Let's Make Stolen Data Worthless
There's an old saying in politics: Where you stand depends on where you sit.
We need to look at completely new ways of tackling some of our largest problems. One that's been gnawing at me is the whole "Privacy" issue. We need to stop wasting resources on data breaches and work to make stolen data worthless.
Ten years ago people were declaring that privacy is dead and privacy is a thing of the past. We built a great deal of the Internet with no regard to privacy. You gave up your personal information in order to download an app or join a community.
Skip ahead ten years and we have GDPR and a wave of privacy legislation that essentially does NOTHING to secure privacy data. Putting the privacy genie back in the bottle is a nearly impossible task. Let's compare it to the security genie.
The Internet was also built with essentially zero security and security was bolted on after the fact. In 1985 you could Finger me at the University of Michigan. Today, 90% of you have no idea what that means.
Security is achievable because a technology "generation" is about every 18 months, and almost everything on the Internet gets replaced within two or three generations. So after ten years, we can implement completely new processes and procedures.
But privacy is not like that. Private information is the ultimate gold ring of the Internet: DATA. I have worked in the "information" business, buying and selling data since 1993. The absolute first rule about collecting personal data is that you never throw it away.
You can stop emailing someone, but you don't delete the record. If you don't maintain it, your data becomes less accurate over time. But it always has value. And you never delete it.
This is why Infusionsoft, Salesforce, Goldmine, and a thousand other companies exist. They collect, archive, and maintain massive data collections for millions of companies.
Your data is out there. Breaches at the government, Target, Delta, Facebook, Lord & Taylor, Panera, your doctor, etc., happen every day. As long as companies hold and store data, there will be data breaches.
Massive fines for data breaches cannot do anything to solve this problem. Let's turn it around.
We (everyone who uses technology) need to put some attention on the real problem. Why do we care that private data is stolen? We care because that data can be used to file a fake tax return in your name. Or open bank accounts, acquire passports, sign up for new credit cards.
THAT's where we can fight the bad guys. We need to put our attention on preventing the abuse of this data. We can build systems that make stolen data worthless.
We know we can do this. Today, it is clunky and inconvenient, but we already have ways to make stolen data worthless.
For example, I recently posted up a photo of my driver's license and (three months later) a credit card. I don't care, because I've secured my credit. You can find all my data, or buy it on the dark web, and it will do you no good.
All that security is also a pain in the neck. I can't access my online tax records with the IRS because they can't verify my identity. I can't sign up for new credit cards without a huge hassle. But making the data useless is possible.
So here's our challenge: Let's put our time, effort, and money into developing elegant and easy ways to make stolen data useless. We know we can do it. Now let's make it easy for non-technical people to do by default.
Some will say it's impossible. Well, remember, everything's impossible until it's possible. And everything is difficult before it becomes easy.
GDPR and the new state data privacy laws are great for creating massive fines that punish companies for the inevitable. I think our resources are better spent making stolen data worthless.
Let that race begin.
My 2 cents.