There has been quite a bit of media coverage lately on digital vaults. Many of you have seen some of the press coverage. I predict that digital vaults will become much more prominent in the years to come. It is not at all obvious, however, whether that will be good or bad overall. I'll outline a few of the attendant risks below.
So that we're all both literally and figuratively on the same page, some definitions are in order. As I use the terms, digital vaults, digital crypts, and digital ossuaries are all digital repositories of data. Nothing is excluded as long as it can be represented as zeros and ones. But I make a distinction between vaults, crypts and ossuaries in terms of (a) the nature of their contents, (b) whether they're necessarily online, and (c) the purpose they serve. When I use the term "digital vault" I'm referring to online repositories with real-time accessibility. "Digital crypts," on the other hand, are online but are accessed only occasionally or in a limited way. Think of digital crypts as a vault at 110 baud with occasional modem faults. Finally, "digital ossuaries" are offline digital repositories used exclusively for archival purposes - kind of a mausoleum for bytes. These distinctions matter because each has a different business model and different implications for privacy and the law.
Let's dispense with digital ossuaries first, as they are the most traditional examples of digital repositories, dating back as far as the earliest removable storage devices. The first practical example of personal removable storage media with sufficient capacity to hold personal data was the Iomega Bernoulli Box in the 1980s. Many of you may recall Iomega's popular successor to the Bernoulli Box, the Zip drive, which followed about 10 years later. What made these storage devices useful was their capacity, approaching that of internal hard disks. For the first time it was possible to back up a large part of a hard drive onto removable media that could fit in a pocket.
The ossuary role of Zip drives was evident from the start. Many IT professionals began storing sensitive, personal, and private data on this media for offsite storage. In effect, these devices made it possible for individuals to achieve a level of secure storage that was previously available only to the enterprise. Offsite storage of personal data remains commonplace today, especially with the advent of R/W DVD technology. Two aspects of the original digital ossuaries made them relatively harmless: first, the media remained in the care, custody and control of the information owner, and second, the repository was not accessible from the Internet cloud. The importance of these two factors should not be overlooked.
As an aside, this technology illustrates the principle of "technological displacement." The Zip drive evolved into the Jaz drive just about the time that R/W CD and DVD technology took off. The result was that the Jaz drive died a quick death. The reason is an axiom that all IT professionals should hold dear: other things being equal, cheap and disposable media will always displace the more expensive and permanent.
We're familiar with vaults, if for no other reason than that our banks intentionally make them visible to us. We have come to expect a vault door looming large from virtually any vantage point in a bank lobby. I still remember seeing a bank vault for the first time. To a child this was an object of amazement - an enormous foot-thick, stainless steel door with huge 3-inch locking bolts and a giant spindle on the outside that opened into a thick-walled room of smaller doors. Even Superman couldn't break into that, I reckoned.
It didn't take the info-brats long to figure out that we could use these physical vaults to store our digital ossuaries - say by storing complete computer backups on removable media in safety deposit boxes or off-site safes. We can think of digital vaults as a variation on this theme. Digital vaults simplify storage because they avoid the trip to the bank or safe. I've been working with digital security for more years than I care to remember. I've seen all sorts of hacks, malware, scams, phishing and pharming, viruses, worms, etc. to the point where virtually nothing surprises me any more. From where I sit, the prospect of a digital vault doesn't give me that warm, fuzzy sense of security I had when I first saw the Superman-proof bank vault as a kid. To the contrary, when I think of a digital vault I think of the lockable piggy bank molded in pot metal in the shape of a potato that my dad gave me when I was 5. Even at that age, my first keyless "withdrawal" took me less than 10 seconds!
But digital vaults are here to stay. The business model is predicated on the assumption that since most of our personal data is now digital, there is no longer any need to store it on removable media and transport it to a secure location. Why not just deposit it in cyberspace? There are many parallels to this sort of technological disintermediation. Ten years ago, most duplication of recorded music resulted from "duping" CDs. Now, most duplication involves file transfer over the Internet. If you think about this phenomenon in the abstract, you can see why CD and DVD technology has to be on the way out: it just doesn't make sense to distribute digital information on physical media if you don't have to. CDs and DVDs will last for a while in applications with limited file sharing capability (e.g., cars, boats, trains, and airplanes), but their days are definitely numbered. I remember giving a talk on this topic to a group of business executives about 10 years ago. I predicted the demise of CD and DVD technology to a group that had yet to embrace them. Eyebrows raised, the audience heard me prophesy that removable entertainment media would be historical relics by 2020. Ten years later, I still hold to this prediction. CD and DVD sales will continue to set sales records during the next decade or two. Then they will gracefully drop out of sight like the 8-track tape.
There's a striking similarity between digital and physical vaults when it comes to securing the data. The dual-key paradigm applies here as well - one key in the hands of the owner and one in the hands of the custodian (aka the online service). Both keys are required for access. In terms of the online experience, the custodial key is the authenticated online session: the login and the protected channel that carries it. The owner's key is the encryption password that applies to the data itself. The two keys are only genuinely independent if the data is encrypted on the owner's side before it is uploaded; if the custodian does the encrypting, it holds both keys and the "dual-key" arrangement is a formality. Eventually, public-key encryption will be deployed much as it is in email, but in the near term custodial access will be through popular security protocols like SSH and SSL.
Though key distribution is handled similarly, there are some differences. Physical vaults are decidedly low-tech: unauthorized access is generally characterized by force, and it's practically impossible not to leave evidence of the intrusion. In contrast, digital vaults are high-tech: unauthorized access is generally characterized by finesse, and it is relatively easy not to leave evidence behind, because "clearing the tracks" is the last step of hacking. Digital vaults stand to physical vaults as digital ballot boxes stand to physical ballot boxes - the "digital" varieties are easier to use and, as a consequence, easier to abuse. That's why so many IT professionals have spoken out against the use of "paperless ballots"!
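The owner-side half of that dual-key arrangement, as an added example that is not part of this post and is not any vendor's code: a Go program that derives a key from the owner's passphrase with PBKDF2 (RFC 8018 with HMAC-SHA256, written out here so only the standard library is needed) and seals the data with AES-GCM before it leaves the owner's machine. The passphrase, the iteration count and the sample bank statement are assumed or constructed for the example. The custodian's key, the authenticated SSL or SSH session that gates access to the stored record, lies outside the program; what the program shows is that the record the custodian holds is useless without the owner's half, which is what makes a compromise of the custodian's servers survivable.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// VaultRecord is everything the custodian stores. It contains no key
// material that is usable without the owner's passphrase.
type VaultRecord struct {
	Salt       []byte // per-record salt for the passphrase KDF
	Nonce      []byte // AES-GCM nonce, fresh for every Seal
	Ciphertext []byte // AES-GCM output with the authentication tag appended
}

const (
	kdfIterations = 100000 // assumed work factor; raise it for a real deployment
	keyLen        = 32     // AES-256
	saltLen       = 16
)

// pbkdf2SHA256 is PBKDF2 (RFC 8018) with HMAC-SHA256 as the PRF.
func pbkdf2SHA256(password, salt []byte, iterations, length int) []byte {
	mac := hmac.New(sha256.New, password)
	var out []byte
	for block := uint32(1); len(out) < length; block++ {
		mac.Reset()
		mac.Write(salt)
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		mac.Write(idx[:])
		u := mac.Sum(nil)              // U_1 = PRF(P, S || INT(i))
		t := append([]byte(nil), u...) // T_i accumulates U_1 xor U_2 xor ...
		for i := 1; i < iterations; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil) // U_j = PRF(P, U_{j-1})
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:length]
}

// newGCM turns the owner's passphrase into an AES-GCM instance for one record.
func newGCM(passphrase string, salt []byte) (cipher.AEAD, error) {
	key := pbkdf2SHA256([]byte(passphrase), salt, kdfIterations, keyLen)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal runs on the owner's machine before anything is uploaded.
func Seal(passphrase string, plaintext []byte) (VaultRecord, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return VaultRecord{}, err
	}
	gcm, err := newGCM(passphrase, salt)
	if err != nil {
		return VaultRecord{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return VaultRecord{}, err
	}
	// The salt is bound in as associated data so a stored record cannot be
	// re-paired with a different salt without failing authentication.
	ct := gcm.Seal(nil, nonce, plaintext, salt)
	return VaultRecord{Salt: salt, Nonce: nonce, Ciphertext: ct}, nil
}

// Open reverses Seal. A wrong passphrase or any modification of the stored
// record fails the GCM tag check instead of yielding garbage.
func Open(passphrase string, rec VaultRecord) ([]byte, error) {
	gcm, err := newGCM(passphrase, rec.Salt)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, rec.Nonce, rec.Ciphertext, rec.Salt)
	if err != nil {
		return nil, errors.New("vault record rejected: wrong passphrase or tampered record")
	}
	return pt, nil
}

func main() {
	statement := []byte("2008-05 statement: closing balance 1234.56") // constructed sample
	rec, err := Seal("correct horse battery staple", statement)
	if err != nil {
		panic(err)
	}
	// This is all the custodian, or whoever dumps its database, ever sees.
	fmt.Printf("stored at custodian: salt=%x nonce=%x ct=%x\n", rec.Salt, rec.Nonce, rec.Ciphertext)
	pt, err := Open("correct horse battery staple", rec)
	fmt.Printf("owner opens: %q err=%v\n", pt, err)
	_, err = Open("custodian guess", rec)
	fmt.Printf("custodian alone: err=%v\n", err)
}
```

The caveat that matters in practice: with only the ciphertext and salt in hand, an attacker who has breached the custodian is reduced to guessing passphrases, so the strength of this scheme is the strength of the passphrase times the KDF work factor. A memory-hard KDF such as scrypt or Argon2 and a higher iteration count than the one assumed here raise that cost further; nothing in the custodian's possession shortcuts it.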
One example of a digital vault is Wells Fargo's vSafe. In May 2008 Wells Fargo announced their version of cyberstorage at rates ranging from $4.95 for 1 gigabyte to $14.95 for 6 gigabytes. Take a virtual tour of this service via their vSafe website at https://www.wellsfargo.com/jump/wellsfargovsafe/comingsoon. Google, Yahoo and Microsoft have also moved into this space, though their business model is ad-based rather than subscription. Within a year, expect every online service of any size to offer digital vaults, because the potential for ad revenue is considerable. Imagine accessing your archived bank statements when a pop-up appears emphasizing that the Bank of No Returns provides free checking. Eventually, the ad-based systems will dominate, just as they do in virtually every other online market. I would expect the financial companies to move quickly to a bundled-service model to add value to their other services. For-fee digital vaults will go the way of commercial web browsers.
This past year the Cleveland Clinic partnered with Google to store patient electronic personal health records in a product called Google Health (www.google.com/health). Google Health uses standard health-care data formats for data portability. Records that already conform to a clinical document architecture, as eCleveland Clinic MyChart records do, make uploading straightforward. Access to this information at present is limited to the Cleveland Clinic and their patients. The argument for this is that it will empower patients, limit costs and ensure portability, all of which is true. It is important to note that apparently no patient objected to this voluntary program! The reason for this lack of dissent is, in my view, a lack of understanding of just how serious the downstream privacy implications are. Microsoft also offers a similar service under the name HealthVault (www.healthvault.com).
I think this is pretty scary from a privacy point of view. Let me explain why I feel this way:
Sharing healthcare information with potential employers can lead to a pernicious form of healthcare discrimination. Needless to say, an employer's health care premiums will go down if it hires only healthy people - and since health care costs represent a large share of the benefits package, not employing less-healthy people provides a company with a competitive advantage. I see health-risk prospecting as a real threat to health care in the US.
As we know from the world of identity theft and financial fraud, once the digital toothpaste is out of the tube it's impossible to get it back in. If the custodian's servers get compromised, who's to say to what nefarious ends the attacker might put the information?
In my opinion, digital vaults represent the biggest threat to personal privacy since the misuse of the social security number. If something goes wrong with digital vaults in the healthcare industry, we could end up with a caste of healthcare untouchables in the US who can't access adequate healthcare and are unemployable. This is a trainwreck in the making.
Of course, there is a simple way to avoid the biggest part of the problem: legislate that the patient, alone, has any ownership claim to his or her healthcare records. This simple move would place enormous incentives on any proprietor of digital records storage to ensure their safe storage under HIPAA. With that one stroke, many - but not all - of my concerns would be addressed. By the way, Australia did this some years ago, so it can be done in western democracies *if* the public demands it. However, left to its own devices, the body politic will react to the pressure from lobbyists for the insurance and healthcare provider industries, who do not want the inconvenience of having to be accountable to the patient.
Society has always had a fascination with vaults. History records their widespread use in Pharaonic Egypt some 4,500 years ago in the form of the ancient pyramids. Bank robbers have figured out sundry ways to compromise them. The devious among us have relied on them for stealth. Vaults aren't good or bad in themselves; it's the use to which they're put, and the fact that they may give us a false sense of security, that we need to worry about. Take a look at the 24/7 Private Vaults website (24-7privatevaults.com), for example, and ask yourself who the prospective customer might be.
This is definitely a techno-trend worthy of eternal vigilance.