I was inspired by a Westminster eForum event entitled Missing Discs and Mislaid Laptops to write this article.
Why is it that disks, data and laptops appear to go missing with alarming frequency (although, as I say in another article, this appears to have abated recently)? Is it that there is a general lack of understanding about the nature of digital data, and how it is fundamentally different from the old paper-based approach?
You may find it useful to discuss the points made in this article with your students.
We may live in the digital age physically, but mentally many people still exist in the pre-internet era. I say “still”, but this applies as much to children and young people, the so-called “digital natives”, as the rest of us. What I am referring to is the tendency to treat digitised data as merely a more convenient form of paper data. It is this failure to grasp the reality of computerised data that, in my view, underlies the alarming tendency for laptops to be left lying around and disks to be sent through the post. What it comes down to is a lack of understanding, and therefore a lack of respect.
Although people and organisations are often implored, rightly, to make backups of their data in case it is lost or deleted, there is, perhaps, not enough emphasis on the other side of the coin. That is to say, the longevity of data. Incidentally, this is a key issue to try to get across to (young) people in terms of their conduct online, especially in social networking communities. Consider the following five points.
1. Once data is computerised, the cost of duplicating it is pretty much zero, and it is easy to do. I recently read a novel in which someone unearthed sensitive documents from the WW2 era and destroyed them in order to protect people. The possibility of solving the problem in that way may or may not have been viable when the book was written; it is certainly not viable now.
2. Once data is computerised, it can be copied and copied and copied with no loss of quality. It’s not like photocopying, where after making copies of copies a certain number of times it becomes unreadable.
3. Once data is computerised, it can be spread around the world in seconds. Ask anyone who has lost their job or their reputation because of ill-advisedly sending a risqué joke to their friends by email.
4. Once something has been posted to the web, it cannot be unposted. Even if web pages are deleted, archives of them exist on the internet. You can take down a photo you have posted – but someone may have already downloaded it to their own computer and be thinking about sending it to others.
5. Encrypted data may not be as secure as you think.
When you consider these points, it becomes clear that committing data to disk, and then disseminating that information, are not trivial decisions. Organisations (and individuals) need to ask the following three questions before doing so:
1. Do we need this data, in this form? Here is a good example of this way of thinking. Because of the drive to have joined-up databases in the area of children’s services in the UK, it is often taken as read that certain data have to be available to all the professionals concerned with an individual child’s welfare. That is not necessarily true. The goal might be achieved by having a system of flags in the data, i.e. notes which say things like “Contact the child’s doctor about this”.
2. Have we taken basic precautionary steps to keep data safe? That means giving different people access levels according to their professional needs, as opposed to their level of seniority; making it mandatory for computers to be password-locked when people leave their desks momentarily; making it harder to pass the data on than it is to not do so.
3. What would be the cost, in terms of reputation and litigation, if we get it wrong?
Some of the issues involved can be solved by technical means, such as encryption and other security measures. But on the whole what is needed is a completely different way of looking at computerised data: a different mindset entirely.
I once wrote, somewhat flippantly but not entirely jokingly, that if you live in the UK and pick up a newspaper on any particular day there is almost certain to be yet another news report about a government laptop going missing. The very next day another of those articles appeared. My perception is that things have improved since then, but that could be because little has occurred for a while on a large enough scale, or frequently enough, to warrant the attention of the mass media.
The sorts of disaster I'm talking about include the occasion when it was reported that the UK's tax website had to be closed temporarily because:
"a memory stick containing confidential pass codes to the system was found in a pub car park."
That was repeated a few months later, along with another article stating that according to official figures, one official is disciplined over data loss every day. And if that's the "official" figure, there is no doubt in my mind that the actual figure is higher. I wonder what it is when you take into account private companies "losing" data, or Local Authorities "losing" data?
I've even attended a seminar on the subject of missing data and laptops, where a number of experts gave talks on the problem. But it seems to me that the problem could actually be solved very quickly by changing the way we think about data.
One of the aspects of many ICT courses is the effects of IT on society. Perhaps this opinion piece (which, as you will see, is backed up by facts and figures) might be used as the starting point for a debate and other work on the subject.
For those outside the UK who may not have heard about this phenomenon, these seem to be the common features of these cases.
