Early returns: 2014 blogs focus on Snowden-linked security issues

InsightaaS perspective: I am an active blogger in the IT Solutions Exchange LinkedIn forum sponsored by Dell (Dell is also the sponsor of InsightaaS.com’s IT Management & Control section). I recently submitted a new piece based on several recent items posted to the InsightaaS Across the Net section, which appears at the bottom of each page on this site.

Across the Net isn’t meant to be thematic — it’s simply a guide to the best posts that I see as I review the sources I respect most in the industry. In fact, I try to ensure that there is appropriate balance by including blogs representing many different viewpoints: IT thought leaders (ranging, in recent month, from the members of the Enterprise Irregulars, Horace Dediu of ASYMCO and Andrew McAfee to experts working for IT firms, like VMware’s Chuck Hollis, and Paul Lewis and Hu Yoshida of Hitachi), and experts on social issues connected with technology such as Michael Geist, Jonathan Koomey and Nicholas Carr. I also try to stay current with posts from sites dedicated to specific subjects (such as Naked Security, Cloud Ave, Cloud Tweaks, Dean Bubley’s Disruptive Wireless, 9to5 Mac, I am OnDemand), and to look at recent posts from a number of analyst firms, including Gartner, Forrester, Wikibon, Ovum and Cutter (we have permission to post items from 451 Research, my personal favourite, directly to the main section of this site).

By design, then, there really shouldn’t be a common thread linking Across the Net content. However, I noticed that three of the first six posts for 2014 concerned privacy and security, and that this theme has been common in the IT Solutions Exchange forum as well, raised in discussions and posts by group manager Laura Jeffery and by commentators like Lynn Greiner, Brian Bloom, and Finn Lovsted.  Clearly, there is a great deal of focus on security as we move into 2014. In this item, we look at some recent posts on this topic, and on how they connect to the broader IT, business and consumer communities.

Michael Geist pic
Canadian professor and digital rights advocate Michael Geist

In the Chinese zodiac, 2014 is the year of the horse. In the IT community, though, early evidence suggests that 2014 will be the year of worrying about security, and related issues like privacy and compliance.

A scan of recent posts suggests that important voices from across the blogosphere are concerned with the business and social implications of security policy. Some of the items that have emphasized important aspects of security/privacy practices include:

Michael Geist: The Shameful Canadian Silence on Surveillance (http://www.michaelgeist.ca/content/view/7051/125/). Geist’s "The Shameful Canadian Silence on Surveillance," follows on several other items — including important coverage of the newly-introduced Bill C-13, which was highlighted on InsightaaS in November — to draw attention to Canadians’ muted response to attacks on their privacy and digital freedoms. According to Geist, while the U.S. government (prompted by the Snowden leaks) and telecom carriers are moving to more transparency and limitations around online snooping, the Canadian government is introducing legislation (Bill C-13) to expand its cybersurveillance powers, and Canadian telcos (which will receive "complete immunity from any civil or criminal liability for such disclosures" with C-13) are not echoing American approaches to providing more clarity with respect to requests for disclosure of personal information.

Sample quote: "Canadians deserve to know more about government surveillance activities, more about whether Canadian oversight is sufficient, and more about how companies such as Bell, Rogers, and Telus handle their personal information."

Naked Security: NSA sweeps up hundreds of millions of text messages daily (http://nakedsecurity.sophos.com/2014/01/17/nsa-sweeps-up-hundreds-of-millions-of-text-messages-daily/). Naked Security — a news/blog site hosted by security vendor Sophos - follows a theme that appears in the Geist post, and continues through most of the other articles cited here: the Snowden disclosures have had a major, negative impact in our perception of online security. In this post, Lee Munson, founder of Security FAQs, reports on UK coverage of information disclosed by Snowden. Munson states that the Dishfire program "has been in operation from at least May 2008 and, by April 2011, was intercepting 194 million text messages per day." The post states that Dishfire represents a proactive approach to surveillance: the program is described as collecting "pretty much everything it can" as opposed to merely collecting communications data from current surveillance targets, which provides support for future investigations — "for the development of new targets" — since "it is possible to examine the content of messages sent months or even years before the target was known to be of interest."

