JP Rangaswami, in a delightful read, muses on Drucker's quote "people make shoes, not money" and how information has no value until it informs a decision. Our institutions value sharing, cooperation and trust -- but create cultures of hoarding for advantage and control out of fear. Perhaps this is because we haven't learned to manage when information wants to be free. JP notes that "Information is changing. And it is becoming more valuable to us all by becoming less valuable to any one of us."
But this excerpt sparked a thought:
Take a completely different perspective on all this. Privacy. Why does someone worry about who has access to his medical records? Not because the records themselves have value. But because someone can misuse them. Because, for example, someone can refuse to insure, or raise premiums for, some hitherto undeclared medical condition. Or even worse, for some future projected medical condition, projected as a result of discovered habits.
It’s not about the information, it’s about what you do with it.
Privacy and security paradigms focus on controlling the flow of information. I wonder not only if this is possible, but if it's the right focus. Information precedes action. Now I'm no Bruce Schneier, but perhaps the security industry should be focused more on controlling action than information.
I recall a panel on Data at Large at PC Forum, way back in 2003. Jeff Jonas from SRD shared how they were at the frontier of using social network analysis for security in casinos. In hallway conversation, Gilman Louie, then with In-Q-Tel, clarified an interesting tension around homeland security and civil liberties. In a top-down manner you could data mine communications for patterns and profiles to discover threats. Or, from the bottom-up, you could work with a lead to reveal a graph of conspiracy. The latter is much closer to traditional intelligence or the practice of private investors, just with new tools. And with less risk of infringing upon civil liberties.
I recall when we introduced wikis into a bank in London where JP was the CIO. The compliance officer's initial reaction was to demand that he approve every edit before it was posted. Of course we could have developed that feature, and the attempt to control would prevent any collaboration whatsoever. But we showed him the audit trail inherent in a wiki, revision history where you can see who did what at what time. We gave him some smart search feeds for basic monitoring. If someone did something inappropriate, he could prosecute the lead and potentially fire them.
Perhaps the need-to-know basis has less of a basis than we believe. Perhaps there is an opportunity for security systems to be more effective as a whole system when they focus on what people do with information instead of controlling its flow.