That we are living through a data explosion today is not news. Costs associated with data storage continue to drop. It is easier and easier to store data for longer and longer periods. And the technology driving all these changes doesn't like data to sit still - what else can be done with this data? What new combinations of this data will lead to new insights, to new products...and to new problems?
The surveillance economy is crashing into more and more of these centralized data stores. We hand over bits and pieces of our personal information to vendors every time we transact. Even for those who recognize this is happening, it's something unexceptional, even routine. What does "privacy" really mean in today's world?
Privacy is frequently lined up against security in a zero-sum game. But these two concepts are not mutually exclusive. Finding an appropriate and workable balance should always be the goal. As such, there are tremendous opportunities for innovation. It's a serious, timely and huge problem, especially as we recognize that these privacy challenges radiate across multiple dimensions: technological, legal, societal, economic, political, regulatory, and more.
How to maintain security and privacy together is a problem that cuts across industries and use cases - and MACH37 can be a proving ground for your product or idea that addresses this challenge.
If you are a technologist at heart, there is a wide array of theoretical and applied privacy-enhancing technologies (PETs) which can be deployed to keep private information private. Homomorphic encryption permits computation to be performed directly on encrypted data, without decrypting it first, thus keeping any sensitive data secure at all times. Differential privacy adds statistical noise to large data sets to obfuscate any one individual's details, in an effort to frustrate re-identification attacks. Zero-knowledge proofs allow an entity to prove possession of a secret to some other entity, without having to reveal the secret itself. Secure multiparty computation splits any computation across more than one entity, so that no single entity has a view into the entire data set. Federated learning sends data science models to the (many) places where the data lives, rather than bringing all the source data to a single centralized location. Data synthesis creates artificial data, designed to mimic but not reproduce existing "real" data, so that no sensitive information is present in the data set.
Or perhaps you are more of an architect, someone who understands the technology but also needs to create solutions that respect how that technology navigates the regulatory and governance requirements of the real world. The legal regulations GDPR (General Data Protection Regulation) and CCPA (California Consumer Privacy Act) have been front and center in the data privacy world over the past several years. How do you build solutions that empower the business to fully leverage and maximize the use of the data it collects, while at the same time preserving certain rights for those individuals whom the data represents? It's like threading a needle, except that the needle tends to move a bit with every new regulation which arrives on the scene. Just like building security into a solution from the very start is always preferable to bolting it on later, building privacy into a solution starting at the initial requirements stage is always easier than trying to retrofit it. The "Privacy by Design" approach and its seven foundational principles is a great place to start thinking about this challenge.
Or maybe your focus is that of the advocate weighing the risks posed by today's surveillance economy. And of course, there is a government surveillance component to this concern as well. The Snowden disclosures showed very clearly that governments around the world can draw powerfully accurate conclusions from metadata alone. After all, in a letter-and-envelope analogy, if I can extract actionable information from the outside of the envelope, is it really a problem if I can't read the letter itself? A lot of legislation on the books today focuses on protecting the contents of the letter, and not on the metadata sitting in plain sight on the envelope in transit. Are there solutions today which do a good job educating the public or an employee population about privacy risks at work and at home? Whomever figures out how to meet the needs of both governments and individuals alike will have a winning solution.
Interested in digging into one or more of these areas? Don't start your journey without first building out a solid foundation of knowledge. Addressing these privacy challenges cannot be achieved through raw technology alone, especially as the regulatory environment continues to expand around the world. And blindly deploying technology to remedy an issue introduced by technology is not a step that tends to clean things up, but rather further muddies the water.
Some books I typically recommend for someone wanting to learn more about privacy and its large family of adjacent issues include Susan Landau's Surveillance or Security? (eavesdropping and modern communications), Bruce Schneier's Liars and Outliers (how do you establish trust in an untrusted environment), and Daniel Solove's Nothing to Hide (privacy and the Fourth Amendment). Schneier is a public-interest technologist with deep roots in cryptography, and Landau and Solove are leading academics in the surveillance and privacy space – but all three of these recommended books are written for wider (non-academic) audiences. And if you'd like something more directly focused on practitioners, start with William Stallings' Information Privacy Engineering and Privacy By Design, which combines the regulatory goals and technical realities of building out a privacy program.
Regardless of where you start - as a technologist, an architect or an advocate of privacy - don't forget that a central tenet of the MACH37 experience is that proposed solutions should not be wandering around in search of problems to solve. Think about how your solution either solves a business problem, or opens up a new avenue to address larger societal challenges. Privacy needs your help!
Ben Smith (@Ben_Smith) is Field Chief Technology Officer with NetWitness, an RSA business. He brings more than 25 years’ experience in the information security, risk management, networking and telecommunications industries; his prior employers include UUNET, CSC, and the US Government, along with several technology startups. Smith holds industry certifications in information security (CCISO, CISSP), risk management (CRISC), and privacy (CIPT); he is an acknowledged contributor to NIST SP 1800-1, -3, and -7; and he serves as an appointed member of the Cybersecurity Canon Committee. He is a patent holder, a published contributor of four of the "97 Things Every Information Security Professional Should Know" [O'Reilly, 2021] and previously served as a corporate representative to the National Cybersecurity Center of Excellence (NCCoE). He has been a MACH37 Stars Mentor since 2014.