A few words from Agical

From Big to Small Data - Security AND privacy, is it possible?

I often hear from people working with security that we can’t have both security and privacy. That we have to sacrifice privacy in order to prevent crimes. That law enforcement needs our private data and that our devices at home and in transport need to be “secured” by gathering data about every small action we do.

This is simply not true.

I have learned, by working with the DNS TAPIR team and development, that there are ways of doing both. We just need to shift our mindset when working with data and security solutions.

It’s a bit more of a challenge but it is for sure possible, and worthwhile.

The more connected our society and our daily lives are, the higher the risk of cyber attacks with severe consequences in our homes, cars and businesses. Attacks can be conducted by hostile governments, scammers, robbers or ex-boyfriends/girlfriends who want to make our lives miserable.

There are many strong initiatives to implement security solutions in our digital devices and systems: at work, at home, in our Internet connections, social media platforms and banking systems, to mention some.

In the project Robust DNS we are working to discover threats in DNS data (your Internet queries), for instance to indicate botnets and malware. Instead of storing and analyzing massive amounts of data, the approach in the TAPIR software is to minimize the data: to store and look at only the least amount of data possible. We aggregate and pseudonymize the data, encrypt it and, most important of all, reduce it. Some call it Small Data.

If you avoid collecting data at all, you have very little risk of doing bad things, leaking data by mistake or violating laws like GDPR. That’s the idea: “You can’t lose data that you don’t have.”

To do any analytics, you need data to work with, but the guiding principle is - have less.
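
A sketch of the aggregate, pseudonymize and reduce idea described above, as an added example that is not DNS TAPIR's code or design. The record layout, the per-window HMAC key and the minimum-clients threshold are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed sample: (client IP, queried name) pairs as a resolver might see them.
SAMPLE_QUERIES = [
    ("192.0.2.10", "www.example.com."),
    ("192.0.2.11", "www.example.com."),
    ("192.0.2.12", "WWW.example.com."),
    ("192.0.2.10", "cdn.example.net."),
    ("192.0.2.11", "cdn.example.net."),
    ("192.0.2.12", "cdn.example.net."),
    ("192.0.2.10", "cdn.example.net."),
    ("192.0.2.13", "rare-personal-site.example.org."),
]


def pseudonymize(client_ip: str, window_key: bytes) -> bytes:
    """Keyed hash of the client address; unlinkable once window_key is discarded."""
    return hmac.new(window_key, client_ip.encode(), hashlib.sha256).digest()


def minimize(queries, min_clients=3, window_key=None):
    """Reduce one time window of queries to per-domain aggregates.

    Returns {domain: (query_count, distinct_client_count)} and keeps only
    domains seen from at least min_clients distinct clients (assumed
    threshold), so a name that only one or two clients looked up never
    leaves this function.
    """
    key = window_key or secrets.token_bytes(32)  # fresh key per window
    counts = defaultdict(int)
    clients = defaultdict(set)
    for client_ip, qname in queries:
        domain = qname.rstrip(".").lower()  # DNS names are case-insensitive
        counts[domain] += 1
        clients[domain].add(pseudonymize(client_ip, key))
    # Only counts are returned; pseudonyms and the key go out of scope here.
    return {
        d: (counts[d], len(clients[d]))
        for d in counts
        if len(clients[d]) >= min_clients
    }


if __name__ == "__main__":
    for domain, (n, c) in sorted(minimize(SAMPLE_QUERIES).items()):
        print(f"{domain}: {n} queries from {c} clients")
```

The stored result contains no client addresses and no per-client query history, only per-domain counts for names that enough distinct clients asked for.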

Big Data has been a big trend for quite some time. From my experience in data organizations, this means “Gather as much data as you can about everything, no matter if you have a use case or not. It might be useful. Just don’t break any obvious laws when you do it.”

It’s time for all of us, data experts or not, to review this approach. Do we really need to collect and store so much data? When a lot of data is gathered and stored, a lot of possibilities also open up for intrusion. Apart from obvious PII (Personally Identifiable Information), there is also data such as recordings from a car, photos from a chat, access to a parking space or gym, clicks on a media site or purchases in a grocery store. This data can be extracted, analyzed and correlated to do harm to someone.

This data can be used to find and connect people with certain actions, interests or political standpoints, by evil governments, fraud criminals or other kinds of abusers.

What other options are there to achieve security or business goals? To discover and prevent attacks and fraud, or to improve our products & services and understand our customer?

Do we really need to know every trace and detail about every individual in order to do that?

When developing the DNS TAPIR platform we have the approach that we don’t need to know or store everything about individuals, their IP addresses and DNS queries. This differs from many popular solutions for DNS security which try to solve the same problem as ours.

We constantly ask the question “How can we store and look at as little specific data as possible and still make it useful for our goals?” I hadn’t really heard that question so often before joining the TAPIR team.

If you are working with customer analytics or on a security project involving data that possibly could be used to know things about an individual, Big Data isn’t the only way.

Do you want to be the one who introduced data storage that leaked something about a person and tore that person’s life to pieces? Or just made that person’s life more troublesome or poor? Whether it concerns political issues, insurance, health, job applications, dating or something else.

Pieces of data from pictures and sounds, from restaurants, doorways, kitchens and parking lots, rentals or shopping can be used to map out a person’s life and movements, by actors to whom we haven’t given consent.

I believe that we who are working with this data, whether as business owners, developers, analysts or designers, are responsible for the consequences of the data gathering. Since it’s very difficult to have an overview of these consequences, we should start working with small data, rather than big data, when it comes to people.

If you’d like to know more about how DNS TAPIR is set up to function with both security and privacy, just ping me or info@dnstapir.se and you’ll get an invitation to our next demo, news about the open source project or a chat with us.

We’re also open to anyone who offers to examine and test our ideas and implementations of a privacy-concerned DNS resolver system for analytics.

(image: freepik.com)