The Australian government is currently dealing with one of the largest breaches of security in their history. Apparently a second-hand shop that sells government furniture sold two locked filing cabinets with no keys. Eventually someone bought them for basically nothing. Months later, someone finally took a drill to the locks and opened them. And now information on five iterations of the Australian government are out in the open as The Cabinet Files.
Two things strike me as fascinating about this. First, we’re talking about physical paper. This is a stunning lapse in security. We’ve “solved” the problem of securing small amounts of paper. Heck, that’s one of the things that makes the Pentagon Papers so interesting from an operational security standpoint. And yet, they were leaked. I wonder if this was only possible because government officials are now so concerned about digital security that they’ve become lax with physical security practices. Remember, Reality Winner ended up printing documents to leak them.
Second, how much easier is an accidental release of digital documents than an accidental release of thousands of physical documents? We’ve seen plenty of intentional leaks, like Snowden, Manning, and the Panama Papers. I’m sure we’ll continue to see more and more of these. So are lots of people in the security world. Intentional leaks are receiving a lot of attention. But what about accidents?
Bruce Schneier once used pollution as a metaphor in a way that I think is pretty relevant to this problem:
Most of us are happy to give out personal information in exchange for specific services. What we object to is the surreptitious collection of personal information, and the secondary use of information once it’s collected: the buying and selling of our information behind our back.
In some ways, this tidal wave of data is the pollution problem of the information age. All information processes produce it. If we ignore the problem, it will stay around forever. And the only way to successfully deal with it is to pass laws regulating its generation, use and eventual disposal.
This certainly seems right to me in a privacy context, but data is toxic in other ways too. How many organizations create or collect sensitive information about their business processes, their customers, their employees, and other sensitive aspects of their operation as a byproduct of just doing what they do (i.e., as data pollution)? I regularly reflect on the fact that most digital copiers keep a scan of the documents you copy in them. I’ve written about them before as time bombs. How many other technologies out there have access to sensitive information? Every single one of them is an accident waiting to happen. Ironically, if this accident were a massive digital collection, it might have had less immediate impact simply because the sheer amount of data that would have to be sifted and sorted would end up requiring special skills and take time. But I think this sort of thing will happen to some organization eventually. It’s just a matter of time.