Alrighty, brainstorming time people. If you could write some practical laws, what protections do we need to stop these from happening.
I’m thinking 3 categories: Reporting, oversight, and accountability.
Reporting: all entities holding personally identifiable information (PII) must reach out once every 12 months. This hopefully unveils seedy brokers relying on obscurity. Maybe a policy to postpone notification up to 5 years (something like that) may be available as opt-in.
Oversight: targets of PII have oversight of what is collected/used. Sensitive information may be purged permanently upon request.
Accountability: set minimum fines for types of data stored. This monetary risk can then be calculated and factored into business operations. Unnecessary data would be a liability and worth purging.
Ok, bit of an outlandish idea, but how about something like:
Decree that information about a person is the property of that person, and therefore cannot be possessed without compensation. Think of it like intellectual property, but for your personal information
Set a standard royalty - say $0.05/year - that must be paid to the owner of that information for as long as that information is held. This forms an incentive to not hold information you don’t need, and gives visibility to all the places that are now forced to contact you every year to pay you the royalty
Places where you have an explicit contractual relationship with (utilities, banks, …) could have a clause to set the royalty at $0.00, but this can’t be extended to third parties - strong incentive not to transfer information to third parties
Unauthorised transfer or loss of information could be considered IP theft, and result in significant civil penalties
How about a government-sponsored, non-profit authentication service? That is, it should be impossible to get a loan, open a line of credit, or anything else in somebody’s name, without the lending institution verifying that it’s actually on behalf of the named individual. Eliminate the security-through-obscurity technique of using bits of easily-leaked personal information as a poor substitute for actual authentication.
I mean, (as a comparative example) I have to go through an OAuth2 consent dialog to connect a third-party app to my email account, yet somebody can saddle me with huge debts based on knowing a 9-digit number that just about everybody knows? It’s the system that’s broken, tightening up the laws on PII is just a band-aid.
The US system is broken. I have a tax file number in Australia, which is the broad equivalent of a US SSN, and you know what someone can do with it if they also have my name and DOB? Fuck-all, except file my taxes for me, because you can’t use it as an identifier anywhere else than the Australian tax office.
If I want a loan or a credit card or to open a bank account or any number of things , I need enough verifiable documents including photo ID to satisfy the other party that I am really them. Basically it’s a points system where any form of government photo ID gives you about 80 points and any other item of identifiable data gives you 10-20 points and usually you have to clear 100 points to be “identified”.
So my passport plus my driver’s licence is enough. My driver’s licence plus my non photo ID government Medicare card or my official original copy of my birth certificate is enough. My driver’s licence and two bank or credit cards is enough. About 5 or 6 things like my birth certificate, electricity bills in my name or local government rates notices and bank cards is sometimes enough, although photo ID from somewhere is usually required, or you need a statutory declaration from someone in good standing saying that you are who you say you are.
This kind of thing, while slightly more inconvenient, requires a number of physical items that can’t be easily stolen en-masse. I carry enough of them in my wallet that I can do anything I need to do, as my driver’s licence provides photo ID. People who don’t drive or have a passport can scrape together enough bits and pieces to usually get by.
So it’s time for a change. But it doesn’t have to involve technology or a huge shift in the way of doing things. It just requires a points system similar to what I describe. Whether the US can effect that change now with the millions of systems that rely on a SSN for a trivial key in a database in some small retailer somewhere, I don’t know.
It’s similar for stuff like state drivers’ licenses.
The thing is, a federal domestic ID is all but prohibited. We have to have passports for international travel, but too many people are against federal ID because of “muh privacy”, even though it means we just end up misusing SSNs and companies like this one compensate by collecting multiple data points on each person.
Oversight: I would add a mandatory security audit annually, that they have to pay for, and which occurs during a given quarter at random (so you can’t “put on your best face” for a single day).
The security audit cost is partially subsidized if they agree to a second audit 6-9 months after the first (tax funded).
Accountability: I would add Prison time as a minimum penalty for the CEO and CIO, and the punitive damages must be a percentage of their profits (no flat rates), which is in addition to any compensatory damages awarded to plaintiffs. The penalty shall be used to help pay for future audits.
I think we also need levels of PII or something, maybe a completely different framework.
There’s this pattern I see at work where you want to have a user identifiable by some key, so you generate that key when an account is created and then you can pass that around instead of someone’s actual name or anything. The problem though, is that as soon as you link that value to user details anywhere in your system that value itself becomes PII because it could be used to correlate more relevant PII in other parts of your system. This viral property it has creates a situation where a stupid percentage of your data must be considered PII because the only way it isn’t is if it can be shown that there is no way to link the data to anybody’s personal information across every data store in the company.
So why is this a problem? Because if all data is sensitive none of it is. It creates situations where the production systems are so locked down that the only way for engineers to do basic operations is to bend the rules, and inevitably they will.
Anyway, I don’t know what the solution is but I expect data leaks will continue to be common passed the point when the situation is obviously unsustainable
Alrighty, brainstorming time people. If you could write some practical laws, what protections do we need to stop these from happening.
