Businesses should stop collecting Internet data they don’t need or can’t secure and consumers must take responsibility for the risks they expose themselves to in exchange for online convenience, a security expert said Wednesday.

The remarks came from John Proctor, vice-president of global cybersecurity at CGI Group, during a roundtable discussion on Internet governance and security hosted by the Economic Club of Canada. Proctor said businesses shouldn’t participate in the Internet economy without their eyes fully open to its risks.

“Assume (the Internet) is compromised. A business has to look at it and say there’s a lot of benefit to it but there’s also a risk. That’s where the education component comes in. As a business, you’re exposing yourself to this free, open and insecure Internet and I think that’s the reality,” Proctor said.

On the consumer side, he said users must realize businesses won’t make data security and privacy a top priority until customers force it on them by demanding it en masse. Instead, most consumers today willingly sacrifice some degree of security and privacy in exchange for greater convenience, he said. Proctor said the situation likely won’t change “until a consumer says ‘Build it securely and I’m more likely to buy it from you than your competitor.’”

The event was organized by the Internet Corporation for Assigned Names and Numbers (ICANN), the Canadian Internet Registration Authority (CIRA) and the Toronto Internet Exchange (TorIX). It was billed as ‘Inside the Fight to Save the Global Internet’, a title that couldn’t have been timelier.

Apple vs. the FBI

In recent days a U.S. judge ordered Apple Inc. to help the FBI access data from the iPhone of a San Bernardino mass shooter allegedly motivated by terrorism. Apple vowed to fight that court order; Microsoft Corp. co-founder Bill Gates said allowing such access may be warranted in some cases; and the Canadian Security Establishment (CSE) acknowledged it broke the law by unintentionally sharing Canadians’ personal metadata with intelligence agencies in the U.S., U.K., Australia and New Zealand.

The Apple and CSE incidents have brought an ongoing question back to the headlines: how much control should governments wield over the Internet? All of the speakers agreed that government does have some role to play in overall Internet governance and standards but stopped short of endorsing a system where a federal government directly regulates the Internet in each country.

“We welcome government as an advisor and as a participant. We really do need them,” panelist Allan MacGillivray, senior policy advisor to the president at CIRA, said. He then noted, however, that too much direct government control of the Internet could be dangerous without other forms of oversight: “(The government of) Egypt turned off the Internet during the Arab Spring (uprising).”

MacGillivray said CIRA favours the current multi-stakeholder approach to Internet governance that includes government bodies, technical authorities like CIRA and ICANN, law enforcement agencies like Interpol, human rights organizations, global groups like the World Wide Web Consortium (W3C) and technology corporations such as Google and Facebook.

From a purely business point of view, heavy-handed government control might not be ideal, said fellow speaker Ann Cavoukian, executive director of the privacy and big data institute at Toronto’s Ryerson University.

“If you want innovation, I would suggest you not rely singlehandedly on government,” said Cavoukian, former privacy commissioner of Ontario.

Government and Internet control

Although a new European Union law unifies data privacy regulations among all 28 EU nations, Cavoukian said there are drawbacks to taking a legislative approach to online oversight.

“Of course government has a role to play. But it takes time to pass a law. By the time it’s passed and functional, the technology has gone way past it. So there’s a problem of lagging back and forth between the new technology and the laws around it,” she said.

By legislating privacy by design, however, governments can resolve that time lag by requiring privacy features to be embedded into all new technologies at the earliest design stage, Cavoukian said. Part of the new EU statute enshrines privacy by design principles in law for the first time ever, she said.

While the global debate about government Internet control and data access continues, Proctor had some simple data risk management advice for businesses in all sectors.

“If you can’t protect it, don’t collect it,” he said. “I tell CEOs all the time, ‘What happens if you lose all that (customer data)?’”