In July of last year, I sat next to one of the heads of the FTC antitrust department on a plane. We were traveling to the same conference and we started chatting about innovation in technology, the definition of antitrust and market power, and eventually the changing role of national defense. The first and most important responsibility of a government, and in fact the very reason for its founding, is to protect its citizens. But the notion of protection is changing. Increasingly, it means protecting citizens' data. The South Korean government is forbidding websites from collecting national identity numbers, after too many websites leaked data.
Web services want/need deep user data to (i) provide better experiences to their users and (ii) generate more money from their users. Most of the time, we’re willing to trade one for the other. Relevant ads are much better than irrelevant ones. Compare Groupon deals (for pole dancing lessons) to Facebook ads, for example. Aside from apathy/laziness, I think this is why most users remain with errant web services.
But the ecosystem gets into trouble when data leaks. One tension exists between short-term growth and long-term data security. As web services seek growth and quick time to market, short-term investments in user data security don’t make sense. After all, who knows whether SHA hashing matters if we only have a few hundred users? Don’t hash the db yet.
By the time web services reach scale, there tends to be huge technical security debt. Compounding the challenge, exploits are becoming increasingly sophisticated. Lastly, most users aren’t trained to handle sensitive data: they copy files to their laptops in unencrypted form and, shortly thereafter, misplace the laptop. The result: widespread data leaks even at the world’s largest institutions. More than 867TB of data was stolen in 2010 alone by foreign actors.
We’ve all been impacted, to such an extent that we have even become blasé about it. I suffered 2 data leaks last year at the hands of Citibank and Stanford Hospitals. I bet much more of my data leaked without my knowledge. Think of all the data syndicated through FB apps, Gmail OAuth, Chrome extensions, mobile phone apps, and Twitter.
The problem is huge because of the potential to destroy credit, steal identities or worse. At the heart of this challenge is the complexity of these systems. Very few people understand these systems through and through (despite FB app permission dialog boxes and 40-page EULAs), much less the average user or Congressman.
The Internet has blossomed and released a huge amount of data. Over the next decade, data security will be a fundamental challenge. And there are no easy answers because of the scale of the problem: the number of users, web services, companies, and petabytes of data, and the cooperation needed between public and private entities. But ensuring we protect our data is critical to the continued growth of the web because trust underpins all transactions, even those on the web.