VIEWPOINT - Security and Privacy Challenges in the Decade Ahead
Fred H. Cate
Predicting security and privacy challenges 10 years ahead is a daunting task, and one almost certainly doomed to failure. So I thought it might be more useful - as well as safer - to identify six issues proving problematic today, and that I believe are going to be even more vexing in the future.
1. Changing Fraud/Security Threats
I and others have argued that the current firestorm over identity theft and the role that information security breaches play in it is overblown and misfocused. But whatever the case today, there is mounting evidence that identity theft is evolving in ways that will make it more challenging and more threatening in the future.
For example, we appear to be witnessing an evolution of attack strategies that suggests the involvement of sophisticated fraud rings. A number of recent frauds reflect key similarities - i.e., common addresses, phone numbers, targets and strategies - that cause law enforcement officials to believe they are orchestrated by well-organized and financed perpetrators.
More significantly, we are witnessing the emergence of new and harder-to-detect frauds. Phishing attacks are growing rapidly in both frequency and effectiveness. As of December 2005, seven in 10 Internet users say they have been fooled by phishing messages.
"Spear phishing," which relies on contextual information to target fraudulent messages based on characteristics of specific Internet users, is proving even more effective. In one Indiana University study, the percentage of recipients of a phishing message persuaded to provide their account name and password increased from 16 percent to 72 percent when the researchers made it appear that the fraudulent message originated from a Facebook friend.
In addition, evidence is emerging of a new type of identity fraud: synthetic identity fraud. Rather than making fraudulent use of an existing credit card or bank account, or opening a new fraudulent account in the name of an unsuspecting victim, synthetic identity theft involves creating an entirely new identity. Many of our current efforts at solutions to fraud and identity theft focus on individuals (i.e., free credit reports, breach notices, dispute resolution procedures, fraud alerts). We know that individuals aren't taking advantage of these today, but they will be even less effective in the future because synthetic identity theft may not show up on anyone's credit card statement or credit report. In fact, it may not be visible for years, as thieves develop credit records for the new identities they have created.
2. Location Information
A second area of growing concern is the location information generated by cell phones, RFID tags, On-Star and other auto-based computers, and the myriad other emerging technologies that provide increasingly precise information about the user's location.
The issue is not just the risks of such information, but how to deal with privacy issues (especially if based on notice and choice) in contexts where there may be no screen, no contract, and potentially no contact with information users.
3. Information Aggregation
A third critical issue is the whole field of information aggregation and the industry of data aggregators that supports it. Data aggregation is vital for verifying consumer identity, accurately matching data with people, target marketing, and other valuable activities. The government also has identified data aggregation (and data mining) as key to anti-terrorism and anti-crime efforts. I suspect that data aggregation services will continue to grow for all of these purposes, and especially as a critical foundation for identity authentication and verification.
But data aggregation has long been a subject of controversy. Public reaction to many government proposals to use aggregated data for security purposes has been swift and critical. It challenges our traditional approach to privacy regulation, because of the difficulty (if not impossibility) of a data aggregator providing notice or an opportunity for consent to a consumer with which it has no direct relationship. As the demand for services based on aggregated data grows, our inability to manage the issues those services present today will only lead to greater controversy in the future.
4. Global Data Flows/Outsourcing
We currently use national (or even state or local) law to deal with increasingly global information flows. While the issues this raises are not new, powerful information technologies, global networks, and the multinational commerce, outsourcing and information sharing they have made possible already are causing new and more frequent conflicts among divergent national approaches to privacy and information management.
We have seen this demonstrated by the Article 25 European Union Data Protection Directive; the legal wrangling over transferring Passenger Name Records across borders for immigration, infectious disease control and anti-terrorism purposes; restrictions in British Columbia, Ontario and most recently Nova Scotia, on transferring personal data to the U.S.; and the growing political debate in the U.S. and Europe about outsourcing personal information to India and elsewhere.
These issues are critical and they only are going to become more acute as business processes and laws catch up with the increasingly global economy to require the retention and consolidation of more personal information across national borders. Consider, for example, the impact on multinational companies of the requirements of the new U.S. electronic discovery rules that take effect this month and require companies to retain and search electronic documents - wherever located - that may be relevant to anticipated or ongoing litigation.
