As we move on with our lives, creating new footprints and making new waves, we are also leaving a trail of information about us that may be collected, stored, accessed, used and shared with entities that we may or may not know about and may not feel comfortable or safe doing so. This, of course, should not absolve the information ecosystem from its obligations to report unlawful activities to law enforcement agencies.
Privacy is a right1 that is core to our existence and it should complement, not come in conflict with our equally important need for security and well-being. Both can and must co-exist together, to preserve the value of our lives and dignity as citizens, and as producers and consumers of products and services.
However, stampeding on these very rights has become a norm for criminal minds and their motivators.
The recent reporting2 by Yahoo that personal information of its 500 million users was compromised and yet remained undiscovered for about 2 years, is another stark reminder that information producers, distributors, processors, and consumers are all vulnerable to dastardly stealing attacks that attempt to reap fortunes through sheer exploitation.
As individuals and entities struggle to preserve and present their own unique and true identity in an era marked by virtualization of capacities and capabilities, the wicked rewards for impersonating and/or defacing seem to be even more attractive to criminals.
The economic impact of such acts is remarkable.
According to a 2016 report3 published by IBM and Ponemon Institute, average cost of data breach for companies involved in the study, has increased to about $4 Million, with each lost or stolen record costing about $158. The report also claims that for regulated industries such as Healthcare, education and financial services, this cost was way above this average. Moreover, about half of data breaches were caused by malicious and criminal attacks.
Responding to such breaches effectively is often limited by the potential delays in detection and reporting. For instance, the mean time to discover such incidents as per the above-mentioned report was in excess of 200 days, or put differently, this would be the time to complete roughly about 60 million4 transactions on Bitcoin.
Future design of applications must, therefore, take a preventive approach first, where the designers focus on discovering and sealing the vulnerabilities to minimize exposure to breach possibilities.
We would, of course, need an effective incident response mechanism in place, with appropriate investments in infrastructure and resources, but mitigation approaches must be preceded by those for prevention or transfer of risks.
So, where can we begin to form a privacy-centric design approach? Here are 8 initial steps:
- Document and categorize the various information types, its ownership, purposes and authorized uses including the sensitivity of such information.
- Map the information pathways from their source to consumption and seek to protect them through standard best practices implementation of information security principles. That is to ensure that each access attempt is verified for its authenticity and authorization, and flow of information remains available with its confidentiality and integrity preserved.
- Map all the processes, components and users that do one or more of acquire, store, access, process, and share or distribute operations on any given type of information. Repeat the mapping exercise for each information type.
- Consider the sensitivity of the information and assess the impact of its breach for each.
- Use above impact analysis, to determine and document the restrictions if any, which should be enforced for each operation above, for each type of information as documented earlier.
- Translate these into validation rules.
- Prepare to test against each such validation rule.
For a formal and exhaustive description of privacy frameworks, the one by Data Security Council of India (DSCI)4 can be referred to. Additionally, OECD5,APEC6 and ISO 290107,can serve as independent references.