with Oleg Shvaikovsky, December 13, 2016
This is an interview with Oleg Shvaikovsky for the Delovye Vedomosti newspaper on the challenges of personal information and data protection that we face in the near future.
Author: Anastasija Tido
Source: Delovye Vedomosti newspaper, No 44 (1005) of 7 December 2016, pages 6-7, “Человек будет вынужден жить так, чтобы нечего было скрывать”
Answering the questions: Oleg Shvaikovsky, member of the board at Nortal.
Oleg, what do you think is the point of antivirus software? Why do some specialists say it is merely to fool gullible customers? This market boasts a multibillion turnover. The world cannot entirely consist of easily deceived simpletons. Or can it?
Antivirus protection is not a illusion; it is necessary. Stating that antivirus software is useless because there are plenty of other threats on the net is downright inaccurate. Yes, there are numerous dangers, but if we want to draw an analogy here, it is the same as saying “there is no point in washing your hands if you smoke, drink alcohol and have an unhealthy lifestyle in general”. There is a point in washing your hands despite the fact that there are other risks in life. Indeed, there are plenty of threats on the net, but antivirus helps neutralise some of them.
Two essentially different approaches can be distinguished in the context of computer security. One of them is protecting from the “outside-in” attack, and this is how antivirus software protects the computer perimeter. It knows where potential “holes” are located in your system and the approximate volume of your data the attackers can hypothetically access. I must digress at this point. The times when teenagers created viruses merely for the fun of it have long passed. Nowadays, viruses are coded for specific purposes, and the process has almost turned into industrial-scale production. As a rule, they are meant for acquiring data from users’ computers.
So, is there another approach?
Yes, the other approach implies the protection of the “inside-out” attacks. What does it mean? By analyzing the behavioral characteristics of a particular computer user, we can establish what exactly is unusual in their behaviour and what gives away a potential data leak. There are certain techniques to identify it. Behavioral characteristics displayed over a lengthy period are registered on a timeline, forming a pattern. Suppose, A works in the customer support division and processes the data of 20–30 customers daily. All of a sudden, the number of customers whose data have been processed by A rockets to 200 over a short period. This might mean that A is deliberately stealing the data or they are leaked somewhere else because the computer is infected by spyware. The latest spyware often does not download data in large quantities at a time, which would be easy to discover, but constantly downloads them in a thin trickle, which is far more complicated to identify.
Both of the above approaches are important. If we compare a computer or a network to a country, both border security troops for the protection of the perimeter and the police for catching thieves within are needed in it. You do not necessarily have to pay for antivirus software; numerous free options are rather good too. Coming back to Darren Bilby’s statement – the fact that it is a Google employee, who says that antivirus software is unnecessary is understandable and easily explained. What this company is very good at is exactly the monitoring of the users’ behavioral characteristics and patterns mentioned earlier.
A huge number of biased opinions circulate among regular users. Some believe that antivirus tools are always “a step behind” because they can neutralise trojans and viruses that have already been discovered and entered in databases but are helpless in the face of new malware. Other users think that the developers of antivirus software themselves are very much connected to the emergence of viruses. I guess this is a conspiracy theory that originated in the early 1990s, when no one exactly believed that viruses were dangerous. Today, rumours about and even real-life cases of high-technology companies’ cooperation with intelligence services are particularly disturbing. I mean Google, Facebook, Kaspersky’s Laboratory, and there have been many other situations. For example, LinkedIn has not managed to prevent a data leak… What is the user to do? Can one trust the anti-malware one is using?
I do not really believe that antivirus developers create viruses themselves. I think this is an absolutely unfounded conspiracy theory. In the nearest future, I personally see another problem. Half a year ago, the EU passed the General Data Protection Regulation (GDPR), which is, undoubtedly, the world’s strictest legislative act to regulate personal data protection so far. It establishes downright monstrous fines for violations. This regulation has not had much coverage here because many of its aspects have already become everyday reality in Estonia; data protection mechanisms have been gradually implemented here for quite a while, and we have developed the respective mentality. The concept of it being inappropriate for me to have a look at your personal information has become natural for us. But it is not like that everywhere. Namely, this directly applicable regulation will greatly affect Southern Europe. For instance, it implies the so-called “right to be forgotten”, i.e. the right for the destruction of the user’s data at the facility that has been processing it for one reason or another.
The problem with the fulfilment of this requirement though is that even the organisations with outstanding technical capacities like banks or telecommunication companies do not have the complete “customer map” that would allow all the references to the particular customer to be found and deleted. The customer’s data will be deleted from the main locations where the contract as well as major transactions and operations are stored, but numerous minor references will remain associated with the customer contacting the support service for a variety of minor reasons, and this is where these data might remain.
