It’s a rare week when a new online activity doesn’t come along – and when a fresh concern doesn’t surface around internet privacy and security.
With each new mobile device, app, social network or e-commerce site we use, our online trails grow longer and more winding, not to mention permanent. Knowingly and unknowingly, we’re leaving more and more of our personal information open to potential exploitation and abuse.
Canadians have traditionally placed a high value on personal privacy, even as they have been among the most active internet users on the planet. They were, for example, the most enthusiastic adopters of Facebook early on, but they also forced changes to the company’s data-sharing practices when those practices violated Canada’s privacy laws.
The tandem growth in both the benefits and threats of online activity raises big questions not only about the kind of world we want to live in, but also about the role Canada’s technology sector will play in that world.
Is privacy possible in an always-on, hyper-connected world? Are our fears overblown? Does the tech community bear responsibility for eroding our privacy, and thus for fixing the problem? Does privacy even matter?
Communitech is exploring such questions in a series of interviews with experts who hold various perspectives on online privacy and security.
We begin with Mark McArdle, who spent more than a decade in the security field. After stints as a developer with MKS and OpenText in Waterloo, McArdle moved to Silicon Valley in 1995 to work with security startup PGP, which was acquired by McAfee in 1997.
McArdle stayed with McAfee and served as senior vice-president of consumer product development until 2008, overseeing 400-plus employees worldwide and security products for 30 million-plus users, worth more than $650 million in annual revenue.
He joined Communitech as an executive-in-residence in 2009 and advised early-stage companies including TinyHippos, which made him CEO in 2010. The company was acquired by Research In Motion this year. McArdle now advises startup entrepreneurs at the Accelerator Centre in Waterloo.
Q – When it comes to online privacy, should it be up to individuals to educate themselves and protect their own personal data?
A - I wish that was feasible, because I think that there’s an amount of personal responsibility that everyone has to manage their privacy both in the real world and online. But I think we have to recognize that the technologies have evolved so quickly, and are so far beyond the understanding of what the implications are, if you’re a regular consumer.
It’s hard enough when you are immersed in tech, all day and every day and night, to really think through the implications of what you’re doing. To expect someone who has a job that has nothing to do with this technology to have the time and means to understand it is maybe a little naïve.
That said, the things that Canada’s privacy commissioner is doing are very commendable. We need people who understand and put some focus on the implications of things, like sharing your life on Facebook and Twitter, and to hold companies to account when you decide, ‘You know what? I don’t want to be on there anymore, and I want everything I’ve ever shared to be removed from at least your servers’.
Deleting something on the internet poses some ridiculously significant challenges, but I think the privacy policies that we have to hold businesses to have to represent the individuals and the consumers who are basically building their business for them.
You’re inventory; you are the means by which they are making their massive profits. Your privacy, as long as it aligns with their business interests, will be taken seriously, but when push comes to shove, you know which way they’re going to go, unless there’s government oversight and something with real teeth.
Q – So, what do we need to be doing to bolster people’s privacy that we’re not doing already?
A - There’s never a magic bullet to anything, but I think there’s a number of things we could all take some ownership of, and one is being more proactive in communicating to people the implications of their activities online.
The folks I worry the most about are the kids growing up now, who are pre-teen and even into their early 20s, who see it as second nature to share everything they’re doing, with no real lockdown in terms of who can see it.
If they’ve met a person once, they’re friends now on Facebook, and they can see everything that’s happened in the past and going forward. I think that’s something that I certainly look back on during my university years and think, ‘Thank God there wasn’t a camera in every mobile phone, and an archive of every goofy thing I’ve ever done.’
Q – Then again, with so many people sharing their lives online, could it precipitate a value change whereby no one will care if embarrassing photos from someone’s youth turn up years later?
A - That’s an argument I’ve heard a bunch of times, and it’s probably best answered by sociologists who can maybe look back and see what precedent is there. I mean, rock ‘n’ roll changed values, but it was more of a collective thing than individuals painting their own rebellion on some public forum; it was more anonymous. I’ve joked around saying we’ve lost an entire generation of electable public servants.
I don’t know; maybe [a value shift] is going to happen, but I’d like to assume a more conservative approach and say that isn’t necessarily going to happen, and try and take some steps to minimize the damage.
Q – What can the tech community do better to equip us against invasion of privacy? Is the tech sector taking enough responsibility, or is it hiding behind the idea that technology is neutral in order to avoid dealing with this?
A - I guess I have two perspectives. One is from working for a company whose core mission was to protect privacy, and we went to extreme lengths to have people not only trust us, but trust that the products didn’t have back doors to the government; that it was an encryption product that allows you to securely communicate over the internet. That was PGP (Pretty Good Privacy), which was then acquired by McAfee a bit later.
There is definitely a population in the market that cares very intensely about these issues, and is very, very active in promoting that; the problem is, they’re largely considered kooks and paranoids.
The mass market doesn’t understand or care enough, and I think, like everything else in our society, no one really does anything until there’s a disaster. We’ve had some pretty big blow-ups in terms of credit card thefts and large institutions being hacked.
The content that we’re all publishing up there, and the information that hackers have the potential to harvest about us, is kind of a ticking time bomb. And identity theft is likely only going to get worse unless this authentication problem, that relies on user names and passwords, is solved in more efficient and effective ways.
I’m not optimistic that companies have the market pressure required to change, because security and privacy from a product feature perspective are extremely hard for a user or customer to define. “Would you like security? Yes, please,” and if you go a level deeper than that, and say, “Well, what threats do you want to defend against; what’s the threat model we want this product to be robust within,” it’s, “You lost me. I just want it to be secure; I don’t want to be hacked, and you smart guys will go and figure that out.”
