
Data Security: Being Open About Secrecy

It must be tricky to be an advocate of transparency when your job involves selling serious encryption tools to government departments, large and small companies, hospitals and people who are concerned about having their bank account details hijacked from a home PC.

After all, the point about good encryption software and the systems that surround it is that they provide a way to keep your secrets secret, while open government and the effective regulation of financial services would seem to require the widest possible dissemination of all sorts of operational data, from Member of Parliament (MP) expenses in the UK to bank investment portfolios.

And once something is on a website, in an email or available for inspection through a published program interface then it is no longer secret, however well the copy on your internal network might be protected.

Phil Dunkelberger, CEO of encryption specialists PGP Corporation, believes that openness and secrecy are actually two sides of the same coin, and that the fundamental question concerns the ways organisations and individuals manage their data so that they can decide on policies for disclosure and stick to them.

He also thinks that the best way to make companies and businesses take data security seriously is to make them aware of just how much it costs them when they are careless, which is why PGP sponsors the independent Ponemon Institute to produce an authoritative survey of how companies use encryption, how many data breaches they suffer and how much it costs them.

Dunkelberger was in London this week to launch the latest report on UK data breaches, which found that 70% of UK organisations have had at least one incident in the past year, with public sector respondents admitting to an average of 4.5 breaches per organisation.

Separate research by Ponemon estimates that the average cost of incidents is £60 per record lost or £1.7 million per organisation, and of course the wider impact on people’s lives as they have to change bank details or clear their credit records is also significant.

Over half of the data breaches that feature in the Ponemon report were caused by staff error, with people losing computers or data storage devices, deliberately breaking procedures because they did not understand their importance, or simply making mistakes that the systems developers had not anticipated.

Whatever its flaws, computerised data processing is not going to go away, and the proliferation of mobile devices, portable data storage and online access means that the problem of data leakage is not going to go away either.

And recent moves towards more openness between organisations and more transparency in both public and private sectors make it impossible to simply lock the data up in a corporate vault, however well-constructed.

The tension between openness and security has always existed, and modern technologies do not change the fundamental reality that once a secret is shared then it is less of a secret.

The best way to keep a computer secure is to disconnect it from the network and unplug the power, but this also makes it rather less useful, so any sensible data management policy has to accept that perfect security is not possible and have procedures to mitigate the impact of the inevitable leaks and failures.

A good system should also allow for effective disclosure. A proper MPs' expenses system would not have relied on scanned receipts, released as thousands of pages of PDF files with potentially sensitive data blacked out by hand, but have been built around a database in which all data was stored, cross-referenced to original documents for verification.

Releasing the expenses data would then only have required changing the permissions on a few database tables.
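As an added illustration of that design (not part of the original article; the tables, the `public_expense` view, the "public role" and the sample claims are all constructed), the following Python sketch uses SQLite's authorizer hook to model a public role that can read only through a disclosure view. The bank-account column never leaves the internal tables, the public side cannot write, and every disclosed row still carries the reference to its scanned original:

```python
import os
import sqlite3
import tempfile

# Name of the only object the constructed "public" role may read from.
PUBLIC_VIEW = "public_expense"

# Constructed schema: claims live in one table, scanned originals in another,
# and the disclosure policy is expressed once, as a view.
SCHEMA = """
CREATE TABLE receipt (
    id           INTEGER PRIMARY KEY,
    document_ref TEXT NOT NULL,   -- reference to the scanned original
    scan_sha256  TEXT NOT NULL    -- hash of that scan, for later verification
);
CREATE TABLE expense (
    id            INTEGER PRIMARY KEY,
    mp_name       TEXT    NOT NULL,
    claimed_on    TEXT    NOT NULL,
    category      TEXT    NOT NULL,
    amount_pence  INTEGER NOT NULL,
    payee_account TEXT    NOT NULL,  -- sensitive; never selected by the view
    receipt_id    INTEGER NOT NULL REFERENCES receipt(id)
);
-- The view names exactly the public columns and keeps the receipt reference,
-- so each disclosed row can be checked against the original document.
CREATE VIEW public_expense AS
    SELECT e.mp_name, e.claimed_on, e.category, e.amount_pence, r.document_ref
    FROM expense AS e JOIN receipt AS r ON r.id = e.receipt_id;
"""

# Constructed sample rows (not real claims or account numbers).
RECEIPTS = [
    (1, "SCAN-0001", "0" * 64),
    (2, "SCAN-0002", "1" * 64),
]
EXPENSES = [
    (1, "A. Member", "2009-04-02", "travel", 4250, "12-34-56 00011122", 1),
    (2, "B. Member", "2009-04-09", "office", 129900, "65-43-21 00099988", 2),
]


def build_expenses_db(path: str) -> None:
    """Create the internal database the expenses office would work with."""
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO receipt VALUES (?, ?, ?)", RECEIPTS)
    conn.executemany("INSERT INTO expense VALUES (?, ?, ?, ?, ?, ?, ?)", EXPENSES)
    conn.commit()
    conn.close()


def public_authorizer(action, table, column, db_name, source):
    """Permission rule for the public role: SELECT through the view only.

    SQLite reports every column read to this hook, passing the innermost view
    responsible for the read in `source`, so base-table reads are allowed only
    when the disclosure view is the one doing them.
    """
    if action == sqlite3.SQLITE_SELECT:
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_READ and PUBLIC_VIEW in (table, source):
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY  # writes, DDL and direct table reads all fail


def open_public(path: str) -> sqlite3.Connection:
    """Open the database as the public would see it: read-only and view-only."""
    conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    conn.set_authorizer(public_authorizer)
    return conn


def disclosed_rows(path: str) -> list:
    """What 'changing the permissions' releases: the view, nothing more."""
    conn = open_public(path)
    try:
        return conn.execute(
            f"SELECT mp_name, claimed_on, category, amount_pence, document_ref "
            f"FROM {PUBLIC_VIEW} ORDER BY claimed_on"
        ).fetchall()
    finally:
        conn.close()


def public_is_denied(path: str, sql: str) -> bool:
    """True if the public role cannot run `sql` (direct table reads, writes)."""
    conn = open_public(path)
    try:
        conn.execute(sql).fetchall()
        return False
    except sqlite3.Error:
        return True
    finally:
        conn.close()


def run_demo() -> dict:
    """Build a throw-away database and exercise the disclosure boundary."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "expenses.sqlite")
        build_expenses_db(path)
        return {
            "disclosed": disclosed_rows(path),
            "direct_read_denied": public_is_denied(path, "SELECT payee_account FROM expense"),
            "delete_denied": public_is_denied(path, "DELETE FROM expense"),
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The point of the sketch is where the policy lives: the set of public columns is written down once, in the view, and the authorizer (standing in for a database role) is the only thing that needs changing to release the data, rather than a re-redaction of thousands of scans.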

Of course, explaining this to MPs would have taken a lot of effort, because few of our elected representatives have any background in computing or any real understanding of the principles of systems thinking.

We can’t be too hard on MPs. Data security is a complex area that involves hard mathematics and complicated software and requires an ability to think clearly about the interrelationships between multiple overlapping systems, only some of which are computer-based, and few of us have the necessary training to do this.

But if we are going to have a network society that relies on computer-based systems then everyone needs to understand how those systems operate and how they are put together. Just as a democracy can only really function if the citizens are actively engaged in the decision-making process and not merely turning out to vote every few years, a wired world needs people who appreciate what is being done in their name.

At last weekend’s OpenTech conference I talked yet again about the growing divide between the geeks, who can code and know about computers, and the users who simply take what systems they are offered and work with them.

OpenTech was a conference about getting things done, not just talking about it, so we decided that every new member of parliament elected at the next General Election should be taught the basics of programming, so that when they come to vote on expensive IT systems they at least know how computers work.

We might even persuade them all to use encryption sensibly on their office computers, laptops and phones, and to use digital signatures for their emails.

It may be a small start, but it would be a start. And once MPs are doing data security properly it might offer a good model for the rest of us.

By Bill Thompson, Journalist, Commentator and Technology Critic
