A variety of new technologies — intrusive, mobile, ubiquitous and inexpensive — are causing immense societal and business disruption. There are great privacy concerns regarding each of these devices by themselves and more importantly in their synergistic combinations. In many cases, the legal and community sectors lag behind these developments as well, and we cannot fully address their technical aspects or social implications.
Sound familiar? We’re not describing the phones, drones and clones problem of 2015. Rather, the above describes the privacy and technology problems that many of our great-grandparents faced and resolved in the early 1900s.
History Repeats Itself
A hundred years ago, the beneficial and democratic aspects of technology and industrialization caused certain technical powers to pass from the very rich to the middle class. For example, the inexpensive box camera with rolled film caused a sensation regarding its portable and ultrapersonal nature: “What, you dare to take pictures of me, my spouse and my teenage children while we are strolling in the public park, and you bring these very likenesses into your own home?”
The telephone was similarly discouraged by many: “Must you interrupt the sanctity of our home by the infernal jangling of that bell and your unwelcome voice; even worse, at a time of your own choosing?”
Similar controversy could arise from the automobile: “We expect our children to spend their evening’s entertainment within our town, not out of it!” and from the daily newspaper: “My police summons for this minor charge need only be mentioned in the police station blotter, not seen on my neighbor’s doorstep the next morning!”
Privacy Problems Continue Today
Many, but certainly not all, of today’s privacy issues arise from the fact that technology continues to democratize that which was previously highly concentrated. For example, in the past in the U.S., a governmental agency could have readily ascertained whether a particular individual committed a minor infraction within its borders because it had visibility into all of our approximately 3,100 counties and their myriad of towns. But typically, this was only done in certain law enforcement situations, and doing so had a significant cost with respect to time, communications and human effort.
Today, the Internet — widespread, well-read and time-independent — has both democratized data access and expanded the potential for illuminating even minuscule past embarrassments. That evidence, while public, may once have been hidden in obscure, marginally accessible files.
In 2015 and beyond, it is particularly important to differentiate the issues of information security and privacy. Security and privacy serve related but very different goals. Information security is primarily concerned with protecting information’s confidentiality, integrity and availability (CIA). In both the customer’s and client’s environments, privacy may be considered the expectation of careful and ethical access, retention and use of personal information of many types and sensitivities. A person’s information must ultimately be viewed and used only in ways known to and acknowledged by the individual to which it pertains.
The Security Conundrum
Thus, it is conceivable that, if wrongly deployed, an enterprise could have comprehensive, effective information security without personal privacy. But it could only have adequate privacy if it already had a firm base of security. When used together effectively, adequate security and appropriate privacy, or cognitive privacy, lead to a business and societal goal of customer, regulator and public trust.
Although some may (incorrectly) view the many emerging governmental privacy mandates and other potential security and regulatory impacts as being unusual or unforeseeable events, in fact they are completely predictable. It is equally foreseeable that similar privacy expectations will increase in frequency and depth in the future. And in many cases, regulators are a metaphor for what customers and other stakeholders now legitimately expect.
It is urgent to be in a posture of continual compliance readiness. For privacy, this can be achieved via many means, including better organization of existing discrete data, usable alerting and logging elements, software control techniques and rigorous data and access management. In short, there must be an accurate understanding of privacy posture at all times and at all appropriate management levels.
Finding the Right Solution
How do we resolve these issues? Just as was done by our forebears, the very real expanding privacy problems of the 21st century — including misuse of information, intrusiveness, ubiquitous and improper distribution — may be addressed by both enterprises and individuals. Providing world-class capabilities to tangibly enhance privacy via encryption, access controls, fraud countermeasures, and many other products is an excellent first step toward reconciling strong security and privacy.
An important initiative may arise from IBM’s many innovations in the realm of cognitive privacy. We have emerging capability to use our technologies to help address, detect and prevent privacy concerns such as improper cross-border data flows or illegitimate access to personal data. Other cognitive privacy techniques and values can preclude both the appearance and perception of privacy problems, particularly in new cloud and mobile implementations. But the main goals continue to be appropriate personal appreciation and business enablement.
Hopefully, through the use of these techniques, effective information security and data privacy — and, most importantly, customer trust — will be the result of an enterprise’s sound business, regulatory and technical initiatives and innovations.