No Mr. Big Data Service Provider, You CANNOT Do That!

In a very interesting presentation at the 2015 ISC2 EMEA Congress in Munich, Dr Lucas Feiler posited that any big data analytics performed, whether internally or outsourced, is going to attract significant legal challenges related to privacy. And even if the challenges CAN be resolved, it will likely be in ways that make something of a mockery of the EU General Data Protection Regulation (GDPR)’s intent.

Getting around privacy regulations will involve token human interaction (i.e. smoke and mirrors) where none is desired. In areas that need to be dominated by AI and the resulting automated decisions (insurance, for example), adding the human element to avoid the appearance of prejudiced results will probably be standard until the algorithms become smart enough to be considered ‘reasonable’ (my absolute favourite legal term, right up there with ‘appropriate’).

Human interaction is not desired by those doing the analysis, mind you; we may think otherwise.

While not in place …yet, the European Council aims for adoption of the GDPR in 2017 and to have it in full effect after a “two-year transition period”. While 4 years may sound like a long time, when you consider the following statistics (taken from you can only imagine how difficult it will be to clean up the mess if organisations don’t start following the regulation now:

  • The data volume in the enterprise is estimated to grow 50x year-over-year between now and 2020
  • 35 zettabytes (that’s 35,000,000,000,000,000,000,000 bytes) of data generated annually by 2020
  • According to estimates, the volume of business data worldwide, across all companies, doubles every 1.2 years

Granted, the vast majority of this data will be in the form of cat videos and Kardashian tweets, but that still leaves an extraordinary amount of YOUR data sitting on servers just waiting to be mined, manipulated, and analysed in ways we cannot even imagine. We cannot imagine them because they have not been INVENTED yet, and that’s the Holy Grail for any organisation, and the impetus behind big data analytics in the first place: how to manipulate the data they have into the development of new revenue streams.

To put that another way: how to take the data they have on you already and present it back to you in a way that makes you spend more money.

I’m actually not against this per se, Amazon are already doing a mild version of it with their “Frequently Bought Together” and “Customers Who Bought This Item Also Bought” sections, but can you imagine how much data they have on their more than 1.5 MILLION servers across 17 global regions?

The card brands and Facebook can predict within a two week window whether or not you’re going to get divorced, how much other data do THEY have? Or Google?

But can the GDPR actually make a difference? Probably; it has a VERY big stick, and you know how lawyers love their class action suits!

Look at GDPR CHAPTER II, PRINCIPLES, Article 5 – Principles relating to personal data processing:

Personal data must be:

(a) processed lawfully, fairly and in a transparent manner in relation to the data subject;

(b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes; (…);

(c) adequate, relevant and not excessive in relation to the purposes for which they are processed (…);


…and now CHAPTER VIII, REMEDIES, LIABILITY AND SANCTIONS, Article 79a – Administrative fines:

The supervisory authority (…) may impose a fine that shall not exceed 1 000 000 EUR or, in case of an undertaking, 2 % of its total worldwide annual turnover of the preceding financial year, on a controller or processor who, intentionally or negligently:

(a) processes personal data without a (…) legal basis for the processing or does not comply with the conditions for consent pursuant to Articles 6, 7, 8 and 9;

If you LOSE personal data the fines can be as much as 5% of worldwide annual turnover.

Will that make a difference?

I hope so.



Can Too Much Privacy Actually Increase Your Risk?

My rather unusual theory, that too much privacy might actually reduce your security, stems from a few things:

1) Security is all about baselines, and anything that falls outside of those baselines should be prevented, or at least investigated;

2) Everything you do in life is based around one thing: your identity. Relationships, work, and everything you do over the Internet are a direct reflection of all the things that make you, you. It’s the AUTHENTICATION of your identity that enables your everyday actions online. It also exposes your data, and;

3) The one thing that has no place in proactive security, Big Data, actually has an enormous role to play in your privacy and the security of your identity. Somewhat counterintuitively, it’s the big data that provides the baseline from which your identity can be protected.

Most of us know that your spending patterns are what the banks / card brands use to detect potential fraud, but this data is only a small part of your identity, the sum of which includes (but is not limited to): your location, work history, financial history, family and friends, likes and dislikes, and pretty much everything you’ve ever posted online.

What if your identity could be profiled? Not in the negative way used to profile ‘possible terrorists’, but in a way that prevents someone else from being you. For example:

1) Why would you buy an international airline ticket if you don’t have a passport, or if you have never previously left your own country?;

2) Would someone start posting hate filled messages on FB /Twitter etc. if all they’ve posted previously are funny cat stories?;

3) Would someone change address and order new credit cards if nothing in their ‘profile’ suggested they were moving?;

4) Would someone go on a spending spree, when their ‘profile’ suggests a lifetime of frugality?;

…and so on.

The answer to all of these questions is maybe, and except for 2., they most certainly should not be stopped from performing these legitimate actions, but there COULD be a greater degree of due diligence on the part of the organisations fulfilling these requests to confirm identity first. This is only possible if they have access to a profile from which to make these necessary decisions.
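As an added illustration of the four checks above (not code from the original post), here is a small baseline-comparison routine: a constructed profile holds the slice of an identity an organisation might legitimately have, and each request either goes through as normal or is routed to an extra identity check. The profile fields, request kinds and the 3-sigma spending ceiling are assumptions chosen to mirror the examples in the text; out-of-baseline requests are flagged for verification, never refused.

```python
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import List, Set, Tuple

ALLOW = "allow"     # fulfil the request as normal
VERIFY = "verify"   # outside the baseline: confirm identity first, never refuse outright

@dataclass
class Profile:
    """Constructed baseline: the slice of an identity a fulfilling organisation could hold."""
    has_passport: bool
    countries_visited: Set[str]
    monthly_spend: List[float]   # recent months of spend, oldest first
    moving_signals: Set[str]     # e.g. {"mortgage_enquiry", "utility_transfer"}

@dataclass
class Request:
    kind: str                    # "intl_flight", "address_change" or "purchase"
    amount: float = 0.0
    new_cards: bool = False

def assess(profile: Profile, req: Request) -> Tuple[str, List[str]]:
    """Compare one request with the baseline; return a decision and the reasons behind it."""
    reasons = []
    if req.kind == "intl_flight":
        if not profile.has_passport:
            reasons.append("international ticket but no passport on file")
        if not profile.countries_visited:
            reasons.append("no previous travel outside home country")
    elif req.kind == "address_change":
        if req.new_cards and not profile.moving_signals:
            reasons.append("new address plus new cards with no signals of a move")
    elif req.kind == "purchase" and len(profile.monthly_spend) >= 3:
        mu, sigma = mean(profile.monthly_spend), pstdev(profile.monthly_spend)
        # floor the spread at 10% of the mean so a perfectly flat history is not hair-trigger
        ceiling = mu + 3 * max(sigma, 0.1 * mu)
        if req.amount > ceiling:
            reasons.append(f"spend {req.amount:.0f} exceeds baseline ceiling {ceiling:.0f}")
    return (VERIFY if reasons else ALLOW), reasons

if __name__ == "__main__":
    # constructed "lifetime of frugality" profile: no passport, no travel, ~200/month
    frugal = Profile(False, set(), [200, 210, 190, 205], set())
    for r in (Request("purchase", amount=230), Request("purchase", amount=5000),
              Request("intl_flight"), Request("address_change", new_cards=True)):
        print(r.kind, *assess(frugal, r))
```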

The profile does not have to contain all of your deepest, darkest secrets, but enough of your identity has to be available for organisations to make judgment calls. Yes, this could be used for targeted marketing (not everyone is covered by the GDPR), and yes, bad people will always find ways of using a ‘profile’ for more nefarious reasons, but we already HAVE many forms of profiling that we take for granted: credit scores, CV/resumes, social media content, circle of friends, clubs / associations and so on.

The use of these existing profiles for good and bad is not so much in the individual components as in the whole, and it’s one of the rare instances where the whole is in fact greater than the sum of its parts. However, the more information that’s out there, the safer the profile should be, due to numerous overlapping and cross-referenced checks and balances, all of which report back to you.

Of course, there will always be those who instantly assume this will become an Orwellian dystopia and move to a cabin in the woods, and there will be those who see it as a utopia and jump in head first. The answers for the rest of us lie somewhere in-between, and will evolve over time.

This generation is already making it happen in my opinion: with the prevalence of social media, entire lives are being documented online, and the apparent lack of common sense when it comes to posting compromising selfies suggests that our idea of what’s ‘private’ is not theirs. What my generation cares about cannot be forced upon the next, and our values cannot dictate how the next generation leads their lives, but what we CAN do is design an identity framework that turns privacy into what it’s always been: a form of ‘currency’ for which YOU need to take full responsibility.

Spend too much and you’ll have no identity to call your own, spend too little and you’ll be left behind.

What you want, and what we don’t currently have, is a choice.

[If you liked this article, please share! Want more like it, subscribe!]

The Future of Retail Payments (The Rise of the Service Provider Integrator)

[It’s clear that this topic has wayyyy too much material for just a blog, so at some point I’ll back this up with a white paper or some such. Please accept this as an amuse-bouche.]

Today, the savvy buyer does their homework on all major retail expenses, ensures they have the funds for it (debit or credit), and finds the best deal BEFORE buying.

The non-savvy, or impulse, buyer tends to get hosed, which may result in several things: the buyer either changes their mind and returns the item (and/or gets into financial difficulty), the merchant has a second-hand item to get rid of AND has the hassle of a charge-back, and the financial institution behind the payment runs the risk of non-repayment of the resulting bad debt.

While you’re never going to get away from consumers making bad decisions, you CAN level the playing field, and make the experience for all parties less risky, more efficient, and potentially cheaper all round.

Two of the challenges we face today are:

  1. The vast majority of new businesses in the payments space are innovators, and have a very narrow focus. i.e. see a need, fill a need from a niche perspective. So if you’re looking around for those types of services, you have hundreds of small organisations from which to choose, and you either gamble, or wait until the market settles down and risk missing out entirely on a potential competitive edge.
  2. Every player in the payments ecosystem is either a dependent, or in competition, leaving everyone worse off, especially the consumer. You just have to look at the number of e-wallets, coupons, or loyalty point systems to see that 99% of them are unsustainable. The corollary is that new innovations in the retail space are very slow to be adopted, if at all.

So how do you choose the right combination of payment services for YOUR business?

Choose the right one(s) and the benefits are clear and ongoing, choose the wrong one(s) and you’ve potentially damaged your brand reputation. How many times have you collected loyalty points (for example), and never had the opportunity to enjoy the benefits?

The biggest issue the payments ecosystem faces is that the true cost of an expense is rarely apparent up front, and your payment options are limited to the offers of either your existing financial institutions, or of the retailers themselves. Instead, what if the banks made available enough information at the time of purchase for you to choose the RIGHT payment option?

Bob Mackman wrote a short white paper, How to Pay: The Future for Mobile in m-Commerce, in which he posits that for a mobile application to:

…weigh up the advantages of each [payment method] by looking at things such as: available credit, due date, interest rates and any loyalty schemes and give them the pros and cons of each for this particular purchase at this moment in time. Perhaps putting them into an order of preference.

…the background financial institutions would first need to provide:

“…direct access to the information from the bank and card accounts being used. If the providers made API’s available for even just some basic transactions then this would be possible.”

You can imagine how often this happens currently.

But, if the banks could see the amazing potential this provides, then this would not be the “pipe dream of a romantic”, as Bob puts it, but a reality in which anyone NOT providing these services is left behind.
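To make the “order of preference” idea concrete, here is an added example (my own illustration, not code from Bob Mackman’s paper or any bank API) that ranks a buyer’s payment methods for one purchase at one moment in time using exactly the inputs he lists: available funds or credit, due date, interest rate and loyalty value. The accounts, amounts and the interest rule are constructed assumptions; note that the preferred method changes with the date the buyer expects to clear the balance.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

@dataclass
class PaymentMethod:
    name: str
    available: float               # funds (debit) or unused credit line
    apr: float = 0.0               # annual interest rate as a fraction; 0 for debit
    due: Optional[date] = None     # statement due date; interest-free if cleared by then
    loyalty_rate: float = 0.0      # fraction of the purchase returned as loyalty value

def effective_cost(m: PaymentMethod, amount: float, purchased: date, payoff: date) -> float:
    """Cost of this purchase on method m if the buyer clears the balance on `payoff`.
    Assumed simplification: missing the due date loses the grace period, so interest
    accrues on the full amount from the purchase date until payoff."""
    interest = 0.0
    if m.apr and m.due and payoff > m.due:
        interest = amount * m.apr * (payoff - purchased).days / 365
    return amount + interest - amount * m.loyalty_rate

def rank_options(methods: List[PaymentMethod], amount: float,
                 purchased: date, payoff: date) -> List[Tuple[float, str]]:
    """Eligible methods in order of preference for this purchase, cheapest first."""
    rows = [(round(effective_cost(m, amount, purchased, payoff), 2), m.name)
            for m in methods if m.available >= amount]   # drop anything that cannot cover it
    return sorted(rows)

# Constructed accounts for one buyer; purely illustrative numbers.
OPTIONS = [
    PaymentMethod("Debit", available=500.0),
    PaymentMethod("Credit A", available=2000.0, apr=0.20, due=date(2015, 10, 25), loyalty_rate=0.005),
    PaymentMethod("Credit B", available=1000.0, apr=0.15, due=date(2015, 11, 15)),
]

def preference_for(payoff_iso: str, amount: float = 600.0) -> List[Tuple[float, str]]:
    """Ranking for the constructed buyer buying `amount` on 2015-10-01 and paying off on payoff_iso."""
    return rank_options(OPTIONS, amount, date(2015, 10, 1), date.fromisoformat(payoff_iso))

if __name__ == "__main__":
    for payoff in ("2015-10-20", "2015-12-01"):
        print(payoff, preference_for(payoff))   # debit drops out: it cannot cover 600
```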

Like most things, it’s not that easy. For this to truly work you have to consider all of the following and many more:

  1. Authentication – ALWAYS the primary consideration in payments
  2. Ratings & Reviews integration – against financial services, retailers, products etc.
  3. Big data analytics and customer profiling resulting in targeted displays / coupons based on instant access to metadata of preferences (e.g. material / colour / designer)
  4. Existing payment technologies – PEDs, EMV, NFC, e-wallets and so on…
  5. New[er] payment technologies – Bluetooth beaconing, geolocation, bio-metrics and so on…
  6. Payment choices / instant credit through existing financial institutions (which has dependencies on single purchase interest rates and unaffected credit ratings etc.)

So who’s going to be able to put this all together? No-one currently, but in much the same way that the enormous growth of telecoms options resulted in a spin-off industry of consultants providing consolidation / savings services, the soon-to-be exponential growth of payment technologies will spawn a new breed of consultant: the payments Service Provider Integrator (SPI).

From banks, to payment gateways, to ratings & reviews, to loyalty, to anti-fraud, the SPI will be able to seamlessly integrate all the niche providers into a whole-istic solution designed to meet an organisation’s goals.

Here I must stop, but this will continue in more detail in the pending white paper.

If you have any ideas around this stuff, please share, I’ll make sure to build it in.


The Rise of the Machine, Big Data’s Next Hurdle

For those expecting a Terminator-esque diatribe warning you about the evils of ‘machine’ autonomy you’re in the wrong place. For a security professional, I am perhaps the least suspicious and prone-to-conspiracy person I know. Even my Sister and Brother-in-law are worse, but they are a lawyer and Scottish respectively so their paranoia is expected.

After reading Daniel Burrus’s articles ‘Big Data Is Already Producing Big Results‘ and ‘Create an Integrated Big Data Strategy To Increase Sales Now‘ it occurred to me that while Big Data has no place in security beyond forensics (in my opinion), the security OF the big data itself is critical. So is the integrity and availability of it.

The concept of Confidentiality, Integrity and Availability (CIA) has been around almost as long as I have, but only with the advent of big data and real-time analytics does it truly come into its own.

Everyone trying to sell you something – which is everyone – is looking at big data, or more specifically, how to collect the data in the first place, and what to DO with it once they’ve got it.

Scenario: You’re out shopping with your wife when suddenly you are barraged by lingerie offers, as your spending habits over the last few months have been recorded and instantly regurgitated by hopeful vendors. Your wife has no lingerie…

Morality aside, this is a gross invasion of his privacy (loss of confidentiality). Now imagine if that data was actually inaccurate (loss of integrity); I’m sure his wife would be very understanding, right? As for availability, that’s the vendor’s problem so I don’t care much.

Now, let’s take this even further. In ‘The Internet of Things‘, soon everything from your home security to your dog will be online. Your location, your travel plans, your favourite everything will be known by someone, or someTHING, somewhere. The amount of information being collected is growing, quite literally, exponentially. The trend is also to automate as much as possible, so for example, if no-one’s home, the oven should not be on. Do we really want ALL of these decisions made without human interaction?

I personally love the way things are going. Instant access, always-on, functionality, convenience etc. But I am prepared to pay the price for this, the currency of which is measured in terms of the loss of both my privacy, and potentially, my personal safety. The data is online, if someone really wants it, they can get it, then do things with it I don’t even want to contemplate.

Big Data is not evil, data just is, it’s the use to which the data is put that defines good or bad. Businesses have been very quick off the block to define the profit-making contexts within real-time data analysis, but so far I haven’t seen much in the way determining what’s right and wrong. Or whether or not we even have a choice to take part in it.

The generations born prior to 1990 are most likely the ones holding this trend back, so we’re the ones who’d better write the policies, and put the checks and balances in place, because the Millennials are too busy posting pictures of their junk.

Don’t Get Me Started On ‘Big Data’

Wikipedia describes big data as “…a collection of data sets so large and complex that it becomes difficult to process using on-hand database management tools or traditional data processing applications.”

So why complicate the already difficult concept of developing an effective security program with a huge lump of data you can neither store, nor put to good use yourself?

I’m not against big data per se; there are some very relevant areas where it’s actually required: weather forecasting, social analytics, brain mapping, economics etc., but in security? I don’t think so.

Security must be simple to be effective, and less is almost always more. Good security is baselined, white-listed, known-good and so on; big data can only be effective when your end goal remains somewhat static. I very much doubt either the bad guys, or your business, will stay still long enough to put the results of the big data mining efforts to good effect.

Also, and I’m far from being a conspiracy theorist (I’m just not suspicious enough), I can’t help but think the ones who really benefit are those who already have the storage, the bandwidth, and the existing data mining tools to make it effective, AND are looking for more business. Security must begin with a business need, then a requirement for specific functionality; it is not falling for a sales pitch or a perceived competitive edge based on the latest buzz-phrase.

Instead of trying to understand your security posture with big data, consider the following:

  1. What kind of sensitive or business relevant data do you have?
  2. Where is it?
  3. Which applications or people access this data?
  4. Do you REALLY need all of the data you have?
  5. Is your EXISTING security programme as effective as it could be?

If you don’t know the answer to ALL of these questions, you should start there. This doesn’t even qualify for ‘You can’t manage what you can’t measure.’; this is ‘You can’t protect what you don’t even know you have.’

Maybe, years down the road, when your security programme is a well-oiled machine, and your Governance department is the paragon of business-to-IT communications, then, and only then, should you consider something as advanced as this. Though I seriously doubt it even then.
