Would you know if somebody had been sleeping in your bed or eating your porridge? When it comes to data security, the real threat comes not only from somebody breaking the door down but also from stealth and charm, as in the fairy tale of Goldilocks and the three bears.
With two major data security issues in the news currently, it is worth revisiting the story to discover what it might be able to teach data professionals, not least because the modern, cleaned-up version, in which Goldilocks is a beautiful young woman worthy of the bears’ pity, hides an older, more telling story about an intruder who gains access to and use of the bears’ property before stealing away unseen.
Apple currently finds itself confronting the FBI in the US courts because it has chosen not to have a key to the lock placed on its iPhone. As a result, it has no way as a company to access data on any handset - a deliberate choice to place privacy above data access. By contrast, the FBI believes Apple should engineer a backdoor for security services to use in the event of a need to interrogate the user’s connections and data, as with the current case of two terrorist bombers.
In this example, Apple is saying it has locked the house and thrown away the key in order to guarantee the data security of the homeowner. If it had a skeleton key made, that key would potentially fall into the hands of bad actors, not just the white hats who are seeking a way in. The FBI might position itself as Goldilocks with a clear and present need to understand what has been going on inside, but letting the bureau in would weaken those defences against other, undesirable intruders. Arguments on both sides are raging within the information security world, especially among solution vendors, as they wrestle with the ethics of double blind encryption.
In the UK, meanwhile, GCHQ has had to step in to raise the encryption level being used for smart meters. Under the existing programme, all 55 million meters planned or installed would share a single key that would unlock access not only to the smart data they generate, but also to their operation.
What spooked the spooks was the possibility that a hacker could find the key and gain control over the lights in every UK household fitted with a smart meter. That is like the bears putting a lock on their house which is the same as every other lock in the forest - a rogue Goldilocks who worked out how to pick it would be able to get into everybody’s home.
What these examples show is how data security is not a simple issue that can be resolved with a one-time fix. It requires ongoing investment and innovation, mapped against both user experience and wider social/legal needs. Apple clearly never expected to be arguing on behalf of the privacy of terrorists (as the right-wing US media view it) in order to sustain the wider position that everybody’s iPhone data should be beyond all third-party access.
Equally, the three bears did not expect to find their porridge eaten and their beds slept in. For data security professionals, that is probably the most telling part of the story. It is not just about the lock on the door; it is also about spotting suspicious activity as quickly as possible.