For years, I've been trying my best to stay low-key when it comes to my personal information on the internet. I don't create new accounts, I never cross-login with my email address, I don't use phones. Certainly not perfect, but a lot of times I prefer privacy over convenience.
At the same time, my government and society at large are pushing more and more for "digital everything". It's great when it works. But to me, every new service translates to a new opportunity for my data to be leaked.
I think one reason why we're still seeing so many breaches is that security is hard and thus expensive - and on the other hand, other than customer push-back, companies or other providers have pretty much nothing to worry about when their data gets extorted. To me, this is impossible. When I give my private data to them, I'm giving them something very valuable. If being careless with that value basically has no consequences, the incentives to care are low.
We need to establish measures of accountability for data holders. Not securing customer data appropriately needs to be persecutable, and the affected parties need to be given a right for compensation. Of course, that's not going to happen. It would be difficult to implement in practice, if at all possible. But as long as there is no monetary incentive for data holders to be as careful as possible, the laxness is going to continue.
It’s a double whammy in places like India where “digital push” means everything is based on your mobile number with the worst of safety and regulation the planet has to offer. Push is 100%, safeguards zero (if not negative).
What makes it even worse is every policy and regulation push is just talk on paper and even if it succeeds and comes into effect, it essentially stays at where it was — zero power to the people, zero accountability to others, and negative punishment to the offenders (they are not even considered offenders). There are no legal frameworks like a class action lawsuit either. As in, when you look beyond “paper regulators” (and won’t have to look hard) there is nothing at all, practically speaking.
The thing is you can’t fight it, and you really can’t opt out. Not here. It feels kafkaesque, you don’t even speak up because 90% or more of your compatriots will wonder what the hell you are on about, if you are lucky enough to be not labelled an anti-national.
The issue is how easy computers make everything, and how well processes scale with computers. Back in the day to heist data you'd have to physically break in or infiltrate, rummage through files, copy them somehow or just straight up take them. In a briefcase?? How many files can you exfiltrate per day like that?
But on a database it's practically a matter of running a copy command and uploading it or exfiltrating it. And there will always be software vulnerabilities.
Computer processes have no inherent rate limiter to them, and they even allow you to run stuff from a distance.
> I don't create new accounts, I never cross-login with my email address
I honestly tend to think this is the only viable long term strategy.
Let's face it: In a truly global internet where every single forum or website is hosted in a different country with a different jurisdiction, hoping that every single actor will act responsibly is just delusional.
It is not what we see. It is not happening and it is not going to happen.
Individuals need to have the right to online privacy.
That means the right to get a proxy email address, proxy phone number, proxy physical address and even proxy identity (first name/family name).
The sooner governments accept that, the better.
If done right, it is not incompatible with a system where identities can be reconstructed by the authorities for legal actions.
If nothing is done, scams and blackmail will continue to spread like bushfire and proxy anonymity will happen anyway outside of any control.
If a business legitimately needs such information to operate, isn't it borderline impossible to 100% prevent it from leaking? If the data is there, it can be compromised either by technical means or non-technical means.
The primary issues in my opinion are (1) businesses collecting and holding on to information they don't need and (2) businesses getting so large that they become prime targets by default.
In a world where pointless data collection was disincentivized and there were many small businesses instead of a few large ones, this problem would be much more localized and addressable. But of course this is a dream within a dream.
>We need to establish measures of accountability for data holders
This is true, and it needs to change. The incentives are warped right now, as a decent chunk of global GDP traces itself back to ad tech.
>We need to establish measures of accountability for data holders. Not securing customer data appropriately needs to be persecutable, and the affected parties need to be given a right for compensation.
The ultimate entity that could hold businesses accountable is the government but the government itself is careless with citizens' private data.
I underwent a government required background check to get a security clearance and my data was stolen: https://en.wikipedia.org/wiki/2015_Office_of_Personnel_Manag...
My "compensation" for my data being leaked was 1 year of free credit monitoring. But obviously, criminals interested in identity theft will continue their attacks after 1 year.
As far as persecution/prosecution, I suppose Katherine Archuleta, the director of OPM, and the CIO, Donna Seymour ... could have been put in prison as punishment instead of just resigning. I don't think that would change anything. There will still be future scenarios where governments want more collection of private data. Flock cameras, TSA airport scans, internet access age-verification face scans, etc.