What is the effectiveness of legislation in our online world?

 

At the heart of the debates over data retention and privacy legislation lie the key considerations of data rights and data security. Question is: What is the effectiveness of legislation in our volatile, opaque and insecure online world?

More specifically, how does the effectiveness of legislation stand up in respect of protecting individual’s right to privacy in cyberspace?

As a concept, Big Data is nothing new. Its origins stem from the earliest days of computing when large businesses and governments started amassing vast amounts of data for a range of purposes such as tax collection, scientific research, surveillance or census analysis.

Since then, the combination of the internet and the explosive uptake of mobile and “smart” devices has generated ever-increasing volumes of data.  Added to this is the data generated by governments and corporations, further fuelling that growth. Big Data came of age when the torrents of data could be accessed and analysed in near-real time.

In this changing landscape, how can legislators and regulators meet the data security and protection challenges head on?

What is the effectiveness of legislation in today’s online world?

While many governments are seeking to ensure our rights to privacy by passing legislation, these rights are being sorely tested, for several reasons.

First, we have those seeking to access and monetise people’s digital footprints.  Our globally dominant digital landlords such as Google, Microsoft, Amazon and Facebook are all vying for a slice of the multibillion-dollar expenditure on advertising made possible by our individual usage patterns.  In exchange for free apps and other digital goodies, we, for the most part, have no option but to cede many of our rights to privacy each time we hit the “I accept these terms and conditions” button on our apps or websites.

Forget George Orwell’s 1984, it’s happening today.

Anyone with a Google account using the default privacy settings on their mobile device will be able to see exactly where they have been.

The question is: who has access to this information and for what purpose?

Second, governments are passing laws aimed at protecting the individual’s rights to privacy, specifically personally identifiable information (PII). The fact that more than 100 countries have privacy laws and almost 50 have enacted data breach legislation shows that governments are trying to ensure the individual’s online privacy rights are maintained through legislation.

Third, the global ecosystem of security and law enforcement agencies remains, for the most part, invisible, and has acted with relative impunity across international legal jurisdictions.  For example, the disclosure in 2013 by Edward Snowden of the US National Security Agency’s covert surveillance initiatives included reports of national leaders’ phones being  tapped. Adding nation-state cyber surveillance to this mix only elevates concerns about information security.

Finally, there is the shadowy world of cybercrime, opportunistic hackers, state-sponsored cyber attacks, terrorism and those who inhabit the so-called dark web.  Wade Baker, principal author of the 2014 Data Breach Investigations Report from the US mobile communications company Verizon, sums up the situation more bluntly: “After analysing 10 years of data, we realise most organisations cannot keep up with cybercrime – and the bad guys are winning”. Seems that in this shadowy world, the effectiveness of legislation is negligible.

Fuelled by the terrorism threat, Australia’s proposed data retention legislation will only add to the volume of Big Data that needs to be stored and made available for analysis. Other than the added costs of retaining this data, other concerns have been raised including the risks to privacy, the practicalities of implementing poorly structured legislation and the danger to journalists’ ability to protect their sources*.

Those countries that have data retention laws are facing resistance from privacy rights activists; in some instances, legal challenges have been mounted to amend legislation.

Legislating for data protection.  A losing battle?

The effectiveness of legislation in respect of data retention, breach or privacy legislation in our fast-moving and shadowy digital world has to be questioned.

The speed and agility of the cybercrime industry stands in stark contrast to the glacial pace of regulatory and legislative evolution.

For the legal and regulatory mandates to be effective, they rely on considerations such as the deterrence factor, the protections afforded under the law, and the practicalities of enforcing the law. The effectiveness of all three is to be questioned in our volatile, borderless, digital world.

The recent conviction of the creator of the online illicit drug marketplace known as the Silk Road is a rare case of a successful cybercrime prosecution and conviction.  The conviction followed a sustained and extensive investigation on a known and visible target – and the main prosecution related to money laundering and narcotics dealings, not data theft as such.

While there have been other successful takedowns of dark web operatives, the mercurial nature of the dark web means this is a continuing and formidable challenge.

In the face of advanced and persistent threats (known in the IT security industry as APTs), the protection offered by the legislation is limited, especially if an organisation is not aware of the attack even having occurred.

These breaches represent only the tip of the cybercrime and data breach iceberg.

The bottom line is that legislation alone will be only a small part of the overall effort needed to protect critical information assets.  Welcome to 1984.

* [20th March 2015] The recent passing of the Australian data retention and national security legislation has included some protection for the disclosure of journalists’ sources.

| This article written by me and published in the Sydney Morning Herald, March 18th 2015