by Daniel J. Solove
It sounds like a late April Fool’s joke, but it isn’t. Heartbleed, a security bug in OpenSSL, allows attackers to access personal data and encryption keys. The vulnerability has existed for more than two years, and there is no way to know whether your data has been compromised. And the majority of websites that use encryption rely on OpenSSL, including the most popular banking and retail sites. This is a security flaw of titanic proportions. According to CNN: “Researchers discovered the issue last week and published their findings on Monday, but said the problem has been present for more than two years, since March 2012. Any communications that took place over SSL in the past two years could have been subject to malicious eavesdropping.”
The implications of Heartbleed are enormous. It is hard to predict all the reverberations, but they will be huge. That we could wake up one day and discover that a majority of our most sensitive Internet activity has not been secure for the past two years and that we might never know what data has been compromised is quite a sobering reality.
There are, of course, good, bad, and ugly practices when it comes to data security. Being good at data security is still worthwhile. But what today’s news drives home is that even good data security can still be quite tenuous. It is akin to sailing the seas during treacherous times, with pirates and icebergs, where even the most unsinkable ships can go the way of the Titanic. This sobering news should make everyone think hard before collecting and storing highly sensitive data. We need to do it, of course, but as we start storing things like fingerprints, biometric identifiers, and genetic data, we should be aware that keeping them secure will be quite difficult. When sensitive, immutable data is compromised, the stakes are raised to another level: unlike a password, a fingerprint or a genome cannot be reissued.
Heartbleed should be taken as a heavy dose of humility and a realization that we have a long way to go until we can sail the online seas without significant peril and risk.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of training on privacy and security topics. This post was originally published on his blog at LinkedIn, where Solove is a “LinkedIn Influencer.” His blog has more than 600,000 followers.