Having grown up in Germany, I am well acquainted with “Datenschutz” or literally “data protection” – a set of attitudes, laws and regulations around how companies should deal with data collected from individuals. In the wake of the NSA disclosures there has been a lot of debate about how to further strengthen these protections. Much of this is well meaning but it seems to me a classic case of the road to hell being paved with good intentions.
We can never perfectly protect data nor should we try to. Perfect data protection is a physical impossibility – even black holes radiate, as Stephen Hawking famously showed. Yes we can encrypt data as it travels over the network or is stored on disk. And yes, we may even be able to compute on data while it stays encrypted (the marvel of homomorphic encryption). But that does not really solve the issue – it merely shifts it to the new issue of the management of keys, which are themselves data that need to be kept somewhere.
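To make the "keys are themselves data" point concrete, here is an added example (not code from the original post) of the envelope-encryption pattern most systems use: records are encrypted under a data encryption key, that key is wrapped under a root key, and the root key is plain bytes that have to sit somewhere readable (a config file, an environment variable, a key-management service or a hardware module). Assumptions: the cipher is a stand-in built from the Python standard library (HMAC-SHA256 in counter mode with encrypt-then-MAC) so the snippet runs offline; a real deployment would use AES-GCM from a vetted library. The sample records are constructed, not real patient data.

```python
"""Envelope encryption toy: a data encryption key (DEK) protects the records,
a root key wraps the DEK, and the root key itself is just bytes that must live
somewhere in plaintext. Cipher is a stdlib stand-in (HMAC-SHA256 counter mode,
encrypt-then-MAC); use AES-GCM from a real library in production."""
import hashlib
import hmac
import os
from typing import Optional

NONCE_LEN = 16
TAG_LEN = 32  # HMAC-SHA256 output size


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive independent encryption and MAC keys from one master key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter mode: PRF(nonce || counter) blocks concatenated to the needed length.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Checks the tag before touching the ciphertext; raises ValueError on a wrong key or tampering."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def store_records(root_key: bytes, records: list) -> dict:
    """What ends up on disk: the wrapped DEK and the encrypted records, no plaintext."""
    dek = os.urandom(32)
    return {
        "wrapped_dek": encrypt(root_key, dek),
        "records": [encrypt(dek, r) for r in records],
    }


def read_records(root_key: bytes, storage: dict) -> list:
    """Whoever holds the root key unwraps the DEK and with it every record."""
    dek = decrypt(root_key, storage["wrapped_dek"])
    return [decrypt(dek, blob) for blob in storage["records"]]


def attacker_outcome(storage: dict, leaked_root: Optional[bytes]) -> str:
    """A stolen disk alone yields ciphertext; a stolen disk plus the root key yields everything."""
    if leaked_root is None:
        return "ciphertext only"
    try:
        n = len(read_records(leaked_root, storage))
    except ValueError:
        return "ciphertext only"
    return f"all {n} records recovered"


if __name__ == "__main__":
    # Constructed sample data, not real patient records.
    root = os.urandom(32)  # in practice: a config file, a KMS, or a TPM/HSM
    patients = [b"patient=A;dx=constructed", b"patient=B;dx=constructed"]
    disk = store_records(root, patients)
    print(attacker_outcome(disk, None))   # ciphertext only
    print(attacker_outcome(disk, root))   # all 2 records recovered
```

The hierarchy ends where `root` is born: moving it into a hardware module changes who can copy it, not the fact that some component must hold it in usable form. That is the recursion the paragraph describes, and it is why a leak of the root (or of the process that is allowed to use it) is a leak of every record at once.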
So in the end, there will always be leaks of data. Whether that’s because someone broke into the system and copied the keys, or socially engineered their way into the system, or intercepted the data at the point where it is decrypted and presented to end users (which is the hole in all cryptography just as it is in all DRM) doesn’t matter. It is not a question of if a million patient records will be leaked. It is a question of when.
Does that mean we shouldn’t encrypt at all? No (at least not for now and probably not for quite some time). We tend to lock the front doors to our homes and close the windows while we are away. That to me is the equivalent of practices such as connecting to your bank, or email, or healthcare over an encrypted connection. We are making it just hard enough so that economic conditions, social norms and laws and their enforcement can do the rest. I am listing a whole bunch of different things here because they all work together to give us the relatively low property crime environment we currently live in.
Let’s come back to the road to hell part of data protection. Why and how could more data protection come to hurt us? First, by messing up the Internet. I was surprised to hear a member of the Chaos Computer Club endorse European data domicile regulation. This re-imposes the old geographic boundaries and divides on the Internet and thus reinforces existing political power structures rather than disrupting them.
Second, by providing an argument for and movement towards “trusted chip” architectures – the idea that, in order to solve the infinite recursion of keys being again just data that needs to be stored somehow, we will store the keys in hardware that we can trust. That too has a way of concentrating instead of diffusing power. Why? Because it is exactly what is necessary for hardware to be locked down and for vendors to control what you can do on a device that you have purchased.
Third, it further cements existing information asymmetries. Companies and governments that already have a lot of secrets will find it easier to keep them instead of harder. Somehow the proponents of these new rules seem to ignore that these will also help to better protect corruption, abuse of power, etc.
Fourth, it takes our eyes off the ball from everything that could be gained by sharing more data and from creating the economic and social conditions, plus laws and regulations, that would enable more, rather than less, sharing. Let’s look at medical data for a moment. At a time when my medical record existed as a paper file, two things were true. First, it was relatively easy to physically protect my file by literally locking it up. Making copies was a physical activity that required access. So the cost of protecting it was small. Conversely, there was very limited upside to sharing it. Why? Because there was no easy way to get the world to look at it – I could physically bring it or mail it, but only to a known group of people. So it made perfect sense to try to keep medical records private.
Now the situation is reversed. Protecting the digital file is hard (impossible) and very costly. But the potential upside from it being public is huge. A disease might be diagnosed, or a treatment proposed, by a doctor (or someone else) whom I have never even heard of before! And a large public collection of healthcare records would enable rapid advances in medicine for everyone. In this new world we should want to publish our medical information.
So then why are we so afraid of our medical records being public? Because right now we look at it at best as a potential source of embarrassment and at worst as a threat to our livelihood, as we might lose our job or access to healthcare. This is what we really need to be working on – creating the social norms, economic conditions and laws and regulations that remove the stigma and the threat. We need to focus on protecting people from the potentially negative consequences of data about them, not on working harder and harder to protect their data.
None of this will happen overnight. It will take us a long time to go from our current culture, society and economy to one in which some or all of us freely share our healthcare data and reap the benefits for all of humanity (instead of for a few large pharma companies with the power and wherewithal to buy all the data they need). And we shouldn’t force people into either. That’s why we need some level of encryption, at least for now.
PS Tech Tuesday will resume next week.