Reckoning with data risk

User data privacy and protection are still in their earliest days. The generations of humans living today through the birth of the Internet are its test dummies.

User data privacy and protection are still in their earliest days. Let's plan for the future.

If you're a little older and have spent any time on social media, you're entirely thankful you didn't grow up in a time when your every action had the potential to be broadcast to the universe. If you were born anytime past 2000, I'm sorry that we didn't adequately prepare for the reality you must face. Unfortunately, there are far more insidious implications to being part of this generation of "always-connected existence" beyond the social ramifications. For those of us in more technologically savvy sovereign states, from the moment a human is born, their data is proliferated.

It starts small, but it starts nonetheless. There are numerous data graph structures for each of us, interconnecting our relationships, interests, and available public data. Take, for instance, the Cambridge Analytica scandal, which revealed the vast troves of data collected on 87 million people. We can't yet entirely understand the long-term consequences of this, whether beneficial or not, but we can take responsibility for how we manage data now.

Wild West Web

The generations of humans living today through the birth of the Internet are its test dummies.

It has been two decades since the first of the truly global-scale social media companies made their entrance onto the world stage. It started off pretty carefree. Most weren't particularly concerned with what they put out into the world; it was for the most part consequence-free. You shared your fancy new email, signed up for contests, and explored the world.

In the meantime, as anyone who works in information technology would tell you, no system was at all secure. Even today, most companies barely keep up with what you might consider a reasonable software patching schedule, and even if they do, it is kind of like trying to plug a hole in an already sinking boat.

The question of protecting users' data and privacy was relegated to the very back of the priority pile. I myself have worked for most of my adult life in the defense and national security industry, and can assure you that my data is in the hands of lots of bad guys from the Office of Personnel Management (OPM) breaches alone. For better or worse, we simply have to accept that most of the data we have provided companies and governments alike so far is out there for good.

Where we go from here

Every single project that consumes or produces personal data needs to start from the assumption that it will be leaked, lost, or eventually sold.

That's right. Every time I read about how a company or organization is going to protect my data with their expert cybersecurity practices, I cringe a little inside. It doesn't matter. If someone with bad intentions wants the data, they're going to get it. Even if you have the most advanced security architecture in the world, it won't matter to the next zero-day exploit. We need to have very frank discussions in any project that deals with data.

We can make it harder for data to be leaked or stolen, but the vast majority can't make it impossible. So where do we go from here? We start from the assumption that systems will leak. It is completely reasonable. No system is perfect, and if you don't anticipate failure, you've already lost the game.

I recognize that the train has already left the station. For those of us who have systems in production today, maybe just start with a simple exercise to understand and rationalize:

  1. What data are we collecting?
  2. Where is that data transmitted or used in its lifecycle?
  3. How are we protecting it?
  4. How are we informing our users how we use their data? How are we informing them about who and what we share it with?

If you can't answer or map out these questions, you should probably start advocating for setting aside 2-4% of your company's revenue for GDPR penalties.