May 28, 2014 § Leave a comment
What if I would suggest that it is possible to provide a 100% secure way of storing your data and in a way that the operator itself cannot read or reveal the data it is storing – even in front of any legal or other threat?
For example, the recent eBay episode where their user data (user names, passwords, addresses etc http://www.reuters.com/article/2014/05/21/us-ebay-password-idUSBREA4K0B420140521) were stolen would not worry you at all because you could be sure that even if they had all the data in their customer data storage, yours included, they could not find and indentify your data. You could sleep your nights well.
Further, what if you could decide on how various service providers in the net can collect data about you and your whereabouts? This will be possible with this same security solution where the operator simply does not know whose data it has and where exactly it is stored!
I’m lucky to work as the advisor for a project where such a (patented) system is on its way to the market, in various application and service forms. Of course it is an inspiring innovation challenge, but the most motivating ambition is to return the right to privacy to the individuals and to other actors who need protection, the right to own their personal data and the right to decide to whom they reveal it – or their identity. It is not only a matter of protecting our data, it is a profound human right and one of the most foundational requirements for true democracy as Pekka Pere, the chair of our company board has repeatedly emphasized. Sounds like science fiction? It is not.
The inflicted security neurosis
You don’t have to be a security pathologist to understand why people have lost their trust in data privacy. But it is even more surprising how firms and technology innovators alike express this same tendency to worry and helplessness. Having attended a few recent meetings and seminars on data security in Silicon Valley and in Finland I’ve been astonished by the lack of trust in the (near) future technology’s ability to solve the current security problems – once and for all. I know there are highly competent people and teams in the field, take a look at the Stanford University computer scientists, for example, but in general, most of the population and even computer professionals seem to suffer from a social helplessness syndrome in data security.
It is not long time ago when the first seriously dangerous computer viruses gave their wake-up call to individuals and public and private organizations alike. Then came the targeted attacks like the Stuxnet worm in 2010 – only a year after the publication of the famous book “Daemon” by Daniel Suarez, where he painted a black fictional landscape for the worst future possibilities in data crime. Only quite recently we learned from Wikileaks, NSA, and Snowden that no data is safe today.
Last, the FBI and the US Government, in 2014, made their call by ensuring that even a data service operator, with good motivations, cannot offer secure data storage or mail systems to their eager and worried clients: the Government forced the operator to reveal their keys to access the data of interest, actually any ‘suspicious’ data – and in this way, made the trust-based business of LavaBit impossible in USA.
It is time to turn around the security question and formulate it anew:
Now that a perfectly secure data storage system becomes available, protecting your data so that none can hack it from its storage site and the system does not reveal your identity, what can – and what should we do with such a service and application? My prediction for a rather near future is that we will have to relearn the ways of protecting our data and identity but also to learn new ways to express our trust in the world of the virtual. Traditional protection systems are needed as before but the security game as a whole will change and people and firms will benefit from it. This will touch a number of digital service providers in all sectors of public and private life when they cannot take it for granted that they have automatic access to our data.
Hence, here are some of my first thoughts about the consequences of this change in security services and everyday practices. I believe that once we have our products on market and the potential customers – firms, public or private organizations or individuals – have learned to trust the new security tools and services, a game change is inevitable. The team with which I work will not be the only ones trying to ignite it; the markets have been ripe for some time already.
We deserve a 100% security
We all benefit from the services offered by Google, Facebook, Yahoo, Pinterest, you name it – in exchange for the personal data we offer them to be used according to any of their business models. Visiting Stanford in 2010 and discussing some of these issues with my always inspiring colleagues there, I started thinking about a possibility to found a data & knowledge broker who could interfere with this situation – what I see partly as an unjust arrangement – and to start taking care of our personal benefits and protecting us when needed.
