The Ghost of Data Protection’s Past, Present, and Future

The spooky season is upon us, and I’m not just talking about Halloween. As data breaches continue to head the cyberspace discussion it’s beginning to feel like a true Halloween story. The frequent regurgitation of the phrase “data breach” feels like a tummy ache from all the leftover candy and still, we’re increasingly creating and sharing information about ourselves that is being forever archived by big data.

We share our personal information on blind trust that it won’t be compromised, however the digital world was not fundamentally designed for privacy. Most sources we’re providing our sensitive information to are not fully equipped to store that information safely and securely, so while we’re playing catch up, businesses and customers alike continuously suffer the consequences.

Comparable to Ebenezer Scrooge, Information Technology was born with good intentions, but found itself wrapped in the hype of opportunity and has grown to become profitable and convenient to most, and unfavorable to those that get caught in its wrath. As I spin the story of A Christmas Carol into a more haunted, season-appropriate version, follow me through a twisted tale of privacy’s past and present so that we may see where we’re going in the future.

PAST

It’s Halloween night and you’re at the office. Most of your peers have gone home to take their children trick-or-treating, but you’re burning the midnight oil. An ominous smoke begins to crawl the floor of the room and there’s an odor of electric spark in the air. A large, clunky object with flickering lights approaches you and introduces itself as Eniac, the object of data’s past, here to take you back to where the idea of data protection began…

In the early days, computing operations were reduced to complicated calculations, however as computers evolved, programming languages were created to translate for various services, interfaces were developed, and user interaction became possible. The possibility to utilize the power of computing for those in the field of business, rather than only scientists and engineers, became available and the field of information technology was created.

As time went on and technology capabilities expanded, public apprehension grew around the increasing use of computers to process and store personal data. There were concerns about consumer credit and unsolicited direct marketing and there wasn’t much oversight in the collection, dissemination, and analysis of personal information. Does the date October 13, 1970 ring a bell? This is the day German jurist, Spiros Simitis, pioneered the first and oldest formal data protection law in the world called the Hessian Data Protection Act.

Although Simitis’ initial ambition was to make a career in the universities sector, with his work in civil law and the conveniently timed rise of unregulated accumulation of personal data, this led to data protection to soon become the main focus of his work. Loosely in his words, it was a “reaction to the constant refinement and evolution of Information Technology.”

Although flawed, it was the first of its kind and will set the standard for all other data protection laws to follow.

PRESENT

You wake up wondering if you were dreaming. You look out the window and everything seems normal; leaves blowing on the street and people moving about in their costumes. You check the date on your cell phone and you’re exactly where you should be, but you feel like that was definitely more than a dream. Before more thought can be given, you hear the faint voice of a woman calling your name from afar. Following the source of the sound, you’re led to Alexa, the virtual assistant, who introduces herself as the object of data’s present here to show you where data privacy efforts are today…

Fast forward through a dramatic leap where PC’s are connected to each other via LANs and WANs, and the amount of data that can be created, stored, moved and consumed has massively increased. The concern now is data sharing with third-parties and information being requested and archived without relevance or reason. Data storage is cheap which means information can be collected and never destroyed when it’s no longer needed. Furthermore, data can – and likely is – being shared with businesses from all over the world, who’s perception and enforcement on personal data varies.

Awareness and progression on managing personal data is on the horizon and the discussion is growing around holding companies accountable with what, why and where data is being procured. There are currently 12 information privacy laws in place and over 80 countries and independent territories have now adopted comprehensive data protection laws. The regulation leading the charge across the world is the European Union’s GDPR, which took effect in May 2018, and has already begun enforcing protection and fines to businesses that are not in compliance.

But they have always led by example when it comes to people’s interest with their personal data. Their privacy regulations are carried out by their reference to the experiences of WWII. It was a vulnerable period in Europe where the disclosing of someone’s race or ethnicity led to charges and seizures by post-war communist authorities. Thus, following the war, citizens have been cautiously private about their information and Europe has taken steps to protect personal data from these abuses in the future.

The US, on the other hand, is uniquely opposite in its notability for not having adopted any single data protection laws on a comparable scale. Like Europe, the US has historical reasons for their approach. The US privacy legislation tends to be adopted on an “ad hoc” basis with legislation arising only when circumstances require. This approach has much to do with the American laissez-faire economics in which transactions between private parties are free from government intervention and national laws and legislation around this subject are often less pursued. As hundreds of breaches are documented every year, it goes without saying we’re losing in a footrace to a Ferrari.

FUTURE

You look up and you’re back at the office, Alexa gone. You sit in silence pondering what could’ve been done differently, and how it can be better. “Thud, thud!” You hear a heavy knock at the door. You go to answer it and see no one. You look down and a small, light blue carrier case on 6 wheels is sitting at your feet. You’re not quite sure what you’re looking at, but it addresses itself as Amazon Scout, the object of data’s future here to take you a few decades forward…

In a dystopian future, you’re standing in the street you see a digital billboard advertising fingerprint purchasing. Everything from biometric scans to constant pinpoint locations have all been compromised, shared on the dark web and can no longer be contained. Anonymity is a thing of the past and what was once considered an invasion of privacy, has now been deemed public knowledge by elected representatives. AI is formally on the production line and there are many cloned copies of people existing in the same cities. Personal information, privacy and individuality is perished, and personal danger is at an all-time high. You can no longer browse the internet, apply for a personal loan, or pick your nose in an elevator without the world knowing your every move at any given time.

Things feel uncomfortable and you’re insisting with Scout that it doesn’t have to be this way. You’re explaining that if we prioritized the issues, the future can be better. With a blank stare, Scout asks in what way can we be better. You explain that by implementing a more robust and firm standardization around data sharing, clearly outlining and requesting the least amount of data necessary required from customers, being more cognizant about the security around third-party vendors in their ecosystems, and removing personal data when it is no longer needed, is a great start to protecting consumer data.

You’re shouting excitedly and the wind is blowing loudly around you until you open your eyes and realize you’re back in your office again, and you hear a whisper that says, second chance…

Our privacy and ability to remain anonymous are vanishing. We’re sharing faster than regulations are being formalized and, in a world where third-party partnerships are rapidly expanding, the increased need for impactful action is at an all-time high. It has become necessary to put privacy over convenience for the sake of reinstating the trust, safety and security of consumer data.

BRI GROVES

SECURITY ANALYST