If You Have European Customers...
Written by: Doug Peckover
Founder at DT Labs, LLC
Introduced by Nicholas Meyler
In my effort to invent new ways to extend and expand the range of possibilities available to Executive Recruiters/Management Consultants, I am currently working on a fascinating project with Inventor Doug Peckover, who was awarded priority rights to the invention of “tokenization” security in 2005. Doug’s invention is now widely used (in various modified forms) throughout the secure payments industry, and companies like ApplePay, SamsungPay, GoogleWallet, etc. all use tokenization methodologies to prevent fraud and hacking.
The difference with the approach used by Doug Peckover is that he envisions a world where quantum computer hacking will be possible in the next ten years… meaning that ANY form of cryptological security will become obsolete due to vastly superior combinatorial computation power.
Doug’s 17 patents, which I am trying to find buyer(s) for, will protect against quantum computers as well as a multitude of other threats. I see my role in this effort as a logical extension of the duties of a Headhunter, in that it is not only candidates, but ultimately the Intellectual Property that they produce that is our most valuable stock-in-trade.
So, I encourage all readers (and especially anyone involved in the industry of IoT, Data Security, Cybersecurity, or Online Payment) to take a look at Doug’s article. Please contact me if you have further interest!
... Your world is about to change. In less than 20 months, on 25 May 2018, a new EU privacy law will begin to be enforced. It's called the General Data Protection Regulation (GDPR), and you should start preparing for it now.
The GDPR has tough new rules and even tougher enforcement, which you can read about in this excellent article by IBM's Monique Altheim. If you ignore the GDPR, your firm may be fined up to €20 million or 4% of its global annual turnover, whichever is higher. Doing business with EU customers will never be the same!
My interest in EU privacy came from two events:
- I designed the first in-store retail management system at Harrods of London and learned how privacy in Europe is much more than a compliance issue - it's a cultural expectation that is only now being enforced.
- The ChoicePoint data breach made it clear that many companies have no clue how to protect personal data.
I designed a solution and called it 'pointers'; seven months later the industry gave it another name: 'tokenization.' There are many legal GDPR questions, such as whether you are allowed to collect personal data in the first place. I focus on the tricky part - how the collected data must be stored, accessed, moved, and deleted. Data management will never be the same!
Here are some of the things that my design anticipated and will be required:
- Data security usually means encrypting it, but encryption alone is not a long-term solution. Emerging quantum computers put today's widely used public-key encryption at great risk (watch a few minutes of this video), and ciphertext copied today can be attacked years later. I anticipated this: a token is a random value with no mathematical relationship to the data it stands for, so there is nothing to crack even with infinite computing power - the secret is the mapping held in the vault, not a key. But be careful, because other token designs still rely on SSL/TLS for traffic to and from the token vault, which just moves the risk to the transport layer and the vault's access controls.
- Access, rectification, and erasure are a nightmare for most companies because personal data is copied into many locations. My design anticipated this by having the tokens in the various files point to a single copy in the central token vault. Accessing, changing, or erasing that one copy - and changing which apps may access it - greatly simplifies lifecycle data management, including compliance with the dreaded Right to be Forgotten. The precondition is discipline: application databases must hold only tokens, never cached copies of the plaintext.
- Cross-border data transfer restrictions mean that the rules get tougher when personal data moves outside the EU. Tokens make this easier because personal data is centrally located and does not move, while the de-identified records can be replicated and processed elsewhere. (The GDPR still treats pseudonymised data as personal data where the holder can re-identify it, so keep the vault in the EU and out of reach of the receiving party.) Personal data (name, contact info, etc.) is only needed occasionally, when the person has to be contacted, so this is much easier to manage.
- Breach response is tricky because breach detection is measured in weeks or even months, while the GDPR expects notification within 72 hours of becoming aware of a breach, so response times are already a problem. Tokens again anticipated this: personal data must be requested from the vault by an app, the requesting party must authenticate, and it must hold permission before the data is released. If the who, what, when, where, or why is invalid, the request is denied and logged, so a stolen copy of a tokenized database discloses no personal data, and the detection and response effort concentrates on the one system that matters: the vault.
- Data portability gives EU citizens the right to move their personal data from one company to another. Tokens again make this easy because a single copy of the data is stored in the token vault and can be exported or reassigned to another controller.
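The vault described in the five points above, as an added example that is not Doug Peckover's code or a DT Labs product: a random token with no relation to the data, a single copy in the vault, release only after the who/what/when/why check, erasure that kills every copy of the token at once, and de-identified records that can leave the vault's jurisdiction, alongside the contrast case of a token derived by hashing the data, which can be inverted by enumeration. Everything in it is assumed for illustration - the in-memory dict standing in for the vault, the (app, purpose, hour range) policy table, the `TokenVault`, `tokenize_record`, `hashed_token` and `invert_dob_token` names, and the constructed customer record.

```python
"""Minimal token vault illustrating the design sketched above (added example, not
Doug Peckover's or DT Labs' code).  Assumed, not from the article: a dict as the
vault, 128-bit CSPRNG tokens, and a policy table of (app, purpose) -> UTC hours."""
import hashlib
import secrets
from datetime import date, datetime, timedelta, timezone


class AccessDenied(Exception):
    """The who/what/when/why of a request failed the vault policy."""


class TokenVault:
    def __init__(self):
        self._entries = {}  # token -> {"value": str, "controller": str}
        self._policy = {}   # (app, purpose) -> range of allowed UTC hours
        self.audit = []     # every request, granted or denied

    def tokenize(self, value, controller):
        # Random token, not derived from the value: a stolen token says nothing
        # about the value, whatever computing power the thief has.
        token = secrets.token_hex(16)
        self._entries[token] = {"value": value, "controller": controller}
        return token

    def grant(self, app, purpose, hours):
        self._policy[(app, purpose)] = hours

    def detokenize(self, token, app, purpose, now=None):
        # Policy is checked at access time, so tightening it later protects
        # every record already tokenized.  Deny by default, log everything.
        now = now or datetime.now(timezone.utc)
        hours = self._policy.get((app, purpose))
        entry = self._entries.get(token)
        ok = entry is not None and hours is not None and now.hour in hours
        self.audit.append((now.isoformat(), app, purpose, token, ok))
        if not ok:
            raise AccessDenied(f"{app}/{purpose} denied at {now.isoformat()}")
        return entry["value"]

    def erase(self, token):
        # Right to erasure: one delete orphans every replicated copy of the token.
        self._entries.pop(token, None)


def tokenize_record(vault, record, pii_fields, controller):
    """Copy of record with PII fields replaced by tokens; it can be replicated or
    moved across borders because it holds nothing about the person."""
    out = dict(record)
    for field in pii_fields:
        out[field] = vault.tokenize(record[field], controller)
    return out


def hashed_token(value):
    """A 'token' derived from the value itself, the design that can be cracked:
    the mapping is a computation anyone can repeat, not a vault lookup."""
    return hashlib.sha256(value.encode()).hexdigest()


def invert_dob_token(token):
    """Brute-force a date-of-birth token by trying every date from 1920 to 2020
    (about 37,000 hashes).  Succeeds on hashed_token output, never on vault tokens."""
    day = date(1920, 1, 1)
    while day <= date(2020, 12, 31):
        if hashed_token(day.isoformat()) == token:
            return day.isoformat()
        day += timedelta(days=1)
    return None


# Constructed sample record, not a real customer.
CUSTOMER = {"id": 42, "name": "Anna Beispiel", "email": "anna@example.eu",
            "dob": "1984-03-17", "country": "DE", "plan": "premium"}
PII = ("name", "email", "dob")


def demo():
    vault = TokenVault()
    vault.grant("billing", "invoice", range(0, 24))   # any hour
    vault.grant("support", "callback", range(8, 18))  # business hours only
    rec = tokenize_record(vault, CUSTOMER, PII, controller="ShopEU")
    t = datetime(2018, 5, 25, 10, tzinfo=timezone.utc)

    def denied(token, app, purpose, when):
        try:
            vault.detokenize(token, app, purpose, now=when)
            return False
        except AccessDenied:
            return True

    email = vault.detokenize(rec["email"], "billing", "invoice", now=t)
    analytics_denied = denied(rec["email"], "analytics", "report", t)  # never granted
    after_hours_denied = denied(rec["email"], "support", "callback", t.replace(hour=22))
    vault.erase(rec["email"])  # one delete: every copy of this token is now dead
    erased = denied(rec["email"], "billing", "invoice", t)
    return {"email": email, "analytics_denied": analytics_denied,
            "after_hours_denied": after_hours_denied, "erased": erased,
            "deidentified": rec,
            "recovered_dob": invert_dob_token(hashed_token(CUSTOMER["dob"])),
            "random_not_recovered": invert_dob_token(rec["dob"]) is None,
            "audit_events": len(vault.audit)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it directly to print the results of demo(). The audit list records denied requests as well as granted ones, which is what makes the vault the single place to watch for breach detection; the hashed date-of-birth is recovered in a fraction of a second while the random token never is. A real deployment would put the vault behind a mutually authenticated channel and keep its store encrypted at rest, because that transport and that store are exactly the "moved risk" the first point warns about.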
There are parts of my design that are not required, at least for now:
- The Right to be Forgotten (also called the right to erasure) currently applies to search results, but the GDPR could be extended so that search engines like Google cannot scrape personal data in the first place. This means that EU citizens would require control of their data on unknown servers, including the cloud.
- Control of email after it has been sent is not part of the GDPR, but it is technically possible. Data Loss Prevention (DLP) can block personal data as it is being sent from a company, and there is already talk about DLP being mandated for email after a message has been sent.
- IoT device use is going to explode, and those devices will collect personal data (why else would Google pay $3.2 billion for a thermostat company?). This one is obvious: the GDPR will be extended to limit the data collected by IoT devices.
- Embedded forensics may be required to help alert about possible breaches, gather data about stolen devices, take pictures of the perpetrators, etc. It is technically possible, and the EU may require these security enhancements.
- Security that gets stronger seems like an obvious future requirement. The strength of encrypted data is fixed when the data is encrypted - the algorithm and key length of that day - and it only weakens as attacks improve. Token strength is decided when the data is accessed, so adding biometrics, GPS, or other checks to the vault's access policy makes token security stronger over time. We can expect the EU to mandate new ways to protect its citizens, and tokens allow such rules to be applied retroactively to data already stored.
Some firms like Google are fighting the new EU regulations, but they will fail because the EU has home-field advantage and will not budge from this popular way to protect its citizens. But the GDPR is about more than privacy - it is also a way for EU companies to level the playing field with U.S. companies. For this reason, we can expect the regulations and their enforcement to get even tougher for cloud data, mobile data, IoT devices, etc. We can also expect other countries to follow the EU's privacy lead, as they have in the past. Embracing the GDPR will help your firm protect its international markets.
The GDPR will push you way out of your comfort zone, but so will the threat of quantum computers, the lack of control over cloud data, and patent trolls looking for creative ways to extort you. The good news is that tokens help solve all of these problems, and yes, I've been granted patents that can help protect your firm.
Comments:
Applying Semiconductor Knowledge to Your Test Challenges | Training Technical Leaders Using a Skills Based Approach (8 years ago): Informative not just technically but gives insight into your own technical background.
Drew Flickema, Director, Growth & Strategy | Defense & Security at Guidehouse (8 years ago): Very good insight and provocative article on the future of security in our evolving information society... worth the read