I’m thinking 3 categories: Reporting, oversight, and accountability.
Reporting: all entities holding personally identifiable information (PII) must reach out once every 12 months. This hopefully unveils seedy brokers relying on obscurity. Maybe a policy to postpone notification up to 5 years (something like that) may be available as opt-in.
Oversight: targets of PII have oversight of what is collected/used. Sensitive information may be purged permanently upon request.
Accountability: set minimum fines for types of data stored. This monetary risk can then be calculated and factored into business operations. Unnecessary data would be a liability and worth purging.
Ok, bit of an outlandish idea, but how about something like:
Wow, you just reminded me of a data use policy I wrote up when I was young and sent a data broker after a security breach!
They laughed at me.
You and I think alike here.
PII data at rest (i.e. in a database) must be encrypted.
If the DB is running, it’s not at rest. Clients side encrypted data would be the way.
I think my definition is pretty standard: https://en.m.wikipedia.org/wiki/Data_at_rest
The catch is interpretation, which the wiki points out:
Any company like this one would consider this data “in use” but “inactive” because any person could need a loan at any point.
How about a government-sponsored, non-profit authentication service? That is, it should be impossible to get a loan, open a line of credit, or anything else in somebody’s name, without the lending institution verifying that it’s actually on behalf of the named individual. Eliminate the security-through-obscurity technique of using bits of easily-leaked personal information as a poor substitute for actual authentication.
I mean, (as a comparative example) I have to go through an OAuth2 consent dialog to connect a third-party app to my email account, yet somebody can saddle me with huge debts based on knowing a 9-digit number that just about everybody knows? It’s the system that’s broken, tightening up the laws on PII is just a band-aid.
The US system is broken. I have a tax file number in Australia, which is the broad equivalent of a US SSN, and you know what someone can do with it if they also have my name and DOB? Fuck-all, except file my taxes for me, because you can’t use it as an identifier anywhere else than the Australian tax office.
If I want a loan or a credit card or to open a bank account or any number of things , I need enough verifiable documents including photo ID to satisfy the other party that I am really them. Basically it’s a points system where any form of government photo ID gives you about 80 points and any other item of identifiable data gives you 10-20 points and usually you have to clear 100 points to be “identified”.
So my passport plus my driver’s licence is enough. My driver’s licence plus my non photo ID government Medicare card or my official original copy of my birth certificate is enough. My driver’s licence and two bank or credit cards is enough. About 5 or 6 things like my birth certificate, electricity bills in my name or local government rates notices and bank cards is sometimes enough, although photo ID from somewhere is usually required, or you need a statutory declaration from someone in good standing saying that you are who you say you are.
This kind of thing, while slightly more inconvenient, requires a number of physical items that can’t be easily stolen en-masse. I carry enough of them in my wallet that I can do anything I need to do, as my driver’s licence provides photo ID. People who don’t drive or have a passport can scrape together enough bits and pieces to usually get by.
So it’s time for a change. But it doesn’t have to involve technology or a huge shift in the way of doing things. It just requires a points system similar to what I describe. Whether the US can effect that change now with the millions of systems that rely on a SSN for a trivial key in a database in some small retailer somewhere, I don’t know.
That’s basically how it works in the US too. For example, for a form I-9, Employment Eligibility Verification, you need a passport, OR both proof of identity and proof of citizenship: https://www.uscis.gov/i-9-central/form-i-9-acceptable-documents
It’s similar for stuff like state drivers’ licenses.
The thing is, a federal domestic ID is all but prohibited. We have to have passports for international travel, but too many people are against federal ID because of “muh privacy”, even though it means we just end up misusing SSNs and companies like this one compensate by collecting multiple data points on each person.
This so much. In fact, go a step further and have a few competing auth services, with some regulatory oversight for managing that much pii.
Oversight: I would add a mandatory security audit annually, that they have to pay for, and which occurs during a given quarter at random (so you can’t “put on your best face” for a single day).
The security audit cost is partially subsidized if they agree to a second audit 6-9 months after the first (tax funded).
Accountability: I would add Prison time as a minimum penalty for the CEO and CIO, and the punitive damages must be a percentage of their profits (no flat rates), which is in addition to any compensatory damages awarded to plaintiffs. The penalty shall be used to help pay for future audits.
I think we also need levels of PII or something, maybe a completely different framework.
There’s this pattern I see at work where you want to have a user identifiable by some key, so you generate that key when an account is created and then you can pass that around instead of someone’s actual name or anything. The problem though, is that as soon as you link that value to user details anywhere in your system that value itself becomes PII because it could be used to correlate more relevant PII in other parts of your system. This viral property it has creates a situation where a stupid percentage of your data must be considered PII because the only way it isn’t is if it can be shown that there is no way to link the data to anybody’s personal information across every data store in the company.
So why is this a problem? Because if all data is sensitive none of it is. It creates situations where the production systems are so locked down that the only way for engineers to do basic operations is to bend the rules, and inevitably they will.
Anyway, I don’t know what the solution is but I expect data leaks will continue to be common passed the point when the situation is obviously unsustainable