Home / Blogs

Data Security: Being Open About Secrecy

Bill Thompson

It must be tricky to be an advocate of transparency when your job involves selling serious encryption tools to government departments, large and small companies, hospitals and people who are concerned about having their bank account details hijacked from a home PC.

After all, the point about good encryption software and the systems that surround it is that they provide a way to keep your secrets secret, while open government and the effective regulation of financial services would seem to require the widest possible dissemination of all sorts of operational data, from Member of Parliament (MP) expenses in UK to bank investment portfolios.

And once something is on a website, in an email or available for inspection through a published program interface then it is no longer secret, however well the copy on your internal network might be protected.

Phil Dunkelberger, CEO of encryption specialists PGP Corporation, believes that openness and secrecy are actually two sides of the same coin, and that the fundamental question concerns the ways organisations and individuals manage their data so that they can decide on policies for disclosure and stick to them.

He also thinks that the best way to make companies and businesses take data security seriously is to make them aware of just how much it costs them when they are careless, which is why PGP sponsors the independent Ponemon Institute to produce an authoritative survey of how companies use encryption, how many data breaches they suffer and how much it costs them.

Dunkelberger was in London this week to launch the latest report on the UK data breaches, which found that 70% of UK organisations have had at least one incident in the past year, with public sector respondents admitting to an average of 4.5 breaches per organisation.

Separate research by Ponemon estimates that the average cost of incidents is £60 per record lost or £1.7 million per organisation, and of course the wider impact on people's lives as they have to change bank details or clear their credit records is also significant.

Over half of the data breaches that feature in the Ponemon report were caused by staff error, with people losing computers or data storage devices, deliberately breaking procedures because they did not understand their importance, or simply making mistakes that the systems developers had not anticipated.

Whatever its flaws, computerised data processing is not going to go away, and the proliferation of mobile devices, portable data storage and online access means that the problem of data leakage is not going to go away either.

And recent moves towards more openness between organisations and more transparency in both public and private sectors makes it impossible to simply lock the data up in a corporate vault, however well-constructed.

The tension between openness and security has always existed, and modern technologies do not change the fundamental reality that once a secret is shared then it is less of a secret.

The best way to keep a computer secure is to disconnect it from the network and unplug the power, but this also makes it rather less useful, so any sensible data management policy has to accept that perfect security is not possible and have procedures to mitigate the impact of the inevitable leaks and failures.

A good system should also allow for effective disclosure. A proper MPs expenses system would not have relied on scanned receipts, released as thousands of pages of PDF files with potentially sensitive data blacked out by hand, but have been built around a database in which all data was stored, cross-referenced to original documents for verification.

Releasing the expenses data would then only have required changing the permissions on a few database tables.

Of course, explaining this to MPs would have taken a lot of effort, because few of our elected representatives have any background in computing or any real understanding of the principles of systems thinking.

We can't be too hard on MPs. Data security is a complex area that involves hard mathematics and complicated software and requires an ability to think clearly about the interrelationships between multiple overlapping systems, only some of which are computer-based, and few of us have the necessary training to do this.

But if we are going to have a network society that relies on computer-based systems then everyone needs to understand how those systems operate and how they are put together. Just as a democracy can only really function if the citizens are actively engaged in the decision-making process and not merely turing out to vote every few years, a wired world needs people who appreciate what is being done in their name.

At last weekend's OpenTech conference I talked yet again about the growing divide between the geeks, who can code and know about computers, and the users who simply take what systems they are offered and work with them.

OpenTech was a conference about getting things done, not just talking about it, so we decided that every new member of parliament elected at the next General Election should be taught the basics of programming, so that when they come to vote on expensive IT systems they at least know how computers work.

We might even persuade them all to use encryption sensibly on their office computers, laptops and phones, and to use digital signatures for their emails.

It may be a small start, but it would be a start. And once MPs are doing data security properly it might offer a good model for the rest of us.

By Bill Thompson, Journalist, Commentator and Technology Critic. More blog posts from Bill Thompson can also be read here.

Related topics: Cybersecurity, Privacy


Don't miss a thing – get the Weekly Wrap delivered to your inbox.


To post comments, please login or create an account.

Related Blogs

Related News

Explore Topics

Dig Deeper

DNS Security

Sponsored by Afilias

IP Addressing

Sponsored by Avenue4 LLC


Sponsored by Verisign

Mobile Internet

Sponsored by Afilias Mobile & Web Services

Promoted Posts

Buying or Selling IPv4 Addresses?

ACCELR/8 is a transformative IPv4 market solution developed by industry veterans Marc Lindsey and Janine Goodman that enables organizations buying or selling blocks as small as /20s to keep pace with the evolving demands of the market by applying processes that have delivered value for many of the largest market participants. more»

Industry Updates – Sponsored Posts

Verisign Named to the Online Trust Alliance's 2017 Audit and Honor Roll

Attacks Decrease by 23 Precent in 1st Quarter While Peak Attack Sizes Increase: DDoS Trends Report

Leading Internet Associations Strengthen Cooperation

Verisign Releases Q4 2016 DDoS Trends Report: 167% Increase in Average Peak Attack from 2015 to 2016

Verisign Q3 2016 DDoS Trends Report: User Datagram Protocol (UDP) Flood Attacks Continue to Dominate

2016 U.S. Election: An Internet Forecast

Government Guidance for Email Authentication Has Arrived in USA and UK

ValiMail Raises $12M for Its Email Authentication Service

Don't Gamble With Your DNS

Defending Against Layer 7 DDoS Attacks

Understanding the Risks of the Dark Web

New TLD? Make Sure It's Secure

Verisign Releases Q2 2016 DDoS Trends Report - Layer 7 DDoS Attacks a Growing Trend

How Savvy DDoS Attackers Are Using DNSSEC Against Us

Facilitating a Trusted Web Space for Financial Service Professionals

MarkMonitor Partners with CYREN to Deepen Visibility into Global Phishing Attacks

Verisign Named to the Online Trust Alliance's 2016 Honor Roll

Verisign Q1 2016 DDoS Trends: Attack Activity Increases 111 Percent Year Over Year

Is Your TLD Threat Mitigation Strategy up to Scratch?

i2Coalition to Host First Ever Smarter Internet Forum