Unmanaged data collection under fire

Amongst the key themes covered at the recent Connect 2014 event in Melbourne were the Internet of Things and machine-to-machine communications.

CSO Australia spoke with AVG's Michael McKinnon and Hacklabs' Chris Gatford about the data security and privacy issues these new trends present.

Play a game of buzzword bingo at any technology event this year and you're guaranteed to get a hit with the Internet of Things. While it's obvious that more and more end-point devices are being connected to the Internet, there are some deeper issues in play.

McKinnon, a security adviser with AVG, said he was surprised at how pervasive this degree of connectivity already is.

"One of the things that's become apparent to me is that it's a lot deeper than many people think," he said. "For example, traffic management systems. You drive down the highway and think 'I'm just driving my car'. But the reality is that running alongside that highway are fibre optic cables that are linking camera management systems, speed sensors in the road, number plate recognition, electronic signals and signs, and all these things connect back to central control rooms".

These vast volumes of data present some challenges to the security community. While any one data point on its own is not very valuable, the accumulation of huge amounts of data and their correlation with other information can provide a surprisingly detailed picture of our lives.

"One of the main issues remains the integration of the data. We've still got data that is siloed in separate locations. But what happens when some of these systems start to really converge? Inevitably we're going to see some challenges," McKinnon said.

There are many instances of data being collected for seemingly little reason.

Chris Gatford, a director and penetration tester with Hacklabs, said, "One of the things I'm really looking forward to is controlling some of the blatant data capture that seems completely irrelevant. My favourite bugbear is the capturing of drivers' license information when you go into the pubs and RSLs".

He highlighted that one of the challenges is behavioural. Many organisations have been collecting this data for a long time for no demonstrable business purpose. But, as they've been doing it for a long time, they don't yet see why this might be an issue.

"It's this mentality that is going to be hard to change," he added.

There's a mentality that says collecting data is a good idea just in case you need it but McKinnon says that this is "contrary to any best practice privacy principle".

"One of the things coming out of the recent privacy reform is that companies need to be looking at all their web forms, everywhere that they're collecting information and they should only be collecting what is going to be used that will have a fundamental impact on an upcoming business decision," McKinnon explained.

McKinnon says that there's a need for a more detailed and granular discussion, as the specifics about the data being collected are often glossed over.

"For example, with the privacy reforms, there's now a schedule that outlines things like Centrelink customer reference numbers that are now declared by the government to be specific fields in your database that you are not allowed to keep unless you're a specific authorised entity," he said.
