One of the thorniest issues in information security is the matter of ownership. Who is the owner of the data/information? In SABSA this is especially important because the owner will be the person who makes policy about how that data/information should be protected, against which threats, and for exploiting which opportunities. An owner is a domain authority for all data/information within his/her span of control.
Well, that sounds clear and simple, but practical matters make it much less so. One question that arises is: can the data, information and knowledge have different owners? Who owns the risk, both opportunity and threat, and can there be a conflict of interest?
For example, a digital photograph is a data set, for which the photographer owns the copyright. However, if the photograph is of a person, then that person is a ‘data subject’, and EU data protection laws state that data subjects are entitled to data privacy. This issue is brought into sharp focus by so-called ‘paparazzi’ photographers who take pictures of celebrities without the permission of the subjects. Who owns the image: the photographer or the subject of the photo? If there is more than one person in the photo then the matter becomes even less clear, because one or more of the subjects may have given the photographer permission, whereas other subjects have not. It could even be a malicious plan between the photographer and one or more subjects to compromise the reputation of one or more of the other subjects. So who owns the image now; and who can control its public disclosure?
Now let’s make the example even more complex. A family is on holiday and they take many digital photos of places they visit and of family members in various locations. It is common practice to snap a picture of a family member or group standing in a public place outside a famous monument or other visitor attraction. By pure chance, and unknown to the family, one or more pictures include an image of a famous celebrity who just happens to be in the same vicinity at the same time. There are circumstances that make this an embarrassment for the celebrity, because they shouldn’t really be there or shouldn’t really be with the person next to them. No-one so far has any ‘knowledge’ of this situation. The data has been captured and information is contained in the data; information about the family, but also information about the celebrity.
Later the photograph is posted on Facebook and seen by a third party who recognises the celebrity. Now there is knowledge based on the information contained in the data set. That knowledge provides an opportunity for those with access to the photograph to blackmail, intimidate or simply ruin the reputation of the celebrity. It also poses a threat to the celebrity who has been misbehaving.
There is a conflict of interest here that is not easy to resolve. Morality is involved for each of the photograph owner, the third party with the knowledge and the celebrity whose misbehaviour has been captured. What about legality? How does copyright law interact with data protection law? Whose interests should prevail? Do the data, the information and the knowledge belong in different domains, subject to different policies, and who should determine those policies?
What this example reveals is that there is potential complexity in ‘ownership’ that is not easy to resolve. However, SABSA, through the application of Attributes Profiling, provides some analytical tools that will help to bring some simplicity to a complex situation. The attribute ‘owned’ will need some further decomposition based on sound principles. The question remains, however: what are the basic principles that should be applied in resolving such conflicts? In the days of social media and everyone with a smart photographic device in their pocket or handbag, this is an issue that society as a whole must address.