No such brokers have appeared so far, and then it happened that Manu Rautakoura – a friend and a security business pro, with similar ideas – started discussing this theme with me openly over FB. Finally, we ended up on a better idea related to Manu’s and his colleagues’ work: they had already started a most ambitious and innovative development work on personal data security – the 100% security concept I have mentioned above. We realized that their data and identity protection scheme could become one of the first significant steps towards a new arrangement of the secure, perhaps even dynamically anonymous personal data markets of the near future.
Personal data is our true currency, stronger than bitcoin
The most important data asset we have as individuals or firms is the knowledge of the security status of our data, be it family finances, other economical data and documents, private life episodes, inventions, work in progress, customer documents, health, whatever. Traditional computer security systems are surprisingly weak in providing this asset to us in a trustworthy form and it seems like people have just adapted to this unhappy situation – while being increasingly more worried about their data privacy and security.
It is a serious learning experience for anyone to find out how important it is to have the right to our own data so that it is not used against us in an unjust way. Public and private organizations alike can sometimes put us in a situation where by owning our data and using it according to their whatever business or service models, they can put an unjust pressure on us, affect and limit our behaviors – without offering any alternative solutions to us. There are a number of asymmetric transaction situations on the personal data markets of which well-known examples are the cases where a person’s credit history data is not perfect for reasons the person himself knows but the companies do not care to note. Similar problems occur when a person’s health-related precondition allows insurance companies to deny insurance services.
Most of us have nothing against telling the whole and honest health story when asked by a reliable company or organization, willing to offer its help and to use data for that purpose. But if the company does not have any service offer to its customers who are in trouble – and by that can only cause extra harm to them – then they do not deserve the right to access that personal data neither. It should always be a two-ways street of trust. Actually, the patient or any customer offers valuable capital, the data and identity, to the serving firm, which can then easily turn it into economical capital.
Knowing the true security status
The data security firms have not succeeded in helping us know our own security status and they try to teach us to trust when they say that “your virus defense has been updated” or that “we have a secure system”. When new threats occur, they have “updated their protections systems and services”. We need and deserve more: we simply have to know when our savings and the documents related to them are really safe and that nobody can access our private data.
The knowledge of the security level of our own data is not only a nice service or luxury (or a burden to the security provider) – it is the most influential knowledge that can guide us in managing our valuable assets of life. Anything can happen in the world and cause problems but we need to know exactly what is the security status of our possessions (e.g. customer data if we are a firm, personal data as individuals) in the storage systems we rely on. Our company should be able to provide that level of security within six months from now.
As shown by the scary example on how FBI and the US Government acted in the security case we now know that even the operators cannot guarantee complete security in USA – unless they are offered a suitable technology to do that. Of course, USA is not alone in the security battle and on these problematic markets, and we should better know the related practices in China, Russia and many other countries, small and large alike.
Better UI for data security awareness
Data security and privacy protection systems are perhaps the worst UI examples within the ict applications industry today, especially considering how vital they are to their user. Hence, I had an extra delight to be early involved with our security concept development and for once, could have a word early on how to build the UI so that it supports everything that the tools and the systems have been built for – to help the people and firms in knowing their security status, for real. I assumed the extra role as UI-concept designer for a totally new, simple and fresh way to help people in managing their own personal and identity security. This will appear on the systems to come.
What about cyber-criminals?
It is perhaps a wet dream of the cyber-criminals to have a 100% secure data storage and communication system – like ours – for storing any sensitive and criminal data. This being the fact of future we should again turn the question around: how can we involve people and help them provide secure ways to allow access to any of their data when they think it is relevant and beneficial for them or the society?
Then remain the serious questions of what to do when a cyber-criminal refuses to reveal the key to the criminal data or what does it mean when criminals have 100% secure ways of communicating and conducting their evil deeds? We do not have a solution to these problems now but we are convinced that whatever the solutions will be, they have to achieve the trust of the people who comply with such new arrangements. We will be developing these thoughts further and continue the discussion in the blog and in our coming Youtube videos.