On 5 July, The Mail newspaper of the UK reported that the wife of the new chief of the British MI6 spy agency, John Sawers, who is to take charge of the secret intelligence service in November, posted his personal details on social network site Facebook, including pictures of the family, locations of home, vacation home and where they work.
She had not used privacy settings available on Facebook and, as a result, the information was available to any of the 200 million users of the social networking website across the world. The entries were removed after this was brought to the notice of the foreign office. Already, a British member of Parliament, Vince Cable, has called for a review into whether Sawers should be allowed to serve as the next head of MI6, because his personal security may have been breached.
Whether this is a security breach that warrants such an action or not, it certainly is hugely embarrassing for the government. Many UK citizens want the MI6 to face a government inquiry about the data being posted online, in the hope that this would prevent a similar incident from taking place again in the future.
UK diplomats and civil servants were expected to be warned in a new circular later that week about the danger of putting details of their family and career on social networking websites.
Odd pattern: Some social networking websites. Though paranoid about privacy, people innocently upload personal details on such sites.
What is social networking? How does it impact the security of organizations and the privacy of individuals? The past few years have seen the emergence of social websites such as Orkut, Facebook and MySpace. People love to connect with one another, make friends, chat, publish pictures of family and friends. They even post personal information for viewing by others.
They can choose to keep such information secret, share it among their closed group of trusted friends, or make it public. However, these options, though available on social websites, are not fully understood by common users, as is obvious from the case of Sawers’ wife. But the consequences of ignorance or callousness can be serious.
Behavioural patterns are quite disturbing, though. On the one hand, citizens are paranoid about their privacy—they want and expect protection of all their personal identifiers: name, address, mobile number, credit card details, PAN (permanent account number), passport number, social security number, etc. On the other hand, they reveal all their personal information quite innocently and voluntarily on such sites to unknown people.
Information shared by people gets stored on the websites’ servers located anywhere in the world.
One does not know where the servers of Facebook or Orkut are located. Where are their back-up centres, their business continuity management servers?
The personal information that we so zealously guard and protect within our four walls, or our perimeter, so to say, is now out there in the open or in the cloud, as it is commonly called, on the servers of all such websites.
Which privacy laws are applicable in these cases? While all these sites must be taking adequate security measures, cloud computing (in which information and resources can be stored and accessed from afar over the Internet) does pose major security risks, even as its promoters such as Google Inc., Facebook, and MySpace try to assure the world that it is safe.
Of course, there have been numerous incidents in the recent past when intruders have been able to gain access to some of the information, resulting in compromise of millions of records.
In India recently, the Armed Forces issued an advisory asking their employees not to use social networking sites. As technology marches on, such orders or circulars, whether British or Indian, will not be able to curb people's new behavioural patterns of interacting in new forms.
There is no substitute for awareness creation, education and training of users, not as a one-time exercise but as a continuous way of mitigating the risks associated with technology adoption.
Kamlesh Bajaj is chief executive officer, Data Security Council of India—a Nasscom initiative. He was the founder-director of CERT-In, government of India. Respond to this column at email@example.com