Seeking the Holy Grail but Finding New Pandora’s Boxes: Confidentiality and International Security

Machine learning, neural networks, big data, the Internet of things and other contemporary digital technologies are based on collecting and processing of large amounts of data. Organizations and governments using such technologies often ignore issues of confidentiality in their quest for new data. Sophisticated mathematical models allow businesses to tailor advertisements to individual people and enable politicians to target their campaigns at specific groups of the population.Increasingly, we observe not just individual “intrusions” into people’s privacy, but also the direct manipulation of personal data.

Many security threats and common technical risks to confidentiality have two key underlying reasons. First, objects of digital technology have limited resources in terms of energy consumption, memory capacity, computing power and so on. Second, the lack of uniform security requirements, as well as the broad range and great diversity of protocols, complicate the preservation of data confidentiality throughout the life cycle of digital technologies.

The rapid development of new international and cross-border digital business models results in personal data becoming a valuable commodity (“the new oil”). National economies and the international economic space do not have absolute immunity to copyright and intellectual property violations, whereas the specific nature of data and information confidentiality makes some states more vulnerable than others that enjoy a digital advantage. In this stalemate situation, corporations and individual governments benefit the most from storing, processing and analysing sensitive data, while citizens grow dependent on services provided by foreign companies.

Unfortunately, due to the large number of factors and discrepancies, as well as the personal, corporate and other interests of influential players, a uniform approach to settling the confidentiality problem at the international level is not likely to emerge in the foreseeable future.

The status of confidentiality in the context of international security is ambiguous: on the one hand, governments, corporation, and ordinary citizens do not want their secrets to become known to other people, while on the other hand, they want to know other people’s secrets, even if they publicly state the opposite.

When digital technologies are used in critical infrastructure, the use of resources, solutions or services provided by foreign corporations brings to the fore issues not only of personal privacy, but also of the country’s stability and sovereignty, seeing as this process places significant leverage in the hands of foreign investors, shareholders and governments.

Digital technologies have significantly changed both our personal lives and the way states are governed. This technology is based on, and consumes, data about us. We can state pessimistically that “Pandora's box” has been opened wide. We can no longer do without digital technology. At the same time, we cannot continue to “do business as usual” and ignore the fact that losing control over new technologies has come to mean losing control over our own lives. The number of changes caused by digitalization is growing. Working out systemic approaches to the problems of personal data and confidentiality in the digital world is necessary if we want to regain control over digital technologies, as well as over our own lives (which no longer means merely our online lives).

We all know, or suspect, that confidentiality is important: no one wants their personal, sensitive information to become public. However, at what point does data confidentiality cease to be our own personal business and become a matter of international security, a focus of national or international agendas?

Pavel Sharikov
Protecting Sensitive Data: The Experience of Russia and the US

There is currently no common notion of privacy, but there are many interpretations of the concept, and subjective views play an important role here. In this sense, we will hardly be able to agree on a universal definition [1]. Those of us who grew up in the era of social networks and widespread access to the internet, those who essentially spend their lives online, have their own perceptions of privacy, personal data, the boundaries of private life and so on. Our understanding of threats is often delayed in time, such as when previously generated information begins to be used against its owner (for example, in smear campaigns aimed at searching for “dirty laundry,” including past dubious activities and statements on the internet). Reinterpreting the concept of personal privacy may result in the idea of private information losing its meaning, because more sensitive data (such as a person’s sexual orientation, relationship status, etc.) are available on social networks and other digital platforms.

Machine learning, neural networks, big data, the Internet of things (IoT, [2] which includes the smart city and smart car concepts, automated buildings and homes, as well as various devices and gadgets) and other contemporary digital technologies are based on collecting and processing of large amounts of data. Organizations and governments using such technologies often ignore issues of confidentiality in their quest for new data [3]. Sophisticated mathematical models allow businesses to tailor advertisements to individual people and enable politicians to target their campaigns at specific groups of the population. Increasingly, we observe not just individual “intrusions” into people’s privacy, but also the direct manipulation of personal data.

One way or another, modern digital technologies fit into the concept of digital transformation. The positive impact of digital transformation on human development depends on the safety and security of the digital environment [4]. Many politicians, governments and international organizations, unless they are confirmed “luddites” when it comes to digitalization, manifest a fairly positive attitude towards building a development potential for the relevant resources, organizational, legal and institutional mechanisms. Ultimately, they are prepared for profound social, economic and political transformations, hoping to benefit from them. However, as the concept of privacy becomes increasingly eroded, the prospects of qualitative positive change begin to appear dubious. If we look at the famous CIA information security triad (no matter how ambiguous it may sound [5]) of (1) confidentiality, (2) integrity and (3) availability, then regulating confidentiality issues may appear to be nothing short of the cornerstone of a developed state’s national interests. In this sense, confidentiality is perceived not only as an issue of access to sensitive information, but also as an issue of control over the content, storage operation and availability of information and data.

