There is a fight for information coming. It will be as if dinosaurs were in a battle to the death.

They will be fighting over you.


My first wife was fond of saying: “Great minds think alike. Simple minds rarely differ.” I know she didn’t author it, but it seems appropriate to how we as individuals deal with big data.

George Carlin: “Never underestimate the power of stupid people in large groups.”

The thing about dinosaurs is this: you don’t want to be in the arena where dinosaurs are fighting – or mating.

We have a cognitive dissonance between knowing the dinosaurs (big data) are stomping in our area and realizing the danger they pose (personal data security).

I am old enough to remember that about a decade ago the techno buzz term du jour was “Meta Data.” Skip five or so years forward and the techno buzz term was “Web 2.0.” Today it is “Big Data.”

What these terms have in common is that they are largely the same thing. They are just different views of data turned into information, and information turned into intelligence.

On the internet everyone is a provider of that data, meta or otherwise. That makes the individual providers, collectively, one titan. The aggregation and analysis is big data, the other behemoth.

Mae Chapman published “Don’t worry; we won’t get hacked,” a great commentary on the cavalier attitude some have toward the collection and securing of that data. She reports that, sadly, a trivialization of data security is woven into corporate culture. Whether from intent, laziness, economics or simple ignorance, it permeates the internet like roaches in a ghetto. You can’t always see it, but you can’t permanently eradicate it either. Note: Mae’s report is recommended reading.

The post pushed my big red button – the one that says: ‘DO NOT PUSH. EVER!’

There is a pending struggle between the owners of the information and the aggregators. It is like a big debt with a due date approaching that needs to be paid. Yet no one wants to discuss the reality: it will default.

The battle will be fought along these lines:

Who owns the data?

When you apply for medical services you need to provide personal information: medical, family, economic and so on. The federal government has legislated the limits and penalties for use and misuse of that data. Your medical information is yours; that is clear. Does this set a precedent?

Banks and insurance companies have a history of protecting confidential information. It is their fiduciary responsibility, complete with legal recourse. Does this set a precedent?

But what about Google, Uber, Facebook, Twitter and all the other sites which collect data? Do they own it? How can they use the data? Does this set a ‘too big to fail’ precedent? Or can aggregators hide behind the click of a tacit-approval button?

What data can they collect without the data creator’s direct and passive permission and knowledge?

A couple of examples: When you take a picture with your cell phone, EXIF metadata is embedded in the file. It can make you vulnerable to security issues such as a stalker or thief. When you log into a website you give up your phone manufacturer, model, geolocation and time of day, and you may also give up your personal data from LinkedIn, G+, Facebook and Twitter, all without your direct consent. (Have you read a privacy policy change lately?)
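To make the EXIF point concrete from the defender’s side, here is an added example (not code from the original post, and written with only the Python standard library) that walks a JPEG’s Exif segment, reports whether the GPS sub-IFD is present, and strips the APP1 metadata before a photo is shared. The sample JPEG is constructed in-line and carries no pixel data; its offsets and the 37°46′30″ latitude are made up for the test.

```python
import struct

EXIF_HDR, GPS_IFD_TAG = b"Exif\x00\x00", 0x8825  # 0x8825: IFD0 pointer to the GPS sub-IFD

def _ifd(entries, end):
    """Serialise one IFD: entry count, 12-byte entries (tag, type, count, value/offset), no next IFD."""
    body = b"".join(struct.pack(end + "HHI", t, ty, c) + raw for t, ty, c, raw in entries)
    return struct.pack(end + "H", len(entries)) + body + struct.pack(end + "I", 0)

def build_sample_jpeg():
    """Constructed minimal JPEG (SOI, APP1/Exif, EOI, no pixel data) carrying a GPS IFD."""
    end = "<"  # little-endian TIFF ("II"); IFD0 at offset 8, GPS IFD at 26, rationals at 56
    tiff = b"II" + struct.pack(end + "HI", 42, 8)
    tiff += _ifd([(GPS_IFD_TAG, 4, 1, struct.pack(end + "I", 26))], end)
    tiff += _ifd([(1, 2, 2, b"N\x00\x00\x00"),                 # GPSLatitudeRef = "N"
                  (2, 5, 3, struct.pack(end + "I", 56))], end)  # GPSLatitude -> 3 RATIONALs
    tiff += struct.pack(end + "6I", 37, 1, 46, 1, 30, 1)        # 37 deg 46' 30" (made up)
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(tiff) + 8) + EXIF_HDR + tiff + b"\xff\xd9"

def _segments(jpeg):
    """Yield (start, end, marker) for each header segment before SOS (0xDA)."""
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        length = struct.unpack_from(">H", jpeg, pos + 2)[0]
        yield pos, pos + 2 + length, jpeg[pos + 1]
        pos += 2 + length

def _read_ifd(tiff, off, end):
    """Return {tag: (type, count, raw value-or-offset)} for the IFD at `off`."""
    n = struct.unpack_from(end + "H", tiff, off)[0]
    rows = (struct.unpack_from(end + "HHII", tiff, off + 2 + 12 * i) for i in range(n))
    return {tag: (ty, c, v) for tag, ty, c, v in rows}

def gps_tags(jpeg):
    """Return the set of GPS IFD tag numbers present; an empty set means no location data."""
    for s, e, marker in _segments(jpeg):
        if marker == 0xE1 and jpeg[s + 4:s + 10] == EXIF_HDR:  # XMP also lives in APP1
            tiff = jpeg[s + 10:e]
            end = "<" if tiff[:2] == b"II" else ">"
            ifd0 = _read_ifd(tiff, struct.unpack_from(end + "I", tiff, 4)[0], end)
            if GPS_IFD_TAG in ifd0:
                return set(_read_ifd(tiff, ifd0[GPS_IFD_TAG][2], end))
    return set()

def strip_exif(jpeg):
    """Drop every APP1 segment (Exif and XMP); the compressed image data is untouched."""
    keep, last = [], 0
    for s, e, marker in _segments(jpeg):
        if marker == 0xE1:
            keep.append(jpeg[last:s]); last = e
    return b"".join(keep) + jpeg[last:]
```

On a real photo, `gps_tags(open("photo.jpg", "rb").read())` returning a non-empty set is the signal that the file would leak where it was taken; `strip_exif` is the minimal sanitiser to run before uploading.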

Troy Hunt did a great technical piece on the issue of data collection. It deserves a follow-up. It’s really frightful how much data we unknowingly and freely give away. But awareness doesn’t mitigate or attenuate the issue; rather, awareness amplifies it.

Are copyright laws applicable to web data? Consider this: should you take my picture, you own the authorship rights to the photo even though it is my face. When facial recognition software is used on photos from Facebook, are copyright laws broken? In such cases, who owns or is protected when a Facebook face is used for criminal activities? When your ‘face is stolen’, is it Facebook, the photographer or the criminal who is responsible for reparations?

Does that extend to the authorship rights of data entered in web forms? If no value is passed, does it represent a contract or a work for hire? Or can the site claim it ‘paid’ you with services?

What responsibilities do data collectors have to protect the data?

Is there a standard for security? When a data breach occurs, what responsibility do they have? There isn’t even a legal standard requiring reporting of a breach: no standard format and no central clearing house. This will become an issue only when citizens decide to take action and force their legislators to act.

What recourse or redress do those affected have?


http://www.reuters.com/article/2015/03/19/us-target-settlement-idUSKBN0MF04K20150319

In the case of corporate governance, Sarbanes-Oxley provides some guidance, but not much related to security. HIPAA provides some for medical data. Lawyers and accountants have strict fiduciary rules to follow as part of their license. But what about the retailer down the street? Must each breach be litigated separately? What about breaches that are not reported?

In the case of Target there is a class action lawsuit... settled at $10 million for some 70 million consumers ($0.14 per person, before legal fees?). Gee… Wow…. OMG….

Will there be a federal or state agency to assist private companies who are breached? Perhaps an FBCI, or Federal Bureau of Cybercrime Investigation.

If someone walks into your business and robs you, the police are there to investigate and prosecute. Even if you forgot to lock the doors of your shop, there is help. If someone hacks your server and steals intellectual property do you have some police authority to assist?

In physical criminal and civil matters you always have private resources to hire, but in the case of IP, ones and zeros, the owners of that data and the aggregators of that data have little help from the government.

What of the owners of the source information? Can you call the police to report that thieves hacked BOA and stole information that belongs to you? Do the end cybercriminals need to make reparations to you directly?

Who is responsible for the dysfunctional security?

This is not as obvious a question as it may seem. Consider this: back in the day, IBM had so much clout that people would buy IBM over the alternatives with this thinking: “If I buy an alternative and it fails, I am to blame; if I buy IBM and it fails, it’s IBM’s fault.” There is a lot of that simple-minded thinking going around right now about cybersecurity.

If the aggregator buys ‘certified security’ from a third party, is the vendor or its certifying agency equally liable with the aggregator? Who is responsible when there is shared culpability?

On Dark Matters, Tim Kertis does an excellent job, albeit technical and detailed, of pointing out that vulnerabilities may simply be a byproduct (an unintended consequence) of sloppy compilers and sloppy coding. Or perhaps it’s just bad design. The details he offers went largely over my head, but it is certainly a valid and exceptionally well documented and considered argument.

Other faults may lie with ignorant or incompetent systems administrators, cheap management not updating the hardware or software infrastructure, or the hardware and software vendors. Or maybe it is we who use the internet who neglect the things we should do for ourselves. By that I mean: do we need to be connected 24/7? Are we aware of the consequences?

There is a saying: “Ignorance is no excuse in the eyes of the law.” Is that transferable to the internet? What will Lady Justice say to the “I didn’t know” defense? She is blindfolded anyway, so what can we actually expect?

To be sure: You and your data are part of this fight. That is because the prize is your data. This ‘battle of titans’ will be all about YOU.

What do you think the issues are?

What do you think the solutions are?

Have you been a victim? If yes, share your thoughts and story; perhaps it will help others and raise the impetus for our legislators to do something meaningful.

Please comment and share this post with your friends so they may be aware of how to protect themselves, and follow us.

BPID is on a mission to eliminate the password in 2016. Our asymmetrical data system makes eliminating the password possible without compromising security or convenience. Stay aware of our progress; please join us by signing up for our news at bpidsecurity.com.

Paul Swengler is the CEO and principal of Bulletproof ID, a password-free login. He can be reached through www.bpidsecurity.com and can be found on Twitter @bpids.