1. Someone, for reasons best known to themselves, leaves their place of work with a laptop or memory stick containing the personal details of thousands -- or in one case, 25 million -- people.
2. They leave the laptop or USB stick on a train, on the back seat of a car or in some other equally safe place.
3. Someone discovers it and reports it to the authorities or the press.
4. There's a press release assuring us that the data was encrypted, but they've changed everything anyway, so there is no need for anyone to worry.
5. The person who lost the item is reprimanded or fired.
6. There's a lot of wringing of hands, promises of internal inquiries and so on.
7. It all goes quiet as the media focus on the next organisation to lose a load of data.
To my mind, there is something wrong with the word "loss" in this context. I'm not sure exactly what the right word would be, but I think of it in much the same way as road accidents. Traffic "accidents" tend not to be called "accidents" these days, because most of them are caused by human error. The word "accident" conveys a sense of "not my fault", when actually most road crashes are someone's fault, as opposed to, say, mechanical failures or acts of God.
In the same way, losing thousands of people's details is not simply accidental, as the term "loss" implies. To leave a laptop lying around or to lose a memory stick in the street surely suggests a lack of attention. We all lose stuff -- I'm always putting things down and then retracing my steps mentally to work out what I did with them -- but I can assure you that when I leave the house with something really valuable, like my passport, I go to absurd lengths to prevent losing it, such as using a bulldog clip to attach it to the inside of my pocket. Or, despite wearing a jacket with zipped pockets, I check that it's still there every 5 minutes.
Why do people feel the need to take such huge amounts of data away from the office in the first place? I've been working now for nearly 35 years, and in all that time I have never taken home the kind of data that seems to go missing virtually all the time now in the UK. If I did take data home, it consisted of pupils' names and their exam grades. School registers, which contained pupils' names and addresses and phone numbers, were never allowed off the premises.
These days, if people have to work from home, they should be able to access the data they need over a secure internet or extranet arrangement. I just don't see why there should ever be a need to physically remove the data from the place of work.
What to do about it?
Health and safety
As long as people continue to think of data loss as losing "data", there is never going to be a real appreciation of the possible consequences of the data loss in human terms. There have been cases of armed forces personnel details going AWOL, fugitive criminals' details, financial records going missing. See this article for a summary of this pretty bleak picture as it stood in August 2008, and then this article for more examples from the first few months of 2009. Just last month someone walked into a council office and walked out again carrying a laptop containing over 14,000 people's names and other details.
So surely the first thing we should do is redefine data loss as a health and safety hazard? According to a report last year into identity theft:
"More than 49% of the respondents reported stressed family life, 22% felt betrayed by unsupportive family members and friends, and 23% said their family didn't understand.
The strongest feelings expressed were: rage or anger, betrayal, unprotected by police, personal financial fears, sense of powerlessness, sense they were grieving, annoyed, frustrated, exhausted, sleep disturbances, an inability to trust people, and the desire to give up and stop fighting the system. ITRC long term emotional responses included: 8% felt suicidal (my emphasis), 19% feeling captive, 29% ready to give up and 10% felt that they have lost everything."
When we discuss e-safety with kids we talk about the need to keep their identity secret from strangers. There's an inconsistency if we fail to regard the losing of data, which could clearly lead to identity theft on a massive scale, as a health and safety issue too.
Now, if a company was poisoning its employees or the local populace with toxic waste or a contaminated water supply, they would risk being fined. The directors could even find themselves arrested on a charge of corporate manslaughter. I wonder what effect it would have on data loss if employees and their managers knew that if a memory stick ended up in a rubbish tip or whatever they could end up facing years in prison?
Learning from schools
Schools in the UK are subject to inspection every so often, and are also obliged to undertake self-evaluation. Why shouldn't companies have to do the same, and be expected to show high standards, and improvement over time, on a range of criteria, including data security?
Learning from photo libraries
If you're in the media business in the UK, and you need to hire photographic transparencies from a photo library, don't lose or damage them. Why not? Because you're likely to be fined between 400 GBP (630 USD) and 600 GBP (945 USD) for each one.
What if, applying this principle, companies or government departments were fined for each unit of data they lost? Even if only £1 per item was levied, losing 25 million names would be a costly business. Or do we as a nation think that in principle photos have more value than people?
Over to you
What do you (or your students) think of my suggestions?
This is an updated version of an article which appeared in 2008.