Page last updated at 10:44 GMT, Wednesday, 8 July 2009 11:44 UK

Being open about secrecy

Marion Prison
Can you balance keeping information secret with having an open government?

We need to teach people the principles of data security, says Bill Thompson.

It must be tricky to be an advocate of transparency when your job involves selling serious encryption tools to government departments, large and small companies, hospitals and people who are concerned about having their bank account details hijacked from a home PC.

After all, the point about good encryption software and the systems that surround it is that they provide a way to keep your secrets secret, while open government and the effective regulation of financial services would seem to require the widest possible dissemination of all sorts of operational data, from MPs expenses to bank investment portfolios.

And once something is on a website, in an e-mail or available for inspection through a published program interface, then it is no longer secret, however well the copy on your internal network might be protected.

Phil Dunkelberger, chief executive of encryption specialists PGP Corporation, believes that openness and secrecy are actually two sides of the same coin, and that the fundamental question concerns the ways organisations and individuals manage their data so that they can decide on policies for disclosure and stick to them.

He also thinks that the best way to make companies and businesses take data security seriously is to make them aware of just how much it costs them when they are careless, which is why PGP sponsors the independent Ponemon Institute to produce an authoritative survey of how companies use encryption, how many data breaches they suffer and how much it costs them.

Bill Thompson
Computerised data processing is not going to go away, and the proliferation of mobile devices, portable data storage and online access means that the problem of data leakage is not going to go away either.
Bill Thompson

Dunkelberger was in London this week to launch the latest report on UK data breaches, which found that 70% of UK organisations have had at least one incident in the past year, with public sector respondents admitting to an average of 4.5 breaches per organisation.

Separate research by Ponemon estimates that the average cost of incidents is £60 per record lost or £1.7m per organisation, and of course the wider impact on people's lives as they have to change bank details or clear their credit records is also significant.

Human error

Over half of the data breaches that feature in the Ponemon report were caused by staff error, with people losing computers or data storage devices, deliberately breaking procedures because they did not understand their importance or simply making mistakes that the systems developers had not anticipated.

Whatever its flaws, computerised data processing is not going to go away, and the proliferation of mobile devices, portable data storage and online access means that the problem of data leakage is not going to go away either.

And recent moves towards more openness between organisations and more transparency in both public and private sectors makes it impossible to simply lock the data up in a corporate vault, however well constructed.

The tension between openness and security has always existed, and modern technologies do not change the fundamental reality that once a secret is shared then it is less of a secret.

The best way to keep a computer secure is to disconnect it from the network and unplug the power, but this also makes it rather less useful, so any sensible data management policy has to accept that perfect security is not possible and have procedures to mitigate the impact of the inevitable leaks and failures.

A good system should also allow for effective disclosure. A proper MPs' expenses system would not have relied on scanned receipts, released as thousands of pages of PDF files with potentially sensitive data blacked out by hand, but have been built around a database in which all data was stored, cross-referenced to original documents for verification.

Releasing the expenses data would then only have required changing the permissions on a few database tables.

Of course, explaining this to MPs would have taken a lot of effort, because few of our elected representatives have any background in computing or any real understanding of the principles of systems thinking.

We can't be too hard on MPs. Data security is a complex area that involves hard mathematics and complicated software and requires an ability to think clearly about the inter-relationships between multiple overlapping systems, only some of which are computer-based, and few us have the necessary training to do this.

But if we are going to have a network society that relies on computer-based systems then everyone needs to understand how those systems operate and how they are put together. Just as a democracy can only really function if the citizens are actively engaged in the decision-making process and not merely turning out to vote every few years, a wired world needs people who appreciate what is being done in their name.

Geeks v users

At last weekend's OpenTech conference, I talked yet again about the growing divide between the geeks, who can code and know about computers, and the users who simply take what systems they are offered and work with them.

OpenTech was a conference about getting things done, not just talking about it, so we decided that every new member of Parliament elected at the next general election should be taught the basics of programming, so that when they come to vote on expensive IT systems they at least know how computers work.

We might even persuade them all to use encryption sensibly on their office computers, laptops and phones, and to use digital signatures for their e-mails.

It may be a small start, but it would be a start. And once MPs are doing data security properly it might offer a good model for the rest of us.

Bill Thompson is an independent journalist and regular commentator on the BBC World Service programme Digital Planet.

Print Sponsor

The BBC is not responsible for the content of external internet sites

Has China's housing bubble burst?
How the world's oldest clove tree defied an empire
Why Royal Ballet principal Sergei Polunin quit


Americas Africa Europe Middle East South Asia Asia Pacific