Customer Data May be Too Risky to KeepBy Dan Gillmor | Posted 09-05-2005
Companies keep finding ways to misplace consumers' personal data. Courier services lose tapes on their way to long-term storage facilities; malevolent social engineers con their way into access; laptop computers holding multiple databases are stolen.
We hear a lot about these kinds of things now because a new California law requires companies to disclose to consumers when their data has been compromised. It should be obvious, though, that data loss has been happening for some time, because the level of security in these cases seems to have been, at best, pervasively inadequate.
All of which makes me wonder: Why are companies keeping our data at all? Wouldn't theyand webe better off in the long run if data wasn't collected and stored in the first place?
This sounds counterintuitive, and it certainly goes against today's common business practices. It's basically been an article of faith that gathering, storing and massaging ever more data is a good thing. Information can be power. It helps determine risk and reward. It helps a company know its various constituents better, including customers and suppliers. And it's worth money.
The current model fails in two areas. One, as noted, is with shamefully lax security. The other is the perverse notion that our personal lives are a commodity to be bought, sold and traded without serious regard for privacy or the consequences of sloppy handling. This doesn't even take into account the common problem of data that is outright false.
It is distressing that most personal informationsuch as what we spend and where we spend it, not to mention the ultimate skeleton key for identity thieves, our Social Security numberscan be bartered at all. And when information is compromised or incorrect, consumers are largely responsible for cleaning up the chaos that results.
The data collection system is, at long last, beginning to fray at the edges. Consumers are growing more worried and angry over what they're learning about shoddy storage and trading practices. A recent survey by Harris Interactive found an increase in identity theft and a decrease in consumer confidence that negatively affected purchasing decisions.
The worst practices are drawing the attention of trial lawyers who, in the absence of more serious government enforcement, are prosecuting the promise-breakers.
But the California law may be a canary in the coal mine for keepers of data, because it signals the possible reappearance of legislators into an arena they've tried hard to avoida natural tendency, given the prodigious amounts of campaign contributions legislators have collected from the data collectors and sellers.
It's in this context that we should be asking whether the rewards of holding on to consumer data are worth the troubleand whether it's possible to create an infrastructure that gives consumers much more control over their information from the outset.
Eric Norlin, a vice president at Ping Identity Corp., and a longtime writer on these matters, advocates "federated identity"a decentralized system that would have the effect of giving consumers just this sort of granular control. "This is about customers being able to make their identities portable," he says, "to allow individuals to present the ID they choose to present to the service provider."
For example, if I were buying a plane ticket, I could give the airline permission to charge a certain amount of money to my credit card. But the airline wouldn't need access to the actual credit card number if I'd simultaneously given the card issuer enough information about the transaction to make the transfer. The bank or other card issuer would need my permission to pay the airline, but the entire transaction could take place in a seamless mesh of business logic, using advanced Web services, that lends parts of my identity to those who need it on a temporary basis.
This leaves a single potential point of failure (for this transaction, at any rate) from an identity-theft standpoint: the bank. Even though banks can, and sometimes do, get careless with data, a financial institution that builds and maintains an excellent record for data security will win more business. Competition for customers would bring more business to providers that are the most careful.
For such a system to have any chance of working, a variety of technologies is required. Ultimately, consumers and merchants must trust that the parties they're dealing with on either side of the transaction are indeed who they're supposed to be. Also, data cannot be easy to compromise. So encryption as well as the ability to digitally "sign" what we send around are crucial.
A viable public-key encryption infrastructure meets these requirements, and the technology's inventor is Whitfield Diffie, Sun Microsystems' chief security officer. He questions whether institutions would ever buy into an identity system where the data resided solely with consumers, but says there's no fundamental technical barrier.
Still, the practical difficulties are not trivial. Mortgage lenders may lose some of their ability to uncover information borrowers may have failed to disclose, and that would mean greater lending risk. One way around the problem might be harsher contract sanctions for failing to give lenders correct information when asked, plus a higher interest rate for more limited kinds of disclosure. In such transactions, people will have to make visible more verified data about themselves than in deals, such as a simple purchase, where the stakes are lower.
Another real-world barrier, Diffie notes, is the lack of a ubiquitous key infrastructure. The old AT&T could have created that, given its one-time dominance of communications. Federal agencies such as the National Security Agency had the wherewithal to do it, but the NSA damaged its credibility with the public by trying to exert improper control over encryption. Federated identity advocates are painstakingly building an infrastructure today that they hope will solve the problems of tomorrow.
One drawback with user-controlled data has nothing to do with business, and that is the government's wish to spy on us. Law enforcement might find its job complicated by an identity system that decentralized control and collection of information.
Even so, there is enormous logic and value to society in returning people's personal lives to their own control. The credibility of future electronically based commerce may depend on consumers' trust in the system. They are losing faith already, and a data Chernobyl is in no one's interest.
The way we're going, however, such a meltdown might be hard to avoid. It would be wise to plan now for the aftermath, wiser still if companies would considerjust considerthe possibility that data retention itself could be the heart of the problem, and seriously analyze the alternatives. That alone would move the ball ahead.
Corporate America has an unfortunate addiction to centralized data that it doesn't need. Sometimes, losing control is an advantage.
This is my first column for CIO Insight. We're calling it "EdgeWise" to reflect the growing decentralization of today's information economy. The insights and endeavors that people (and their machines) at the edges of networks feed back to the center, and to each other, are already enormousand they're expanding. We see this phenomenon in open-source software projects. We see it in Weblogs. We see it in grid computing and mass parallel processing.
You know more than I do. I hope you'll tell me things that you know and I don't and that CIOs need to know. Let's make this space a conversation, not a lecture.
Dan Gillmor is author of We the Media: Grassroots -Journalism by the People, for the People and founder of Bayosphere.com, a San Francisco Bay Area Web site. His next column will appear in December.