Last week, the “father” of the Internet, Tim Berners-Lee, did a series of interviews to mark the 28 year anniversary since he submitted his original proposal for the worldwide web.
The interviews were focused on the phenomenal success of the web, along with a macabre warning describing 3 key areas we need to change in order to “save” the Internet as we know it.
The three points were:
- We’ve lost control of our personal data
- It’s too easy for misinformation to spread on the web
- Political advertising online needs transparency and understanding
I want to primarily discuss the first point – personal data, privacy and our lack of control.
As nearly every private, non-profit and public sector organisation on the planet, either has a digital presence, or is in the process of transforming itself to be a digital force, the transfer of personal data to service provider is growing at an unprecedented rate.
Every time we register for a service – be it for an insurance quote, to submit a tax return, when we download an app on our smart phones, register at the local leisure centre, join a new dentists or buy a fitness wearable, we are sharing an ever growing list of personal information or providing access to our own personal data.
The terms and conditions often associated with such registration flows, are often so full of “legalese”, or the app permissions or “scope” so large and complex, that the end user literally has no control or choice over the type, quality and and duration of the information they share. It is generally an “all or nothing” type of data exchange. Provide the details the service provider is asking for, or don’t sign up to the service. There are no alternatives.
This throws up several important questions surrounding data privacy, ownership and control.
- What is the data being used for?
- Who has access to the data, including 3rd parties?
- Can I revoke access to the data?
- How long with the service provider have access to the data for?
- Can the end user amend the data?
- Can the end user remove the data from the service provider – aka right to erasure?
Many service providers are likely unable to provide an identity framework that can answer those sorts of questions.
The interesting news, is that there are alternatives and things are likely to change pretty soon. The EU General Data Protection Regulation (GDPR), provides a regulatory framework around how organisations should collect and manage personal data. The wide ranging regulation, covers things like how consent from the end user is managed and captured, how breach notifications are handled and how information pertaining to the reasons for data capture are explained to the end user.
The GDPR isn’t a choice either – it’s mandatory for any organisation (irregardless of their location) that handles data of European Union citizens.
Couple with that, new technology standards such as the User Managed Access working group being run by the Kantara Initiative, that look to empower end users to have more control and consent of data exchanges, will open doors for organisations who want to deliver personalised services, but do so in a more privacy preserving and user friendly way.
So, whilst the Internet certainly has some major flaws, and data protection and user privacy is a big one currently, there are some green shoots of recovery from an end user perspective. It will be interesting to see what the Internet will look like another 28 years from now.
This is a Security Bloggers Network syndicated blog post authored by Simon Moffatt. Read the original post at: Infosec Pro