Social media spurs privacy paradox
A key challenge for security practitioners is the "privacy paradox", said Maiendra Moodley, the State IT Agency's GM divisional head for financial systems and processes.
Speaking at ITWeb Security Summit 2015 yesterday, Moodley argued the privacy paradox will continue to dominate security practitioners' agendas, as social media usage increases, with one of the main challenges being the definition of privacy versus confidentiality.
"There is a challenge around understanding where privacy starts, where confidentiality starts and where these two seemingly different words are used almost as if they are synonyms - as opposed to there being a gap between them."
The problem with trying to understand and define these two concepts, Moodley explained, is that people's idea of privacy is subjective, which is where the privacy paradox comes in.
"For example, you want to keep your information private from somebody you don't want to know about it. So, if you and I were socialising together and somebody took a photo of us at the pub, we wouldn't mind if all our friends knew about it. We would mind if we were on Facebook with our managers, and they saw us there."
"Now that's the whole crux of this privacy paradox - people want to keep things private in a subjective manner, and it's very hard for us to find what that subjective manner is, because it depends on each individual."
Moodley said while some people are happy with their lives being on display, effectively like a reality show, others are particular about what's known about them, and it is up to security practitioners to try and find that balance.
"How do you ensure when people start posting things on the Web and claiming it is their privacy - in other words, it is their right to post things on their Facebook page or Twitter account - it doesn't have an implication on your company's reputation?
"That's the business impact of this problem."
Moodley pointed out confidentiality was always easily understood as the concept of keeping a secret, but the problem for security practitioners is the concept of privacy, which includes subjective elements.
"And then what makes this thing even more difficult is how to ensure while you, as a security practitioner, are monitoring what people post that could have a negative impact on the reputation of the company, you're not violating the privacy of individuals."
An example of this, Moodley noted, is companies that have an e-mail monitoring policy, but also allow employees to use the e-mail system for personal communication.
"So, where do you draw the line? [On the one hand] you say 'you can use the company asset and when you use the company asset, we're going to monitor it'. But what happens when people start raising the issue of privacy?
"The issue is that, up to now, we've been alright about this. Nobody has really made a major issue of this. But, as people start becoming more and more privacy-aware and privacy-conscious, this is where the challenge starts coming into it," Moodley said.
He added the next challenge - where the paradox is going to become even more interesting - is the evolution of people's online personas. Initially, he said, most people used the Internet for transactional purposes, such as online banking or shopping.
"Your digital persona was a transactional persona. You didn't really mind that somebody monitored what you did. You knew when you went onto online banking, the bank was actually going to try to ensure it was you [and] where you were when you transacted, so that they could legitimately ensure, in the event of fraud, they could investigate it."
However, Moodley pointed out, the advent of social media has changed the way people view privacy. At the same time, he said, the line between people's social and professional online personas is blurring, with most people posting their employer's details on their Facebook profiles.
"Facebook gives you the option to post your current job title and where you work. So when you start posting things on Facebook, which have an impact on your company, how do you differentiate between what is said in your personal capacity and what is said in your professional capacity?
"And when you post things on social media, you enter into the space that, once it's publicly known, people use that information and rely on it. You can't claim it's private once it's known."