Q&A
Paul Wing: Privacy's Northern Light
Paul Wing, former Scotiabank information security leader, says Canada and the United States need revamped privacy policies and practices
By Scott Berinato
October 01, 2006 — CSO — Paul Wing believes that with privacy, things have gotten out of hand, and he's working to restore order through ambition and idealism. One of Wing's current projects is to create real governance around privacy—how we authenticate, how data is stored and destroyed, and so forth. He's developed several privacy principles that he would apply to businesses and governments across the globe. He wants privacy to become an ethical cornerstone of doing business in a sustainable way. He wants privacy to be on a par with responsible environmental and child-labor policies. The kicker is that Wing believes that by doing this—by making privacy a moral imperative—we will improve the bottom line of both security and the business.
For two decades, Wing was head of Information Security at Scotiabank, where he implemented two-factor authentication as far back as 2000. He was Canada's privacy representative to the International Organization for Standardization (ISO) and the Organisation for Economic Co-operation and Development (OECD). He coauthored the book Protecting Your Money, Privacy and Identity from Theft, Loss and Misuse—Practical Steps for Today's World. When a Canadian magazine bought and published the Canadian privacy commissioner's personal phone records, the privacy commissioner called Wing, now an independent consultant, to seek advice and help deal with the problem. CSO senior editor Scott Berinato spoke to Wing at length about these and other privacy-related issues, including transborder data flows, his model for privacy governance and what's so interesting about his heat and hydro bill.
CSO: How is it possible for journalists to buy the Canadian privacy minister's personal phone records for $200?
Paul Wing: Amazing, right? It was just a magazine doing a proof of concept, but it produced a lot of angst up here. I've been doing a fair amount of work to get my head around what the issue is here, and I think it comes down to this: There's no common reference point for what is a best practice for authentication, for privacy, for managing risk.
How do you mean?
Here's an example. To get access to a copy of my heat and hydro bill, the company requires me to use a seven-digit, case-sensitive alphanumeric password with a minimum of one alpha, one numeric and one capital. That's just to look at my statement. That's stronger authentication than some banks require for online banking. At ATMs we use four-digit PINs, technology from the '70s. I looked around my house and the only other technology I have from the '70s is my record player for my LPs and the light switch. How can a four-digit PIN, which, by the way, I'm not required to ever change, adequately protect banking? This is why "shoulder surfing" [reading someone's PIN as they punch it in] happens. And yet, on the other hand, I have to change my e-mail password every 30 days even if I don't give a damn about that. So there's no logic behind what kind of protections we put where.
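Wing's comparison can be put in numbers. The following is an added example, not part of the interview: it assumes the utility's rule means at least seven alphanumeric characters with at least one letter, one digit and one capital, counts the resulting keyspace by inclusion-exclusion, and sets it beside a four-digit PIN.

```python
import math
import string
from itertools import product

# Assumed reading of the utility's rule: alphanumeric only, and every one of
# these character classes must appear at least once.
ALPHABET = string.ascii_letters + string.digits
CLASSES = {
    "alpha": set(string.ascii_letters),
    "numeric": set(string.digits),
    "capital": set(string.ascii_uppercase),
}

def satisfies(password: str, min_len: int = 7) -> bool:
    """Check one password against the utility-style composition rule."""
    chars = set(password)
    return (len(password) >= min_len
            and chars <= set(ALPHABET)
            and all(chars & members for members in CLASSES.values()))

def policy_keyspace(length: int) -> int:
    """Number of strings of exactly `length` ALPHABET characters that contain
    every required class. Inclusion-exclusion over the subsets of classes that
    are *absent*: each subset contributes (-1)^|subset| * (remaining chars)^length."""
    names = list(CLASSES)
    total = 0
    for mask in range(1 << len(names)):
        absent = [names[i] for i in range(len(names)) if mask >> i & 1]
        excluded = set().union(*(CLASSES[name] for name in absent))
        remaining = len(set(ALPHABET) - excluded)
        total += (-1) ** len(absent) * remaining ** length
    return total

def pin_keyspace(digits: int = 4) -> int:
    """Keyspace of an all-numeric PIN of the given length (the ATM case)."""
    return 10 ** digits

def bits(keyspace: int) -> float:
    """Keyspace expressed as bits of guessing work."""
    return math.log2(keyspace)

def brute_force_keyspace(length: int) -> int:
    """Exhaustive count, used to cross-check policy_keyspace on short lengths."""
    return sum(1 for t in product(ALPHABET, repeat=length)
               if satisfies("".join(t), min_len=length))

if __name__ == "__main__":
    print(f"7-char utility policy: {bits(policy_keyspace(7)):.1f} bits")
    print(f"4-digit ATM PIN:       {bits(pin_keyspace()):.1f} bits")
```

Only exactly-seven-character passwords are counted, so the figure is a lower bound for the policy's full keyspace; the point is the gap of roughly 28 bits against the PIN, not the precise value.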