Skip to main content

DATA PROTECTION AND THEFT

Both businesses and individuals have their own data that they do not want anyone else to know about, and they want to protect it. However, they also do not want to spend too much time for the transactions they will make using this data. The main handicap of these individuals and organizations, who live back and forth between information privacy and ease of transaction, is the approach that nothing will happen to me.

How meaningful is it to think that our identity number, which is asked for many transactions today, is confidential? In the buildings we enter, hospitals, hotspots, schools, banks and many other places, we hand in our ID card or enter this information ourselves. All of this information is recorded in systems and used. Even if we leave aside the question of how reliable the person collecting the information is, how protected are the systems where this data is recorded against information theft? Today, there is almost no person who does not leave their ID card in a safe place when entering an ordinary business center. However, all the information on the card can be easily entered, photographed or copied while you are visiting (minimum 30 minutes).

There is no concept of data privacy anymore. Every data is accessible by someone called authorized. Considering that these authorities cannot remain authorized for life, the data is actually open to access by the unauthorized of the future. As in the recent example of voter data being made available on the internet, there will always be someone who is ready to share the information they have accessed in an authorized capacity without authorization. Information theft caused by those with insider access to information constitutes the vast majority of total information theft. Considering this situation, we can clearly say that every digitized information is no longer private. If you have data that you want to keep private, the only way to hide it is to keep it away from the digital world. The sentence “I only uploaded it to my machine” is an innocent self-deception. Every machine that can access the outside world is a potential data flow gate and is ready to share its contents with authorized or unauthorized persons.

Of course, internal users are not the only source of data theft. If that were the case, our job would be a little easier. Stealing data using information technology is also an increasingly common method. Many global scandals have a story of data theft or leakage. Investments in security cannot prevent these flows. If information is valuable enough, there is a way to access it. Just because a leak is not publicly known does not mean it does not exist. The software you use for protection can be the main actor in the theft, like Hasan Sabbah’s men, the close bodyguard who holds a gun to the vizier’s neck when the order comes.

It should also be noted that you don’t need to be an IT expert or have terrible vulnerabilities in the opposing systems to get the information. For example, there is an application called name by number. When you query random phone numbers, the information of the owner of that number is listed. With simple software, you can download the entire data of a telecom company in a few weeks. Similarly, what kind of privacy can you talk about when you learn the identity of the caller with a software installed on a cell phone and make all the information in your own contacts publicly available?

Today, a new actor has emerged for this scope! You voluntarily give the data with your own hands. Like a hypnotized person disclosing all their secrets; under the name of campaigns, social media, membership, etc., people upload the data they are afraid of being stolen to the systems with their own hands. This data is stored somewhere and used when needed. People do not hesitate to share all their data for an ordinary fuel campaign. A loyalty application not only accesses the data of hundreds of thousands of people with promises of discounts, but also has the privilege of using it with permission.

If a data really needs to remain confidential, different approaches need to be taken. It is very important that the people authorized to access it are trustworthy. Without this, all other steps become a meaningless endeavor. Meeting this condition can only be the first step. Trustworthiness does not preclude an audit. While a lot of confidential information is hidden from the team players working on the project, it is easily accessible to people called IT officers who are not even part of the project. Ironically, this is a common practice. All e-mails of a general manager can be easily read and archived by these people. What security can we talk about if an e-mail sent to the general manager can be forwarded to another e-mail with a very simple command? If the recent requests of many authorized persons to communicate via a generic e-mail address is not the product of this fear, what is it? If we want to talk about real security, we need to build systems that even the authorities cannot access. We need to build systems that prevent the formation of a whole without bringing many people together. While doing this, we should also be careful about the ownership of the devices you use. You may be happy thinking that the systems you will build with operating systems, security software, application software, encryption software whose source codes you cannot question are secure, but this will only comfort you, it will never provide real security.

If we are talking about security, especially in state-related systems, structures such as domestic software, domestic or open source operating systems, domestic passwords, etc. should be established in which you control all parts of the whole. Otherwise, you are leaving all your assets at the mercy of someone else. Panama Leaks showed that security cannot be ensured by installing expensive systems. Therefore, a road map should be determined for the software to be prepared for systems that require security, and systems whose source codes can be accessed by domestic software companies should be created. The first step must be the operating system. With a sustainable model, a modern operating system that is integrated with the world should be developed and kept up-to-date. Supporting an open source system for this purpose will provide both fast and sustainable results. Of course, this step alone is not enough. Internal attacks should also be taken into account, work should be carried out in differentiated layers and the formation of systems that can be completely dominated by organized minorities should be prevented. Systems must be kept under control through independent auditing and constant questioning. For this purpose, white hackers should consciously work on system vulnerabilities. It should be ensured that this team is completely independent and their audits should not be neglected with the necessary audit mechanisms.

Let’s talk about personal data. Talking about privacy in an age where personal data is shared in a rude manner is really a big dream. First of all, individuals should be made aware and not share their personal data in public. In addition, security algorithms used in personal transactions should be reviewed. The miraculous invention of the mother’s maiden name should be abandoned! Interactive methods such as password transmission to cell phones should be emphasized. Since we cannot stop people from conducting their transactions online, we should focus on ensuring that these transactions are secure. Let’s not forget that at every stage our risks will continue and we will have to accept some of them. However, it is up to us to continuously improve systems.

Another topic that should be on our agenda is the storage of private data that individuals do not use during transactions. We need a change in approach to data that should and can remain confidential, such as health, personal life, private documents and pictures. The areas where such data is stored need to be protected physically and in terms of interfaces. We need more radical approaches, such as the computer where a doctor keeps patient records being completely closed to internet access. Of course, no approach is a solution if the doctor is malicious, but the fact that the majority respect their work cannot be ignored. We can also talk about special measures such as isolating the machine where you keep your family albums from the internet. It is important to remember that all data on an accessible device is at risk. If you don’t protect yourself, no one else can protect you.

Finally, another issue that needs to be emphasized is the approach to transactions based on personal data. Approaches that assume that all transactions made using personal information that can somehow be obtained are made by the person concerned should be abandoned. In all transactions where it is not confirmed who made the transaction, the party who made the transaction should be considered responsible. A fixed four-digit password should not be used to assign this responsibility to the user. Each system owner must protect its users against risks and take responsibility for malicious use.

It is an indisputable fact that we will experience serious traumas if we cannot produce new social and legal reflexes against the theft approach we have just met in the internet age. Approaches that run away from technology are not realistic here. If we abandon the steps taken by showing unnecessary courage, we can turn the internet age into an engine of development.