To continue from yesterday…

I found this book from 2009 about security – The Myths of Security. It's a fairly easy read (many chapters, but solid material and broken down into easy to understand chunks). I read most of it – really enjoyed it! It helps confirm that security has been an issue for a long time, but unfortunately, no one seems to take more interest in it – even in 2009 when the book was written.

I was at a networking event last night and happened to meet a security executive. I told him about my thoughts on privacy policies at sites and how we don't really educate users – he agreed. We are painfully behind the times in this regard, and we are in some ways harming our users by not being so direct and straightforward with them. I learned a few more details about the problems – and hope to talk to him in the future to learn more. He clarified some questions I have had about security, the Internet, the cloud, and the need to put up warning bells.

The below list was inspired from a blog comments dialog about the apathy people have towards security. I put a few thoughts together on it, and hope this generates more discussion. I think there are 4 possible reasons why there is user apathy about data security and the Internet. 

1. Protected from impact

The most common identity theft most of us have experienced has been through credit card fraud (I have been victim of this 2-3 times). This crime turns into a plain inconvenience because we have to call our credit card companies, report the theft, get a new card, and then update auto-payments with the new digits. It's just kind of annoying. Each of us personally doesn't need to fix the problem – that's the credit card company's problem. The banks have mastered this process and do a great job! 

However, beyond credit card fraud events, we haven't really experienced a big Internet security breech. I mean something like the data systems for a water supply source going down, so there is no way to distribute water anywhere. Or the system that manages street lights going down and there being no lights during rush hour in a city. Or the power grid collapsing. Or a personal health data leak from a major hospital or medical center or insurance company. We have been lucky that the flaws in these systems haven't been exploited and they have been managed so that we don't think about them.

This insulates us from thinking about the what-ifs – and in some ways, being insulated encourages us to be naive to the risks that this may cause.

2. What we don't know won't hurt us. 

We will rely on experts to tell us what we need to know (which is generally a bad approach to life, never mind how we store and manage our personal data). 

To reflect on the conversation I had last night with the security executive…he told me that there are general security issues with the overall workings of the Internet. He commented that we are using pretty much first or second generation security technology/methodology/ideas on the Internet, which is why it is so fragile. And no one changes it because they don't feel there is a need to (or shall we say, it would be too much work to get everyone aligned worldwide to make some sweeping changes).

This gets us back to the knowledge discussion. If you knew that to transfer packets of data across a network, it is cheaper and faster to unencrypted it, how would you feel about that? Or that the Internet itself needs an upgrade, being data infrastructure in general? I know I don't feel super secure. 

I work in the industry, so I know enough to be dangerous. Most people I know who work on the Internet or in computing have similar sentiments about data and security. Those outside the industry are generally fine with surrendering their data because they don't fully know the what-ifs of such a situation. They want to be educated, but don't know where to go or what to do.

This scares me for them.

3. Most of us aren't criminals and don't think this way.

If you aren't a criminal, you don't think like one.

Long ago on a flight, I happened to sit next to a criminal psychologist. Of course I was curious about how criminals think, so I pummeled the poor man with a bunch of questions.

I started to regret my interrogation when I asked him how criminals really think and he said: "When you or I walk past Macy's, we wonder what's on sale in there? What could I buy? Maybe I should buy those pants or that shawl today? A rapist thinks, I wonder if there is anyone I could approach and attack? Will the situation present itself to do this? How could I get away with that?"

Disturbing? Most definitely. (I had a stiff drink after that conversation.) But the same logic applies with security. 

Most of us go to a site and use it to buy a book, clothes, etc. Or we write a blog post, send an email, share files or thoughts.

A hacker visits a site, wonders about the security methods used, and how he could hack it. 

4. Believe we can give up personal security for safety.

If you think about this carefully, this logic doesn't make a heck of a lot of sense.

Personal security keeps us all safe. It's not something you should consider trading for "safety." I won't get into the NSA debate, but in general, once you allow anyone to view your data, you have created risk for that information to get into the wrong hands. This could happen innocently (someone looks over a shoulder, walks past a computer, etc.). It is general temptation.

You can't trust anyone's intentions, especially if that person thinks that it is ok to view information you consider private and personal. This goes back to point #3 – just because we don't think like a criminal, doesn't mean criminal minds, when tempted, don't exist.

Personal security for your data is important. It is your data to keep stored safely and securely.  

I'm curious to hear your thoughts.

I recently upgraded the OS on my Apple laptop. As I was completing the installation, some questions on the screen asked me if I was connecting to iCloud.

I have been reluctantly storing a lot more of my data to cloud storage systems. I like the cloud because it is convenient; I dislike the cloud for data security concerns. I'd feel better if I could understand exactly what is happening to my data on the way to the cloud, through the cloud, and on the way back. This isn't magic – there are systems involved for routing and parsing the data.

