Cloud Security INSIGHTS Archive: March 2022
Seamless Security is the future
Delinea believes every user should be treated like a privileged user and wants seamless, secure access, even as administrators want privileged access controls without excess complexity. Delinea’s solutions empower seamless security for the modern, hybrid enterprise with privileged access management (PAM) solutions that define the boundaries of access. Learn More »
Privacy in a Fishbowl: iCloud controversy raises concerns about potential misuses
By Matt Gillespie
|Image Credit: Getty Images|
Particularly in the United States, privacy has too few protections, and it continues to erode.
That reality is abetted by Americans’ casual surrender of control over how their personal data is used.
Sloane Burwell, senior compliance analyst at Hacker One, makes the distinction that, “If I put my business card in some glass bowl to win a month’s worth of Starbucks, I know that when I do that, my information is going to be shared 50 times. In Europe, they’re absolutely shocked and appalled.”
At the heart of that disparity is a widely underdeveloped sense of value and ownership for personal data.
The Cost of Under-Valuing Privacy
The fishbowl scenario is essentially a transaction where personal data is exchanged for something of value (hypothetical coffee), which would run afoul of the European Union’s General Data Privacy Regulation (GDPR), but is a generally acceptable activity in the U.S. Without knowing and controlling how one’s data will be used, it is impossible to fully understand what one is giving up in the transaction.
A similar perspective might be applied to cases where users entrust photos and other information to the repositories of service providers.
The controversy over Apple’s shifting plans about whether to scan for child sexual abuse material in photos uploaded to iCloud is instructive. The technology, announced in 2021, was designed to scan iCloud accounts for images of child sexual abuse using a database operated by the National Center for Missing and Exploited Children. Flagged photos were manually reviewed before the identities of the users that uploaded them were to be turned over to authorities. Apple has since removed references to the program from its website.
Despite the laudable goal of protecting children, the technology (and others like it) continues to raise concerns about other potential uses or misuses, and not necessarily by Apple. In an environment where the owners of personal data place little value on it, scanning materials such as photos uploaded to the cloud could become widespread.
People do not widely recognize how much information can be reconstructed based on seemingly innocuous pictures, from demographics and habits to location metadata. Moreover, the potential applications of image scanning—both commercial and nefarious—are almost impossible to predict.
Those whose data might be misused have limited means to anticipate or prevent it. In particular, consumers typically lack agency in agreeing to terms with technology providers, as the opacity and changeability of EULAs makes them famously poor protection.
On one hand, Burwell noted, “You can’t give away your rights by virtue of terms and conditions,” so illegal contractual terms aren’t binding. On the other hand, John Bates, manager for cybersecurity at EY, pointed out, “We have old Anglo-Saxon legal concepts that when two parties agree to something, the courts just kind of allow it.”
That laissez faire attitude toward the ownership and control of personal data is a clear and present danger to privacy, which governments have an obligation to address. “I think it’s a fundamental decision, and countries and administrations need to make up their mind,” Bates suggested. “Is it your data? If it is your data, then do you have an absolute right to control it? If so, what are the exceptions?”Taming the Wild West
In a world where we all constantly emit data that is collected by unknown entities, not enough has been done to mandate its protection against compromise.
Data breaches would certainly expose demographic profiles and other outcomes from scanning and analytics. Unscrupulous actors would be quick to use that information for purposes that data owners would not willingly agree to.
Corporations certainly value their reputations and the damage that can be done to them by a data breach, but with every passing year, the threshold is raised for a compromise to be a significant news story.
From the consumer perspective, Bates said, “I think there’s breach fatigue, where people just say, ‘I just assume all my information is public, I’ve received so many breach notifications.’” Burwell added, “I think, unfortunately, a lot of companies just pay the fine and move on, and a lot of companies can afford it.”
The California Consumer Privacy Act (CCPA) takes useful steps toward providing a better model for pushing companies to protect personally identifiable information (PII). As Burwell noted, “They’ve already decided how much your PII is worth, and every data element has a price tag associated to it. It cleared the way to a private right of action. In other words, if your data’s been breached, we want you to sue.”
That approach of placing explicit value on personal data has implications far beyond punishing providers for data breaches. When consumers enter into agreements with outside entities where they give up control of their information, the valuation sets the stage for greater equity.
The CCPA may provide a template for sounder ways of valuing data in transactions, beginning with granting consumers true ownership.
Bates concluded, “In many regards, the California privacy law is mimicking the GDPR out of Europe, and it’s looking for a lot more fairness. Did you tell the user what they were giving up? Did you tell the user that they could change their mind? Did you tell the user how it's going to be used? Did you tell the user how long you’re going to be using it in that way?”
There is a great deal of work to be done before Americans recognize the personal and financial value of their data. The concept of ownership and the legislative framework to protect that ownership must develop together, and both are overdue.
Matt Gillespie is a technology writer based in Chicago. He can be found at www.linkedin.com/in/mgillespie1.