In this piece, I make a case for the re-emergence of privacy from extinction, using the indispensable power of law, technology, people and processes. While the central argument of this paper focuses on the right of global citizens to privacy and confidentiality, the enterprises of the world will find the insights adaptable to their strategic directions.
Some may call it a rude shock, or brand it a total disregard for freedom, liberty and the pursuit of privacy, but whichever appellation we settle on, none can simplify the sudden death of privacy. All of a sudden, we have been stripped of our hard-fought right to privacy! The inventions, innovations and advancements we had long thirsted for came upon us like a hurricane, but left an indelible mark by exposing our lives to a world outside of our reach. Our private lives became the public domain where everyone connects to transact and commercialize. Now, where do we turn? The rescue efforts in privacy laws and regulations, which could have salvaged the situation, have unfortunately arrived too late and appear insufficient.
Electronic mails (emails) are routinely read by a live person, communications are eavesdropped on, messages are intercepted, network traffic is sniffed and telephone conversations are interfered with by firms (mostly for profit), governments (for citizens’ “protection”), and other interested parties called digital hackers. It must be clear henceforth that privacy is no longer a right, but a privilege! If you did not know, please be informed that most public email providers, such as Gmail and others, have processes where their third-party app developers read your email before it is sent over to your inbox. The justification of many has always been ‘to fight terrorism and to protect against those who would want to do us harm.’ There is nothing wrong in being proactive to protect lives or assets, but how do we manage the information, or how do we know that the information being collected is not made known to those without the need to know, thus violating the principle of least privilege? Another social media platform that has contributed to trivialising personal privacy is our darling Facebook, but in a way that betrays our trust and reliance.
In the recent case involving Facebook v. United States Government, the complainant (the US) alleged that Facebook knowingly abused the privacy of its users to the advantage of the Trump campaign by colluding with Cambridge Analytica to provide certain data, which in turn assisted the Republican campaign. In a rare admission of wrongdoing, the social media mogul, Mark Zuckerberg, agreed to the highlighted flaws and promised to fix the age-long privacy issues. Don’t get me wrong: it may be nearly impossible to guarantee absolute privacy given the ongoing commercialization of inventions and the flurry of innovations, but it is wrong to give away the privacy of those who trusted your platform on account of profit. Facebook is not the only culprit in the privacy-breach saga; others have followed in the same direction, a situation that has introduced a perpetual concern to the governments of nations, including Canada.
Concerned about the rate at which her citizens’ right to data privacy is continually eroded, Canada saw the Canadian Anti-Spam Legislation (CASL) receive royal assent and become law. By this law, it would be illegal for one party to send emails to another party or parties without being authorized. It implies that retailers, techie stores and co. may not send any marketing mass emails or bulk emails, or even any email at all, without prior consent in the form of a subscription. It was a great day for the average citizen and privacy fighter, but a sad end for marketing, retail and techie firms. Unfortunately, the excitement was not sustained, thanks to the annulment of critical sections of the law, ss. 47-51 of CASL. The provisions under which a violation of privacy could have attracted the maximum compensation of $1 million to the victim, and which strengthened the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Competition Act, were completely removed from the legislation, an action that imperilled the balance of the legislation.
In the cases of R v. Marakah and R v. Jones, the Supreme Court more or less established a new boundary in the privacy legal system by drawing a dichotomy between the seizure of a personal telecommunication device for civil or administrative matters and the confiscation of a defendant’s communication device for criminal matters. What does that mean? Your phone can be confiscated, opened and read while you look on. This is related to developments we have heard and read about from some US airports, where a certain individual who had arrived from a trip was asked for the password to his phone while the officers inspected it. Now, does that remind you that there are no privacy rights left for the citizens of the world to exercise?
Typically, laws and regulations are the procedural techniques that protect the rights of citizens from being trampled. They avenge crimes committed by one against another. They redistribute fairness in an equitable and egalitarian manner. But what happens when the law has failed to yield the expected outcome, thus leaving citizens in the hands of manipulators and cartels? Where do we turn when the gaps and loopholes that exist in our laws have been silently and smartly exploited by the “agents of exposure”? Do you remember Ashley Madison and the loss of money, lives and reputation through the act of a few hackers, who published and publicised the private emails and credit cards of some of their victims?
While the problems are enormous and the stakes are high, we must find a strategic approach towards securing and protecting our world using a combination of technology, law, people, and government. I have laid out some solutions (or strategies) that can be easily adapted to frustrate the goals of known and unknown enemies of our legitimate right to privacy.
Administrative controls: The privacy that was once thought of as the golden parachute protecting the rights of citizens against threat agents has become a public good, which everyone feeds off, distributing the leftovers at will. The responsibility is in the hands of the primary custodians of information: the users (or rather, I should say, you). The privacy you have is the privacy you deserve! Be smart about the release of your information online, and if possible create an information decoy that misleads those who may want to profit from exposing your life to the rest of the world without your due consent.
Technical controls: Have you wondered why corporations are so eager to obtain information? It is simple! Information is the source of money. The more information they have, the more it can be monetized. I must admit, however, that not all access to private data should be construed as serpentine behaviour, but any access to your private data without permission, or a breach of your personal information, is an attack against your privacy and must be treated as such. There are specific steps and controls you can apply, including opening an email account that has a higher level of security and is totally different from what you have always known. I might be able to recommend combinations of technical, process and administrative controls that could help restore your lost privacy.
In the end, your privacy is a critical part of your life, without which your life, your firm, or your agency can be brought to its knees within a nanosecond. Therefore, no precaution or investment can be too much to assure yourself of privacy over your personal data. The higher the precautions and investment, the better your self-assurance of privacy and protection.
You can reach out to me if you care to know whether you have been hacked, or if you need information about applying technical and administrative controls to maintain your right to freedom and digital privacy.
Yomi Olalere, LLM, CISM, CISA, CRISC
Abaster Consulting Inc.
Member, 2019 International Cybersecurity and Intelligence Conference