If Microsoft's chief security adviser had his way, it would be a felony to misuse personal data.
Stiff penalties are the only way to ensure that people and organizations won’t violate rules about appropriate data use, said Craig Mundie, speaking on privacy and cybersecurity at the EmTech MIT conference in Cambridge on Thursday. (All of which should make for interesting conversation between Mundie and NSA director Gen. Keith Alexander, both of whom were to be honored later in the day at the Eisenhower Awards Dinner in New York City for their contributions to national security.)
Current rules for ensuring data privacy are broken, according to Mundie, in a world in which people are being observed in increasingly intimate ways by the tech devices and tools they use daily. “More and more, the data that you should be worried about, you don’t even know about,” said Mundie, who until late last year was Microsoft’s chief research and strategy officer. “You don’t even know to complain about the existence of the data.”
Back when credit cards emerged a few decades ago, individuals could weigh the risks and rewards of revealing private information in exchange for services that would make their life easier. That model worked to guide law and policies, but “is now failing in a gargantuan way” because of all the data being collected and retained in so many ways. With smartphone apps asking permission to use your location but never telling you what they plan to do with that info, or indicating what might happen to it via downstream distribution, it’s clear that data privacy rules need serious updating, Mundie said.
He envisions a “usage-based way of controlling data” under which information would be protected in a sort of cryptographic wrapper (think digital rights management on movie DVDs or music CDs) with metadata defining what can – and more importantly – can’t be done with the data. Based on discussions Mundie has been involved in with people at other companies as well as with regulators around the world, he said reception to such a concept has been generally good, even in Europe where data privacy rules have become increasingly strict.
With sensitive data such as that related to genomics only becoming more commonly available, there’s a realization that rules will need to change, but rules won’t be able to apply to each specific type of data, Mundie said. “Therefore I think we need to move to a model with an architectural basis,” he said.
A computerized architecture to manage all this would support users changing their mind over time regarding what they would allow others to do with their data, as new applications they never anticipated emerge, Mundie said. “You can’t possibly write [all] the rules in advance,” he said.
“Oftentimes it isn’t until an app emerges and grows to scale that people start to realize it is kind of creepy,” Mundie said.
Such a data privacy architecture would work both ways though, Mundie said. Governments might decide there is certain data that users must share for the common good, such as data related to public health or law enforcement, he said. But rules would need to be very clear so that the public is comfortable with how such data is being used, unlike with the data that was found to be collected in the wake of the Edward Snowden leaks.
As for the broader topic of cybersecurity, Mundie lumps threats into five not mutually exclusive categories: hacking; crime; espionage; warfare; and terrorism. Espionage – and more specifically, economic espionage – is the one that really has him worried these days, with countries such as China blatantly supporting or at least looking the other way when businesses within their borders swipe intellectual property from outfits in the United States and elsewhere to gain competitive advantage.
“Over a relatively short period of time, a decade or two, you could see a fundamental undermining of the economic well-being of a country” if such activities are allowed to persist, Mundie said. In the case of the United States and China in particular, the U.S. needs to take actions on the trade front, he said.
For organizations, traditional access control and password-based security techniques aren’t enough to protect critical assets, Mundie said. Such assets will need to be encapsulated in more rigorous ways, he added.
One technique Microsoft has used for about two decades to keep its friends close and potential enemies closer is to share its Windows source code with other nations’ governments and their intelligence agencies, figuring that because these governments use its technology, they would have an interest in protecting it.