Everyone is after personal data, not just the NSA

Security conference hears of need to build better safeguards into the systems themselves

On the drive into San Francisco, a huge billboard alongside Highway 101 states: "We're all data nerds now."

It's an advertisement for a tech company, but it neatly summarises a key issue at this year's RSA Conference, a huge annual security event that, over several days of keynotes and sessions, picks apart every angle of IT security.

It's the first post-Snowden RSA conference here, and his revelations – and the international discussion they have prompted – certainly seem to have focused minds on security and privacy.

A record number of attendees are here, even though some companies and past participants have chosen to boycott the event over a Snowden leak suggesting that RSA itself built a "back door" into one of its products, making it easy for the US National Security Agency (NSA) to gather data. RSA executive chairman Art Coviello denied the claim in the opening keynote, but it remains a major topic of discussion and speculation at the conference.


Indeed, every keynote, and many of the big general sessions on the opening day, included the “S” word.

But despite Snowden’s continuing revelations of secret data gathering, we show no signs of losing our collective appetite for creating and using data.

Consumers want the devices and services that generate, and sometimes stem from, streams of data. Businesses, from small startups to huge corporates, want that data because it has commercial value. And as Snowden has revealed, security and policing agencies want that potentially revealing data, too.

But where do the boundaries of gathering and analysis lie? We are barely at the start of an information age where capability and possibility run ahead of our ability to think through, or even understand and visualise, consequences.


What's okay?
What increasingly stands out is this: it's no easy task to differentiate between these varied types of surveillance – or is that big data use? – or neatly state what's okay and what's not okay. If the issue has taxed your own mind, rest assured the experts in data security are just as uncertain.

The more sessions one attends at this conference, the more it seems odd to criticise a government’s secret data gathering when so many companies effectively conduct surveillance of their own, sucking in and analysing vast amounts of personal data from users.

Most of the time, users are unaware that this is happening behind their app, browser or device, and the gathering is sometimes legal and sometimes not.

Some here have argued that apathy about data gathering and privacy protections – from citizens, from the security industry – is a major problem. But that view raises the question of whether the general public should have to be aware of a risk, and demand change, before lawmakers legislate to protect them.

Certainly, there are large areas of life in which citizens are deemed to deserve legal protections, without noticing or precisely articulating the need themselves.

Where, then, does "big data" end, and "surveillance" begin? The reality, as security expert Bruce Schneier noted in his talk, is that they often go hand in hand, to form "basically a public private surveillance partnership. Surveillance is the business model of the internet."

We give companies our data, and they sell it to advertisers.

"It isn't like the NSA woke up and said, 'let's spy on everybody'. They woke up and said, 'hey wow, corporate America is spying on everybody; let's get ourselves a connection'," he said.

Yet even Schneier noted that society could benefit from permitting some uses of large troves of personal data, such as health research, provided individual privacy is also protected.


Better safeguards
While some speakers call for clearer "norms" on data use, or improved guidance from lawmakers on acceptable boundaries (once they become better informed than they are now, naturally), Schneier and others suggested we can build better safeguards and management into the systems themselves. Encryption, as Snowden himself noted, remains effective when it is properly implemented. Make networks and software more transparent, and introduce trusted protocols for managing data – with international co-operation and support.

Such an approach could enable data to be gathered and parsed for various uses, but still protect privacy.

Implementation would be a challenge, but no more so than the demand for international co-operation required in tackling, say, money laundering, said Schneier.

That's a useful way of looking at it, especially after Washington DC policy group the Information Technology & Innovation Foundation predicted in November that NSA spying could cost US technology companies $35 billion in revenue from lost sales.

Many speakers here have noted, though, that while the NSA has got all the (unwanted) publicity, it isn’t just the NSA that’s the problem.

Europeans, Russia, the Chinese; governments and companies – everyone's going after personal data.

So, internationally, there’s both an economic and a social argument for finding a way to protect data, while making it usable within defined limits. If the protections are intrinsic to the very systems that produce and manage data, unwarranted surreptitious gathering and use becomes difficult – a goal well worth aiming for.