Increasing data security? The horse has already bolted

Has the data security horse bolted?


Don’t want your data getting shared around in cyberspace? Don’t put it there in the first place, argues Gregory Kris.

Parliament’s Intelligence Security Committee (ISC) has just released its annual report, which says that cyber protection needs to become more aggressive and that the UK should declare cyber war on states and criminals who target the country, using aggressive (and occasionally covert) retaliatory strikes.

This sounds like a great 1980s movie, like WarGames (spoiler alert: the password is ‘Joshua’) or Hackers starring a young Angelina, but instead of the enemy being big hairy men from the Kremlin, it’s faceless enemies of the state, hell-bent on causing mayhem from their bedrooms (cf. LulzSec, Anonymous or any of the other disruptive AntiSec hacker groups).

As a result of this Hollywood indoctrination, coupled with negative news stories and apocryphal tales of widespread identity theft, there’s a pervasive and somewhat justified fear that these groups, and 419 scam artists ( - is a great way to waste 30 or 40 minutes over lunch) are after our personal details in order to ruin our lives.

The arguments for increased data protection are strong and reasonable, and it’s wise to take as many precautions as you can. But you can go too far the other way.

My friend’s mum, for example, will not give her son her bank account number over the phone, just in case someone is listening in on her phone calls. I pity the master criminal whose job it is to listen in on Mrs Jenkinson’s phone on the off chance that she’ll let that vital snippet of information slip. But if he’s been listening carefully and taking notes over the last 20 years, he should be able to piece it together based on the cryptic clues she’s been leaving.

So here are some thoughts on why increased data security may be undesirable:

Secure doesn’t mean Secure

If an individual sees that a site is PCI compliant, Thawte certified, or advertises that they have terms that note that ‘we will not share your data with anyone’, then the natural assumption is that ‘this site is secure’. This is not always the case. Even sites compliant with the new EU data protection rules promise to deliver more than is practical. By taking responsibility away from individuals and replacing it with a legal framework, they may create unreasonable expectations for privacy and a false sense of safety and security online.

The right to know

It’s been postulated that data is the oil of the information age. How much oil do we need to keep the wheels of society turning? In some instances, the ‘right to know’, may be more important than the ‘right to not share’.

The truth is out there

Once the genie is out of the bottle, it’s hard to put him back in again. When dealing with data, as soon as it’s out there, someone will take it, use it, re-distribute it, and even resell it.

It then propagates across the web, or is archived, cached or replicated further. If you say something on the web, then it’s very hard to ‘un-say’ it. Data protection rules that allow you to remove your own data are impractical and may be ineffective.

Can businesses afford data protection?

Implementing data protection can be costly – especially retro-fitting data protection and security when the laws change. This extra expense in the current climate is not at all desirable, and individuals might reasonably expect that corners may have been cut or businesses haven’t got the budget to get round to it yet.  So the price of data protection may be the death of a number of small businesses, which is not going to help the economy.

Frankly, the wisest way forward may just be the simplest:

Be responsible for your own data

The net is like a megaphone, and anyone who is part of it can choose to listen in on your conversation. Anyone who posts, writes, inputs or participates online is at risk of having their details discovered or uncovered.

But rather than blaming the online businesses and destinations, or refusing to engage in the digital age, individuals should take greater responsibility for the personal data they upload online. Nobody is forcing individuals to upload personal information to social networking sites. If they don’t want their information out there – then don’t share it.

Gregory Kris is an original dot-com CEO, selling his first digital business, a social network, in 2000. Since then he has run and sold two start-ups, advised on numerous others, and invested in a couple more, with varying results. A firm believer that ‘data is the oil of the digital economy’, Greg is currently CEO of Decibel, the music metadata specialists, and has been called ‘Europe’s first Digital Data Baron’. You can follow him on Twitter at @gregkris or email him