Loving thy neighbours' data

April 27, 2017


Matthew Frazer

Ever get the feeling you’re being watched? If you’ve made any kind of electronic communication today, then it’s probably not your imagination. 

The nature of our modern, resilient, distributed communication systems means that every call, message, web page, and search query passes through many waypoints on its journey. Even when active measures are taken to secure the details of these personal communiqués, it is still possible to glean morsels of information—the so-called metadata that is the subject of some public controversy.[1]

Has the Orwellian state arrived? In our world, data is currency. Advertising companies make billion-dollar profits from it. Data is knowledge. Governments learn important social trends that shape policy. Data is power. Criminals abuse and extort the innocent, and the not-so-innocent,[2] when caches of website user data are compromised.

Security and privacy are not just concerns for governments and corporate behemoths. The same principles apply to your phone’s address book. Have you ever been prompted by an app to access your contacts, and tapped ‘allow’ without much thought? You may have compromised not just your own data, but that of your friends, family and professional acquaintances. Yet if cybersecurity professionals in large tech companies can be defeated, what hope does the part-time IT guy for a local small business, community organisation or church have? The only thing working in their favour is that they are a comparatively low-value target. However, a motivated antagonist would have little difficulty causing harm to such a target.

Churches sit at the intersection of a few risk factors. As community organisations, they typically collect detailed contact information for members and visitors. As providers of social care, much of this data represents vulnerable people within the community, including children. As not-for-profit organisations, they often have constrained budgets and a ‘just-get-by’ approach to IT management. And as occasionally controversial entities, they can attract the attention of people who may seek to cause damage. All these factors elevate the chance that a data breach may be attempted and succeed.[3] 

Every small and seemingly inconsequential piece of data can be used to build a profile of an individual, and when multiple sources are combined, full identity theft can result. Imagine losing access to your bank accounts, email and social media, having spurious purchases made using your identity, or even more nightmarish scenarios like your identity being used to smuggle wanted persons across international borders. Any duty of care we have for those we serve must extend to mitigating the risk of these things occurring. 

While the Bible doesn’t lay out a privacy policy per se, there are guiding principles. Neglecting an obligation to act responsibly with other people’s personal information does not show appropriate care and concern. While organisations like churches can be determined in their pursuit of ‘potential contacts’, consent should be obtained from those contacts if their data is to be stored, and they should be given the opportunity to have their data removed—in fact this is a requirement of law.[4] If contact has been lost with a person and there is no need to keep their details, that personal information should be proactively removed, whether from a personal address book or church database. Any sensitive information collected, such as financial details, medical needs or provision of social welfare, must be treated with particular care and be accessible only to those who directly need it.

Even where data privacy is taken seriously, it is extremely difficult to be properly prepared for any attack. The cost of engineering a secure information system must be weighed against other things competing for available resources. However, given the potential for damage, it warrants serious thought.

 

 

[1] https://www.ag.gov.au/dataretention

[2] https://en.wikipedia.org/wiki/Ashley_Madison_data_breach

[3] https://www.staysmartonline.gov.au/business

[4] https://www.oaic.gov.au/individuals/privacy-fact-sheets/general/privacy-fact-sheet-17-australian-privacy-principles