Companies could do a better job describing what they do with our data. (Ok, Box.net does. If there are others, let me know.)

On the screens during the upgrade, Apple wrote that the data would be encrypted and saved/stored. But what should that mean to me? I know my data will be placed on servers, storage, and backup systems along the way.

• Where will this data live?
• How will it get from place to place?
• Will it be encrypted?
• Will it ever be unencrypted?
• Is there a way to hack into this?

I mean, a bunch of celebrities got their photos hacked on iCloud. Why couldn't my info be hacked too?

I think we trust most cloud companies simply because they claim they are the "experts." Most of us don't understand the intricacies of data security and protection, and it can be overwhelming. Rather than trying to learn the information, we will often accept what an "expert" tells us because it is easier – mentally and emotionally – although this approach comes with great risk.

From childhood, we are trained to believe "experts" if a subject is too complicated. However, these experts can often over simplify processes and downplay risks/problems. This happens frequently when corporations try to sell a product. They try to make that product simple and easy to understand, but some key details could be left out of the discussion, which if included, could raise some concerns.

If you don't know what you don't know – you don't ask, which means you still don't know. This means that you don't know enough to even learn what's right.

Health insurance is a great example of this.

Health insurance is complicated. In one study, 3 out of 4 claimed they felt confident knowing what their plan was all about, when in fact only 1 in 5 could accurately calculate the costs to visit a doctor with that plan. (I'm not kidding!) Transparency could fix the problem, but the industry is so full of jargon, generally intimidating, and frankly, not entirely trustworthy. We take them at their word, because again, you don't know what you don't know, so you can't ask and you can't learn any different. 

But we all know what happens when we "trust" anyone with data, money, health. It doesn't always work out for the best. (Remember the mortgage crisis, the dot-bomb crisis, etc.)

The devil is in the details; we need to understand the details in order to understand the best way to work with a system.

Data security is probably the most important element of the Internet of Things movement.

(Personally, I hate the term Internet of Things the same way I hate the term "evergreen content." It's like a new generation of Web-Folk stumbled upon an idea that has existed for years, gave it a name, and now it's a new, exciting movement. What is up with that?)

The vision of the Internet of Things has existed for years – remember the Internet fridge from LG in 2001? The only difference as to why this is so hot now, is that it's more technically feasible and accessible with the emergence of mobile devices and wireless access. It's a truly wonderful vision, but if you get into the details, it quickly becomes a scary (honestly, apocalyptic) vision if data security isn't fully addressed. 

Here's a great example I found at Tech Target about how much the details matter in data security with the Internet of Things:

…consider what happened to Affinity Health Plan of New York. In 2010, the CBS Evening News acquired a network-connected photocopier that had been previously leased by the company. The copier was equipped with an internal hard disk and contained protected health information for over 300,000 people. The Department of Health and Human Services fined the company $1.2 million for allowing the data to be exposed.

Although there is probably no need for backing up the contents of a digital copier, this incident serves to illustrate the fact that network-connected devices can sometimes contain substantial amounts of data. For example, some security systems are equipped with hard disks and store everything from video data to employee door-access logs. IT pros must identify the devices that store data internally and then determine if that data needs to be backed up, and how to do so.

–Brien Posey, How the Internet of Things will impact backing up data, TechTarget

That copier-device should have been identified as a data storage device, and the data should have been protected and then swiped when decommissioned. Any one of us could be one of those individuals with exposed health data.

Imagine if some copy clerk was able to see if/when you had chlamydia, cancer, or any other private illness. Sure, he doesn't know who you are on the street, but he has seen your personal information. It's an anonymous violation of your privacy.

In the wrong hands, this isn't just a problem. This is a disaster. 

All it takes is a snippet of your private, personal health records to replicate your identity. The research tools to find your complete identity are public and the work to accomplish identity theft is mainly in the research. This is why data security is so important – just a little bit of information goes a long way. It is truly frightening to learn what's easily accessible. 

As an example, think about how you may go online to trace who called you using only a phone number. Or how you may Google a guy (or girl) before a date to make sure he is who he says he is. These are harmless identity searches, but identity searches nevertheless.

Now, think about identity searches using the mind of a criminal who wants to use your information to benefit himself.

All he needs is one piece of personal info. The next thing you know, you have maxed out credit cards you never applied for and have a foreclosed house in the Bahamas, even though you can barely pay rent. And no one believes that you didn't do it. Heck, the identity thief even knew about your parrot, Larry, those red heels you bought last week, and the real reason you were on penicillin 5 years ago.  

This brings us back to the discussion, why we should care about security (but we don't). More tomorrow.