“The issue of security and privacy is the defining issue of our age,” said Art Coviello, former executive chairman of leading digital security firm RSA, adding, in ominous tones. “Whether we can solve it or not will determine if we are masters of the digital [era] or are its victims.”
For every great advance of human society, there is risk and arguably a price to be paid. The price we pay today for the convenience of our connected world is that of our privacy. It is astonishing how quickly we have become conditioned to the notion of sacrificing privacy in exchange for convenience, or merely entertainment. We think nothing of sharing our thoughts with a connected world of billions, or of allowing Internet service providers to trawl our emails and to profile our likes and dislikes, packaging our identities for sale to eager marketers waiting to bombard us with advertising at every click.
To a large extent we’ve become either immune to such annoyances, or have pushed them to the back of our minds. But we are now on the verge of a new era in our digital evolution, one in which our privacy becomes not just a bauble to be casually traded for trinkets, but quite literally a matter of life and death.
The Internet of Things (IoT) will bring about changes to our society at least as profound as those brought about by the dawn of the connected world. In the near future, the Internet will touch every aspect of our lives in a far more intimate way than it does at present. As soon as we start to trust our lives to driverless cars and our medical well-being to machines, we will have crossed a line, making privacy less a question of personal choice and more one of necessity.
Take healthcare for example. Between 2010 and 2060 total European government spending on pensions, health care, long-term care, unemployment benefits and education will increase by approximately 20 percent or 4.1 percent of the EU’s GDP, but the costs of long-term care will double. The European Commission estimates that the development of ICT and telemedicine alone could improve the efficiency of long-term health care by 20 percent. The global telecare and telehealth sector is expected to be propelled from its current $8.5 billion to $19.7 billion over the next decade.
Stolen medical data, which can be used for identity fraud, insurance scams, and even blackmail, is already big business for criminals. A recent article in Forbes magazine quotes Theresa Payton, CEO Fortalice Solutions and former White House CIO, as saying: “The IDC’s Health Insights group predicts that 1 in 3 health care recipients will be the victim of a health care data breach in 2016. My prediction is that credit card data will decline in value on the black market … [and criminals] will mine the health care industry’s data to steal patient records and personally identifiable information to commit health care fraud.”
Another example of how criminals are targeting people’s well-being and long-term security is the wave of conveyancing fraud currently sweeping the UK. By compromising unencrypted email communications between real estate lawyers and their clients, crooks are able to intercept big-ticket property transactions, diverting funds — six figure sums in many cases — into their own bank accounts. Since the first reported case less than 18 months ago, incidents of conveyancing fraud have been growing at an alarming rate. The UK police’s National Fraud Intelligence Bureau reported that by last autumn, new cases were arriving at the rate of around two a week.
End-to-End Encryption Thwarts Multitude of Crimes
Such cases as these are pushing organizations and individuals to find answers; and for many that answer lies in the strong encryption of personal data and communications. Encryption has been associated in the minds of many with society’s undesirable elements—those with something to hide from law enforcement. Today that same encryption technology is now coming to the aid of the law-abiding as well. Conveyancing encryption secures sensitive data so that it cannot be intercepted, accessed or stolen. Currently, it’s estimated that only 5 percent of the world’s most sensitive personal information is protected by encryption, either when it’s at rest on computer hard drives or in transit via messaging systems. Data includes not just documents and text-based communications, such as instant messaging and emails, but audio and video communications as well. In the context of telecare, for example, this lack of security could expose a patient’s private medical consultations, as well as their records, to interception and eavesdropping.
End-to-end encryption of all communications and streaming data is a proven strategy against data breach. Yet, of the many products on the market, most fail to adequately address the problem because they encrypt only selectively and at certain stages of data transmission from source to destination.
Some messaging products, for example, encrypt data between the client and server, but not on the server itself. Given that a large proportion of data losses occur when data is lost or stolen from within an organization, this represents a major security weakness.
Most systems do not even offer secure video and audio capability, potentially allowing criminals to eavesdrop on private communications such as telecare consultations between doctor and patient. Last year in the United States, 111 million health records were compromised—almost 35 percent of the population.
Data security, trusted identities and privacy are absolutely vital if we choose to live in a connected society. Not just in telecare and financial services, but across every aspect of our daily lives. That’s why encrypted messaging has now become the norm rather than the exception. But people may find the idea of entrusting extremely sensitive data to sit within a third-party’s servers unsettling.
Encrypted Messaging Ramps Up Protection
One answer is to implement private, closed network encrypted messaging solutions that do not require the involvement of any third party. In this scenario, an organization runs a standalone version of the messaging application on its own in-house server, issuing “licenses” to its employees. This creates a totally secure communications ecosystem in which the company maintains physical as well as digital security over all its data. In such a system data is end-to-end encrypted, which means that without the necessary key, data access is impossible—even if someone physically stole the server, they would not be able to read the data stored on it. The encryption also extends to video and audio communications, which then become impossible to eavesdrop.
Of course, like an internal phone system without an external line, such a system would be of limited use for businesses and organizations that need to interact securely with others. In such a case a free application could be made available for all major platforms, enabling a company to create a completely secure communications channel with anyone outside the organization.
Such a system is currently being trialed at a leading real estate law firm in the UK. The firm is running an on-premise messaging system on its own server. Sensitive legal and financial data is stored encrypted. Conversations with clients, which used to happen via email, now take place via an encrypted messaging channel to which only the two parties have access. Not only can both parties be confident that nobody is monitoring the conversation—even if it’s taking place over a compromised network connection—but that the person they are communicating with is who they say they are. In this way, it is impossible for the conveyancing fraudsters to fake bank transfer instructions. For the legal firm, the ability to offer its clients protection from conveyancing fraud gives it a competitive edge over its rivals.
A connected world requires us to be able to trust the identities of those we interact with, and the confidentially of those interactions. This is equally important for the next generation of IoT devices that we’ll be relying on more and more in the future. Encryption of communications and vital data must be a component of that trust relationship as it provides the only practical means to guarantee the identities and privacy of the individuals concerned. Without security and without privacy—as Art Coviello warns—we will be in a very dangerous place indeed.
(Top image: Courtesy Getty Images.)
This piece first appeared in BRINK.
All views expressed are those of the author.