The European Parliament has passed the controversial new Swift agreement following intense debate aimed at dispelling worries about data protection. In fact, nothing much was changed, and the amount of data to be forwarded to US authorities involved in the “war of terrorism” remains mind-boggling.
Proponents of the new agreement point out that it at least gives Europeans a say in what data to release. A representative of Europol, the European Law Enforcement Organization, will be able to veto any request with doubtful legal grounding. But isn't that hopelessly old-fashioned? In fact, the entire process deserves to be scrutinized more closely. Here are some questions lawmakers and citizens should be asking:
- Is "search for terrorists" really the driving force behind this agreement?
- Why can't European data be evaluated in Europe?
- Why not filter the data according to predetermined (a task that just about any decent data warehouse system can perform quite well, thank you!)
- And above all: Why aren't the data encrypted before being sent across the Atlantic?
The last point highlights just how much room for improvement still remains. User-centric encryption is part and parcel of most modern systems for handling personal data, from the electronic health cards to cloud computing. This means that only legitimate recipients are able to read and work with the data. Technology for securely transmitting such data already exists - so why isn't it being used?
The Swift agreement is like most other cases involving huge masses of raw data: first they are collected and stored, then later maybe they are deleted - or not, but even so, odds are they have already been cloned and copied. After all, erasing digital data isn't as trivial as it may sound. The use of encryption mechanisms isn't exactly rocket science anymore, and it's use would mean the authorities could gather as much data as they want - without the consent of the data owner, no one could ever decipher them.
There is a lesson in here for CIOs since it demonstrates convincingly how necessary it is to formulate and follow a conclusive strategy when dealing with data, especially customer data. The need for such policies will grow as corporate IT continues to head for the cloud where a new type of security architecture is needed to protect sensitive or personal information as it becomes ubiquitous. The first step should be Information Rights Management, or IRM. As of today, IRM is only good for unstructured data such as PDFs and Office documents, to name just a few. It will have to be expanded to cover processing of massive amount of data. In this case, maybe the proper term should be "Data Rights Management".
For IRM (or DRM) to conquer the market standards must be developed and put in place. As long as every vendor insists on using his own proprietary format, the truly secure exchange of data is impossible. This leaves us with nothing but the "Swift solution", namely the legally sanctioned flow of unencrypted, uncontrolled personal data from one side of the Atlantic to the other.