Information security (infosec) is very simple and very hard.
Infosec is simple: there are only three steps:
- Figure out how you are giving information to people.
- In each case, evaluate whether you want to do that.
- Stop giving information to people who you don’t want to have it.
Actual implementation of each of these steps is extremely difficult.
Suppose a customer calls you up on the phone and talks to you about their account. How are you giving information to people?
Obviously you are giving information to the customer.
Did you remember that you are giving information to your phone company? Calling number, called number, time started, duration of call. That’s not much information, but you’d probably like to keep it private. Telephone companies have a duty of care to keep that confidential… right? Sort of. They can give it to the government. They can use it in providing the service. And they can use it for any purpose that you consented to… and you consented to them using it for all sorts of thing, remember? It was a checkbox on the third page of the form that you signed up with six years ago. It said something about sharing. Sharing is good.
Also, the NSA is recording all of your calls. Don’t worry, machine transcription to text isn’t “listening” and letting them go through isn’t “intercepting” so the NSA will cheerily tell you that they are not intercepting or listening to your calls. Text is easier to search, anyway.
Your calls are recorded for quality assurance purposes… also as evidence in the possible lawsuit. If it’s entertaining enough, someone may copy it and share it.
If any part of your call passed through the Internet, anybody who had access to your data can reconstruct the phone call, Doesn’t matter if you encrypt it — taking the arrival times of the raw data is enough (pdf link).
I assure you we have not exhausted the possibilities of figuring out who has access to your phone calls. And that’s step one.
Then there’s email.
And file transfer.
And so on.