Privacy Vs Security In A Big Data World


I still havenít decided if Edward Snowden is a hero, a traitor, or a schmuck. I watched Citizenfour, the documentary that captures his story in real time, thinking it would help me figure it out, but I walked away liking him more and his actions less, and still not ready to hang a scarlet letter around his neck.

What I do know, however -- and I thank him for this -- is that Snowden helped bring the discussion of big data privacy and security to the public square -- and not just the American public square, but the global one as well. This is a good thing, because in this era of big data, not to mention the Internet of Things, we can no longer relegate this discussion to the privacy freaks and security geeks in the back room. Itís a discussion in which we all should participate.

To understand it better, letís take a brief look at some of the privacy and security issues in the context of the (big) data lifecycle.


Privacy, security, and the data lifecycle
In data security circles, the six stages of the data lifecycle are well known: create, store, use, share, archive, and destroy. While these six stages have a strong foundation in security, an interesting thing to note is the fact that the two privacy-related stages -- use and share -- are situated squarely in the middle. Is it just a coincidence that privacy is at the heart of the matter?


Create
If data is not collected and/or created, there is no need to secure it. This may seem obvious, but itís astonishing how many websites and apps forget or disregard this point. They collect it all ďjust in caseĒ Ė- with little consideration on how the data may be handled downstream.

Why this matters: Data security begins at the point of creation or collection. Organizations need to be deliberate in the data they request or receive, and individuals should be mindful of the data theyíre sharing -- whether itís sensitive data on a financial site or a viral video on YouTube. If this data is not secured, it could end up in the wrong hands.


Store
With the volume of big data being generated these days, itís not just a question of what data to store, but also how to store it all without blowing the budget. Open-source big data technologies are helping to greatly reduce the cost of data storage, both on-premises and in the cloud.

Why this matters: If an organization creates or collects data, it becomes their responsibility -Ė not the individualsí -Ė to secure and protect it from corruption, destruction, interception, loss, or unauthorized access. Some organizations take this responsibility more seriously than others.


Use
When an individual sets up a new account with an organization through its website/app, the individual is asked to read and agree to the terms of service and/or privacy policy. This legal contract typically defines how the individualís data will be managed and used inside and outside the organization. Granted, few people read this legalese, but our expectation is that the organization will use our data ďresponsibly,Ē and when this usage changes, we expect to be notified.

Why this matters: Itís the usage -- not the collection or storage -- of data that concerns most people. Itís this stage where individuals want to be in control. For example, they want to set the dial on how public or private their data should be, who can access their data, and whether their data (aggregated or not) can be sold or rented to third parties. In this big data era, when organizations donít provide this level of privacy control, they risk losing the loyalty and trust of their customers and users.


Share
Organizations continue to share data between internal systems and external partners, but with the advent of social networks and ďsmartĒ devices, sharing data has become a public pastime -- even to the point of ďselfieĒ narcissism.

Why this matters: On one hand, individuals want control on how their personal data is being used. Yet some of these same individuals show little to no constraint on what personal data theyíre sharing. Even though itís the responsibility of the organization behind the website or app to secure usersí data and respect privacy settings (if they exist), itís up to the individual to determine what and how much information theyíre willing to share. If you put it on the Internet, itís not a question of if, but when, your information may be used in unintended ways.


Archive
Between big data technologies and the cloud, itís become relatively cost-effective for organizations to store data for longer periods of time, if not indefinitely. In some cases, regulations stipulate how long certain data will live -- like in the US financial and health industries -- but, in most cases, the budget and space constraints are being alleviated.

Why this matters: Being able to store more data for longer periods of time at a fraction of the cost is an appealing proposition for organizations. The more exciting proposition, however, is the ability to analyze even more data over greater periods of time to discover new questions, patterns, trends, and anomalies. The gotcha here is: The more data an organization stores and archives, the more data it has to secure.


Destroy
If and when data is tagged for destruction, the question is to what extent. For example, if a website user requests that his account be deleted, what does this mean? Is it just the access to his account/data removed (so that he can request access later if he changes his mind) or does a deletion request trigger the destruction of all his data, including archived data? The answer most likely lies somewhere in between for most organizations.

Why this matters: Regulations and governance policies will dictate the extent to which data may be destroyed for many organizations. The data that does not get destroyed must then be secured. So using the example above, if a website user requests that his account be deleted, and he receives an email notification to that effect, what he doesnít know is what personal data, if any, still exists in the organizationís systems. He may still be vulnerable to a potential data breach, long after heís been deleted.


It cuts both ways
While a citizenís right to privacy and freedom from government surveillance has been top of mind for Edward Snowden, national security has been top of mind for the US government.

And therein lies the rub: security cuts both ways. On one hand, itís the responsibility of an organization to secure and protect any digital information it collects, stores, and transmits. But on the other hand, our governments are knocking on organizationsí doors demanding access to this protected information -- all in the name of preserving national security.

This is only the beginning. Snowden may have been a catalyst in getting the big data privacy discussion started, but itís not his to carry on and finish. Itís yours, mine, and ours.

This blog was originally posted on Brand Quarterly.

Tamara Dull,

Tamara Dull is the Director of Emerging Technologies for SAS Best Practices, a thought leadership organization at SAS Institute. Through engaging publications, rich media and industry engagements, she delivers a pragmatic perspective on topics including big data, Hadoop, open source and the Internet of Things. Tamara has been in the high tech industry for over 25 years, and has held positions in enterprise training and consulting, software development, marketing, and IT, product and executive management.

 


Privacy-security debate
  • 8/8/2016 7:41:18 AM
NO RATINGS

..

This is a useful presentation of security and privacy issues in relation to the schema of the data lifecycle, and it opens many issues for discussion.

I'll launch one issue for discussion: Edward Snowden. In my view, Snowden's actions in exposing U.S. government surveillance (and plans for expanding surveillance) of the U.S. population have been unequivocally heroic. 

I don't think government agencies and personnel necessarily have all of our best interests as a top priority. Private citizens can take actions that uphold and advance those interests, and I think Snowden did just that. 

Snowden did this at considerable disadvantage to his own personal safety and lifestyle. I hardly think this merits considering him a candidate for being labeled as a "schmuck".

..

INFORMATION RESOURCES
ANALYTICS IN ACTION
CARTERTOONS
VIEW ALL +
QUICK POLL
VIEW ALL +