Online security is only successful if every company does its part.
That was the message of Edward Snowden’s keynote conversation at the SXSW Interactive conference this week, conducted via (highly protected) video link. I was one of the thousands of tech professionals who made up the audience for his first live video appearance, which focused on the need for stronger security practices in the face of government surveillance. “We rely on the ability to trust our communications,” Snowden argued. “Without that we don’t have anything. Our economy cannot succeed.”
I’ve done some pro-vaccination work in my professional life, and Snowden’s exhortation reminded me of nothing so much as the argument for vaccination. That’s because, like the effectiveness of online security as Snowden described it, the effectiveness of vaccination depends on herd immunity: as long as enough of the community is vaccinated, diseases like measles and rubella are unheard of. But herd immunity only works if everybody does their part: if too many people depend on their neighbors’ vaccination rather than vaccinating themselves, we get disease outbreaks instead of a healthy community.
Just as all members of a geographic community benefit from widespread vaccination, all members of the business community benefit from widespread immunity to government (or competitor) surveillance. The ability to keep communications private allows employees to innovate and collaborate, without their ideas getting scooped by competitors. Private web browsing allows talented professionals to find and apply for your job openings, without fearing that their current employer will notice. Private payment systems allow customers to buy your products, even if they are personal or embarrassing.
But, as with herd immunity, the benefits of privacy are available only if a critical mass of companies and individuals make the effort to protect it. Widespread adoption of privacy tools sustains the market for strong encryption and security software – a field that demands constant innovation to stay ahead of both hackers and government surveillance. Widespread adoption of privacy practices ensures that companies can use privacy-enhancing tools whenever they need them – without being flagged as suspicious. And widespread caution about collecting and retaining data prevents governments (or data brokers) from getting access to datasets that can be used to profile and target specific individuals.
Implementing strong privacy safeguards comes at a personal or business cost, however small: it takes a little bit of extra time and a little bit of extra effort, in part because existing privacy tools aren’t always easy to use. (Again, if more companies adopted strong privacy practices, it would help create market demand for better and more usable tools.) For those of us who put a lot of personal information online in the context of building a social media presence, there is also the potential reputational cost of sacrificing a little bit of visibility or engagement in favor of some degree of discretion.
In urging companies and individuals to assume these small costs, Snowden sounded much like vaccination advocates who encourage each of us to do our part for herd immunity. As with vaccination, it’s tempting to let other people do the heavy lifting: as long as a critical mass of companies use privacy-enabling tools like encryption and anonymized browsing, you know those tools will be available whenever you or your employees need to use them, so it’s easy to forgo individual vigilance.
If, on the other hand, unsecured web browsers are the norm in corporate environments, a company that does use the anonymizer Tor or encourages employees to use their “private browsing” option looks like a company with something to hide. If the vast majority of transactions are itemized and trackable through loyalty cards, credit cards and social login, the transactions your customers keep private start to look suspicious. If companies collect and retain large amounts of data – even data that looks innocuous – it helps build the datasets that governments and some businesses (like insurance companies or advertisers) can use to profile, target and advantage (or disadvantage) specific individuals. And if companies cut corners in network design or data management, they make all that data accessible to hackers as well as government intelligence agencies.
Rather than eroding the expectation of online privacy, companies can and should help to build it. Big data is now the name of the game, but as Snowden said on Monday, “you should only collect the data and hold it for as long as necessary for the operation of the business”; any additional data represents a risk for your customers and for your business. Companies can protect the privacy of the data that they do collect by ensuring that all drives and network communications are encrypted. And as Snowden argued, companies not only have a responsibility to encrypt communications (something too many companies have done only since Snowden’s revelations came to light), but to develop technologies that protect privacy in a “simple, cheap, effective way that is invisible to users.”
Companies that take these measures are not only contributing to a business environment in which privacy is the norm: they’re also building value for their own shareholders. A company’s networks and security are only as strong as its weakest link: a single employee using a low-security password may be all it takes to compromise corporate systems. It’s not enough for a business to trust that generalized security and privacy norms will provide herd immunity for the free market: each and every organization has an immediate stake in encouraging its employees to adhere to the highest security standards.
And that’s what makes me hopeful that not only SXSW attendees, but the larger business community, will heed Snowden’s call to arms. Companies have self-interested reasons (as well as a legal duty) to drive stronger security practices. But it’s up to each and every company to do its part.