Imagine emailing or talking with a doctor or family members about a deeply personal issue: a dire medical diagnosis. We have these conversations face-to-face, over the phone, or through email, because they are private conversations! We wouldn't want strangers to overhear, read, or listen to them. Similarly, we lock our front doors to protect against random people walking into our houses and perusing all our belongings. It is not that we have anything to hide, but it just feels invasive. There are tools for the digital equivalent of locking our doors and keeping our possessions and conversations private. The routine activities in the real world should become routine in the digital world because privacy matters!
Why is this a problem?
The first thought that comes to mind is, "I've never had to do this before, so why now?" Or, more accurately, "Are complications being added where they need not exist?" The privacy process is not about adding complications; rather, digital security is an oft-forgotten afterthought. Security has always been an issue, and privacy is about minimizing the ripple effects when our data happens to be released, breached, or leaked.
Our digital presences are never going away. As kids grow up without digital practices, their lives will be completely public. There was a time before the Internet when our words and writings only mattered to our neighbors, teachers, colleagues, and gossips. Today, every word has value and matters; decades later, even. Good security practices are a marketable skill, and a way to maintain some privacy in the face of an ever-increasing digital world.
Information, including innocuous conversations, is the new gold mine for companies and identity thieves alike. Today's criminals and legit businesses are after the same thing: actual messages and conversations. Our conversational data is important to criminals looking to impersonate us and carry out fraudulent transactions. Simultaneously, companies look to personalize our experiences based on our utterances. Chatbots speak to us using our own language and reference our experiences: places we've been, friends we've talked to, feelings we've experienced. The techniques elicit more conversation, more information, and more engagement. Companies (chatbots) and identity thieves are trying to mimic our individual behavior, mannerisms, and idiomatic language.
As the digital age progresses, and criminals become more sophisticated, one key aspect of communication is verifying only the intended recipients are able to understand the messages. In other words: only those involved in a conversation may read and participate in it. This maintains confidence and privacy among confidants. Authenticating the sources of information in conversations will be crucial in the future.
While privacy and confidence may not seem important to most people, consider individuals whose business relies on confidentiality (e.g. accountants, attorneys, doctors, CEOs, CFOs, human resources, etc.). Conversations, by definition, require two or more people. If conversations are not carried out in a private and secure manner, then all parties are exposed. Exposure does not affect just one person; it affects everyone participating in the conversation. (Remember in towing and security contexts: "Chains are only as good as the weakest link.")
Imagine a doctor whose private conversations with patients get exposed, or an accountant whose clients' financial information gets leaked. The harm is not that the information was exposed, but rather how it may be used to harass or otherwise intimidate patients or clients. These may seem inapplicable because they are professionals with obligations; however, those conversations could just as easily be between friends or family. It was not necessarily the doctor or friend that was a weak link, but rather the weakness of the information security practices employed.
Everyone who communicates should elevate confidentiality and privacy efforts. It helps everyone to trust in the security, privacy, and authenticity of their communications, while simultaneously protecting all participants in the future. Years of emails have been stored online: a treasure trove of information regarding our personalities, relationships, experiences, and communication styles. Some personal questions to answer about email communications are:
Do I care if my email or cloud provider suffers a data breach, and strangers are able to read all my email? Are there any information, conversations, or email chains that may cause social harm to my friends, family, or job?
If my email were hacked today, who might be emotionally or intellectually harmed by the messages in my email?
Does my email contain any private information, like business strategies or information subject to HIPAA restrictions? Could I be in legal trouble if that information were to become public?
Would there be "collateral damage" from my emails being released on the dark web?
The question list is not to suggest everything needs security, but communications should be thoroughly considered for security. The term communications includes:
Word/PDF documents
Photos of documents
Audio/Video of confidential information and conversations
Databases
Spreadsheets
Files containing sensitive information or identifiers (SKU numbers, order numbers, receipts, patient numbers, diagnoses, HIPAA, etc.)
Sensitive information, as used here, is not inclusive of all situations, but may refer to: strategic plans, marketing efforts, sales advertisements, contracts and other legal documents, mergers and acquisitions, doctor-patient conversations, etc.
Information Security
tl;dr: Secured data would rather be lost forever than read by an unauthorized person.
Today, we never know whether an email is from who it claims to be from, or whether we should open the attachment. It is important to verify that an email was legitimately sent by the person listed as the sender, or that a document was provided by whom it says it was provided. These are fundamental concepts of trust, which is harder and harder to establish in the digital era. There are constant struggles with computer security, and attacks that seemingly come from all directions. The methods and means of attacks are beyond the scope of this writing, but there has been enough ink spilled on the subject. This is not a new problem, nor is it confined to cloud email and data systems.
As some of the links above note, there may be a data breach (internally or externally conducted) targeting any company or individual at any time. It is with vigilance that we can semi-protect ourselves, and others, in the case of: viruses, worms, malware, and other data theft. Malicious actors are not going to spend a lot of time on a single target who's conscious of data security. Instead, malice will move on to easier targets, because there are a lot of those available.
These are not designed to be horror stories, but the reality of the world we now live in. The problem is not just securing data sent between two computers, like online banking, but also ensuring stored data is secure. Online banking, and every other "https" website, take precautions to handle document and file transfer in a secure manner. Similar precautions need to be taken with data stored on a hard drive or USB key, which includes cloud storage and emails stored on the web.
It should also be noted that some cloud storage providers may secure data on their systems, but it is expensive to do so. It is expensive in terms of computing power, because every time a file or email is accessed it must be processed before it is sent back to the requestor. The cloud service has to open the file, computationally process it to unsecure it for reading, then re-secure it for transmission (https), and then send it to the person who requested it. These are expensive tasks to complete and require vast computational resources at scale. The expense to power the security computations versus the cost of a data breach is vast and tangible.
"We" Need This
Proper security and document verification require active participation and skill. It is possible to secure documents so that multiple persons ("recipients") may read them; however, each person must create their own "conversation key." The creation of a key means having basic skills in data security and proper document authentication. We should slow down to ensure the information we send out is signed with our signatures.
Joe's Living Trust (Example)
Earlier links noted USB keys as a method of data/identity theft; security on these devices is also necessary. Suppose Joe needs to get very sensitive documents to his attorney and accountant but does not feel comfortable using the internet. If Joe's documents are securely stored on a USB stick, it does not matter that: Joe gives it to Donna, who then gives it to Rudy, who then passes the USB key through Linda to Mark, who then delivers it to the attorney through their brother Randy. The attorney then drops off the USB stick at the accountant's office per Joe's instructions.
In the outlined scenario, nobody who physically had the USB stick in their possession could read the secured documents except the attorney and the accountant. Secondarily, the attorney and accountant could have independently and securely verified the documents remained unchanged from Joe. Tertiarily, if the USB key happened to get lost, Joe could rest comfortably knowing the data could not be read by anyone except his attorney and accountant.
While it would have been easier and more expeditious to use email, the point was all who had access to the data still couldn't do anything with it. If the data were emailed and the email provider had been compromised or breached, the data would have remained secure. Secured data and conversations, even physically held, cannot be read. In the aforementioned scenario, the names (Donna, Rudy, Linda, Mark, Randy) could have been changed to the names of our cloud and email providers. The underlying premise still remains true.
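The Joe scenario above, together with the per-recipient keys and signatures described under "We" Need This, as an added Node.js sketch that is not part of the original article: one random file key encrypts the documents, that key is wrapped once for each recipient, and Joe signs the result. The algorithm choices (AES-256-GCM, RSA-OAEP, Ed25519), the function names and the sample document are assumptions of this example; the article names no tool or algorithm.

```javascript
const crypto = require('node:crypto');

// Encrypt under a random file key, wrap that key per recipient (RSA-OAEP), sign as sender.
function seal(doc, senderPrivate, recipientPublicKeys) {
  const fileKey = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', fileKey, iv);
  const body = Buffer.concat([iv, c.update(doc), c.final(), c.getAuthTag()]);
  const wrapped = recipientPublicKeys.map((pub) =>
    crypto.publicEncrypt({ key: pub, oaepHash: 'sha256' }, fileKey));
  return { body, wrapped, sig: crypto.sign(null, body, senderPrivate) };
}

// Verify the sender's signature first, then try each wrapped key with our private key.
function open(bundle, senderPublic, myPrivate) {
  const { body, wrapped, sig } = bundle;
  if (!crypto.verify(null, body, senderPublic, sig)) {
    throw new Error('bad signature: not from the sender, or altered in transit');
  }
  for (const w of wrapped) {
    try {
      const fileKey = crypto.privateDecrypt({ key: myPrivate, oaepHash: 'sha256' }, w);
      const d = crypto.createDecipheriv('aes-256-gcm', fileKey, body.subarray(0, 12));
      d.setAuthTag(body.subarray(body.length - 16));
      return Buffer.concat([d.update(body.subarray(12, body.length - 16)), d.final()]);
    } catch { /* this copy of the file key was wrapped for someone else */ }
  }
  throw new Error('no wrapped key opens with this private key');
}

// Constructed scenario: Joe seals for two recipients; a courier holding the stick also tries.
function joeScenario() {
  const rsaPair = () => crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const joe = crypto.generateKeyPairSync('ed25519');
  const [attorney, accountant, courier] = [rsaPair(), rsaPair(), rsaPair()];
  const usb = seal(Buffer.from('Living trust (constructed sample)'), joe.privateKey,
    [attorney.publicKey, accountant.publicKey]);
  const altered = { ...usb, body: Buffer.from(usb.body) };
  altered.body[20] ^= 1; // a single flipped bit in the stored ciphertext
  const attempt = (b, key) => {
    try { return open(b, joe.publicKey, key).toString(); } catch (e) { return 'ERROR: ' + e.message; }
  };
  return {
    attorney: attempt(usb, attorney.privateKey), accountant: attempt(usb, accountant.privateKey),
    courier: attempt(usb, courier.privateKey), alteredCopy: attempt(altered, attorney.privateKey),
  };
}

console.log(joeScenario());
```

The courier's failure is also what a stranger who finds a lost stick would get: without one of the two recipients' private keys, no wrapped copy of the file key opens.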