Data Privacy & Ownership
In our daily lives, we use devices to send emails via free services such as Gmail or Outlook (yes, some people still use it) and store data on cloud platforms. Do we ever question to whom we are granting access to our data? Do we contemplate the value or cost of our privacy compared to what we receive in return? In modern organizations, data is often one of the most valuable assets. While data privacy might seem abstract and subjective to some, it is a crucial concept for security professionals. These concerns may not always be at the forefront of everyday people's minds, but they should be, particularly for organizations and their leaders.
Consider social media: do you own your data, like your list of friends, or does the platform? This is a key ethical issue in data collection and management. The complexity arises from various factors, such as laws, regulations, copyright statutes, and trade secrets. A 1991 SCOTUS case involving phone books illustrated this complexity: the Court ruled that gathered facts cannot be owned, and that the effort of gathering those facts does not confer ownership rights. While organizations cannot claim ownership of the facts themselves, they often store these facts in databases. The structure, organization, and arrangement of these facts can, however, be protected. How an organization secures this data could be considered a trade secret.
Surveillance & Consent
Private information comes in two forms: PII (Personally Identifiable Information), which can be traced back to an individual, and PHI (Protected Health Information), which includes healthcare records regulated by HIPAA. Consent is critical for ensuring privacy and sometimes legal compliance. It gives individuals the right to agree or disagree about whom they grant access and authorization to their data. Consent is your clear and informed agreement to allow an organization to collect, use, or share your private data. This is also where trust between the user and the organization is formed.
Consider a healthcare provider using video surveillance in a patient check-in area. They must inform patients (obtain consent) that they are being recorded, especially if conversations about their health (PHI) or identifiable features (PII) are being captured.




