The security of personal data, a major challenge

As the world’s leading internet giants cross the Atlantic to meet France’s President Macron, recognising in him a fervent ambassador for technology and the development of the Start-up Nation, comments about the security of our personal data are fuelling discussion and debate at trade fairs (and not only VivaTech). We, the Europeans, do of course intend to defend ourselves against the threat of data being swallowed up by the formidable GAFAM group (to which it now makes sense to add major actors such as Netflix and Airbnb). But isn’t the threat lying in wait for us more likely to be found amongst the public agencies and organisations that hold, entirely legally, a large amount of our most personal information?

How can we protect it?

When we provide our referring doctor with our social security card; when we indicate our income by detailing our investments, or provide our address information; and when we hand our passport to customs officials at borders, what guarantee do we have that the data collected is protected?

This is undoubtedly what led President Trump’s government in the US to produce a report whose conclusions speak for themselves: This will not do at all!

This particular warning, issued on the other side of the Atlantic, is one we could well be hearing in our own countries in the coming months. The situation appears to be very serious, such is the extent to which protective systems are either completely lacking or ineffective. To illustrate the gravity of the general situation, here are a few figures taken from the report:

  • Only 55% of US public bodies limit access based on user characteristics and roles.
  • Only 57% of them check and monitor administrative rights.
  • Only 27% of federal bodies state that they have the capacity to detect and investigate unauthorised attempts to access large amounts of data, and even fewer state that they test and check these capacities on an annual basis.
  • Only 52% of these bodies state that, in tests carried out over the course of the previous year, they validated the roles to be assumed by responders in the event of an incident.
  • Fewer than 16% of them are able to encrypt data at rest, i.e. stored data, though 73% state, by contrast, that they are able to encrypt data in transit.

This report, produced by the OMB (Office of Management and Budget) and the DHS (Department of Homeland Security), also indicates that in only 38% of incidents (out of the 30,899 examined) did it prove possible to identify the method of attack used! And this despite the fact that 5.7 billion dollars were spent on improving the various protective services in a single year. Additionally, the question of security is not simply confined to the use of devices that are relatively easy to hack. It applies to all physical entities that store data somewhere. The rise in popularity of blockchains is perhaps a response to all this. Breaking up highly sensitive data into separate parts and distributing it across multiple storage points to render it no longer vulnerable to attacks targeting single servers – should this be seen as a long-term solution?

It is the responsibility of government organisations to get to grips with the problem, and it is a sovereign duty of states to ensure the security and safety of their citizens, and, therefore, their data. Digitalisation is not a guarantee in itself. It also introduces weaknesses. There is an urgent need to develop awareness of these issues in public and private organisations of all kinds and to come up with new solutions to the challenge of making our data inaccessible.