I always learn something or get to think about something more deeply when I give a talk, because I’m open to being challenged, and yesterday was no exception. Yesterday’s challenge: can we — and should we — secure open data?
Yesterday’s talk was on the Microsoft campus in Charlotte, NC, addressing the North Carolina chapter of Infragard, the public-private partnership between the FBI and security practitioners.
Of all things, this security-focused group had asked me to talk about open data.
The benefits of open data are pretty clear to me and to others — my personal favorite thing is that it creates more efficient government because it automates open records and saves staff time. This means that municipal staff can focus on other valuable activities, just like with any automation.
But many security folks are a little nervous about the whole notion of providing easy-to-access public records. And at some level, why wouldn’t they be? Intelligence about your target is exactly what you want when you’re the perpetrator — and what you don’t want the perp to have when you’re the target.
More than one person in the audience challenged me with this notion: why would you want to publish government open data that SHOULD be benefiting citizens, and publish it on a medium that is world-wide — way beyond the scope of most citizens’ expectations? To paraphrase one audience member’s question: Why would citizens want to make their own data available to the enemy?
It’s a good question.
Catastrophic Privacy Failure
I went into the talk expecting this kind of pushback, and came prepared to talk about the notion that you have to address problems with privacy where they’re most egregious, not where they’re least egregious. In other words, when the dam is failing, why would you start focusing on the little rivulet to the side?
We live in an age of catastrophic privacy failure. I am, of course, not only talking about the creepy “find out anything about anyone” phenomenon (which largely DOES come from public records, but largely does not come from the government providing automated data — those guys have their own tools), but also Facebook’s “once you understand the privacy implications, you quit, but it’s too late” services, and the upcoming Google Glass surveillance state. Most attendees said they didn’t participate in social media, but when I pressed them about participation in shopper loyalty programs for either themselves or their spouses — something that reveals a great deal about who you are and what you do — most said that they did not opt out of this “marvelous” way that companies learn your secrets.
We also live in an age where the government may have tampered with security mechanisms that we rely on for private communications. But we won’t go there, at least today — Bruce Schneier has already written passionately and well on that topic.
So with all of this going on, what makes us think that the automation of public records (which must be provided to a requester) is the thing that we need to focus on when we’re trying to fix personal information security? It’s probably not that this is the best place to focus on. It’s that it is the one that folks may feel is the most controllable, since we can control local government more than we can control Google or Facebook.
Still, an attendee asked another good question: don’t government officials have the obligation to perhaps create an authentication mechanism that might offer “only authorized users” the data?
Sure … as long as we define authorized users. That’s the sticky wicket. The law, at least in NC, is silent about authorized users. “Freedom of information” means freedom — it doesn’t restrict the disclosure of that data.
The beautiful thing about open data — as opposed to any of the other ways that personal data is torrentially cresting the dam — is that there ARE laws that surround open records.
Indeed, if, as a government official, you start putting up barriers or choosing who can access data, it’s highly likely that you are breaking the law.
So, the question may not be: should we secure open data and open records, but rather, should the laws in the United States follow other countries’ lead and do a better job of protecting personal information? And, can we do that while still preserving the many advantages of open government data?