In addition, the regulation requires companies not only to prevent data leaks, but also to identify potential vulnerabilities, forecast them and eliminate gaps in protection in real time. There’s a need to develop the specialized analytical tools that allow the behavioral characteristics and patterns of the people working with data to be used in order to identify unauthorised or unjustified access to the data. One of the simplest recent examples is the leak of information about [former Estonian prime minister] Edgar Savisaar’s illness. One of the patterns that allowed the leak to be “caught” was that the medical record had been opened, but no changes had been made. As a rule, if a medical record is opened, new data about a digital prescription issued or therapy assigned is entered. However, if it is opened and nothing else happens, this could be a case of unjustified access.
Well what about the people whose entire lives are stored on computers and in the cloud, including work documents and personal materials: correspondence, photographs, personal documents? For instance, after reading “Cypherpunks”, the book by Julian Assange, the creator of WikiLeaks, one cannot help becoming a bit paranoid. It is common knowledge that while intelligence services of old times had to deliberately monitor specifically selected people because the technology did not allow hundreds of hours of records to be viewed or listened to, modern technology allows data about every computer and smartphone on the planet to be downloaded and stored “just in case they come in handy”. If an agency of national importance needs access to our data, there is no way we can prevent it.
There can be no doubt about that; this is just “a fact of nature”. The sources of data about us are so numerous that literally everything can be found out about a person if necessary. Anonymizing, encryption… none of that helps much. Two years ago, LinkedIn suffered a leak of data of over a million accounts. “It’s all right, the data were encrypted,” was what they said then. Still, technologies develop, including decryption techniques. The key will be discovered sooner or later.
But what is the point of encrypting the data which people post on social media themselves? This is essentially the information that the user regards to be appropriate for disclosing. Some posts and correspondence cannot be viewed by everyone, of course, but all in all a social network is something of a “public square” where people can state things publicly about themselves, so it is strange to expect that no one will obtain the data you post on Facebook…
Even if you cannot be found on social networks, it does not necessarily mean that your information is safe and nothing can be found out about you. There is a multitude of sources: your smartphone geolocation can provide a pretty accurate picture of where you go, how much you walk, drive or ride and where exactly. What you buy and how much, when you sleep and when you are awake – it is all out there. Thousands CCTV cameras are installed on city streets, and there will be more. The only way to avoid that is probably to go live deep in the woods; however, the quality of photos taken by drones will soon be so high that it will make you doubt that someone who really needs to find you should fail to do it. Let’s recall the society of the pre-industrial era. People lived in villages, in plain view of their neighbours, and everyone knew everything about the others. Nothing could be hidden. In such a situation, they led honest lives in fear of the others’ judgement, not only in fear of God.
What took place with the onset of the industrial era was the “atomization of society”: people who have been neighbors for decades might know nothing about one another. Today, we are going back to every individual becoming an open book for competent agencies authorized to process our data and for neighbors and acquaintances alike. In these circumstances, we will be forced to live in such a way that we have nothing to hide or be ashamed of, and a good thing, too. You cannot hide anyway.
Personal information does not always have to be something shameful or illegal, but people still have the right to want everyone not to have access to it: medical records, personal romantic correspondence, sex lives for that matter. We all do it; there is nothing to be ashamed of; it’s normal, but who would want it to become mass entertainment on YouTube?
I agree, but I have no illusions: technically, all you have described is doable. I would view it from the perspective of how it can be put to use. There are, in fact, numerous benefits that “digitalized life” can offer. We all know how simple our life has become due to Estonia’s eGovernment concept.
No one is arguing with that. E-books, navigation, various databases, data clouds sortable by tags… it is hardly possible to imagine how we lived without it all. Still, there is a downside to anything.
With time, gadgets will be playing a more and more significant role in the planning of our lives by providing analysis and assistance.
Is the smartphone going to monitor our shopping habits and warn us to “cut down on beer because you obviously have a drinking problem”?
Yes, and so what! Analytical capacities are emerging that will be able to use our behavior history over several years to warn us about potential health problems that would lead us to hospital in the end. But we can start taking early measures. We just need to accept it as a given. We have delegated substantial rights to certain officials and agencies in the non-digital society anyway: the police can enter one’s home or even confiscate one’s car to chase a criminal, they can record our calls and read our correspondence on the basis of a judge’s warrant – all of that has been done before. To ensure the safety of society, we must give someone the right to monitor those who might monitor us. In this respect, nothing is really going to change; the same will be done on a more advanced technological level.