Behaviour analysis is a privacy-preserving technology

The positioning of privacy versus security with behavioural analysis is a false dichotomy, based on several misconceptions. You ought to be able to have both security and privacy. Indeed, behavioural analysis can enhance privacy, rather than threaten it. Here’s why.

Recently I spoke at the e-SIDES* Workshop in Brussels on Towards Value-Centric Big Data: Connect People, Processes and Technology. Essentially, the event was focused on the balance between big data and privacy concerns, between data utility and data privacy.
This issue is critical when it comes to security, and in fact security is the perfect exemplar for the debate. Do I collect personal data that can improve security outcomes, thereby risking privacy? It’s a dilemma that I encounter often, especially (but not solely) in countries with strict labour laws like Germany, Italy and Finland. Companies worry that data already gathered by security tools (log data, etc.) is intrusive and must be strictly controlled. Behavioural analysis of that data, and unstructured data like chat history, is a step too far.
I think this positioning of privacy versus security with behavioural analysis is a false dichotomy, based on several misconceptions. You ought to be able to have both security and privacy. Indeed, behavioural analysis can enhance privacy, rather than threaten it. Here’s why.
Firstly, some folks fret that collecting personal data breaks data protection laws, so it’s important to remember that collection of personal data for the purposes of security is a legitimate and lawful activity: see Recital 49 of GDPR. Of course, the rest of GDPR also applies, so any data gathered by security tools must be consistent with the principles of transparency, storage limitation, data minimisation, and so on.
Secondly, data gathered for security purposes must also comply with local labour laws, which again limits the scope and purpose of data collection to security-related interests. It can’t be used for other activities like performance monitoring and enforcing corporate use policies, unless it exposes the user or the company to security risk. This is easy to say but hard to enforce: how can a system determine whether a web site is banned for ethical reasons, or because it presents a security risk? And what if access to that site is required for research purposes, such as in the case of journalism or competitive analysis? These situations illustrate the value of behavioural analysis and risk adaptive security – flexibility of policy enforcement based on an individual’s business need and individualised risk factor.
Thirdly, the concern over privacy regarding security data is based on an overestimation of the security of data currently being gathered. Security data is already gathered, petabytes of it, stored in logs and SIEM and other places, which can lead to a false sense of security. Security data is often (ironically) stored insecurely, unencrypted without proper access control and privileged access monitoring. Logs are often accessed without proper access controls, or not looked at at all. Implementing behavioural analytics forces firms to increase controls on security data, and to ensure full governance of that data through, for example, pseudonymisation.
Worse, security data is often gathered without full transparency of its extent and purpose, and is shipped off-site for analysis in the cloud. This often breaks data protection policy without the enterprise being aware of it. Firms that deploy behavioural analytics also create a regime of data security, governance and control, improving security and privacy. Critically, they engage workers' councils and other stakeholders on the benefits of behaviour-based security and – importantly – what the data is not used for. Full auditability is a core feature, and privileged access can be monitored using the same technology.
Finally, many firms underestimate the risk to security from users causing harm, accidentally or otherwise. The majority of security incidents continue to be sourced back to user activity: phishing, compromised credentials or malicious insiders. Companies that remain oblivious to this, are wilfully ignorant, or stay in denial are exposed to increased risk that may threaten the very users they are supposed to be protecting.
Ultimately, this is a question of risk assessment. But companies need a better understanding of the risks linked to user behaviour, and also of the privacy benefits of behavioural analytics and strong data governance. Only then can a fully-informed risk assessment be conducted.
*e-SIDES (Ethical and Societal Implications of Data Science) is an EU-funded project that is intended to support other research projects to promote the concept of Responsible Research. In particular, e-SIDES is exploring privacy-preserving big data technologies and their societal and ethical implications.