Craig Mundie is Microsoft’s senior advisor to the CEO, spending his time on big-picture stuff such as (according to his bio) “key strategic projects within the company, as well as with government and business leaders around the world on technology strategy, policy, and regulation.” At the EmTech MIT conference on Thursday, Mundie leveraged his expertise in policy and regulation as it pertains to issues of cybersecurity and personal identity.
Mundie recounted the initial privacy uproar that occurred when credit cards first became available: People were worried that banks could track their credit card purchases, which was true, but ultimately decided that giving up access to this data was worth the tradeoff of convenience and having access to credit. People could control the collection and retention of their data on a simpler level — get a credit card or don’t — which has been one of the basic tenets of the data-collection model for the past 30 years. But Mundie said he thinks “it’s now failing in a gargantuan way.”
When asked why, Mundie responded, “Because there’s just too much data being collected in too many ways. And most of it now is from things where you don’t feel like you had a specific role in the transaction.”
Mundie continued, “I think now it’s just you’re being observed. Whether it’s for commercial purposes or other activities, I don’t think it’s possible anymore to decide to control things by controlling the collection and retention of the data. That’s been what we’ve done, legally, in this country and elsewhere, and I think that’s run its course and we have to move to a new model.”
In other words, instead of trying to opt out of everything that could possibly track you, let’s all just accept that a lot of data’s being constantly collected about us and instead regulate how the data is used. The cat’s out of the bag; the toothpaste is out of the tube.
Mundie contends that most people don’t care so much that data’s being collected about them; they care more about how the data is used. So instead of trying to regulate the collection of data, we should be trying to regulate the usage of data.
“I think we’re going to have to have a usage-based way of controlling this now,” said Mundie. “And one way to think about doing that is to put cryptographic wrappers and metadata around these things that control the uses of data. To do that, we have to perfect identity to a degree that we haven’t in the past and we have to make sure that the incentives for comporting with those rules are there. And that’s where the law comes in.”
That’s easier said than done. We’d each basically have to have a universal profile of ourselves protected in a way such that no identifying information about us gets revealed and that can’t be assumed by someone trying to steal our identities. It’s like DRM for our data, as Mundie would later explain.
Mundie’s references to cryptographic wrappers, metadata and perfecting identity are currently three pretty big hills to climb. Assuming we could get those three things worked out, though, we’d then be able to turn to regulating how our data could be used. When asked what the policy regime would look like, Mundie offered the following: “In the simplest terms, what you want to say is that there are substantial legal penalties for anyone who would essentially violate the rules that are defined in the metadata.”
Mundie continued, “Personally, I would make it a felony. Because without that, the penalties are too low to deter people. What you really want to do if you want society to generally move in this direction is to make it a really serious crime for people to subvert those mechanisms.”
Other topics covered in Mundie’s talk included the notion that apps should tell you what they’re doing with your data instead of just telling you they’re collecting your data, the taxonomy of cybersecurity, the implications of government surveillance, and how, as a society, we’ll eventually have to grapple with letting people opt out of certain things but not opt out of others.