Data Privacy Means Data Security (and not Data Retention)
Today is Data Privacy Day (also known as Data Protection Day), an international festival of our right to control our own personal information and to protect our communications from unchecked surveillance.
It's not been a great year for either belief. Since last year's celebration, the Snowden revelations have exposed how vulnerable private information is to unwarranted inspection by the surveillance state. At the same time, we've seen reports of incident after incident of major privacy breaches at large companies at the hands of criminals. Our personal data seems less secure than ever.
Data Privacy Day is on January 28th in commemoration of the day the Council of Europe opened the snappily-titled "Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data" for signatures. The 1985 convention dedicates a separate section to the importance of data security, saying:
"Appropriate security measures shall be taken for the protection of personal data stored in automated data files against accidental or unauthorized destruction or accidental loss as well as against unauthorized access, alteration or dissemination."
"Appropriate security measures" increasingly means defending personal data not just from cybercriminals and accidental disclosure, but from a menagerie of state actors using their own considerable powers of collection. That means that these days, a company that respects your privacy should be making efforts not just to encrypt data as it flows across the Net, but also to lock down the same data when it is at rest.
It also means they should be considering whether they should be collecting that data at all. The Convention speaks of ensuring data collection should be "not excessive" for its purpose. But whatever the purpose, the larger the data stockpile you build, the more vulnerable it becomes.
It's expensive and difficult to keep personal data private from adversaries like Russian and Chinese hackers or the NSA and GCHQ. And it gets worse, as companies hoard greater and greater amounts of unnecessary and intrusive information. Companies may insist they take steps to protect their users' data, but the best form of data security is simply not collecting that information in the first place.
Supporting Data Privacy is something that most people can get behind, and activists and corporations alike are today happy to highlight it as a goal. Europeans have used the day to pointedly note how delayed Europe's own data protection reforms have been. The EU's Justice Commissioner, Viviane Reding, has responded with a lengthy memo spelling out their intention to pursue data protection as a policy, including Europe's intention to push back against US spying.
The aftershocks of the Snowden revelations worldwide mean 2014 will be the most promising opportunity for data privacy regulation and reform in years. But without understanding that data privacy means data security, those regulations will oversee an infrastructure too filled with holes to keep data really safe. We need to make sure that encryption works, and that our governments aren't creating insecure backdoors in standards and software that will eliminate what protection we can provide.
We need to also make sure that politicians don't increase the vulnerability of our data by increasing the amount of data that is kept. Already, regulators have started framing "data retention", the compulsory storage of private data for far longer than is necessary, as the solution to law enforcement and national security access to personal data. Data retention is the opposite of data protection. It raises the chances of the catastrophic loss of privacy, with no benefit for the people it endangers.
It's been a bad year for data protection. Perhaps 2014 is when we start fixing the data privacy problems that 2013 highlighted. It'll take more than one day, though, to ensure that those fixes don't make matters worse.