ThreatMetrix Cautions President and Participants at Cybersecurity Summit
Posted February 13, 2015
ThreatMetrix’s Alisdair Faulkner Warns of a Possible “Privacy Pearl Harbor” Should Collecting Personal Info for Security Destroy Privacy
The long awaited presidential summit on cybersecurity taking place at Stanford University in Palo Alto, California brings together experts from industry, hi-tech, and law enforcement as well as consumer and privacy advocates, law professors who are specialists in the field, and students.
In its announcement of the Cybersecurity Summit, The White House says the Obama administration is pursuing five key priorities that will strengthen [the U.S.] approach to cybersecurity threats by:
- Protecting the country’s critical infrastructure — our most important information systems — from cyber threats.
- Improving our ability to identify and report cyber incidents so that we can respond in a timely manner.
- Engaging with international partners to promote internet freedom and build support for an open, interoperable, secure, and reliable cyberspace.
- Securing federal networks by setting clear security targets and holding agencies accountable for meeting those targets.
- Shaping a cyber-savvy workforce and moving beyond passwords in partnership with the private sector.
One key issue not touched upon in the White House announcement is the issue of privacy.
Alisdair Faulkner, ThreatMetrix chief products officer, warns about losing privacy to gain security
In light of President Obama’s visit to Silicon Valley, now is a better time than ever to address online security and privacy. Collecting an unreasonable amount of personal information will lead to a “Privacy Pearl Harbor.”
How much information collection is too much?
Threat intelligence sharing is necessary but only to a certain extent – businesses must make sure that reasonable security is not an unreasonable privacy invasion. There needs to be a reasonable amount of digital identity verification such as verifying one’s location or phone number when using a banking app. However, some businesses, including ride sharing services and major banks, have access to information about your entire location and activity history each time you use the app. With so much information stored on users’ mobile devices and in specific mobile apps, this often leads to an unreasonable privacy invasion beyond what is necessary for security measures. Instead, the recent influx of data breaches and privacy concerns calls for industry-wide authentication guidelines that do not compromise privacy.
Anonymized shared intelligence: authentication and privacy
To maintain a balance between privacy and security, businesses should leverage anonymized shared intelligence, behavior-based identity proofing and context-based authentication. At a minimum, industries operating online should self-enforce standards for controlling access to customer data from both insider and outsider theft without invading privacy.
Protecting customer and corporate identities
In addition to balancing privacy and security, businesses need to focus on protecting data in use in addition to data at rest. Data in use refers to customer or corporate identities that are used following a data breach without the individual’s knowledge. A key requirement for data protection is for businesses to ensure personally identifiable information is screened against unauthorized use prior to being processed. This can be done through device identification, malware detection and anonymized trust federation.
For more on preserving privacy while maintaining security, see: