In 2002 Bill Gates sent the “Trustworthy Computing” email that lit the fuse of internet security. Similarly, Mark Zuckerberg’s Privacy Manifesto will be remembered for kickstarting a new era of data privacy.
Bill Gates got religion because Microsoft revenue was at risk. It was not a philanthropic gesture nor an attempt to dodge antitrust investigations. It was a compulsory business decision because he saw Microsoft customers headed to greener – more secure pastures.
Today, Facebook sees their users moving to small, private and ephemeral groups. In parallel, regulators are demanding more privacy from Facebook’s expansive social networking communities. Facebook has recognized that without “privacy protective services” users will churn, and regulators will attack. These are the business drivers behind the “Zuckerberg Privacy Manifesto”.
Regulators have been gathering at the gates of One Hacker Way demanding Facebook become the editorial cop of the internet. Through this announcement Facebook may have absolved themselves of the expensive mandate to police the internet while also passing this onus to the other Big Data companies like Google, Microsoft and AWS. If nothing else, in the near term, there will be a lot more head scratching than gate storming by the regulators.
Facebook will, of course, face a different set of regulators who want to ban end to end encryption. China, Russia, Iran, North Korea pose obvious problems… and the UK, Australia and India have recently taken steps to join this dubious group. The US government has even made rumblings about banning encryption while simultaneously declaring that “Today’s cyber-threat is bigger than the government itself”.
It’s a sticky debate that has raged for years and the Zuckerberg Manifesto will not force resolution. But are regulators ready to mandate that Facebook maintain access to all our private data and communications and require that these communications remain unencrypted and not deleted?
Congressional oversight, GDPR, CCPA are all driving the cost of unprotected data towards unsustainable levels. Mr. Zuckerberg speaks of the difference between living rooms and town halls. But what about board rooms? The DOJ has approved the use of ephemeral messaging when used responsibly in corporate settings. Ephemerality is the logical approach to counter the dangers of permanence.
Yet, corporate information security and legal communities are slow to act because they are conditioned to oppose data privacy in corporate environments. Secure and ephemeral communications will be a tough pill to swallow because information security and legal teams want to gather as much data as possible to look for flaws and bad guys.
Your corporate counsel with an ACLU sticker on his laptop relies on unfettered e-discovery capabilities. Likewise, your EFF t-shirt wearing CISO is not motivated to keep data private. Her team is built to conduct investigations and respond to incidents. End to end encryption and ephemerality can mean the loss of access to data and telemetry used for investigations. Ironically, the very same people who lobby for data persistence simultaneously tell you they cannot protect data from Advanced Persistent Threats.
The truth is that ephemerality can be deployed to accommodate any set of needs and investigations will be successful without access to everything. Ephemerality is normal. We delete things. We have diskless thin clients, ephemeral microservices, we ephemeralize cloud instances and we have always shredded old documents. We do this because of the security and reliability benefits of non-persistence. To drive this point home I like to point people to the very detailed and thoughtful data deletion policies at Zendesk. It’s a great example of when data destruction is the best business decision.
Facebook has signaled that they see ephemerality as a more profitable way to manage and profit from data. The Facebook announcement should have the competition wary, the regulators contemplating next steps and corporations reconsidering their instinct to data hoard.
Bill Gates’ email was the first step in establishing security as a mandate for enterprise computing. Mr. Zuckerberg’s Manifesto will drive our industry to understand that having control over data is a critical business requirement, not just a t-shirt slogan. Not bad for 3,200 words.