Most importantly, the approach of using national trade barriers and bilateral agreements to address these concerns is unlikely to prove a useful model for the future.
5. National Security/Law Enforcement
The fifth privacy/security issue that I believe will dominate debate for the next decade concerns how the government should use personal information to enhance national security and what limits law should place on that use.
Following the terrorist attacks of September 11, 2001, we have witnessed a significant escalation in government intrusions into personal privacy and considerable erosion in the legal protection for privacy and the government's respect for privacy, all justified on the basis that it is necessary to protect national security and secure critical infrastructure.
These developments, and the apparent threats to national security, have contributed to undermining rational policymaking. In one three-month period, for example, Congress enacted legislation both prohibiting and requiring data mining to fight terrorism. Yet we still have no consensus on whether data mining to prevent terrorism is legal, effective, or consistent with American values concerning privacy.
Similarly, the government's intense interest in accessing personal data for national security and law enforcement purposes has brought the U.S. into increasing conflict with Canada, European nations and other allies. It also has highlighted the volume of personal data available in the private sector and the absence of any legal constraints on the government accessing those data.
It is difficult to imagine a more pervasive or critical set of issues. The stakes could hardly be higher: on the one hand the prevention of terrorist attacks; on the other, the erosion of the most fundamental privacy rights and the other civil liberties that necessarily depend on them.
6. Accountability
The final privacy/security issue that I would highlight is the question of accountability. This is really a cross-cutting issue that has been raised by many existing privacy and security controversies: whatever the rules protecting privacy and security, how do we ensure accountability?
Despite the prevalence of this issue, I don't think we are moving any closer to resolving it. Users of personal information - whether in the public or private sectors - frankly are not very interested in meaningful, third-party accountability. And many of the accountability tools we have seen to date - class action lawsuits, pile-on investigations by federal and state regulators, statutory penalties where no tangible harm has occurred and wide-ranging data protection commissioner inquiries - are so costly and unrelated to meaningful privacy or security protection that it is not hard to understand that reluctance.
The absence of rational, effective accountability systems undermines privacy and consumer confidence.
Resolving these issues will not be easy. Privacy and security laws in the U.S. vary widely, create different rules for the same data held in different sectors, conflict across state lines and are overseen by a dizzying array of federal and state agencies. It makes little sense today, and will make even less sense as technological and other developments make the collection and use of data more integrated and seamless to consumers.
Until we make better sense out of our privacy and security framework, and the key legal principles that undergird it, we have little hope of addressing the more vexing issues on the horizon.
Creating a more rational framework will require moving beyond the notice and choice approach of which we currently appear to be so enamored. We know that very few people read notices or exercise choice over how their information is used. A privacy system based on notice and choice isn't likely to work any better in the future, especially in the face of new technologies and applications that make information collection and sharing easier, essential and more invisible to the consumer.
Rather than clinging to notice and choice, or expanding it (as we seem determined to do by adopting consumer notices as a measure to deal with security breaches), it is time that we recognize that privacy requires more effective protection. We don't use notice and choice in other areas of consumer protection. You can't choose to be defrauded or to be the target of bait and switch sales practices. We will never make a serious step toward addressing the critical privacy and security issues outlined above until we let go of our reliance on notice and choice.
Finally, we must be aware of the shifting nature of privacy norms. Privacy and security must always be considered in the context of other values and consumer desires (i.e., convenience, safety, affordability, etc.). The balance among these competing interests is always in flux and our approach to protecting privacy and security must take that into account.
But we also must be aware of the risks of getting used to less privacy and security, especially in the public sector. As many people have noted throughout history, privacy is easy to give up, but hard to reclaim.
Fred H. Cate is a Distinguished Professor and Director of the Center for Applied Cybersecurity Research at Indiana University, and a Senior Policy Advisor in the Center for Information Policy Leadership at Hunton & Williams. He may be reached by email. This article is excerpted from his remarks on Security and Privacy Challenges in the Coming Tech-ade at the Federal Trade Commission hearings, "Protecting Consumers in the Next Tech-ade."