13 July 2018

Freudian Data - Security Slip

Update - 16th October 2018 - Tim Berners-Lee is working on something called Solid; an ecosystem that does pretty much what I'm discussing below. Sometimes, the threat comes sooner than you expect.

Update - 8th July 2019 - British Airways fined £183m for data breach (https://www.bbc.co.uk/news/business-48905907)

Tell Me about Your Mother
In the ever increasing digital push, we are all encouraged to interact on the internet (and yes, that does include mobile) to perform essential daily tasks. Some of us do this willingly and welcome the increased efficiency and convenience that it brings; others are forced into this world as alternative approaches become less available, and harder to access. Either way, we’re doing important stuff online, and to do that stuff we have to share our data. 
Some of this data is fairly innocuous (names, titles, ages, preferences) and we have learnt to share this information without even thinking. In fact, many people now go out of their way to share this data via social platforms even when the sharing is not necessary to perform a transaction. Some of this data, however, is sensitive and there is real risk in sharing it. Banking details, passwords, and shared secrets all involve us trusting those with whom we transact, but share we must if we are to interact in the modern world.
In the early days, this wasn’t such a problem. The organisations we had to trust were few in number (the bank, our supermarket of choice, and maybe a major online retailer or two) and the chances of that data going astray were low. We were encouraged to use “strong” passwords which we changed regularly and were reassured that the organisations in question had strong security “perimeters”. We could trust them to keep us safe.

But they didn’t...

Addicted to Gambling
Not that I’m blaming them, you understand, nor am I suggesting that the risk we took with our information was not one worth taking. Digital services have made my daily life infinitely less painful and I want more of them, not less – and herein lies the problem. As any statistician will know, risk is a numbers game and the more times you play it the worse the odds get. The game is made all the more risky by the fact that for an intelligent species, humans are remarkably unoriginal, and all the digital services we are offered work in pretty much the same way. They all require the same username/password approach, and most people return that lack of originality by using the same username and password wherever they go. This means that one leak is all it takes to compromise your online life.
So, over time we share the same critical information with increasing numbers of organisations and the odds go up and up. What is more, as the number of things you can do online increases, the value of that information to those who might steal it grows steadily. With so many points of attack, so few variations on the information used, and so much value resting on it, theft of that information becomes more than likely; it becomes inevitable.
Not surprisingly, significant loss of customer information is becoming a regular occurrence and cyber-security is the hottest topic in town.
Introvert or Extrovert?
There is a widespread belief that this continuously increasing openness with data is a trend that will continue in its current direction, but it is just as likely to be a fad; part of a cyclic process. It is reasonable to expect that we will react to the data losses in a negative way by becoming much more introvert as a society. After all, if the data isn’t out there it can’t be stolen, can it?
Why does the data need to be out there at all? At registration, we are often expected to give companies all the data they need for all the services they offer, but we may only use a few. By interacting with apps and websites, we share our behaviour so that services can be customised, “in our best interests”. We share our credit card data every time we want to buy something, and everyone has our address even if all the parcels come to us from a small number of couriers.
We do this because we have to. The current ways of working in the world of e-commerce provide us with no alternative.
Control Freak
But what if there was an alternative? It’s not hard to imagine an independent decision making app owned by the user (an avatar that acts on my behalf), containing my preferences and data. Such an app could act as an intelligent agent, doing the comparing and completing the trades on my behalf. It could work to my personal preferences and not to a generic model and I could trust the recommendations it makes because it is owned by me and acts on my local behaviours and preferences. With increasing processing power on handheld devices it is quite possible that AI engines will be able to run locally, pulling down the data necessary to reach their conclusions, with no external visibility of the decision making process. 
The proliferation of such a capability would start to remove price as a differentiating factor and providers would need to move to the next desirable USP. My avatar might start to choose to trade only with the services that request the minimum amount of personal information, and providers would respond by offering data-lite transaction completion. In essence, the transaction requiring the least data wins.
For example, a transaction that allows you to make the payment directly through your bank (e.g. via mobile payment or bank transfer) and then share the payment reference with the seller so that their systems can watch for the payment in real time would remove the need for sharing of card or account details. Anyone offering this type of transaction would put themselves at an advantage in a data-introvert environment.
Peer Pressure
But why would anyone bother? Suppliers want to keep your data and track behaviour; it is valuable, and even when it isn’t, executives have been led to believe it is by the “data is oil” mantra. Why would they give this up and offer a transaction-based, data-free service? Well, with the increasing awareness that data breaches have a long-term impact on share price, organisations might start to see the keeping of data as a very costly burden. The high fines available through GDPR legislation could push the risk of keeping personal data above acceptable levels.
It only takes one provider to offer a transaction-based service with no registration and no data storage and the market will decide. The most likely contender would probably be a start-up that wants to avoid the cost of data storage, data protection, insurance, etc. etc. and also exploit a new market. Storage is cheap, but if you’re not using any it’s even cheaper. Once a disruption like this happens, all others have to follow to survive.
It’s not impossible, therefore, to conceive of a world in which the wheel turns again, and this time from distributed to local; local processing and local data storage (or at the very least a single trusted location for data storage).
So the real cyber-security threat to businesses is not that they’ll leak your data… It’s that they’ll lose access to it, altogether.
The Enterprising Architect
