
April 29, 2008

Personal Responsibility

During the Berlin deep dive, an idea surfaced that we hadn’t seen since the Media and Content focus area of 2007. It’s the idea that individuals should be able to control their personal information, the data that companies buy and sell thousands of times over in an effort to market to us more effectively.

Depending on the purpose, this data might include mailing address, email address, telephone numbers, age, sex, income level, employer, purchasing history, credit card number, social security number, bank accounts, etc. In other words, it’s pretty personal stuff…and valuable. When we discussed ownership of this data in the Media and Content deep dives, it was in the context of allowing individuals to better control what content and advertising they receive. One male participant lamented the fact that he frequently received discounts for feminine hygiene products.

But in Berlin, the discussion revolved around improving security by giving individuals more control of what information is released, to whom, and for how long. This, several participants reasoned, would reduce the risk of having that information stored ad infinitum on hard drives around the world. Because, as one diver put it, “electrons are very patient. Once it’s out there, it’s out there.”

Many agreed that in the Information Age, we have all gotten extraordinarily adept at putting our information out there. But we’ve no idea how to get it back. Or how to ensure its accuracy. Several participants suggested some kind of data retrieval service, through which you could reclaim information that was once yours to give. Perhaps the most compelling idea, however, was the suggestion that any time you enter your personal information into a database, you could assign an expiration date to it, ensuring that at a prescribed future date, that information would be destroyed.

These are all great ideas, but at some point the conversation became more about civil rights and less about security. By that I mean, does anyone think that giving the billions of individuals on the planet control over their personal information will make us collectively more secure? In fact, you could make a pretty compelling argument to the opposite effect: that individuals have proven themselves to be poor stewards of their own information, and that the continued popularity of phishing scams is exhibit A.

Of course, this doesn’t mean that we should all throw our hands up and resign ourselves to corporate ownership of all personal data. But it does mean that we need to be thoughtful about how we approach big issues like this. We have already discussed the strategy of pushing more of the responsibility for security to the edges of the network, i.e., individuals. But can we all really be trusted with that kind of responsibility? Isn't that why we outsourced security to government in the first place? Because, as one participant so eloquently put it, "the problem is humans." Therefore, if security is the end, is personal ownership of data the proper means? And if not, what is?

Once again, the GIO has succeeded in raising more questions than it answers.

April 29, 2008 in Security and Society | Permalink

Comments

Society is more secure, I would argue, if individuals don't routinely leave their personal data all over the place every time they transact online.

When you say the problem is humans and - elsewhere - that we outsource the problem to government where are you saying responsibility ends up? With machines? We'd live in a strange world if it were run by people hardwired to think that way.

I take your point about Exhibit A. Perhaps Exhibit B is the litany of corporate and government data breaches. You might argue we should stem the losses, but another question is why does so much unnecessary data reside there anyway - hence minimum disclosure, deletion, and the good things that user centric identity and Project Higgins make possible.

Of course there is a link between security and human rights. They're inextricable. I think it's fair to say [I haven't done a census on this] that human threats to security (i.e. not natural disasters) are typically rooted in injustice and inequality. That's not to condone inexcusable behaviour, or to say that all poor people or deprived people are destined to behave badly - the vast majority don't.

It's just that if your starting point is "we're all in this together" and you map out who is suffering injustice and inequality which we could rectify, you come to a very different view of what we need to do to maintain our security.

That's why I reckon a deep-dive view of the security market would take an holistic, evidence-based view of the with more focus on cost-benefit than on what Bruce Schneier calls security theatre.

I don't think violence brings justice anywhere.

And the more times I'm bodyscanned, CCTV surveilled, searched, have to take off my shoes and give up my water bottle to go on a plane etc the less supportive and co-operative I feel and the more convinced I am we should take the holistic view.

It would be a fun project to "market size" the US and global networked or sustainable security market for IBM (perhaps as part of your contingency planning in the event of an Obama presidency). Any takers?

Posted by: William | Apr 30, 2008 12:50:41 PM
