
Security in a World Without Secrets

by Richard Hunter

Feature | Mar 29, 2002 | 8 min read

CSO and CISO | Data and Information Security

Security and privacy are at a major turning point in our society. The events of September 11 catalyzed an already rapidly growing trend in the gathering of personal and enterprise information, made possible by advancing technologies.

These technologies have created what I call A World Without Secrets, in which a great deal of information is recorded, little can be concealed from determined interlopers, and data travels widely and quickly.

When technologies work for us, they are marvelously convenient. Who in business or in their personal lives would want to do without the Internet or automated banking and credit card transactions? But our trust in technology is being tested by the availability of sensitive information and the sudden demand for much greater levels of security. With that testing comes a degrading of the relationships between enterprises and employees, customers and vendors, and government and society.

Enterprises and Employees: The Growth of Distrust

Enterprises are watching employees and employees are watching employers with increasing unease on both sides. In our global economy with its fluid workforce, in which longstanding relationships of trust are difficult to establish and maintain, the temptation for businesses is clear: monitor every employee, all the time.

Employees are feeding the distrust. Many enterprises live with the lost-time cost of widespread employee abuse of e-mail and Internet access. But it’s much worse than that. Gartner estimates that more than 70% of unauthorized access to information systems is committed by employees, as are more than 95% of intrusions that result in significant financial losses. Add to that the mind-boggling potential for carefully planned crimes of mass destruction and you can see the temptation to impose rigid security measures.

How are enterprises reacting? Gartner estimates that average enterprise spending on security worldwide will increase by a factor of two to three within the next few years, and by a factor of 10 by the end of the decade. As usual where technology is concerned, most of that money will be spent on smart people, policies, processes, and procedures.

The unfortunate result of “clamping down” is more friction, the drag that distrust puts on relationships. Power and control work from the top down; productivity and creativity work from the bottom up. As top-down control exerts itself to a greater extent, there is a rupture of trust and a corresponding decline in creativity and productivity. Having your emails read or being watched by security cameras tends to naturally deflate one’s sense of company loyalty.

What top managers of enterprises need to find is a balance between security that can protect their businesses and free communication that can stimulate growth. Success depends on it. They need to think about that balance in terms of what Gartner research calls the “Resilient Virtual Organization” in which security is the ability to survive and prevail, not just hunker down and resist intrusion.

Customers and Vendors: Violating the Pact

Businesses want to create personalized, irresistible approaches to each and every customer. Customers want to be recognized as distinct. What customers don’t want is to be watched and monitored, especially without their knowledge. What they fear is that privileged information is being collected by people they don’t know, and used for purposes they don’t understand or approve.

Collection is easy. For retail customers of banks or booksellers, for example, online data is contained within enormous customer databases. The implicit deal is that the information remains contained and doesn’t travel. But that’s changing fast as the owners of those databases come under pressure to find new revenue streams.

Consider two recent high-profile cases. In September 2000, Amazon.com announced that it reserved the right to share with third parties information gathered about its customers, reversing its policy not to sell this data. More egregiously, in December 2001, the telecom company Qwest announced that it would sell information about customers’ calling habits to third parties whether its customers liked it or not.

These are the realities. Policies are impermanent. Companies can unilaterally decide to share information once thought to be private. Privacy is compromised. And with these realities comes a growing percentage of customers who prefer that nobody at all knows information about them.

While regulations have been slow in coming, we can assume that enterprises will soon be forced, by markets or governments, to account for the information they receive from customers and the uses to which it is put. It’s already happening in the European Union.

In the meantime, a superior strategy is the cultivation of trust. Enterprises must sooner or later face the fact that customers want to be protected as well as served globally. It starts with strong policies, publicly stated. But that’s not enough. Customers look to what is done, not what is said.

Government and Society: Resisting the Temptation

To a government, security means protection of lives and property, as well as the protection of assets such as industries and markets. Historically, national security has been strongly tied to geography (which in turn was tied to resources and markets).

Territory still matters, but it matters less and less in a global economy. Our era is seeing the rise of the “network army,” a social structure tied together by values and beliefs, not geography. The network army communicates via the Internet. Its members are drawn from multiple communities. Their agendas may differ dramatically in many respects, but where they align, the army’s power can be massive.

Ask the publisher Harper Collins. In the fall of 2001, they were assaulted by a network army of librarians and other conscientious protectors of free expression over the company’s decision to indefinitely warehouse thousands of copies of Michael Moore’s book, “Stupid White Men and Other Reasons for America’s Decline,” which the company considered too controversial to release in the aftermath of September 11. Harper Collins did one of the two things an enterprise faced with a network army can do: it publicly capitulated and released the books. The only other choice is to get ready for a Hundred Years’ War. Negotiation isn’t an option because there is no leader in a network army.

Or consider the Open Source movement, an “army” of some 750,000 software developers interested in the Linux operating system. With a single e-mail message, Linus Torvalds, the originator of Linux, can communicate with all of them at once. That’s power.

More insidiously, al-Qaeda is a network army, joined by ideology, not geography, enabled by the Internet, using available technologies with devastating efficiency.

In government, there isn’t an elected official today who isn’t trying to cope with a huge upsurge in correspondence thanks to the growing popularity of e-mail. The ease of composing and delivering a message has politicized a larger constituency, or at least enabled those who are politicized to better express themselves. When they congeal around a single position on a single issue they become an army, sometimes a large and daunting one.

With network armies potentially arising from anywhere, governments are tempted to watch everyone all the time. The technologies of surveillance will soon make it feasible. But massive surveillance implies massive conformity, not a characteristic many societies are hoping to encourage.

Whatever their goals, from now on, individuals, businesses, and governments will have to either join network armies or fight them. Either way, network armies have become a defining social structure with which we must all grapple.

Technologies That See It All

Technology has its own momentum and consequences. The tools of surveillance and analysis have become small, cheap and mobile enough to be almost literally everywhere within the next few years.

While the right of the state to interfere in relationships has not changed, the ability to do so has increased dramatically. Gartner Research Fellow Jackie Fenn’s work on advanced technologies describes how high-bandwidth wireless communications, miniaturized cameras, miniaturized databases, and audio recorders and transmitters will combine in the next five to ten years. The result will be an alert, aware, always-on machine environment: the eyes and ears of a world without secrets. The cost of these technologies is already low enough that individuals can own them.

In the post-September 11 world, governments have asked for and been granted new rights to use such technologies, plus data mining, wireless communications eavesdropping, Global Positioning Satellite technology, and biometric (face, hand, iris) identification. Calls for national identification programs supported by biometric ID have increased. The uses to which such identification would be put are undefined. And, ominously, the record of governments in protecting such information from official and private misuse is poor.

Conclusion – Define Proper Use For Different Kinds of Data

We are at a major turning point. Real danger has coincided with the arrival of powerful, intrusive technologies. It has never been so important for enterprises and individuals to assert themselves. Questions about what is enough security and what is too much will play out in societies worldwide for years, driven both by technology and the events that shape our perception of risk and danger.

Starting now, enterprises must carefully define what they consider to be legitimate ways to gather and use information about themselves, their employees, and their customers. Without such a definition, there’s no basis for trust. Trust is essential for both relationships and transactions.

Ultimately, to protect trust, what we will need is agreement – worldwide agreements on what constitutes rightful and wrongful gathering and use of personal information, whether it is in the name of security, commerce, or opportunism. In the same way we need trade agreements, environmental agreements, copyright agreements, we will need information agreements.


Richard Hunter is Vice President, Security Research, GartnerG2. His book, World Without Secrets, will be available in May 2002.