Why Privacy Will Remain an Open Issue Unless

2018 was a year of awakening to the dear side effects of technological innovation on privacy. The news of Facebook’s mishandling of users’ data has raised concerns everywhere. We saw misuse of private information for optimizing business goals, and abuse of personal data as a platform to serve mind-washing political influencers posing as commercial advertisers. Facebook is in a way the privacy scapegoat of the world, but they are not alone. Google, Twitter and others are in the same boat. Adding to the fiasco were the all too many examples of consumer services which neglected to protect their customer data from cyber attacks. 2018 was a year of rising concerns about privacy, breaking the myth that people don’t care about privacy anymore. People actually do care and understand what personal data is, though their options are limited and there is no sign 2019 will be any different.

So how did we get here? A growing part of our life is becoming digital, and convenience is definitely the number one priority, a luxury made possible by technological innovation. Convenience means a personalized experience, and personalization requires access to personal data. The more data we provide, the better the experience we get. Personal data is made of information provided by the user or indications of user activity implicitly collected using different digital tracking technologies. The collected data is fed into different systems residing in central computing facilities which make the service work. Some of the data is fed into machine learning systems which seek to learn something insightful about the user or predict the user’s next move. Inside those complex IT systems of the service provider, our data is constantly vulnerable to misuse, where exposure to unauthorized parties by mistake or by intention is possible. The same data is also vulnerable by the mere fact that it resides and flows in the service provider’s systems, as they are susceptible to cyber attacks by highly motivated hackers. Our data is at the mercy of the people operating the service and their ability and desire to protect it. They have access to it, control it, decide who gets access to it, and decide when and what to disclose to us about how they use it.

We are in this poor state of lacking control over our privacy because the main technological paradigm dominating the last 10 years’ wave of digital innovation is to collect data in a central manner. Data is a physical object and it needs to be accessible to the information systems which process it, and central data storage is the de facto standard for building applications. There are new data storage and processing paradigms which aspire to work differently, such as edge analytics and distributed storage (partially blockchain related). These innovations hold the promise of a better future for our privacy, but unfortunately they are still at a very early, experimental stage.

Unless we change the way we build digital services, our privacy will remain a growing concern, where our only hope as individuals is to be lucky enough not to get hurt.

No One is Liable for My Stolen Personal Information

The main victims of any data breach are actually the people, the customers, whose personal information has been stolen, and oddly they don’t get the attention they deserve. Questions like what the impact of the theft was on me as a customer, what I can do about it and whether I deserve some compensation are rarely dealt with publicly.

Customers face several key questions when their data is stolen:

  • Was my data stolen at all? Even if there was a breach, it is not clear whether my specific data has been stolen. Also, the multitude of places where my personal information resides makes it impossible to track whether and from where my data has been stolen.
  • What pieces of information about me were stolen and by whom? I deserve to know who has done that more than anyone else, mainly because of the next bullet.
  • What are the risks I am facing now after the breach? In the case of a stolen password that is used in other services I can go and change it manually, but when my social security number was stolen, what does it mean for me?
  • Whom can I contact in the breached company to answer such questions?
  • And most important: was my data protected properly?

The main point here is that companies are not obligated, either legally or socially, to be transparent about how they protect their customers’ data. The lack of transparency and of standards for how to protect data creates an automatic lack of liability and serious confusion for customers. In other areas, such as preserving customer privacy and terms of service, the protocol between a company and its customers is quite standardized, and although it is not enforced by regulation it still has substance to it. Companies publish their terms of service (TOS) and privacy policy (PP) and both sides rely on these statements. The recent breaches of Slack and JPMorgan are great examples of the poor state of customer data protection: in one case they decided to implement two-factor authentication, and I am not sure why they didn’t do it before, and in the second case the two-factor authentication was missing in action. Again, these are just two examples which represent the norm across most of the companies in the world.

And what if each company adopted a customer data protection policy (CDPP), an open one, where such a document would specify clearly on the company website what kind of data it collects and stores and what security measures it applies to protect it? From a security point of view such information cannot really cause harm, since attackers have better ways to learn about the internals of the network, and from a customer relationship point of view it is a must.

Such a CDPP statement can include:

  • The customer data elements collected and stored
  • How it is protected against malicious employees
  • How it is protected from third parties which may have access to the data
  • How it is protected when it is stored and when it is moving over the wires
  • How is the company expected to communicate with the customers when a breach happens – who is the contact person?
  • To what extent the company is liable for stolen data

Such a document can dramatically increase the confidence level for us, the customers, before we choose to work with a specific company, and can serve as a basis for innovation in tools which can aggregate and manage such information.