
Data Sustainability

We live in a hybrid world—one where the “real” world and the “cyber” world are inextricably linked and impact each other. For those of you old enough to remember the time before the Internet, think about how differently you retained and searched for information before Google, or how many “friends” you had that you had never actually met in person, or how many times you bought an item from a store that didn’t have a physical presence. No, we don’t all walk around with VR headsets on; we use a screen and a keyboard on our phones, which are really portable computers with computing power that is millions of times larger than the guidance computer for Apollo 11, but that is an interface and bandwidth issue only.

This hybrid world has two core issues that have not been solved: cybersecurity and privacy. How do we protect ourselves from constant attacks, including from hostile foreign nation-states, and how do we manage different views regarding the privacy of individuals, which in many cases are based upon cultural norms, since the hybrid world we now live in is in many ways borderless?

This article will focus on the second point—privacy—and suggest a model that is less tied to state-specific compliance issues, and more geared towards governance and sustainability.  But first we must put the creation of the Internet in context and identify four recurring issues that help define the problems, so we can begin to create solutions.  In short—you cannot solve a complex problem without first understanding what the problem actually is. 

The first point is to understand the history of society and how it moves things over great expanses.  Society has always looked for ways to connect itself, and created technology to do it.  Understanding the core components to that process is important, because there are certain consistencies in these methods of connecting—namely there is a medium that is used to connect—a “pipe”, a “platform” that travels along the pipe, an “engine” that propels that platform, and “propellant” or fuel for the platform.  Over time, not surprisingly, our ability to connect in a more efficient way has only increased.

To provide concrete examples, roads were used for centuries, with various carts serving as the platforms, pack animals provided the engine, and food for the animals fueled the engines.  Society eventually began using the ocean when ships were created that could travel long distances, and sails were the engine (before the creation of other engines for ships), and wind was the propellant. Eventually the skies became the pipe, when the plane became a way to connect quickly after the advent of the jet engine, which ran on oil.

Now we connect via the telecommunications backbone, with myriad platforms (apps and hardware), and the engines being computing power, including AI/ML, all of which is fueled by data.  This world is largely borderless with no natural or man-made borders, and the size of the engine (computing power) keeps growing.  And, as always, as the engine grows, so does the need for fuel—in this case information.

One other point is worth noting regarding privacy—in this hybrid world we are the fuel—at least a derivative of us is—our information.

The second point is to understand the economic and geopolitical decisions that were independent of, but exacerbated, the issues we now face. Post-Cold War, the developed world made a conscious decision to globalize our economy, based upon the belief that economic improvements in other countries, coupled with economic interdependence, would ultimately be beneficial for society, and also reduce the chances of armed conflict. That view was partially correct. It appears we have reduced the amount of armed conflict in the world, but not eliminated it, as we currently are witnessing. Moreover, the rise of new technology in the end just shifted the conflict to a new theater. In short, we traded kinetic conflict for cyber conflict.

One can look at all of the examples above of how the creation of technology enhanced the connectivity of our world, and a key point becomes clear—these pipes can be used to do four things that are generally helpful for societies, but they also can be used to do four things that can be detrimental to society. 

  • Diplomacy v. War
  • Information Sharing v. Propaganda
  • Commerce v. Crime/Piracy
  • Social Connection v. Espionage

Lest anyone doubt this, a recent video release by the 4th PSYOP Group, based at Ft. Bragg, drives the point home: “born from the ashes of a world at war… warfare is evolving… everything we touch is a weapon…”

https://youtu.be/exFM26AdvBc

Our core challenges in this hybrid world result from our inability to see these four points, and treat the cyber domain as we have any other domain we have used to increase connectivity between people, and manage the issues that necessarily flow.

There are obviously national security and cyber issues that are critical to discuss, but the focus of this post is on privacy, and understanding privacy in this context is important. But first it is important to understand what the core issues any business must manage are, and then understand what privacy is, and what it is not. 

A helpful framing to illustrate the business issues is to examine, generally speaking, the core things a business must manage, and a Board of Directors must oversee, which are: business strategy; operational viability; legal compliance; and financial performance. While legal compliance is one of those four, it is only one of those four. It is important to note that privacy has typically been thought of exclusively as a legal compliance issue (including fines for legal violations), and perhaps one that has financial performance implications, to the extent brand and customer churn are created by privacy events.

Turning back to how to define privacy, when there is a data breach involving a third-party, that is not truly a privacy breach, though it may impact someone’s data. When one examines privacy regulations globally, the focus is on restricting what a company that lawfully has data about a data subject does with it.  While many data protection laws have security requirements, keeping data out of the hands of a third-party is not really a privacy issue.

Privacy truly relates to a situation where a company processes (collects or otherwise uses) data regarding a data subject/individual. That processing creates some amount of impact on the individual, because the data is about the individual (this is the point made above about how we are the fuel), and that adverse processing impact creates both legal risk and resiliency risk for the company processing the data. The legal impact results from legal requirements. However, there are obviously more implications because of practices that are legal, but, to use the current vernacular in privacy, “creepy”, which can cause people to stop trusting your company and therefore stop voluntarily giving you their data.

To sum that up, a company’s choices about data create third-party impact, which become first-party risk for the company, and that risk exists in both the legal and resiliency domains, and otherwise legal, but “creepy”, privacy practices create resiliency risk.  Since the hybrid world is largely borderless, and what is creepy varies between cultures, just trying to be compliant doesn’t solve resiliency risk.

What is the implication of that?  It is that even for companies that are based in jurisdictions with heavier regulatory burdens on the use of personal data, the focus of most “privacy work” is compliance with particularized controls that are based in law, which doesn’t solve the problem.  While that may be compliant in a particular jurisdiction, in light of the framing above, that may not be what controllers of data ultimately need to do.  Not for legal reasons, but for data sustainability reasons.

Which is how we end up here—the concept of data sustainability. 

Data sustainability examines information uses that are culturally unacceptable, inconsistent with a company’s values or brand, or otherwise something the company does not want to engage in, to try and assess whether a particular data use should be done by a company, even if the practice is otherwise legal.  A complete description of the implementation of data sustainability is beyond the scope of this post, but the important point is that companies that want to address resiliency risk must stop exclusively thinking of privacy as a legal compliance issue, and must also consider it to be a resiliency issue, and then determine how to implement and oversee the concept of data sustainability.
