, people get excited about it, and then Zuckerberg says something, and they calm down."


He's right, of course. Periodic privacy imbroglios haven't slowed the popularity of social networking sites, photo-sharing sites, and apps like Foursquare, even though all of these services gather information about us in order to grow revenue. Pinterest was recently valued at $2.5 billion--not because it's making any money, but because its users are enthusiastically pinning products to their pages, making them ripe for retail sales pitches. Their data is the currency.

Big business is working over-time to collect data about us, and the more time we spend online, the more opportunities we give them to do so. So in the end, I wonder whether it's scarier that businesses are collecting our data, or that we're so willingly letting them do it.

Show Comments