What would a law about big data say?
After participating in the Privacy Commissioner of Canada’s consultation on consent, and reading the Ontario privacy commissioner’s reflection on the drivers for legal change, I can tell you that it won’t be easy.
I will be writing about this shortly; for now, I will simply ask the question.
It is the digital age, and there is a new type of warfare. Cyberwarfare refers to the use of modern technologies and software to mount politically motivated attacks against information systems; in the past, it has successfully brought down websites, networks, services, financial systems, data warehouses, and more. It is increasingly used by nation states, terrorists, extremist groups, “hacktivists,” and other criminal organizations as a method to create disruption or damage.
Politics and geopolitics have moved online. Many of the revolts and international headlines we read today involve some aspect of the web, whether directly or indirectly. Digital media can be used by governments to repress citizens in countries such as China and Saudi Arabia; they can organize and raise awareness for national or political uprisings, as in the Arab Spring; and they can be used to access and release confidential information, as happened during the US presidential election. Cyberterrorism, cyberwarfare, and cyber espionage have become some of the most pressing national and international issues.
- Sochi Olympics, 2014: Athletes’ cell phones were compromised within minutes of landing at the airport
- Viber, WhatsApp, Twitter, and other apps are commonly used to locate terrorist targets in Syria. As a counterpoint, recruitment for terrorist groups such as ISIS is largely done online as well.
- Saudi Arabia: bots and humans are used to broadcast the government agenda, and religious or political dissent has led to bloggers being flogged and sentenced to prison
- Kuwait enacted mandatory DNA collection from citizens to build a national genetic database
- China and Russia are actively working on their own private internets
Trying to control the cyber landscape is near impossible. For instance, the sheer number of mobile applications designed for everything from communications to social media to fitness tracking make up a global marketplace that isn’t ready for innumerable threats. Individuals disclose their personal information across multiple platforms and apps that provide vastly different levels of privacy and security.
Did encryption protect Google and Yahoo against NSA snooping? Simply not. Was the NSA protected against data extraction by an ‘authorized’ user who threatened the nation’s security? Not really. Hence we say that even the best encryption ceases to protect data at the first authorized access.
Governance Analysis is a logic-based, computer-assisted framework for validating the legal compliance of enterprise governance models. This framework is intended to help check whether governance systems are consistent with the law. My approach to Governance Analysis includes legal and enterprise models, a governance analysis method (GAM), a governance analysis language (GAL), and an implemented governance analysis tool (GAT) (see Publications). GAM consists of extracting legal requirements, translating them into GAL statements by using patterns, and then translating those statements into a logic model for consistency checking.
The GAM, GAL, and GAT evolved as a result of their application to governance laws related to privacy and financial management. The method’s main processes were validated through application to Canadian and US laws (mainly PIPEDA and Sarbanes-Oxley) combined with various examples taken from enterprise systems.
Governance Analysis begins with an extraction process, which uses patterns to match legal and enterprise requirements. Next, the representation process maps extracted requirements to GAL statements. The generation process takes as input GAL statements to generate a logic model, and the Alloy logic analyser is used to check legal consistency. Three legal compliance validation techniques can then be applied: model, ontology, and scenario checks (see What are the Methods for Validating Legal Compliance?). Model checks validate the combined legal and enterprise requirements for logical consistency; ontology checks validate the enterprise structure and process; and scenario checks validate enterprise scenarios.
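As an added illustration of the model-check step (this is not GAL, nor output of the GAT tool described above): a small Alloy model in which a PIPEDA-style consent requirement and an enterprise marketing process are combined, and a `check` asks Alloy for a scenario in which the enterprise violates the requirement. The signatures, purposes and the process are constructed for this example.

```alloy
-- Added example: legal and enterprise requirements combined in one Alloy
-- model, then checked for logical consistency. Constructed for illustration.

abstract sig Purpose {}
one sig Billing, Marketing extends Purpose {}

sig Individual {}

sig PersonalInfo {
  subject: one Individual,
  consentedFor: set Purpose     -- purposes the individual consented to
}

sig Process {
  uses: set PersonalInfo,
  purpose: one Purpose
}

-- Legal requirement (abstracted consent rule): personal information may be
-- used by a process only for a purpose the individual consented to.
pred LawfulUse[p: Process] {
  all i: p.uses | p.purpose in i.consentedFor
}

-- Enterprise model: a marketing campaign that reuses every record that was
-- collected under billing consent, regardless of marketing consent.
one sig MarketingCampaign extends Process {} {
  purpose = Marketing
  uses = { i: PersonalInfo | Billing in i.consentedFor }
}

-- Model check: every enterprise process satisfies the legal requirement.
assert EnterpriseIsCompliant {
  all p: Process | LawfulUse[p]
}

-- Alloy searches for a counterexample within the given scope. Any record
-- consented for Billing but not Marketing yields one: the concrete scenario
-- that threatens legal compliance.
check EnterpriseIsCompliant for 4
```

Running the check in the Alloy Analyzer produces a counterexample instance; removing the conflict (for example, restricting `uses` to records with `Marketing in i.consentedFor`) makes the assertion hold within the scope.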
These Governance Analysis techniques have proven to be useful not only for identifying conflicts between laws and enterprise governance models, but also for identifying the specific scenarios in the enterprise that threaten legal compliance.
Recently I have been working on a formal framework for evaluating the maturity of de-identification services within an organization. The framework gauges the level of an organization’s readiness and experience with respect to de-identification, in terms of people, processes, technologies and consistent measurement practices.
The De-Identification Maturity Model (DMM) is used as a measurement tool and enables the enterprise to implement an empirically-based improvement strategy.
The DMM was published under the auspices of Privacy Analytics, a leader in de-identification technology solution delivery. Alternatively, the article can be downloaded here: DMM, Khaled El-Emam & Wael Hassan. A one-page DMM Summary is also available for download.