Customer Data May be Too Risky to Keep

By Dan Gillmor  |  Posted 09-05-2005 Print Email
With data security an oxymoron at many companies, it's time to rethink who controls customer data in the first place.

Companies keep finding ways to misplace consumers' personal data. Courier services lose tapes on their way to long-term storage facilities; malevolent social engineers con their way into access; laptop computers holding multiple databases are stolen.

We hear a lot about these kinds of things now because a new California law requires companies to disclose to consumers when their data has been compromised. It should be obvious, though, that data loss has been happening for some time, because the level of security in these cases seems to have been, at best, pervasively inadequate.

All of which makes me wonder: Why are companies keeping our data at all? Wouldn't they—and we—be better off in the long run if data wasn't collected and stored in the first place?

This sounds counterintuitive, and it certainly goes against today's common business practices. It's basically been an article of faith that gathering, storing and massaging ever more data is a good thing. Information can be power. It helps determine risk and reward. It helps a company know its various constituents better, including customers and suppliers. And it's worth money.

The current model fails in two areas. One, as noted, is with shamefully lax security. The other is the perverse notion that our personal lives are a commodity to be bought, sold and traded without serious regard for privacy or the consequences of sloppy handling. This doesn't even take into account the common problem of data that is outright false.

It is distressing that most personal information—such as what we spend and where we spend it, not to mention the ultimate skeleton key for identity thieves, our Social Security numbers—can be bartered at all. And when information is compromised or incorrect, consumers are largely responsible for cleaning up the chaos that results.

The data collection system is, at long last, beginning to fray at the edges. Consumers are growing more worried and angry over what they're learning about shoddy storage and trading practices. A recent survey by Harris Interactive found an increase in identity theft and a decrease in consumer confidence that negatively affected purchasing decisions.

The worst practices are drawing the attention of trial lawyers who, in the absence of more serious government enforcement, are prosecuting the promise-breakers.

But the California law may be a canary in the coal mine for keepers of data, because it signals the possible reappearance of legislators into an arena they've tried hard to avoid—a natural tendency, given the prodigious amounts of campaign contributions legislators have collected from the data collectors and sellers.

It's in this context that we should be asking whether the rewards of holding on to consumer data are worth the trouble—and whether it's possible to create an infrastructure that gives consumers much more control over their information from the outset.

Eric Norlin, a vice president at Ping Identity Corp., and a longtime writer on these matters, advocates "federated identity"—a decentralized system that would have the effect of giving consumers just this sort of granular control. "This is about customers being able to make their identities portable," he says, "to allow individuals to present the ID they choose to present to the service provider."

For example, if I were buying a plane ticket, I could give the airline permission to charge a certain amount of money to my credit card. But the airline wouldn't need access to the actual credit card number if I'd simultaneously given the card issuer enough information about the transaction to make the transfer. The bank or other card issuer would need my permission to pay the airline, but the entire transaction could take place in a seamless mesh of business logic, using advanced Web services, that lends parts of my identity to those who need it on a temporary basis.

This leaves a single potential point of failure (for this transaction, at any rate) from an identity-theft standpoint: the bank. Even though banks can, and sometimes do, get careless with data, a financial institution that builds and maintains an excellent record for data security will win more business. Competition for customers would bring more business to providers that are the most careful.

For such a system to have any chance of working, a variety of technologies is required. Ultimately, consumers and merchants must trust that the parties they're dealing with on either side of the transaction are indeed who they're supposed to be. Also, data cannot be easy to compromise. So encryption as well as the ability to digitally "sign" what we send around are crucial.

A viable public-key encryption infrastructure meets these requirements, and the technology's inventor is Whitfield Diffie, Sun Microsystems' chief security officer. He questions whether institutions would ever buy into an identity system where the data resided solely with consumers, but says there's no fundamental technical barrier.

Still, the practical difficulties are not trivial. Mortgage lenders may lose some of their ability to uncover information borrowers may have failed to disclose, and that would mean greater lending risk. One way around the problem might be harsher contract sanctions for failing to give lenders correct information when asked, plus a higher interest rate for more limited kinds of disclosure. In such transactions, people will have to make visible more verified data about themselves than in deals, such as a simple purchase, where the stakes are lower.

Another real-world barrier, Diffie notes, is the lack of a ubiquitous key infrastructure. The old AT&T could have created that, given its one-time dominance of communications. Federal agencies such as the National Security Agency had the wherewithal to do it, but the NSA damaged its credibility with the public by trying to exert improper control over encryption. Federated identity advocates are painstakingly building an infrastructure today that they hope will solve the problems of tomorrow.

One drawback with user-controlled data has nothing to do with business, and that is the government's wish to spy on us. Law enforcement might find its job complicated by an identity system that decentralized control and collection of information.

Even so, there is enormous logic and value to society in returning people's personal lives to their own control. The credibility of future electronically based commerce may depend on consumers' trust in the system. They are losing faith already, and a data Chernobyl is in no one's interest.

The way we're going, however, such a meltdown might be hard to avoid. It would be wise to plan now for the aftermath, wiser still if companies would consider—just consider—the possibility that data retention itself could be the heart of the problem, and seriously analyze the alternatives. That alone would move the ball ahead.

Corporate America has an unfortunate addiction to centralized data that it doesn't need. Sometimes, losing control is an advantage.


This is my first column for CIO Insight. We're calling it "EdgeWise" to reflect the growing decentralization of today's information economy. The insights and endeavors that people (and their machines) at the edges of networks feed back to the center, and to each other, are already enormous—and they're expanding. We see this phenomenon in open-source software projects. We see it in Weblogs. We see it in grid computing and mass parallel processing.

You know more than I do. I hope you'll tell me things that you know and I don't and that CIOs need to know. Let's make this space a conversation, not a lecture.

Dan Gillmor is author of We the Media: Grassroots -Journalism by the People, for the People and founder of Bayosphere.com, a San Francisco Bay Area Web site. His next column will appear in December.



 

Submit a Comment

Loading Comments...