Steven J. Ross, CISA
US News and World Report was forthright in pointing out the problem. Its article, under the headline "How Your Privacy Is Being Stripped Away," stated:
Many experts warn that high technology has put personal privacy on the endangered-species list. They say the flutter of [data] through a computer's electronic fingers [is] inexorably eating away at the last vestiges of that very American concept of being left alone… "Today, you don't need a central data bank with all the records collected in a single location," says Jerry Berman, Washington legislative counsel for the American Civil Liberties Union. "More and more computers are interactive, and they can talk to each other. Modern technology allows decentralization of data that can be reassembled with pushing a single button. What we are seeing now is new technology undermining the protections and producing results that Congress objected to strongly 10 years ago." [1]
Pretty scary stuff, especially if you believe that large organizations, whether corporate or governmental, already know too much about each of us. It is definitely worrisome to see how far the data collected on computers and networks have come toward violating our own sense of privacy, of limited access to information about ourselves.
It would be even scarier to contemplate if this article had not been written in April of 1984! Sixteen years have passed, and we still seem to be scaring ourselves with the same ominous specters. Sixteen years and we are still telling ourselves how bad it is going to be.
Now privacy is a considerable concern, and certain technological advances such as the Internet and data warehouses have raised the ante significantly. But the fact is that we lose the battle of raising the awareness of the people -- especially the people who can affect corporate decision making -- when they have the persistent and justified sense that they have heard it all before, and nothing has happened. We know the story of the little boy who cried "wolf!" so often that he was disbelieved when the wolf was in fact at the door. So the issue is not one of wolves, or privacy for that matter, but the credibility of little boys or, in this case, of security professionals and IS auditors.
This same story can be repeated with many other texts. The advent of the year 2000 did not end civilization as we know it; in fact, it barely had any effect at all. For all the havoc wrought by Melissa and ILOVEYOU, viruses have not ground the Internet to a halt. No one can point to viability-threatening losses caused by hackers. Despite urban legend, there are no verifiable stories of companies going out of business due to a fire in the data centers.
Of such denials are perpetually-cheerful Pollyannas made: The sun will come up tomorrow and we will all go to Big Rock Candy Mountain. No, I am not so naïve as all that. I am simply skeptical of predictions of dire consequences when these have not been the case in the past. I do not give much credence to the triumph of despair over experience. As with the privacy example given at the start of this article, the continuing focus on the terrible things that might happen obscures the fact that they have not happened. This thinking keeps the focus on the negative rather than the positive aspects of the systems in question.
Some people may believe that the corporations and governments collecting and storing data about us are vicious and corrupt, and perhaps in some lands this is true. I live in a Western democracy, and I simply do not believe that civilized nations are overrun with jack-booted thugs, or that sinister helicopters are massing to swoop down on harmless civilians, or that great dossiers of surreptitiously obtained data are being collected to manipulate our lives. More than a political statement, this is the viewpoint that I think must be brought to the discussion of the possible consequences of any security-related problem. The vulnerability should be discussed in the context of the positive benefits that were intended by the sponsors and developers of the system in question.
Using privacy again as an example, there is indeed ample evidence of inroads into many individuals' private information since the days when the US News and World Report article was written. But relatively few of these incursions have come about as the result of malicious snooping, of wiretaps or cloak and dagger passage of secrets. Most of it comes from people willingly and knowingly giving up information about themselves, in return for perceived benefits. In the world of e-business, so much a matter of concern for privacy advocates today, the benefits have come in the form of the hometown newspaper online, tailored lists of CDs to purchase, home delivery of medications or low-price stock trades. To be sure, the providers of these products and services gather personal information in search of higher profits (or market penetration), but these gains are intended to be made by providing a higher level of service, which results from knowing more about their customers.
That indeed is the internal correcting mechanism of the system. If vendors collect information to improve customer service and thus to make more money, then harming customers' interests will result in reduced revenues. Those who might violate privacy have an incentive not to do so. The recent saga of DoubleClick's difficulties with privacy issues is instructive. The online advertising company had intended to tie personally identifiable information to Internet users' online surfing habits by combining its data about Internet "cookies" with the personal information in the Abacus database, which it bought in November 1999. The resulting uproar that occurred in Internet time -- for those not familiar with the hip-hop lingo of the e-era, that means "very quickly" -- forced DoubleClick to halt their plans "until government and industry have reached a consensus on privacy rules for the Internet" [2]. Well, not really. What went unsaid is that there is a consensus, though not formally stated or easily defined. But the line definitely exists. DoubleClick found that they had overstepped it.
Once again, the issue is credibility. DoubleClick was not defeated in its plans by speculation about what might be, but by the market reaction to what they were actually planning to do. Their senior management was forced to listen to the mysterious voice of the people, or the press, or their e-mail; real indicators that management could understand and relate to.
Senior management does not react nearly as well to horror stories about the future, particularly when these visions do not coincide with their own lessons of the recent past. And especially when the implications of the story are that they should not carry forward plans that are considered beneficial to the company, its customers or both. Too many security professionals complain that management does not listen to them. Perhaps it is because when the security professionals explain that the wolf is at the door, management hears them crying wolf.
Endnotes
[1] April 30, 1984, pp. 46-8.
[2] The Center for Democracy & Technology, www.cdt.org/action/doubleclick.shtml
Steven J. Ross, CISA, is a director at Deloitte & Touche.
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
© 2000 ISACA. All rights reserved.