The Panama Papers have the world’s full attention. The pundits conjecture that the Prime Minister of Iceland stepping down from power due to revealed financial improprieties is just the tip of the proverbial iceberg of a global financial scandal. Is this finally a case of a heroic insider at a legal firm shedding light on all of the improprieties that we have grown to hate? Are whistleblowers heroes? Are they hacktivists (activist hackers), determined to shine a light on corruption? Or are they just data thieves?
One outcome is sure. This massive data exposure has everyone in the data security industry questioning what types of information should be secure from exposure, regardless of the reason. As security experts, do we simply forget about privacy obligations because we feel like a particular company is involved in nefarious dealings—whether legal or not? Do we follow Apple’s moral lead and refuse to expose any private data regardless of consequences? Does turning over sensitive data to authorities set future legal precedent?
Far-Reaching Consequences to Exposing Private Data
I think this breach reveals much broader implications about how organizations are handling sensitive data. It is a slippery slope when an individual employee breaks confidentiality agreements just because they have an issue with a client and how they operate. Am I saying that the law firm involved with the Panama Papers was free from wrongdoing? Nothing could be farther from my mind. There are some really bad shenanigans going on with very far-reaching implications that will impact our global community for a considerable time. However, where do we draw the line in the digital sand on what information we keep private and what information we can legally – and morally – reveal? Do organizations operate on feelings or agreements?
Hackers vs Whistleblowers
I think the people involved with the Panama Papers are whistleblowers and not hackers. But are they heroes? There is a very clear difference between a hacker and a whistleblower. Whistleblowers make the concerted effort to reveal sensitive data no matter how many people will suffer – à la Snowden. When we see hacktivists such as Anonymous at work, they are infiltrating the Iranian nuclear program, taking down disgusting websites, and causing general mayhem to elicit social justice. That is a major difference in motive and context.
Is there actually a difference between data theft being the actions of a whistleblower versus a hacker? Those who decide to work at a law firm understand the ramifications of handling such sensitive data that could potentially be damning to its clients. This case will most certainly be damaging to the Panama Papers’ law firm’s clients, even though, if the information goes to court, it will probably be inadmissible. The vast majority of any company’s employees sign an agreement to not divulge any information no matter the situation. If we, as security professionals, decided to only secure the data we like, then we will not be in business for long. Granted, we never intentionally deal with illegal organizations, but as a tokenization provider, we do not know what data our clients are storing.
Data Security’s Dilemma
The Panama Papers are exposing the inner workings of law firms, governments, and corporations worldwide who are colluding to create offshore bank accounts for money laundering and tax evasion. Were people’s lives at risk? Were people dying? No and no. Was there some really bad stuff happening? Certainly. But when an employee uncovers these deeds, they need to be exposed through the proper legal channels. If data security is determined based on the way an organization operates or with whom they are affiliated, no data would be safe.
Security providers like TokenEx have contractual agreements with client organizations to protect all data at all times. If we were informed that a client was involved with criminal activity, would we reveal their sensitive data? We could not because we made a contract to protect it. In fact, the way we store and tokenize client data means that we have no visibility into its meaning—at all.
Apple Did the Right Thing
Look at the situation with Apple’s fight with the FBI over decrypting a crime-related iPhone. While they didn’t know what type of information existed on the device, their contract was to protect the owner’s data—no matter the legal ramifications. Apple stuck to their agreement when they could have unlocked the phone. When you make an agreement to protect sensitive data, that’s what you are bound to do. If you do not agree with the way an organization, government agency, or individual handles their business, then there is a legal chain of command for bringing it to light. Unfortunately, precedents get set when encrypted data is decrypted “just” one time. In this case, the Department of Justice wanted one killer’s iPhone unlocked to document terrorist behavior, but now they are demanding that Apple decrypt another iPhone of an accused drug dealer, and have a list of hundreds more. My, how quickly precedent takes shape.
Data Security is a Contractual Obligation, Not an Opinion
As data security professionals we are caretakers of our clients’ sensitive data. We have to approach all aspects of data security impartially. The legal and moral climate is ill-defined. Hackers of every ethical stripe constantly breach databases and steal personal, financial, and health data for hacktivist notoriety or monetary gain. Our job is to protect clients’ data. If we go down the equally slippery slope of determining which types of information we will keep private based on personal opinion, then we—as a security industry—are in serious trouble. Will the Courts, Congress, or Hackers decide for us? Stay tuned.