HARBORING DATA: INFORMATION SECURITY, LAW, AND THE CORPORATION, by Andrea M. Matwyshyn (ed.). Stanford, California: Stanford University Press, 2009. 368pp. Hardback. $39.95. ISBN: 9780804760089. E-book. $39.95. ISBN: 9780804772594.

Reviewed by Michael C. Macchiarola, Distinguished Lecturer, City University of New York. Email: Macchiarola [at] gmail.com.


Two centuries ago, the German writer Johann Wolfgang von Goethe observed that “[n]ature knows no pause in progress and development, and attaches her curse on all inaction.” Though Goethe certainly predated the struggles of information security, no truer words on that subject could be spoken today. Against a backdrop of ever-increasing data collection, retention and mining, Professor Andrea Matwyshyn offers HARBORING DATA: INFORMATION SECURITY, LAW, AND THE CORPORATION, a fine collection of essays that seem to share Goethe’s disdain for inertia with an appeal for vigilance, execution, improvement and imagination.

If a single leitmotif is revealed in the ten essays that the book offers, it is that, in the nascent information security arena, anything is possible. Still weary and tottering from national defense and financial market attacks that few thought possible just a few short years ago, we are introduced to yet another front in need of our focus and attention, and a robust plan of defense. The world’s business models are becoming ever more data-intensive, and, therefore, subject to disruption as a result of security breach. “The threat of electronic data theft also has serious implications for societies that increasingly rely on the security of data networks to conduct daily life” (p.34). These vulnerabilities must be confronted head-on, with a healthy respect for just how multi-layered and multi-dimensional the evolving challenge is for companies and regulators alike. More than anything, HARBORING DATA’s contribution is that it highlights a long menu of information security challenges and offers an impressive assessment of what we do well and what needs enhancement. In the end, as Professor Matwyshyn herself concludes, “[m]eaningful improvements in information security require a commitment to security as an ongoing, collaborative process” (p.18).

In the book’s first essay, “Looking at Information Security Through an Interdisciplinary Lens,” Jonathan Pincus, Sarah Blankenship and Thomasz Oswald argue that information security is better observed in a more holistic fashion than we have become accustomed to. “Although computer science is not traditionally viewed as a social science,” the authors open their essay, “problems in its domain are inherently social in nature, relating to people, their interactions, and the relationships between them and their organizational contexts” (p.19). As computers become more and more a part of the commercial and social fabric of society, the contribution’s main observation takes on a feel of stating the obvious. The essay provides an adequate introduction to the size and shape of the topic, yet does not match favorably with the better paced, more accessible and less theoretical explanation offered in Professor Matwyshyn’s own introduction. And the former falls short of offering a meaningful prescription. What remains unanswered, then, is just what we are to do once we concede that social science principles do not cease to apply at the doorstep of computer security.

Those in denial as to the scope of the information security vulnerability need only read “Compromising Positions: Organizational and Hacker Responsibility for Exposed Digital Records” by Kris Erickson and Philip Howard. The authors carefully analyze reported incidents of compromised data between 1980 and 2007 to “conservatively estimate that for every U.S. adult, in the aggregate, nine private records have been compromised” (p.39). Having raised the hair on the back of the reader’s neck, the authors argue persuasively that our reflexive antipathy for the hacker has only “obfuscated the responsibility of commercial, educational, government, medical, and military organizations for data security” (p.48). These entities simply must do a better job of keeping personally identifiable information secure if citizens are going to remain beyond harm.

Kim Zetter’s “A Reporter’s View: Corporate Information Security and the Impact of Data Breach Notification Laws” is a nice complement to the Erickson and Howard piece that precedes it. Zetter describes the evolving tactics of the journalist in search of a good story of compromised computer security or data breach. Through the evolution of Zetter’s own campaigns, the reader is treated to a fine exposition of the various styles of corporate information breach and a practical critique of the nation’s embryonic notification laws. Zetter’s piece also does well to shed light on the fact that good security is more than a “one-time installation” (p.51). And, while data notification laws have generally helped the process and brought positive change in consumer awareness and security best practices, there is no substitute for top-flight personnel engaged in a dynamic process.

