A safe, data-centric future

The future of data is private

Privacy is a word that gets used almost carelessly in today’s world. What is privacy? Here’s a definition we like:

Privacy is the ability of an individual or group to seclude themselves or information about themselves, and thereby express themselves selectively.” –Wikipedia

It follows that in the digital context, data privacy is the right to determine who gets access to which bits of your information.

It’s a sad truth that many consumers will trade away their data privacy for free services like Gmail, Twitter, and Facebook. There’s an assumption of benevolence from those companies. Many feel the risks are low since those companies won’t publish users’ private data to the world. And that is mostly true if you ignore unethical partners like Cambridge Analytica.

But it’s pretty hard to know for sure whether employees of these companies are spying since they don’t provide transparency of data access. In fact, each of these companies has had scandals where employees were caught peeking at private customer data.

This isn’t just a problem for consumers. It’s a major problem for businesses. Businesses can be penalized if the sensitive data they hold is accessed by someone without authorization. They have obligations under regulations like GDPR, FINRA, SOX, and HIPAA, and they have contractual agreements with partners demanding data protections.

The trouble is that data multiplies

Data gets copied. For starters, it is probably backed up. It is probably also shared between people, systems, partners, cloud vendors, and others. Then there’s the derivative data: the reports and summaries and spreadsheets and indices and machine learning models that all stem from the data.

The simple truth is that the data consumers and businesses most want to keep private is likely stored in more places than they realize and is accessible to more people than they can imagine.

The fragile chain of trust

The more technically sophisticated (and paranoid) of us can take extreme measures to keep our data safe. But unless we’re completely off the grid, we probably have a bank account and health insurance and credit cards and so on.

In other words, an awful lot of our data is being held by third parties. And those third parties may well use fourth parties who use fifth parties and … you get the idea.

Whether we’re talking about our personal data or business data, we can’t make more than a first line guess at who we should trust. No matter how well we protect the data that we hold, when other parties have access to that data, we have to trust them to take equally good care of it. And we’ve seen over and over that they don’t. The trust chain is fragile.

Data control for all

The antidote is data control. The owner of the data – the user or organization who is the originator or has primary responsibility for the data – should be able to determine what gets shared and with whom. And not only that, but they should have transparency into who has accessed their data no matter how many copies there are or what storage layers are used.

This isn’t just some lofty ideal: it’s the only pragmatic solution to the problems of data distribution.

It’s not really sufficient to have one or two companies and a handful of consumers benefit from data control. It doesn’t move the needle enough. The whole world should be able to ensure that the data they deem private stay private as long as there isn’t a legitimate public interest in that data.

And that means we need to start with businesses. The more organizations control the data they hold, the safer we all are – business and consumer alike.

The path to the future

Sometimes the dream feels too big and the counter-incentives to disrupting the status-quo seem too powerful. But there is a clear path to a future of data privacy and we as a society are steadfastly marching down it.

Already there is a shift in the process of building applications towards building data protection and privacy by design. Security is being introduced earlier in the process.

Regulations like GDPR’s Article 25 require this, but also there is a dawning realization from security teams that securing the servers and the network just isn’t sufficient. Many are already expanding their domain to include the security of data in applications.

As thought leaders start to build software right, others will follow. This is because much of the law around liability and many of the regulatory requirements use a vague concept of “industry best practices” as the requirement for security.

These best practices are arguable, but as more and more companies settle on a practice, it becomes less defensible for their peers to ignore it.

Change is happening

Somewhere in our future, perhaps two years or perhaps ten years from now, we’ll hit the tipping point after which all companies must properly control their data, wherever it lives. They will have no choice but to empower their customers and to protect their personal data as if it were a valuable commodity.

This shift is happening, one organization at a time. Change is coming. The drive to privacy and data control is accelerating. And we look to a future in which the industry best practices graduate to meaningful security from the veneer of security that is the norm today.