“To my knowledge we have had no data breaches,” stated Tim Morris at the Tech Leaders conference in the Blue Mountains west of Sydney on Sunday.
Morris, the Australian Federal Police force’s Assistant Commissioner for High Tech Crime Operations, was explaining the controversial data retention bill currently before the nation’s Parliament which will require telecommunications companies to keep customers’ connection details – considered to be ‘metadata’ – for two years.
The bill is fiercely opposed by Australia’s tech community, including this writer, as it’s an expensive and unnecessary invasion of privacy that will do little to protect the community but expose ordinary citizens to a wide range of risks.
One of those risks is that of the data stores being hacked, a threat that Morris downplayed with some qualifications.
As we’re seeing in the Snowden revelations, there are few organisations that are secure against determined criminals and the Australian Federal Police are no exception.
For all organisations, not just government agencies, the question about data should be ‘do we need this?’
In a time of ‘Big Data’ where it’s possible to collect and store massive amounts of information, it’s tempting to become a data hoarder which exposes managers to various risks, not the least that of it being stolen my hackers. It may well be that reducing those risks simply means collecting less data.
Certainly in Australia, the data retention act will only create more headaches and risks while doing little to help public safety agencies to do their job. Just because you can collect data doesn’t mean you should.
I agree that “Just because you can collect data doesn’t mean you should.” But how can you know the answer to the question “do we need this?” We know that information will increasingly give you a competitive advantage.
I suggest that we keep the information and put it in a secure place.
Securing data in cloud and big data is still evolving and must balance security and data utility in a new way that will allow these architectures to still perform and scale.
I’ve seen two interesting approaches to address basic privacy and security issues.
The first approach is based on a service oriented distributed and decentralized anonymization for privacy-preserving data publishing that are addressing privacy (of data subjects and privacy of data providers). This service oriented approach can provides control over how data is used.
The second approach is based on new advanced database privacy technologies, like data tokenization and masking, can provide a balance between access to sensitive data and privacy requirements. This data-centric approach will secure the data itself against attacks.
I think that a balance between the first and second approach can provide an attractive data centric solution.
Ulf Mattsson, CTO Protegrity