For years, I've been trying my best to stay low-key when it comes to my personal information on the internet. I don't create new accounts, I never cross-login with my email address, I don't use phones. Certainly not perfect, but a lot of times I'm preferring privacy over convenience.
At the same time, my government and society at large is pushing more and more for "digital everything". It's great when it works. But to me, every new service translates to a new opportunity for my data to be leaked.
I think one reason why we're still seeing so many breaches is that security is hard and thus expensive - and on the other hand, other than customer push-back, companies or other providers have pretty much nothing to worry about when their data gets extorted. To me, this is impossible. When I give my private data to them, I'm giving them something very valuable. If being careless with that value basically has no consequences, the incentives to care are low.
We need to establish measures of accountability for data holders. Not securing customer data appropriately needs to be persecutable, and the affected parties need to be given a right for compensation. Of course, that's not going to happen. It would be difficult to implement in practice, if at all possible. But as long as there is no monetary incentive for data holders to be as careful as possible, the laxness is going to continue.
>We need to establish measures of accountability for data holders. Not securing customer data appropriately needs to be persecutable, and the affected parties need to be given a right for compensation.
The ultimate entity that could hold businesses accountable is the government but the government itself is careless with citizens' private data.
I underwent a government required background check to get a security clearance and my data was stolen: https://en.wikipedia.org/wiki/2015_Office_of_Personnel_Manag...
My "compensation" for my data being leaked was 1 year of free credit monitoring. But obviously, criminals interested in identity theft will continue their attacks after 1 year.
As far as persecution/prosecution, I suppose Katherine Archuleta, the director of OPM, and the CIO, Donna Seymour ... could have been put in prison as punishment instead of just resigning. I don't think that would change anything. There will still be future scenarios where governments want more collection of private data. Flock cameras, TSA airport scans, internet access age-verification face scans, etc.
Katherine Archuleta and Donna Seymour aren't writing code or administering online systems. I'm sure their organizations have security policies and standards, why not put the devs and sysadmins in prison if they didn't follow them?
I think that what we're seeing is evidence that humans, in general, are not capable of securely delivering the kinds of online services that they are trying to deliver. It's just too complicated, and while defenses have to be perfect, attacks only have to work occasionally to be worth doing.
Edit: not that we shouldn't expect best efforts, and financial liability for organizational failures. Prison maybe for clear proven negligence or intentional sabotage, but for mistakes? Nobody will write software anymore. When is the last time you wrote even a screenful of code without a mistake?
>why not put the devs and sysadmins in prison if they didn't follow them
So we should start treating them like licensed engineers... Actually I agree with this.
This is a bit too far to put the onus on devs for security, and the comparison is more like apples to oranges with other regular licensed engineers. It's hard to justify ROI on security; if anything, it makes it harder to roll out features with more traction.
In the absence of any fine, most companies are comfortable with a bit of reputation damage.
When the Minneapolis bridge collapsed there were no criminal charges involved. HN has this obsession with "licensed engineers" as if it completely prevents catastrophe and holds people to the highest standards. It's just a dog and pony show.
I mean, 40 years is a bit longer than the garbage we're making lasts.
And software holds people to exactly zero standards and it shows.
Accountability needs to start at the top. To allow a system where some underling is a liability blind for the top is to set up a system ripe for abuses of power.
No problem. We can have AI do it.
And the side benefit is that we could summarily execute one every once in a while for failing to write secure code.
> As far as persecution/prosecution, I suppose Katherine Archuleta, the director of OPM, and the CIO, Donna Seymour could have been put in prison as punishment instead of just resigning.
If they committed a crime.
Law enforcement failing to prevent a robbery is not treated on the same order as someone committing a robbery.
As a practical matter, I just assume that the data I provide to anyone will get leaked, because there's a pretty good chance it will.
> The ultimate entity that could hold businesses accountable is the government but the government itself is careless with citizens' private data.
Let's not forget the largest data breach in US history by Elon Musk and his DOGE kids.
It’s a double whammy in places like India where “digital push” means everything is based on your mobile number, with the worst safety and regulation the planet has to offer. Push is 100%, safeguards zero (if not negative).
What makes it even worse is that every policy and regulation push is just talk on paper, and even if it succeeds and comes into effect, it essentially stays where it was — zero power to the people, zero accountability to others, and negative punishment to the offenders (they are not even considered offenders). There are no legal frameworks like a class action lawsuit either. As in, when you look beyond “paper regulators” (and you won’t have to look hard) there is nothing at all, practically speaking.
The thing is you can’t fight it, and you really can’t opt out. Not here. It feels kafkaesque; you don’t even speak up because 90% or more of your compatriots will wonder what the hell you are on about, if you are lucky enough not to be labelled an anti-national.
The issue is how easy computers make everything, and how well processes scale with computers. Back in the day to heist data you'd have to physically break in or infiltrate, rummage through files, copy them somehow or just straight up take them. In a briefcase?? How many files can you exfiltrate per day like that?
But on a database it's practically a matter of running a copy command and uploading it or exfiltrating it. And there will always be software vulnerabilities.
Computer processes have no inherent rate limiter to them, and they even allow you to run stuff from a distance.
It all comes down to where the boundary for data access is implemented, and how strictly.
If your webapp has unfettered database access then don't be surprised if it is hacked and someone can do `select * from users` and then posts that dump somewhere.
The attack surface changes if your webapp can only do a REST call to pull a single user record at a time. That way you can put some auditing in, you can put rate limiting in to detect that, etc.
Obviously the user record REST api endpoint is still vulnerable, but it's a much smaller attack surface, easier to audit, and can be monitored a lot more closely.
Yes, ultimately, there will still be a set of vulnerable humans that have access to the database servers themselves and they can always walk out of the place with an SD card hidden in a Rubik's cube but there has to be an element of trust somewhere.
The problem is that too many people put that trust boundary way too far out into the big bad Internet. Or don't even consider it at all and just rely on the fact that other targets are more appealing.
There are layers of understanding about security, and people assume they are doing their best as per their knowledge.
Databases (SQL) have the concept of views, with restricted access going all the way down to the column level.
Connections can be restricted from the firewall itself.
One can have mTLS connections with the database on top of that to beef up security.
Unfortunately the generation of people who knew and did all this is just considered friction and has been made obsolete.
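The two comments above describe the same design point from two angles: keep the trust boundary close to the data (one record per call, audited, rate-limited, instead of a web tier that can run `select * from users`) and use the database's own tools (views that omit sensitive columns) to enforce it. The following is an added example, not code from either commenter; it uses sqlite3 and constructed sample rows so it runs offline. sqlite3 has no GRANT, so the view stands in for the role-level grant you would add in PostgreSQL or MySQL; the firewall and mTLS layers mentioned above are outside the code.

```python
"""Narrow data-access layer vs. unfettered table access (added example).

Constructed sample data; uses sqlite3 so it runs offline. A real deployment
would add DB-role grants, network restrictions and mTLS on top of this.
"""
import sqlite3
import time
from collections import defaultdict, deque

# Constructed sample rows: the web tier never needs ssn or password_hash.
SAMPLE_USERS = [
    (1, "alice@example.com", "Alice", "000-00-0001", "$argon2id$...a"),
    (2, "bob@example.com", "Bob", "000-00-0002", "$argon2id$...b"),
    (3, "carol@example.com", "Carol", "000-00-0003", "$argon2id$...c"),
]


def build_db():
    """In-memory database with the raw table, a restricted view and an audit table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users(
            id INTEGER PRIMARY KEY, email TEXT, display_name TEXT,
            ssn TEXT, password_hash TEXT);
        -- Column-level restriction: the view omits ssn and password_hash.
        -- In PostgreSQL/MySQL you would also GRANT the web role SELECT on
        -- the view only, so the raw table is unreachable from that connection.
        CREATE VIEW public_profile AS
            SELECT id, email, display_name FROM users;
        CREATE TABLE audit_log(ts REAL, caller TEXT, user_id INTEGER);
        """
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def unfettered_dump(conn):
    """What an attacker walks away with when the web tier has raw table access."""
    return conn.execute("SELECT * FROM users").fetchall()


def view_exposes_sensitive_columns(conn):
    """True if the restricted view leaks ssn/password_hash (it should not)."""
    try:
        conn.execute("SELECT ssn, password_hash FROM public_profile").fetchall()
        return True
    except sqlite3.OperationalError:  # "no such column"
        return False


class RateLimited(Exception):
    pass


class ProfileService:
    """One record per call, through the view, audited and rate-limited per caller."""

    def __init__(self, conn, max_calls=5, window_s=60.0, clock=time.monotonic):
        self.conn = conn
        self.max_calls = max_calls
        self.window_s = window_s
        self.clock = clock  # injectable so tests are deterministic
        self._calls = defaultdict(deque)  # caller -> timestamps in window

    def get_profile(self, caller, user_id):
        now = self.clock()
        recent = self._calls[caller]
        while recent and now - recent[0] >= self.window_s:
            recent.popleft()
        if len(recent) >= self.max_calls:
            raise RateLimited(f"{caller} exceeded {self.max_calls}/{self.window_s}s")
        recent.append(now)
        # Audit before the read so a lookup of a missing id is still recorded.
        self.conn.execute(
            "INSERT INTO audit_log VALUES (?, ?, ?)", (now, caller, user_id)
        )
        row = self.conn.execute(
            "SELECT id, email, display_name FROM public_profile WHERE id = ?",
            (user_id,),
        ).fetchone()
        return row  # None when the id does not exist

    def audit_entries(self, caller):
        """Which ids a caller has looked up, oldest first."""
        return self.conn.execute(
            "SELECT user_id FROM audit_log WHERE caller = ? ORDER BY ts", (caller,)
        ).fetchall()
```

`unfettered_dump` is the failure mode: one query, every column, every row. `ProfileService` is the alternative the comment sketches: a sixth lookup inside the window raises `RateLimited`, every lookup leaves an audit row, and the SSN and password hash are not reachable through the view at all, so a bug in the web tier cannot select them.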
We need to attach actual monetary amounts to PII. If a company loses the data they owe you that money. The money is increased based on how and if they disclosed the leak. Lying about a leak should be a criminal offense.
This would allow engineers to better prioritize security, which typically gets ignored or put low in priority.
Wow, I've not heard this idea before and I think it is very interesting! How would you set this amount though? Does the company/user/government set it? Would the same data have different amounts depending on the company? How would that system handle users with multiple accounts?
I think we should exempt this from double-jeopardy: the fines are considered purely-punitive, and are in addition to any civil or criminal penalty issued by the courts. This will help ensure that organisations can't just price data breaches in to "move fast and break things" and have no further liability, and that people who've experienced damages much greater than the standard fine don't lose their chance to get suitable compensation.
If a business legitimately needs such information to operate, isn't it borderline impossible to 100% prevent it from leaking? If the data is there, it can be compromised either by technical means or non-technical means.
The primary issues in my opinion are (1) businesses collecting and holding on to information they don't need and (2) businesses getting so large that they become prime targets by default.
In a world where pointless data collection was disincentivized and there were many small businesses instead of a few large ones, this problem would be much more localized and addressable. But of course this is a dream within a dream.
I'd also add a third issue to this list: data retention. Too many companies I've dealt with have privacy policies that state something to the tune of "we'll hold onto your data for as long as required" without giving much of an explanation as to how long "as required" is.
Which usually means until the financial incentives to remove the data outweigh the incentives to keep it. Data is more valuable than database storage costs, thus there is no incentive to remove the data. Policies should therefore be in place to punish unnecessary data retention.
There is a vast difference between it not being 100% impossible and data holders not doing the absolute basics to keep it safe.
I could imagine if, after a data breach, there was a government-run cyber investigative task force that would come into an organization, and be tasked with investigating and fully understanding the nature of the breach. We already have forensic detectives for other crimes, why not this one?
And if it turns out that the failure occurred due to the company acting negligently, a la (whoopsie all the records were in an open S3 bucket) then humans would be found personally liable.
--
But in principle, i also agree with the other causes you list. These are very much what GDPR was aimed at improving. It really is a shame when you look at what GDPR could have accomplished if not for malicious compliance by American tech giants, and shitty enforcement (instigated by American tech giants)
It doesn't even need to be government-run, we just need the right incentives. I've seen proposals for making some kind of data loss insurance mandatory to compensate victims. The insurance companies would then conduct audits which determine the premiums for the company, and investigate for negligence after a breach.
Edit: Thinking more about it, this would probably also be positive for security investigators. If a company is stonewalling you and ignoring a legitimate bug report, you now have the option to escalate this to the insurer. Maybe they could even facilitate bug bounty programs for smaller companies
I've had a similar thought in the past. I was thinking about the feasibility of a law being introduced where each company making over a certain amount of money per year must begin a VDP (and optionally a BBP) so that security flaws can be reported to them easily. This can easily be done by simply opening up security@companydomain and using security.txt (https://securitytxt.org). Reports must receive a response in N days, where N is calculated based on available staff, resource allocation, and revenue of the company. If they don't receive a response after N days, this can be escalated to some government agency which can take action against the company for failing to respond to a report on time.
If something like this had been implemented 20 years ago, we'd probably be exactly where we are now. What's the point?
Small businesses are equally vulnerable, and it's possible to perform cyber attacks at scale - Gen AI makes this easier
> I don't create new accounts, I never cross-login with my email address
I honestly tend to think this is the only viable long term strategy.
Let's face it: In a truly global internet where every single forum or website is hosted in a different country with a different jurisdiction, hoping that every single actor will act responsibly is just delusional.
It is not what we see. It is not happening and it is not going to happen.
Individuals need to have the right to online privacy.
That means the right to get a proxy email address, a proxy phone number, a proxy physical address and even a proxy identity (first name/family name).
The sooner governments accept that, the better.
If done right, it is not incompatible with a system where identities can be reconstructed by the authorities for legal actions.
If nothing is done, scams and blackmail will continue to spread like bushfire and proxy anonymity will happen anyway outside of any control.
Is the alternative just accepting that my data is out there? Even if I never used any online service, there are databases out there with my information anyway.
Just figure anything online that you aren't securing yourself is compromised. Minimize the effect that has on your life. Identity theft is annoying, but it rarely has severe effects.
You will have to go out of your way to be truly anonymous online, and it might be impossible if you aren't tech savvy enough. Otherwise, just assume everything you do online is public and act accordingly.
> Identity theft is annoying, but it rarely has severe effects.
I disagree. It already has severe effects.
- The fact that we are facing so many data leaks has made it easy for malicious agents to cross and mix data sources and set up much more evolved and convincing scam schemes.
It is now trivial to get name, address, birthday and phone number from a data leak, cross-check that with the login id (email) used for, let's say, a financial service, and set up a convincing phone scam on that.
Many dubious actors are already doing that. One acquaintance of mine (working in ITsec, ironically) got trapped by this exact scheme last week.
- It is trivial to harvest data leaks for online telemarketing, robocalls and any other abusive commercial practices.
- We are heading to a situation where any weirdo and/or stalker with a bit of tech know-how can rather trivially extract a physical address out of an online profile. That is a giant open door for harassment and physical insecurity for the most vulnerable of us.
That's not just "nerd concerns", and the strategy "everything you do online is public" does not work. Many websites will request my personal physical address for trivial matters like billing or delivery. That can not by any means be considered public data.
> Many websites will request my personal physical address for trivial matters like billing or delivery.
Some will even require it for no actual reason at all.
Do I need to give my living address when I buy a sandwich? Then why would I need to when buying an online service?
Similarly, fast food places nearly all have these automated kiosks. They don’t need any info. So why do they require an email address when ordering to the table through the app, while in the restaurant?
They don’t need them. They just demand them because they can and everyone online is used to giving them without a second thought.
I can’t wait for personal data to become digital radioactive waste.
> name, address, birthday and phone number
None of these things have historically been considered private information. There's zero reason that knowledge of any or all of this should be considered adequate or even relevant to proving identity.
> Many websites will request my personal physical address for trivial matters like billing or delivery. That can not by any means be considered public data.
I just don't buy things online, and avoid anyone having my physical address that way.
Sadly, the ubiquity of terrible 2FA means at least some companies have my phone number, though.
> Otherwise, just assume everything you do online is public and act accordingly.
This is such a depressing reality. It's also what governments want you to believe. If you aren't able to speak your mind about anything anonymously, then you won't be able to, say, spread ideas that go against them.
Admitting defeat at all and not even trying to teach people about privacy results in the "I don't care, what's the point?" attitude that plagues many people today.
So what is the alternative? I don't feel like there is a legislative fix, so what else can we do?
> If done right, it is not incompatible with a system where identities can be reconstructed by the authorities for legal actions.
Doing it right is exactly the thing that makes this impossible. If instead you give everyone a unique barcode that every other pseudonym can be tied back to, do you really think that database will never be breached? It would become the prime target for all attackers in the world.
Meanwhile reconstructing "identities" is the least valuable thing to doing law enforcement well, because the first thing criminals will do is use someone else's identity, and then tying something to the wrong identity isn't just useless, it's actively counterproductive. The thing you need is not centralized identity but proper investigations that can tie some activity to the person pulling the strings regardless of whose name they're using.
The thing centralized identity does is precisely the opposite -- it leads you to person associated with a name, often the wrong person. You want to get the person offering to do murder for hire to think they have a contract and show up somewhere you can arrest them regardless of whether you know their name, not to convict the person whose identity they stole.
> Doing it right is exactly the thing that makes this impossible. [...] do you really think that database will never be breached? It would become the prime target for all attackers in the world.
Critical data is always better in the hand of a few (trustable) than in the hands of many.
That is currently the exact reason why you are using Paypal instead of giving your credit card number to everybody.
That is the exact reason why you are using a password manager.
A lot about security is about who you trust, and for how long.
I don't use Paypal. My credit cards protect me from fraud. And it rarely happens. In fact it's been well over a decade since I had a fraudulent charge on any of my payment cards. Funny how when there's motivation, protection happens.
> My credit cards protect me from fraud.
Your credit card protects you against nothing. Reimbursement in case of fraud is not fraud protection; it is just bare-minimum customer service.
In fact, the first thing your bank will do when your credit card number has been leaked and was used for fraud... is to replace your credit card.
Because they know that, when the number is in the wild, it will happen again. The system is inherently insecure in case of a data leak.
Visa and Mastercard spent decades and millions constructing systems like "3D Secure", supposed to protect against that by enforcing external authentication factors. But since the system is not enforced in every country, it is still a problem today.
> I don't create new accounts, I never cross-login with my email address
... you don't create burner email addresses specifically to cross-login with them to one service?
>We need to establish measures of accountability for data holders
This is true, and it needs to change. The incentives are warped right now, as a decent chunk of global GDP traces itself back to ad tech.
Let's not persecute anyone.