Which leaves commercial pressures, and I think you see this with Facebook and Google – the privacy commissioner, in the conversations I’ve had with her, said when she presses them on issues about protecting privacy more rigorously, they say, “Well, it’s impossible; we can’t innovate and do that at the same time; what you’re asking for is not technically possible”, which is all B.S. The reality is, they have a roadmap of features that they want to aggressively pursue, and those features are dictated by market pressures and strategic goals they have for the product.
If security and privacy are not core to that, it’s going to be back-burnered or done to some minimal level that they can say with a straight face, “Oh sure, we take privacy seriously.”
That’s where legislation comes in, and the EU, and Canada’s privacy commissioner, are serious about having the control for consumers in how the information they share with these companies is managed, and what happens when they decide they want that information to be removed.
That’s the type of thing where no company is going to say, “We will guarantee we will wipe everything; you want to quit from us so we will make it easy and no hassle and you can download all your stuff to your own archive and we’ll delete it.” They’re not going to do that of their own volition, because it’s completely opposed to their business model, which is, more people, more connections, more stickiness. So, if it’s a legislated thing, that’s different.
Q – Do you see a bigger market in privacy protection as awareness increases and mobile devices become more and more sophisticated?
A - Absolutely. Security has been one of the most recession-proof, highest-growing markets in technology.
As we become more connected and more things move from the physical to the virtual, all the implications of securing that become real, and businesses are better at doing enterprise products like security much more seriously.
Companies like Lockheed Martin and Bank of America, they don’t look at security as a privacy issue; they look at it as a brand-protection issue; you know, “We have to secure our bank records; we have legislative penalties if we fail to do that; we have obvious brand tarnishing; if our customers don’t have faith that their financial records or health records are secure, we will be out of business.”
Enterprise technologies are much more evolved in that regard; where I feel more concern is on the consumer side, where they don’t have the same pressures.
Q – What do you see the username/password regime evolving into?
A - Biometrics have given some useful paths to proceed down. I predicted a long time ago that eventually, every computer or mobile device would come with a thumbprint reader that could be used to authenticate the user to the system, and ultimately, online.
The fact that hasn’t happened yet is that hardware still hasn’t become cheap enough to put it everywhere, or that the user experience is not polished enough where the PC companies and mobile companies feel it’s worth the hassle.
Like most things in security, the underlying math, the crypto, is a solved problem. We’ve had great algorithms and we continue to evolve them as processing power increases. The fundamental stumbling block to most consumer security has been the user-involvement piece; how much user involvement do we want to have, or need to have, while still maintaining security.
That’s not a minor issue. I’ve seen that being one of the most difficult things to get right, because if your security is completely invisible, which is your support/IT guy’s dream come true, and the users don’t even know it’s there, there are often real compromises in the quality of the security you get with that.
You’re not actually authenticating the person; the person is authenticating to the system. If you can make that authentication as simple as sticking your thumb on a device and getting a green light, then hey, that’s pretty transparent. But the rolling out of that technology, and that provisioning the user the first time, getting that thumbprint and being able to use that as the baseline for future authentications and all that, probably are the biggest stumbling blocks.
It’s the same with encryption keys. The underlying encryption can be made completely transparent, but the key management becomes the fundamental stumbling block. If you need to keep copies of the keys in case someone gets fired, quits or gets hit by a bus, what are the privacy implications of that?
There are technologies; it’s a question of getting the user experience right. Even Apple, in all its user-experience magnificence, really hasn’t done a whole hell of a lot to ease the pain on that side of things. I’m sure if there was a company on the planet that could do it or would do it, it would be Apple.
Q – Which brings us to RIM. Will BlackBerry’s security infrastructure become an increasingly important competitive advantage?
A – Yes. I think RIM has deep resources and deep capabilities that other providers are way behind in; the fact that they have been certified for so many different government uses and military uses, and their architecture from the get-go was designed knowing that for them to be successful in large enterprises, security had to be there.
Nobody in their right mind in the early days of mobile was going to let a back door into their enterprise networks exist without having extreme confidence in the architecture and the robustness of the security authentication and encryption.
So that’s something they’ve done very well and continue to do well; how that gets leveraged to the consumer market, where mobile devices have shifted…market pressures have, I think, diminished the value placed on security in some segments.
I suspect there are going to be some real embarrassments caused by that, at least in the Android world.
Apple’s walled garden is still pretty well-curated in terms of malware; they see their garden as weed-free and they want to keep it that way. Android, their approach is entirely different. It’s “Hey, you know, build an app and drop it into the marketplace and the community will decide if it’s a legit app or not.”
Q – Does Waterloo Region’s tech community have a particular role to play in this?
A - I think Waterloo, as much as it’s a mobile centre of excellence, is also starting to get a pretty great reputation globally for security. We’ve got some pretty neat security startups; we’ve got McAfee’s core R and D team for consumer products in Waterloo; we’ve got the Institute for Cryptographic Research at UW; lots of smart, big-brained mathematicians coming out of there with interesting underlying algorithms and technologies to help solve the problem at the lowest levels.
But it’s an area where innovation is still much needed, and the smart people that we have in the area will hopefully watch carefully to see what opportunities the problems in social media are creating in terms of privacy, and build some new products around that.
Part I in an ongoing interview series. Next: Jennifer Stoddart, Canada's privacy commissioner