Part 2 of a four-part “Privacy Reality Check” series. Click here for part one.
When it comes to privacy, what’s the difference between Facebook and the federal government?
Facebook wouldn’t dream of letting its employees use one. Facebook’s massive library of personal data on its vast user base is its greatest asset. It’s worth billions. If Facebook employees could simply copy this information, or part of it, onto USB keys in order to take their work home, then it would only be a matter of time before Facebook’s biggest asset was leaked to the world. Someone would sell or lose a memory stick, laptop, phone or hard drive. It would show up online, we would all be exposed, and that would be it for Facebook.
Canada’s federal government has no such aversion to portable memory devices. Canadian spy Jeffrey Delisle filled up his memory stick again and again with classified military intelligence that he then shipped off to the Russians. It took more than four years for these constant breaches to get detected. A careless employee of Human Resources and Skills Development Canada lost a USB key with data on 5,000 other Canadians. Even this failed to bring about a change in data-handling policy. Soon a hard drive containing the sensitive personal information of 583,000 student loan borrowers went missing. Nothing has changed. The same thing could happen again today in dozens of federal government offices.
“It’s shameful and shocking,” says David Fraser, a privacy lawyer with the firm McInnes Cooper in Halifax. Ottawa’s sloppy data hygiene, he believes, stems from a wrongheaded aversion to cloud computing:
“The government talks about ‘data sovereignty’ — the idea that data must stay in Canada. It’s a made-up concept. It’s a fiction that it matters where data is located. Then there’s a real phenomenon of ‘server-hugging,’ the erroneous belief that if you can go down into the basement of your building in Gatineau and see a server blink, you know where your data is. The truth is, you have no idea where copies are.”
The security benefits to cloud computing, says Fraser, are many. There’s no need for employees to copy information on to local drives of any kind. Any lost device, says Fraser, “would be stupid. They’re only a portal to the data.” As for inside spies and internal threats, a centralized cloud service knows what’s going on — it knows who is looking at what and when. It can automatically detect suspicious behaviour, and it can be audited when problems arise. Neither Jeffrey Delisle’s spying or the HRSDC leaks could have occurred had cloud security been in place.
Perhaps an anti-cloud argument could be made regarding protection from malicious external threats. But hackers were still able to compromise Finance Canada and the Treasury Board in January of 2011. We never learned what the attackers got (more on this disclosure problem later) but the compromise was bad enough to force the government to completely shut off Internet access in some departments for months (which in turn forced federal employees on to Starbucks’ open WiFi connections with their work laptops!).
Whatever theoretical arguments you might lay out, there’s no getting around the superior track records of secure, private sector cloud data facilities over whatever rubber-band and chewing-gum solutions Ottawa’s disparate IT managers have cobble together. Therein lies a clue to the true motivations for Ottawa’s provincial (sorry) aversion to the cloud. Again, David Fraser:
“We have also seen privacy insecurity being used as a way to prevent outsourcing. Privacy becomes a prop to be used — a fear to pull on to advance a political position.”
It’s understandable that certain security workers in our government would say whatever they feel they must in order to protect their jobs. But there’s no need for us to heed these arguments. The money Ottawa would save taxpayers by using centralized cloud security are considerable. But the most compelling reason for the public to demand this is of course because it’s our information they are putting at risk
I’ll leave you with another difference between Facebook and our government. We choose to give our information to Facebook.
We have no such option when it comes to government data collection.
NEXT: The leaks you never knew. Why government doesn’t have to disclose privacy violations.
Follow Jesse on Twitter @JesseBrown
Wednesday, February 6, 2013