Threats to Confidentiality: Technological Aspects

Many security threats and common technical risks to confidentiality have two key underlying reasons. First, objects of digital technology have limited resources in terms of energy consumption, memory capacity, computing power and so on [61]. Many security protocols (for example, Transport Layer Security [TLS] or Internet Protocol Security [IPsec]) are capacity hungry and cannot be implemented with platforms and services with limited resources. The insufficient implementation of security protocols can compromise confidentiality (including data leaks, eavesdropping, unauthorized surveillance, etc.). Second, the lack of uniform security requirements, as well as the broad range and great diversity of protocols, complicate the preservation of integrity throughout the life cycle of digital technologies. This could result in physical damage (for example, a road accident involving a smart car), financial losses (such as bank accounts getting hacked into and stolen from) or confidentiality breaches during operations with user data (such as massive leaks of personal data). Such consequences directly threaten the national security of individual countries and have repercussions for international security.

Let us consider a specific example of a foreign manufacturer using a cloud computing solution in the healthcare sector. There are studies describing successful attacks on insulin pumps containing confidential customer information [7]. Such attacks certainly present a technical threat to the security of personal data. If the medical records of clients around the world who use insulin pumps is concentrated in the hands of a single foreign organization, then a massive data leak may become a destabilizing factor in international relations. Those countries whose citizens’ confidentiality has been violated will try to do everything possible to protect those citizens, safeguard their reputation and exert influence on the foreign organization in question.

Another example of a country’s scientific and technical development and the threat of foreign technology both playing an important part in providing confidentiality is the case of Huawei Corporation, which, at the very least, has complicated China’s relations with the United States and its allies.

Against this background, the plans of the Moscow city authorities to equip the metro system with Chinese-made face-recognition cameras sound somewhat controversial. This effectively means that China will have a massive database of Moscow residents and visitors. The consequences of this are difficult to predict, given that research into the use of digital technology for purposes of transport safety indicates the importance of discussing and regulating the storage, distribution and availability of video surveillance data [8].

When digital technologies are used in critical infrastructure, the use of resources, solutions or services provided by foreign corporations brings to the fore issues not only of personal privacy, but also of the country’s stability and sovereignty, seeing as this process places significant leverage in the hands of foreign investors, shareholders and governments.

Threats to Confidentiality: Lack of Political and Legal Unity

The rapid development of new international and cross-border digital business models results in personal data becoming a valuable commodity (“the new oil”). In this sense, both an increase in a state’s competitiveness and the implementation of digital economy programmes must have confidentiality at their core. National economies and the international economic space do not have absolute immunity to copyright and intellectual property violations, whereas the specific nature of data and information confidentiality makes some states more vulnerable than others that enjoy a digital advantage. In this stalemate situation, corporations and individual governments benefit the most (both commercially and in terms of influence) from storing, processing and analysing sensitive data, while citizens grow dependent on services provided by foreign companies.

Against this background the Brazilian–German initiative entitled “The right to privacy in the digital age” adopted by the UN General Assembly in 2013 is a remarkable example of the international community’s response to a problem which, if ignored, is fraught with negative consequences. Unfortunately, due to a large number of factors and discrepancies, as well as the personal, corporate and other interests of influential players, a uniform approach to settling the confidentiality problem at the international level is not likely to emerge in the foreseeable future.

Maria Gurova
The XXI Century Gold Rush — Social Networks and Big Data

Another such example is the EU General Data Protection Regulation (GDPR) initiative, which aims to protect users from possible violations with regard to their data. That the need for ensuring proper confidentiality and data regulation is being recognized as both critical for the economy and as a socio-political attempt to address the potential risks of espionage (both commercial and inter-governmental), manipulation and abuse is a good sign. It can be argued that the initiative is not ideal and contains certain contradictions, but the document signals a readiness for a constructive dialogue with the professional community and the corporate world on this extremely complex problem.

Both governments and businesses involved in the creation of digital resources and technologies need to realise that ensuring confidentiality is a continuous process that requires input from all the parties involved [9]. Digital technologies should (and this is not a wish, but a necessity, including on the technological side) ensure security and confidentiality throughout the life cycle of products and services, irrespective of the region in which they are used. This implies continuous work on the part of the manufacturer to eliminate any defects, as well as the user’s observance of the rules of product use. For example, manufacturers need to update their products in a timely manner in order to address newly discovered vulnerabilities and provide a clear end-of-service strategy for each product so that it can be “discontinued” without disclosing confidential data.

Developing disclosure indicators for individuals and organisations will allow technology users to assess the risks associated with their decisions, while helping regulators to identify any abuses. Similarly, methods of predicting the service life of technological solutions and how companies work with confidential data will allow people (end users) to understand how their degree of risk exposure. There is also a need to develop usable privacy solutions, such as applications that analyse data collected by portable devices. Promotion of awareness and a conscious approach to data are the first, and most crucial, step towards addressing confidentiality problems.

Generally speaking, trite as this may sound, education (digital literacy, information literacy, etc.) is of critical importance: on the one hand, it helps users understand how to store sensitive information and protect their privacy, while on the other hand, it established uniform standards of privacy protection for developers, analysts at technology companies, and so on.