Elizabeth Rowe’s “Dangers From the Inside: Employees as Threats to Trade Secrets” concerns anything but top-flight personnel in exploring the risks of rogue insiders within an organization. Again, an author bemoans the fact that the hacker has come to represent a convenient target. Rowe’s well-written piece implores companies to keep a sharper eye trained on their employees, as “[t]he widespread availability and use of computers, together with the overall decline in employee loyalty, provides fertile ground for the dissemination of trade secrets” (p.92). As the article highlights in abundance, the trade secret genie is not easily placed back in the bottle. Too often, dissemination can have a devastating effect on an organization.

The book’s third section concerns “U.S. Corporate Information Security and Its Shortcomings,” examining the worlds of health data, financial data and children’s data. Not surprisingly, each author uncovers plenty of faulty design and implementation of security protocol and regulation. With respect to our nation’s health data, for example, Sharona Hoffman and Andy Podgurski concede that while the electronic collection, capture and processing of healthcare data is beneficial, inappropriate disclosures “can cause victims to suffer discrimination, medical mistakes, financial ruin, and a variety of serious legal problems” (p.120). The authors believe that the HIPAA Privacy and Security Rules that went into effect in 2003 have marked progress in this area. As they reveal, however, the law suffers from several inherent flaws. Moreover, as the medical practice increasingly transitions to electronic and automated formats, “the dangers of privacy and security violations will only intensify” (p.120). A reader is only left to wonder whether the 2,000 pages of the recent healthcare reform legislation sufficiently addressed this issue.

Cem Paya’s “Quasi-Secrets: The Nature of Financial Information and Its Implications for Security Data” does a fine job of explaining the dangers of the social security number as an identifier. More importantly, the author’s contrast of the comparative successes of the credit card companies against the seriously compromised social security number says a great deal about the relative value of market incentives and government regulation. In the end, however, the scope of this essay is too limited, or the volume deserved another essay on financial markets.

As the recent “flash crash” shows us, the global financial markets are highly data-dependent and subject to great gyration beyond the control and understanding of most participants and regulators. In such an environment, we seem at the mercy of the data without any reliable method of independent verification.

More generally, HARBORING DATA’s greatest omission is found in the lack of discussion or examination of the wisdom of surrendering such ground to the computer. The book’s essays are all very practical in nature – as all of the contributors take computers, data and their proliferation as a given. Perhaps too little attention is paid to the rather credible argument that the greatest danger on the horizon is born of the ceding of such great swaths of ground to the computer decision-maker without retaining sufficient human control. In a scenario that seems less fantastic and more realistic by the day, one high-profile commentator once worried that
“[a]s society and the problems that face it become more and more complex and machines become more and more intelligent, people will let machines make more of their decisions for them, simply because machine-made decisions will bring better results than man-made ones. Eventually a stage may be reached at which the decisions necessary to keep the system running will be so complex that human beings will be incapable of making them intelligently. At that stage the machines will be in effective control. People won't be able to just turn the machines off, because they will be so dependent on them that turning them off would amount to suicide.” (Kaczynski 1995).
The book’s prognostications are left to Lilian Edwards and Ian Brown, who, in “Data Control and Social Networking: Irreconcilable Ideas,” observe that the “future of both law and technology will require reconciling users’ desire to self-disclose information with their simultaneous desire that this information be protected” (p.202). The authors use a series of case studies to illustrate (i) user misperceptions about the protection of their social networking information, (ii) the misappropriation of such information by third parties, and (iii) the various troubles that come with behavioral advertising resulting from social networking site tendencies. In the end, few can disagree with their assertion that “a serious look at how we regulate social networks to seek some compatibility between the human urge to be gregarious and the human need (and right) to be private seems urgently needed” (p.227).

With inertia or complacency the enemy, it is clear that companies and regulators must aggressively protect the data that proliferates, as “[i]nformation security will continue to be an inherently messy, human-driven, and evolving area for corporate and social policy in the coming decade” (p.234). It remains unclear what meaningful change an individual can employ apart from carefully managing her own dissemination of personal information. In the end, the innovation supported by all of the data we now harbor must be accompanied by a certain resignation that our data remains one step from victimhood.

Kaczynski, Theodore. 1995. “Industrial Society and Its Future” (also called the “Unabomber Manifesto”), N.Y. TIMES (Sept. 19).

© Copyright 2010 by the author, Michael C. Macchiarola.