‘Irresolvable tension’ exists in data retention, conference told

Experts say governments want to collect data, but are not focused on adequately protecting it

Cryptographers wait for their panel to begin at the RSA Conference Photograph: The New York Times Service
Cryptographers wait for their panel to begin at the RSA Conference Photograph: The New York Times Service

An “irresolvable tension” often exists between the desire of government bodies to collect and use personal data, and the need to adequately protect that data, say experts.

According to a panel on the second day of the RSA Security Conference, government bodies also are unaware of all the data they are collecting because it isn’t properly tracked or inventoried.

In addition, many private organisations, research groups and other bodies are eager to obtain these large data sets, but generally have not thought through privacy concerns or management, said the participants in a session entitled "Government in the Crossfire: Data Privacy in an Era of Growing Cyberthreats".

"In order for us to approach how to manage [DATA PRIVACY], we need to know where it is," said Flint Waters, state chief information officer for the state of Wyoming.

READ MORE

Data gathering

Agencies have a long history of mandating various types of data gathering “and we truly do not know what has been gathered.”

Wyoming was preparing legislation to change this and require datasets be inventoried, he said.

Road toll authorities also have gathered large data sets that they have resisted destroying, because they've never had access to such a range of data and now want to mine it, said Lee Tien, senior staff attorney with the Electronic Frontier Foundation.

For example, data from Fastrak devices used to automatically pay tolls has been of interest to law enforcement but they’ve had no specific reason for holding it.

“We asked, ‘well, why are you holding all this trip data from Fastrak?’, and they said, well, just in case,” Mr Tien said, noting this view was a major problem across agencies as well as companies.

However, JR Reagan, global chief information security officer with Deloitte, said that general privacy policies were too broad to cover the more nuanced uses people might desire their information to be used for, for example to to receive specific services.

‘Yesterday’s privacy constructs’

“We fall into the trap of thinking all issues are resolved around privacy if we solve for the bad thing,” he said, noting that to often we are “trying to apply yesterday’s privacy constructs to a digital world that keeps moving faster. We actually need to have different constructs to manage the data differently. We need to move away from these blanket policies around privacy, so data can be used for uses that you would like, but also be protected.”

One problem with government discussions of privacy and security - such as the current US case where the FBI is pushing Apple to give access to a terrorist's iPhone - is that they are seen as separate when they are actually closely intertwined, said Mr Tien.

“It doesn’t make sense to talk about either without talking about the other, especially as people see privacy as security in many ways,” he said.

In the Congressional hearings for Apple versus the FBI, a lot of people were resisting any sort of suggestion that there’s any sort of tension between privacy and security.”

Instead, the government has framed the discussion as differing approaches to a security debate, he said.

Conundrum

While Mr Reagan argued that privacy is essentially contextual, Mr Tien said he could not see technology solving that conundrum any time soon - for example, that people might someday be able to tag their own information to allow it to be used in different ways in different contexts.

A large problem was potential misuse, or abuse of such data by law enforcement, which can be very hard to uncover.

“They’re capturing data and leveraging it against other data sets only they have access to,” said Mr Waters, noting he comes from a law enforcement background.

“Then the data goes to private companies. In going to private companies, we’re seeing partnerships we’ve never seen before”, and the implications haven’t been adequately analysed.

“I don’t see any solutions, except for all sides to accept there are problems. Denial is the step where we’re at. There are a lot of folks that don’t want to acknowledge that there’s a privacy problem in the first place,” said Mr Tien.

Karlin Lillington

Karlin Lillington

Karlin Lillington, a contributor to The Irish Times, writes about technology