Sample quote (from Stephen Deadman, group privacy officer and head of legal for security, privacy and content standards at Vodafone group) "What you’re describing sounds concerning to us…We’re going to be contacting the Government and are going to be challenging them on this. From our perspective, the law is there to protect our customers and it doesn’t sound as if that is what is necessarily happening."

Errata Security: Why we have to boycott RSA (http://blog.erratasec.com/2014/01/why-we-have-to-boycott-rsa.html). The IT community reacted especially to Snowden’s revelations that the National Security Agency (NSA) has penetrated many IT suppliers, working to insert trap doors into IT systems that it can subsequently use to spy on the users of these products. Errata’s Robert Graham says "The Snowden leaks make us suspicious of other companies, like Google, Yahoo, Apple, Microsoft, and Verizon, but only with RSA do we have a 'smoking gun'. In some cases the companies had no choice (Verizon). In other cases, it appears that rather than cooperating with the government, the companies may in fact be yet another victim (Google). RSA is the standout that deserves our attention." He urges a boycott of RSA’s conference, and he — along with CSO Online, which is keeping an RSA 2014 Boycott scorecard — is insistent that RSA be held accountable for working with the NSA.

Sample quote: The word to describe those who do business with the RSA, even while criticizing their backdoor, is "collaborator". This was the word used by the French ("collabo") to describe the members of the Vichy government who aided the invading Germans. Instead of giving up their positions of power, wealth, and prestige, members of the French government just kept doing their same job. Their reasoning was that they were really anti-German, but that they could do more good for the French people inside the occupation government than without. The French didn't buy this reasoning, and neither should you.

Cutter Consortium: Big, Bad Data? (http://blog.cutter.com/2014/01/14/big-bad-data/). Finally, we have one post that worries about privacy without (much) reference to Snowden. In Big Data, Bad Data? Cutter Consortium fellow Ken Orr looks at how data usage erodes public trust in suppliers. Orr begins by ruminating on a New York Times article about "department stores tracking their customers by using their wireless devices, using their movement through their stores to predict what they were interested in and what they bought." As he notes, the implication that this is an example of Big Data is mistaken — there is "nothing necessarily big about the data involved here," as a relatively small amount of data is needed "in order to track the potential customers, what they might have looked at, and what they bought." The issue, Orr believes, is not the size of the data, but "the question of ‘unauthorized’ or ‘incidental’ data collection." Orr notes that "While people may agree that a store might better be able to support their current or future customers by doing this kind of collection and integration of personal credit data, we know (with another nod to l’affaire Snowden) from recent experiences with government surveillance that this information is or can be used to manipulate people beyond what the public expects."

Sample quote: "Each time I go to a website and am intercepted by a ‘you have been picked to be part of an important survey’ screen, I attribute this to either the marketing department of the website that I want to visit or to Google or to whichever search engine that got me there. And I get just a little angrier at the website for abusing my time and information."

Netting it out

My post on the Dell IT Solutions Exchange forum closes by stating that "this kind of reading isn't light, or necessarily uplifting - but it's important." Another article on InsightaaS — the 451 Research piece "Opportunities and chaos ahead — 2014 previews, part 3" notes that "A discussion of the governance aspects of an IT project can cause eyelids to droop, having an almost narcoleptic effect. IT has been steadily losing control of the various aspects of data management as user-initiated IT efforts slip beyond their grasp, while incurring ever-greater costs. A lack of visibility, coupled with expanding privacy regulations, should squeeze enterprises into taking governance more seriously in 2014." If the posts here can be taken as indicative of a trend, it appears that the industry is already rousing from this slumber.