Is it Time to Rethink Security?

Until a couple of weeks ago, few people outside the wireless carrier industry had ever heard of Carrier IQ. Now this previously obscure company is leading the news, and not in a good way. Its software – installed in up to 140 million smartphones, including Android and Blackberry models – stands accused of reporting on users' text messages, keystroke by keystroke, without their knowledge.

Carrier IQ asserts that it was only recording usage metrics, but a company spokesperson acknowledged that it could "probably" read users' messages. Senator Al Franken is asking tough questions, and one law professor, former federal prosecutor Paul Ohm of the University of Colorado, argues that Carrier IQ may have committed literally millions of violations of federal wiretapping laws.

For anyone concerned about privacy or data security, these revelations point to issues that go far beyond the fate of Carrier IQ. Three basic realities need to be considered:

  • Information is everywhere. The moment you go online (or use any device that could go online) you are immersed in a sea of it, and everything you say or do online adds to it.
  • We need better control over data we regard as private. The inherent default state of online technology is that nothing is private.
  • We need to look at security from the ground up. Our existing tools and approaches are not sufficient.

As things stand now, the only way to fully ensure that confidential data remains that way is to never entrust it to any digital device. Even a device that is not connected to the Internet today could be connected in the future, exposing everything in its memory to being read.

But we neither can nor wish to go back to the pre-computer era. Which means that if we want to protect our data – and we do – we need to start thinking about security in a comprehensive way. Security is not just about shadowy cybercriminals. It is about managing the constant flow of data, and making sure it goes only where we want it to go.