January 28 is Data Privacy Day. Throughout the months of January and February, the EDUCAUSE Cybersecurity Initiative will highlight higher education privacy issues. To learn more, visit StaySafeOnline.
I’m looking at you, Silicon Valley. And why not? You’re watching our every move. Which may be fine — you give me free e-mail and unlimited storage for the digital tailings of my life; you let me video chat with my elderly mother and her 80-years-younger niece and nephew. It’s a quid pro quo, and to a large extent most of us are reasonably comfortable with it. Sure, you’ve screwed up once in a while, and let’s face it, “do no evil” is rapidly becoming hilariously ironic. But none of us should be surprised, given that the mitochondria that power the Internet are advertising revenue.
But I do wonder what our world might look like if privacy weren’t a policy but rather a posture. An attitude. A feature you engineered into your applications and services with the same thought and focus you put into optimizing network and storage requirements. Imagine if every one of your developers and application architects were required to demonstrate how his or her code reflected Fair Information Practice Principles in the same breath that they demonstrate that it’s free of bugs or minimizes memory use. Imagine the impact on universities that are pumping out coders if the industry leviathans stopped hiring people without a year of coursework in privacy and secure coding practices. (Yes, you can build privacy requirements into an application’s design; there are even automated tools that help with this.)
Transparency is wonderful, and sunlight is the best disinfectant, but it’s disingenuous to believe that it is sufficient. To put the burden of choosing privacy on user behavior is a disruption of the user experience. If I can manage my courses, my finances, and my personal relationships on my phone using only my thumb, why do I need to disrupt this elegant experience to choose whether or not to send my location information to a third party? You may feel you’re empowering us on how our information is shared, but it rings hollow. It feels lazy and like a retrofit.
You build for us these amazing services that profoundly change how people interact and learn, and they evolve and are used in ways no one could ever imagine.1 Yet we are continuously faced with the consequences of privacy and security failures, be it the Snapchat fiasco or the IoT attack on Dyn, too many engineers seem to have a very narrow view of their responsibilities for privacy and security. When I’m feeling charitable, I think much of this is the result of our all-too-common tendency to create silos in IT. Need security? Hire security professionals, create a security shop. Need privacy? Hire a privacy professional (and sadly, shove them into the compliance office).
If we can recognize that addressing privacy (and security) systemically will require expanding the expertise and expectations we have of “ordinary” technology professionals, then perhaps we will finally begin to raise the bar on privacy and security within the digital ecosystem. This is true for us in higher education as well: CIOs, are you under pressure to expand your security or privacy operations? Have you included these as explicit responsibilities in your networking and systems staffs’ job descriptions? Are your developers evaluated on how vulnerability-free their applications are found to be through application scanning?
Of course, as we shift to the cloud and more consumer-oriented services, more and more of our ecosystem is created outside of our own shops. So again, I’m looking at you over in Palo Alto, Boston, Cupertino, and Seattle. You folks in Detroit looking to embed technology in cars. Time to get in the game.
- See the last four paragraphs of As Iraqi Forces Prepare to Attack Mosul, a Civilian Exodus Could Follow.
Michael Corn is the CISO for the University of California San Diego.
© 2017 Michael Corn. This EDUCAUSE Review blog is licensed under the Creative Commons BY-NC-SA 4.0 International license.