If Microsoft's chief security adviser had his way, it would be a felony to misuse personal data.
Stiff penalties are the only way to ensure that people and organizations won't violate rules about appropriate data use, said Craig Mundie, speaking on privacy and cybersecurity at the EmTech MIT conference in Cambridge on Thursday (All of which should make for interesting conversation between Mundie and NSA director Gen. Keith Alexander, both of whom were to be honored later in the day at the Eisenhower Awards Dinner in New York City for their contributions to national security.)
Current rules for ensuring data privacy are broken, according to Mundie, in a world in which people are being observed in increasingly intimate ways by the tech devices and tools they use daily. "More and more, the data that you should be worried about, you don't even know about," said Mundie, who until late last year was Microsoft's chief research and strategy officer. "You don't even know to complain about the existence of the data."
Back when credit cards emerged a few decades ago, individuals could weigh the risks and rewards of revealing private information in exchange for services that would make their life easier. That model worked to guide law and policies, but "is now failing in a gargantuan way" because of all the data being collected and retained in so many ways. With smartphone apps asking permission to use your location but never telling you what they plan to do with that info, or indicating what might happen to via downstream distribution, it's clear that data privacy rules need serious updating, Mundie said.
He envisions a "usage-based way of controlling data" under which information would be protected in a sort of cryptographic wrapper (think digital rights management on movie DVDs or music CDs) with metadata defining what can and more importantly can't be done with the data. Based on discussions Mundie has been involved in with people at other companies as well as with regulators around the world, he said reception to such a concept has been generally good, even in Europe where data privacy rules have become increasingly strict.
With sensitive data such as that related to genomics only becoming more commonly available, there's a realization that rules will need to change, but rules won't be able to apply to each specific type of data, Mundie said. "Therefore I think we need to move to a model with an architectural basis," he said.
A computerized architecture to manage all this would support users changing their mind over time regarding what they would allow others to do with their data, as new applications they never anticipated emerge, Mundie said. "You can't possibly write [all] the rules in advance," he said.
Sign up for Computerworld eNewsletters.