In Control: How Personal Data Becomes Inherently Controllable
Information was first digitized in the 1950s, thus ushering in the dawn of data. Then, as now, software was used to create and process data, and, as with most new technology inventions, security was not inherently built in. Software developers didn’t feel the need to apply controls to the new data objects created. Anyone with access to the software and the rare, expensive computer on which to run it could open, read, modify, delete, or copy this data without limits.
That didn’t seem terribly risky at the time. After all, data could only be accessed with huffing, room-sized machines lacking connection to anything like “the Internet.” Lock that room and what could go wrong?
In the 21st century, however, personal, proprietary, and confidential data proliferates across billions of connected devices. Abundant access to data without built-in controls now represents a huge cybersecurity risk and an affront to our digital privacy.
Why then haven’t developers and software platform operators, as a rule, corrected this omission of inherent data control? Why are our data protection strategies still based on concepts as antiquated as punch cards?
Can Software Make Data Controllable?
The vast majority of the world’s 60-plus zettabytes of data lacks self-defense mechanisms. Get to the data and you can usually do what you want with it. This is how your personal information might wind up on the dark web.
When data is inherently vulnerable, techniques like Defense in Depth are our best hope for protecting it. We try to keep unauthorized hands off data, but we aren’t universally successful, as evidenced by the rising number of data breaches each year.
The thing is, data needn’t be defenseless. Adding controls to data objects themselves may not have been considered important in the Eisenhower era but there is no technical obstacle to doing so.
As we covered previously, data is physical. Use and access controls can be “baked in,” much like manufacturers incorporate steering wheels and locks in our cars. One example of data access control is encryption, which changes the physical structure of data to make it lockable. Analogs of brakes, steering, and “rules of the road” can also be added to dictate who can access data, from what devices, at what geographic locations, for how long, as well as what they can do with the data once accessed. Data objects can be made such that all copies self-destruct at the same instant, users can be provided controls to rescind access rights to personal data on demand, and more.
It’s surprising how many people in information technology fields, from developers to CIOs, don’t know these things are possible.
Why Doesn’t Most Software Make Controllable Data?
There are numerous reasons that data remains uncontrollable. Lack of awareness is a big one. If many technology leaders don’t realize that their software can make data with inherent, enduring controls built in, even fewer end users recognize that fact. Consumers haven’t demanded this feature and the companies profiting from our data certainly haven’t volunteered it.
As it stands today, the business models of some of the world’s most powerful corporations depend on each of us surrendering our personal privacy as the cost of entry into their marketplace of goods, services, knowledge, and ideas. Your web searches, for example, are monitored so advertisers can target you. Do you want advertisers to know what you look for online? Probably not. But losing this aspect of your privacy is a condition of using Google. Similar compromises are made across the digital spectrum.
If we were offered control of our personal data, we would likely make very different choices than most of these companies. But of course, that’s not in their interest, so instead of changing their applications, tech luminaries prattle on about how deeply they care about privacy and continue to do nothing.
They talk about privacy but don’t give us privacy-enabling technology.
When Will Things Change?
At Absio, we believe we are at a turning point. Fed up with near-constant infringement of their privacy, constituents of many nations are insisting that public officials intervene. The EU’s General Data Protection Regulation and the California Consumer Privacy Act are the beginning of a movement, not the end.
These policies cannot in themselves control data. They do nonetheless establish specific expectations regarding data use and protection, as well as increase the severity of the consequences when companies fail their customers.
Thanks to GDPR, CCPA, and other laws, companies that share data in ways they don’t reveal to users can now be fined, at least in some jurisdictions. By the same token, a serious data breach is no longer a matter of “oops, sorry.” Financial penalties, along with brand impacts and revenue losses, can be exorbitantly expensive. These factors will steadily tip companies’ cost-benefit analyses so they begin to reject software that creates uncontrollable, defenseless data.
Consumers, we predict, are also ready to leverage their power. People around the globe are increasingly distrustful of platforms and providers that continually surveil them and hand over the resulting data to third parties. The market is ripe for competitors willing to give us back control. Once consumers understand that better data protection is possible, we won’t settle for pretty words—we will demand products that physically guarantee digital privacy and security at the data level.
Build those products and we will come.