By Peter Gunning, Identity Management Consultant, BT
2014 is the 25th anniversary of the World Wide Web’s birth. I wonder what its progenitor, Sir Tim Berners-Lee, thinks when he turns a fatherly eye to his creation and considers how it has developed over the last quarter of a century: from a niche intra-organisational communication tool to a global capability that, already, few of us could imagine living without.
We do know that he has concerns over how some of its capability is being used — or perhaps that should be ‘abused’ — by governments. He proposes a ‘Magna Carta’, or bill of rights, protecting web users from government interference, and calls on users to “take action” and “protest”. It’s an understandable point of view, but the debate over the extent of governmental scrutiny of electronic transmissions is one we shall park for another day’s discussion. For the purposes of this blog, let us accept that it’s happening and spend a few minutes pondering instead what a ‘web Magna Carta’ would contain.
Certainly it would have a role in specifying exactly what our government agencies do with all this data. At a recent conference, a police officer from a cybercrime unit explained the judicial oversight required to investigate an online life, so I’m (relatively) certain that there are rules in place governing the capture, retention and usage of web data. However, I confess that I’m not immediately certain what they are. There are many questions that stick in my mind: what criteria are in place for designating citizens as ‘persons of interest’? What kind of people would I have to communicate with, what websites would I have to be browsing before I appear on the radar? And what then? What further powers could be used to investigate me and who grants them? Under what circumstances can my email be read? When would my ISP be compelled to hand over my browsing history? Is there an agreement with the U.S. Government to force Google to hand over search terms? (Although it could be argued that our search engines ‘know’ our psychology better than any government ever will.) How long could this data be retained? What other parties will the government share the data with? How secure are they keeping that data? (Recent revelations suggest the answer to that last question is clearly ‘not very secure at all’.) And so on. So I fully approve of a charter that restricts what a government can do with the data they collect as well as compelling them to protect it.
I also wonder if Sir Tim would mind if we extended the scope of his Magna Carta to include service providers and retailers. Many more people have been impacted due to cybercriminals hacking their identity or payment card data from a retailer than have had a run-in with the government over their browsing habits, so it makes sense to talk about a ‘quid pro quo’ in this area, too. It seems to me there’s one set of rules for the online businesses, and another set for us users. For example, whilst we users are told that refunds for losses can be dependent on early reporting — implying the need for constant vigilance over multiple accounts — it’s completely apparent that service providers are in much less of a hurry to make full disclosure when their own vigilance drops and their defences are breached.
In the recent ‘Michaels’ breach, for example, where three million customer credit and debit cards were compromised, almost three months elapsed between the company making an announcement that they had detected suspicious activity and the full confirmation that the breach had compromised customer data. Sometimes, retailers are forced into an admission when news of a breach emerges from another quarter: security service infiltration of online fraud marketplaces, for example, or a financial institution seeing a sudden spike in fraud. And whilst users are encouraged to change login details regularly, use long and complex passwords, install anti-malware software, and avoid sharing PINs and passwords with others, service providers and retailers are repeatedly exposed to attack through inconsistent security practices and poor password and vendor access management. Is it possible that we could construct a Magna Carta that guarantees that service providers secure our private information in a consistent fashion?
Enforcement is the key to all this, of course. Which agencies would monitor compliance? And what would the penalties for breaching the charter be? Would it be worth the paper it’s written on? The real Magna Carta was disregarded within a year, and it took two wars and a further eighty-two years before a widely-accepted version came into being. Given the apparent lack of interest from the users of the web, is it naïve to think we could arrive at some agreement between citizens and government, service providers and consumers, that constitutes more of a two-way, open, transparent deal, rather than the one-sided Ts&Cs we sign up to without reading?