Threats to Confidentiality: A Subjective Prism

This paper does not discuss digital trust, subjective attitudes towards confidentiality and other problems pertaining to the domain of psychology. Let us consider the problem of insider threats that directly affect the already fragile international confidentiality agenda [10].

According to a Clearswift study, 58 per cent of all reported security incidents result from internal, or insider, threats to confidentiality coming from former or current employees. These threats are viewed through a three-dimensional prism of 1) the insider’s character (his/her psychology, individuality and personality, as well as workplace factors, etc.); 2) the characteristics of the organization (corporate standards, working atmosphere, the specifics of the organization, disciplinary and internal security regulations, employee competencies, hierarchy and responsibilities, etc.); and 3) the characteristics of the attack/threat (the technical content of internal information systems, as well as access to, and the analysis and storage of, sensitive data).

The significance of insider threats to international security is clearly illustrated by the high-profile case of Edward Snowden. The consequences of Snowden’s leaks are still being felt, and very painfully so by some countries. The radical transformation of attitudes throughout the trans-Atlantic space demonstrates an interest in discussing and addressing problems of data manipulation, in particular as applied to confidentiality. Apple and Facebook are actively advocating GDPR-style legislation, whereas U.S. Senators Elizabeth Warren and Amy Klobuchar call for revising approaches to confidentiality and controls over corporations’ handling of personal user data. The huge number of initiatives and public discussions around the world indicates concerns coming not only from users and society as a whole, but also from politicians and major corporations.

The status of confidentiality in the context of international security is ambiguous: on the one hand, governments, corporation, and ordinary citizens do not want their secrets to become known to other people, while on the other hand, they want to know other people’s secrets, even if they publicly state the opposite. Despite the popular notion that “data is the new oil,” information has, in fact, always been of great value. Indeed, the expression “knowledge is power” dates back more than 400 years. However, it is now that data is capable of reducing uncertainty and helping us to make individual and collective decisions on a scale never observed before. Digital technologies have significantly changed both our personal lives and the way states are governed. This technology is based on, and consumes, data about us. We can state pessimistically that “Pandora’s box” has been opened wide. We can no longer do without digital technology. At the same time, we cannot continue to “do business as usual” and ignore the fact that losing control over new technologies has come to mean losing control over our own lives. The number of changes caused by digitalization is growing. Working out systemic approaches to the problems of personal data and confidentiality in the digital world is necessary if we want to regain control over digital technologies, as well as over our own lives (which no longer means merely our online lives).

Works Cited

1. Shui Yu; Member, S, 2016. Big Privacy: Challenges and Opportunities of Privacy Study in the Age of Big Data. IEEE Access 2016, 4, 2751–2763

2. The term “Internet of things” is not fully formed, since it implies the use of a multitude of technologies, including wireless sensor networks (WSN), radio-frequency identification (RFID), machine to machine (M2M) communication, etc.

3. Meredydd Williams, Louise Axon, Jason R. C. Nurse and Sadie Creese, 2018. Future Scenarios and Challenges for Security and Privacy. arXiv:1807.05746 DOI: 10.1109/RTSI.2016.7740625

4. Patryk Pawlak, 2016. Capacity Building in Cyberspace as an Instrument of Foreign Policy. Global Policy Volume 7. Issue 1. February 2016

5. Cirani, S.; Ferrari, G.; Veltri, L. Enforcing Security Mechanisms in the IP-Based Internet of Things: An Algorithmic Overview. Algorithms 2013, 6, 197–226.

6. The ambiguity in this instance concerns the application of the triad by the CIS itself. On the one hand, the agency stresses the importance of observing the principles of confidentiality, integrity and availability when it comes to information security. On the other hand, the CIA in its operations frequently fails to observe all three principles. In other words, the CIA-devised “mandatory” triad does not apply to the agency itself.

7. Li, C.; Raghunathan, A.; Jha, N. K. Hijacking an Insulin Pump: Security Attacks and Defenses for a Diabetes Therapy System. In Proceedings of the 2011 IEEE 13th International Conference on e-Health Networking, Applications and Services, HEALTHCOM 2011, Columbia, MO, USA, 13–15 June 2011; pp. 150–156.

8. Bigo, D., Carrera, S., Hernanz, N., Jeandesboz, J., Parkin, J., Ragazzi, F., & Scherrer, A. (2013). Mass Surveillance of Personal Data by EU Member States and its Compatibility with EU Law. CEPS Liberty and Security in Europe No. 61, 6 November 2013.

9. Hezam Akram Abdul-Ghani and Dimitri Konstantas, 2019, A Comprehensive Study of Security and Privacy Guidelines, Threats, and Countermeasures: An IoT Perspective, Journal of Sensor and Actuator Networks

10. Jason R.C. Nurse, Oliver Buckley, Philip A. Legg, Michael Goldsmith, Sadie Creese, Gordon R.T. Wright, Monica Whitty, 2014, Understanding Insider Threat: A Framework for Characterising Attacks, 2014 IEEE Security and Privacy Workshops URL: https://www.ieee-security.org/TC/SPW2014/papers/5103a214.PDF