IoT
IT Leadership // Security & Risk Strategy
Commentary
1/6/2016 09:06 AM
Pablo Valerio

Top Data Privacy Issues To Scare You In 2016

In 2016 issues regarding privacy, whether in personal or business data, are going to dominate headlines and change the way people interact with technology and the companies that provide it. From encryption to drones, to personal information, here's what to watch in the next 12 months.

Encryption Debate: 8 Things CIOs Should Know

When it comes to guarding data, whether it's your personal email or the company's balance sheet, nothing is easy anymore. In fact, privacy is one area that's about to have a serious debate in 2016, as individuals, companies, and governments clash over what can or can't be accessed.

A great example of this happening between two close Western partners: The US and European Union.

To start 2016, most companies, primarily US-based Internet providers with users in Europe, are operating in a legal limbo, since there is no current framework for the collection and storage of personal information across the Atlantic. That is because just three months ago the European Court of Justice (ECJ) struck down the 27-year-old "Safe Harbor" agreement between the EU and the US.

Users of popular services such as Gmail, Instagram, and Facebook could be seriously affected if a new agreement is not reached soon, since any cloud provider will be forced to store all data locally in every country. Is that only personal email or social media? What about company data that flows across borders?

(Image: D3Damon/iStockphoto)

With that as a backdrop, I want to address three specific issues that individuals, IT managers, and CIOs should watch in the next 12 months: Encryption, drones, and a new privacy directive in Europe. These are important and shouldn't be forgotten during 2016.

War On Encryption

The so-called crypto-wars began in the 1970s when the US government attempted to classify encryption as munitions.

Until 1996, the US government considered anything stronger than 40-bit encryption illegal to export. Before 1991, the government and large companies were the only real users of encryption technology. But then programmer Philip Zimmermann released free software called Pretty Good Privacy (PGP), which can encrypt ordinary email. When PGP appeared in other countries, the Department of Justice launched a three-year criminal investigation of Zimmermann.

During the past two years law enforcement agencies on both sides of the Atlantic have been voicing concerns about the use of the "Zero-Knowledge" approach to encryption. Zero-Knowledge services allow users to encrypt data and communications with keys they generate themselves, which the service providers cannot unlock. Big tech companies such as Apple and Google have started letting users encrypt their mobile devices, on both iOS and Android, with private encryption keys.

Apple and Google argue that they won't be able to unlock the device's data without the user's cooperation. While the Obama administration said earlier this year that they won't seek a ban on encryption, the recent terrorist attacks in Paris and San Bernardino, Calif., have triggered renewed efforts to require that Internet companies and service providers make it possible to break encryption if served with a court order.

At the heart of the debate is the question about how the government deals with the fact that communication data is increasingly being encrypted.

In 2014, the US toyed with the idea of key escrow, which would require all providers to deposit a "spare key" with a trusted third party, where the government could request it. Technology companies strongly refused to consider the idea, arguing that it would create an administrative nightmare and that users would reject it.

Now the UK is preparing a set of new laws that would ban Zero-Knowledge encryption outright, and British Prime Minister David Cameron said after the Paris terrorist attacks that there should be no "means of communication" which "we cannot read." Australia has already gone so far as to try to ban research on cryptography.

But most technology and security experts have been warning about the risks of "backdoors" for law enforcement, arguing that their existence will eventually be exploited by criminals to access critical data. Many services, including Blackphone and Silent Circle, will continue to offer full Zero-Knowledge encryption on their servers located in countries such as Switzerland.
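To make the distinction behind this debate concrete, here is an added Go example; it is not code from the article or from any of the services it names. It models the two designs discussed above with the Go standard library: a "Zero-Knowledge" record, where the user encrypts on their own device with a key only they hold and the provider stores ciphertext it cannot open, and a key-escrow record, where the same data key is additionally wrapped under a "spare key" held by a third party. AES-256-GCM for both the data and the key wrapping, the `Record` layout and the sample plaintexts are all assumptions of this example. The security-relevant observation it demonstrates is the one the experts quoted above make: in the escrow design a single key recovers every user's data, so whoever obtains that key, legitimately or not, can read everything.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record is what the service provider stores for one object (assumed layout).
// Ciphertext is nonce || AES-GCM output. WrappedKey is empty in the
// zero-knowledge model; in the escrow model it is the user's data key sealed
// under a key the third party controls.
type Record struct {
	Ciphertext []byte
	WrappedKey []byte
}

// NewKey returns a fresh random 256-bit AES key.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key and returns nonce || ciphertext.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; the GCM tag makes a wrong key fail instead of
// producing garbage.
func open(key, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// StoreZeroKnowledge: the user encrypts locally with userKey and uploads only
// ciphertext. The provider never sees a key.
func StoreZeroKnowledge(userKey, plaintext []byte) (Record, error) {
	ct, err := seal(userKey, plaintext)
	if err != nil {
		return Record{}, err
	}
	return Record{Ciphertext: ct}, nil
}

// StoreWithEscrow: the same client-side encryption, but the data key is also
// wrapped under escrowKey (the "spare key" held by a third party).
func StoreWithEscrow(userKey, escrowKey, plaintext []byte) (Record, error) {
	rec, err := StoreZeroKnowledge(userKey, plaintext)
	if err != nil {
		return Record{}, err
	}
	rec.WrappedKey, err = seal(escrowKey, userKey)
	return rec, err
}

// UserRead is the owner decrypting their own record.
func UserRead(userKey []byte, rec Record) ([]byte, error) {
	return open(userKey, rec.Ciphertext)
}

// EscrowRead is the third party (or anyone holding its key) recovering the
// data key from WrappedKey and decrypting without the user's cooperation.
// It fails on a zero-knowledge record: there is nothing to unwrap.
func EscrowRead(escrowKey []byte, rec Record) ([]byte, error) {
	if len(rec.WrappedKey) == 0 {
		return nil, errors.New("record is zero-knowledge: no escrowed key")
	}
	dataKey, err := open(escrowKey, rec.WrappedKey)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return open(dataKey, rec.Ciphertext)
}

func main() {
	alice, _ := NewKey()
	escrow, _ := NewKey()
	msg := []byte("constructed sample: quarterly figures") // constructed plaintext
	zk, _ := StoreZeroKnowledge(alice, msg)
	_, err := EscrowRead(escrow, zk)
	fmt.Println("escrow holder on zero-knowledge record:", err)
	esc, _ := StoreWithEscrow(alice, escrow, msg)
	pt, err := EscrowRead(escrow, esc)
	fmt.Printf("escrow holder on escrowed record: %q (err=%v)\n", pt, err)
}
```

Run it as a normal Go program, or exercise `StoreWithEscrow` with two different users and the same `escrow` key: one `EscrowRead` key opens both records, which is the property the key-escrow proposal requires and the reason its opponents call it a backdoor.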

Surveillance and Drones

The US Federal Aviation Administration started registration of "Small Unmanned Aircraft" -- better known as drones -- on Dec. 21. The new rules establish that devices weighing "more than 0.55 pounds (250 grams) and less than 55 pounds (approximately 25 kilograms), including payloads such as on-board cameras, must be registered."

Existing drones that were operating before the rule need to be registered by Feb. 19, and new ones need to be registered before the first flight. So, if Santa got you a new drone for Christmas, make sure you tell the government before playing with it outside. Registration is free until Jan. 20, and the FAA will collect a one-time fee of $5 afterwards.


Personal drones can't fly above 400 feet, must remain visible to the operator, and can't be flown near airports, groups of people, stadiums, sporting events, or any area where emergency agencies are operating.

But the real battle is now up to states and towns, which must regulate drone use in their own communities. While people can fly their drones in their back yard, they could be subject to serious fines if the device flies over to a neighbor's yard or if it uses a camera to monitor the neighbor's activities. In Louisiana, for example, it's illegal to use a drone to monitor a person or property without consent. Offenders face a fine of up to $500 and six months in jail.

Cities such as New York are already looking at a complete ban on the use of those devices, including drones for commercial purposes and law enforcement.

New European Union Privacy Directive

Recently, the European Parliament approved the new EU Privacy Directive, the most comprehensive set of rules to protect user privacy on the continent. As with the Safe Harbor rules, the new Directive limits the amount of data that companies can collect, store, and process. It also requires explicit user consent to share data with third parties, even if the data is technically "aggregated" and "anonymized."

It also raises the age of data consent to 16. Users younger than that will be required to get parental permission to share information about themselves. This effectively means that companies such as Facebook will need parental consent to open and keep accounts for youngsters. Previously the age of consent was 13.

Technology experts already call the new rules "restricting," but there are some benefits. For instance, it's a single framework rather than the separate and sometimes slightly different rules previously used by the European Union's 28 member countries. This had been a major headache for firms doing business across Europe.

Companies found breaking the rules could face fines up to 5% of their global revenue, which is a staggering amount of money for companies such as Google or Facebook.

The Directive needs to be approved by the European Commission and the European Council before it becomes European Law. The approval is usually a rubber-stamp procedure.


Pablo Valerio has been in the IT industry for 25+ years, mostly working for American companies in Europe. Over the years he has developed channels, established operations, and served as European general manager for several companies. While primarily based in Spain, he has ...

Comments
Ariella,
User Rank: Author
1/6/2016 | 11:16:18 AM
Re: data
@Pablo I knew that the EU has a lot more privacy protection built into its laws pertaining to data use. That's why Google gets slapped with fines every once in a while. Fines may get even stiffer in 2018, according to the BBC's account of changes to go into effect then: "Stewart Room, head of data privacy at PwC, said: 'The scale and breadth of the EU's changes to privacy rules will deliver unprecedented challenges for business and every entity that holds or uses European personal data both inside and outside the EU.'"
Pablo Valerio,
User Rank: Ninja
1/6/2016 | 11:09:41 AM
Re: data
Ariella, the EU has stricter rules on data privacy. Depending on the type of information, it is illegal to store it outside of the EU, and sometimes it has to be kept in the same country where the data is collected or created.

The "Safe Harbor" agreement granted the possibility to transmit and store some information in the US and vice versa. But the fact that the US government has the right to subpoena most data without a court order made the ECJ consider the Safe Harbor rules illegal. European governments can't legally request access to any personal data without judicial oversight.

A new "Safe Harbor" agreement is being negotiated, but it will restrict the ability of US agencies to request any data belonging to EU citizens and corporations without more control. Gag orders are also considered illegal by EU Law.
Ariella,
User Rank: Author
1/6/2016 | 10:39:10 AM
data
<What about company data that flows across borders?> Yes, that is an important point to clarify for companies with international operations. What is legal in one country sometimes isn't in another, and you have to satisfy the law for every place in which you do business. Perhaps a new branch of international law will develop with a specialization in cyber law.