IT and DevOps Preface
A little about myself – I’m the Director of DevOps at SpireDigital. I’ve previously worked with a wide range of companies, from small startups to Fortune 500s like Apple, Microsoft and Ford MC. Like many professionals in my field, I’ve honed various skills over the years and look forward to sharing my experiences with those who seek them.
There is a new trend, though small at the moment, where IT professionals have a duty or responsibility to the public at a scale never seen before. It’s called data security and management. Our data faces many threats every day. There are many schools of thought on what is considered acceptable privacy, but the fact is, it is an issue.
One of the biggest hurdles to face as IT decision-makers is deciding whether you accept the moral implications of your decisions. When people think policy, they think politicians, but corporate policy can have just as great an effect on our lives, if not more so in some cases.
I want to make you aware of some of them.
This is a huge one, so I’ll start here. This is a problem that stems back to a problem of consent, which was first introduced in the world of computing in the forms of “Terms and conditions,” “Acceptable use policies,” and other names for essentially binding documents that indemnify the doings of the company and generally strip some of your rights. Don’t overthink it; the problem isn’t inherently companies here, or the TOS itself. It is our desire for instant gratification. We see the pop-up, we can’t be bothered to interrupt what we were doing to actually sit and read through an indiscriminately long term of service, so we hit accept and don’t worry about it.
The PROBLEM with this is that you’re likely also volunteering your data over to the company, and while one side may say it is data used for providing better services and more functions for your application, another may say you’re giving up your info to the highest bidder. The fact is, you are more than likely relinquishing more information about yourself than you realize.
One great example is Google Maps – many people were shocked to find that Google keeps a complete location history of your travels. This is data used to improve certain services, such as letting you know a store you want to visit is nearby or your most-used work commute is backed up with heavy traffic. Useful; however, if someone with a badge came to the door and immediately asked where you’ve been for the last two weeks, we would be more hesitant to give up this information. People don’t realize that many tech companies are obligated to share certain information with law enforcement, even without a warrant. Due to the Patriot Act and other government population control measures, our information is considered public domain if it can be reached via the web.
You’re not a criminal and have nothing to hide. So, the moral implication becomes that while the country fights for what is liberty through bipartisan politics, decision-makers in key positions in the tech world actually drive what data even exists. We make decisions to double-blind the data from ourselves, to encrypt your data, to store it properly away from harm, and to scrub it when you ask. We implement the tools and know-how to make sure your information is safe. Unfortunately, not all IT people work in your best interests. As with every business, there is always someone a little more greedy than you. So, we see some of those results in Equifax breaches, where a little investment in security would have gone a long way to ensuring the safety of all those identities. We see others where public figures have had their personal information leaked to the world, an act known as doxxing. It becomes incumbent on IT decision-makers not only to choose the correct moral and legal actions but also to implement them well enough to ensure your safety.
Some terms explicitly state what your information may or may not be used for. This is usually your first tangible line of defense for your information. Reading carefully, you may find information regarding what your data is collected for, what is considered acceptable use of your data, whether it is being sold off to third parties, whether it is personally identifiable data, whether a warrant is required for law enforcement, what the retention policies are, etc. It is best to read these things. One of the first painful things I learned early in my career is to read anything you sign, and later I learned that applies digitally too.
Social Media and Data Policy
Let me be very direct about this. If you use social media, you have more personally identifiable information out in the world than you are even aware. I won’t be so verbose with this as it relates to the previous section. When we use social media, we accept about 30 pages of terms of service, and those terms essentially promise 3 general things:
- You have no rights to anything regarding the service anymore, no rights to litigation, copyright claims, anything. Read it, it’s there. Twitter, Facebook, Instagram – all guilty of it; should any issues arise, the wording will take away your right to do anything about them. Whether the forfeiture of legal counsel and proceedings is going to hold merit in court is questionable; however, you are consenting to it.
- You are offering your data to the highest bidder. This is data collection at levels we’re not seeing, and many are not even used to it. Some examples of data we share without realizing:
  - Go to a concert – your app tracks your location; see an artist – the app tracks your music preferences; go to eat food – the app tracks where you went, when you went, sometimes what you ate, how much you paid and more, even when you haven’t touched your phone.
  - Posting a picture of your friends at the beach soaking in some sun? They are now associated with your profile, and the app knows you were near the other user, knows where, and knows why.
  - Searching for a movie or song? Your phone is taking in more information than the song you search. It is also taking in when you searched it, what sounds it hears that made you search it, who was near you when you searched for it, and what influenced you.
- You agree they can change the terms without notifying you. This is really there, tons of writing that explains the company can change the terms at any time even after you signed, and your continued use is implicit consent. You signed over your random tweets; technically the company can change its terms to say after 30 tweets Twitter owns your car. There are safeguards against this type of practice, but they are extremely hard to enforce. Pay attention.
So what is the big issue with this information? It’s huge: this data is sold to analytics companies, marketing companies, and more. If you’re a bespoke soap maker, your apps and services may cater to the highest bidder, and your searches and activities will slowly edge you out of your own industry. The chain store next door paid more for ad revenue, so even though your rating is higher, they appear first, and over time you lose business. That’s just on an individual level. At the state level, this data has been purchased and used by political parties to sway public opinion, re-elect along voter lines, gerrymandering, propaganda, and more. Many think, “I’m a Democrat/Republican and I don’t care who knows it.” Great! But please realize that your opinion is also a tool that can be used to sway opinion in any direction influencers please, and their first step is to collect data on you. To know you – what you like and don’t like – and show you the world they want you to see. It is a dangerous time to simply accept what we see as true.
The Responsibility of IT Professionals
I won’t defend the notion we are some kind of secret superpower in the world, but we are in a unique position to help change things. We are the plumbers of the modern world, the sewage flows where we want, the freshwater where we choose.
Some examples of how we can help:
- Build systems that cannot be exploited. Have user data for your app? Encrypt it with trusted keys held on the end user’s device, giving access back to the user. Have to collect personal information directly from a consumer for marketing? Decouple the identifiable data from the statistical data.
- Pay attention to security issues. It is one thing to have a policy to never share the data, but bad actors may still gain access to our data and share it themselves. We need to be proactive in patching security issues, encrypting things, never being lazy about it, and always improving how secure a system is. Most data breaches in recent times have been due less to serious flaws and more to negligence. This is unacceptable.
- Offer solutions which don’t strip rights from the users. If we must collect data from users that can be misused, offer solutions that let users own their information: for example, allowing users to download their full data, so they can be aware of the information we collect, or allowing them to wipe their data completely when they delete an account.
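
The decoupling, download and wipe ideas from the list above, sketched as an added example (not code from the author or SpireDigital). The `DecoupledStore` class, its field names and the signup records are all hypothetical and constructed for illustration.

```python
import secrets
from collections import Counter

# Constructed sample signups; names, e-mails and fields are invented.
SIGNUPS = [
    {"email": "ana@example.com", "name": "Ana Ruiz", "age": 34, "zip": "80202", "plan": "pro"},
    {"email": "bo@example.com", "name": "Bo Chen", "age": 37, "zip": "80205", "plan": "free"},
    {"email": "cy@example.com", "name": "Cy Odum", "age": 52, "zip": "10001", "plan": "pro"},
]

class DecoupledStore:
    """Keeps identifiable fields and statistical fields in separate tables."""

    def __init__(self):
        self.identity = {}  # email -> {"name", "token"}; tightly restricted
        self.stats = {}     # token -> coarse attributes only; what analysts see

    def ingest(self, rec):
        # Random link token: unlike a hash of the e-mail, it cannot be
        # recomputed by someone who already knows the user's PII.
        token = secrets.token_hex(16)
        self.identity[rec["email"]] = {"name": rec["name"], "token": token}
        self.stats[token] = {
            "age_band": f"{rec['age'] // 10 * 10}s",  # 34 -> "30s"
            "region": rec["zip"][:3],                  # coarse ZIP prefix
            "plan": rec["plan"],
        }

    def export(self, email):
        """Everything held about one user, for a data-download request."""
        row = self.identity[email]
        return {"email": email, "name": row["name"], "stats": self.stats[row["token"]]}

    def erase(self, email, keep_stats=False):
        """Account deletion: wipe both rows, or keep only the unlinked stats."""
        token = self.identity.pop(email)["token"]
        if not keep_stats:
            del self.stats[token]

    def plan_counts(self):
        """Marketing-style aggregate computed without touching identity."""
        return Counter(r["plan"] for r in self.stats.values())

def build_demo():
    store = DecoupledStore()
    for rec in SIGNUPS:
        store.ingest(rec)
    return store

if __name__ == "__main__":
    s = build_demo()
    print(s.export("ana@example.com"))
    s.erase("ana@example.com")
    print(s.plan_counts())
```

Coarse attributes can still single out a person in a small population, so the statistics table needs its own access controls even after the identity table is separated from it.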
The unfortunate truth is much of IT is beholden to the higher echelons of corporate power, capitalistic motives, governmental overreach, and bad actors. However, we do have the power and the personal responsibility to make real change. It starts with understanding the dangers of our work and how it can affect things on a grand scale – from personal relationships to small businesses, from large corporate profits to government meddling, political propaganda, and more. We all have a civic responsibility to each other or the world would have never made it this far. To forget our place in the name of profits is abhorrent and all too prevalent. Change begins with you.