Companies Not Saving Your Data

There's a new trend in Silicon Valley startups; companies are not collecting and saving data on their customers:

In Silicon Valley, there's a new emphasis on putting up barriers to government requests for data. The Apple-FBI case and its aftermath have tech firms racing to employ a variety of tools that would place customer information beyond the reach of a government-ordered search.

The trend is a striking reversal of a long-standing article of faith in the data-hungry tech industry, where companies including Google and the latest start-ups have predicated success on the ability to hoover up as much information as possible about consumers.

Now, some large tech firms are increasingly offering services to consumers that rely far less on collecting data. The sea change is even becoming evident among early-stage companies that see holding so much data as more of a liability than an asset, given the risk that cybercriminals or government investigators might come knocking.

Start-ups that once hesitated to invest in security are now repurposing limited resources to build technical systems to shed data, even if it hinders immediate growth.

The article also talks about companies providing customers with end-to-end encryption.

I believe that all this data isn't nearly as valuable as the big-data people are promising. Now that companies are recognizing that it is also a liability, I think we're going to see more rational trade-offs about what to keep -- and for how long -- and what to discard.

Posted on May 25, 2016 at 2:37 PM • 20 Comments

Comments

Arclight • May 25, 2016 5:30 PM

I'm glad to see that the economics are starting to rationalize. Realistically, how much old data is really valuable to someone trying to sell you a product? Is the fact that you repeatedly searched for "How to buy a gun in West Virginia" or "Contraindications for herpes simplex 2 treatment" of more interest to an authoritarian security agency or someone who sells annuities?

Show me the law first • May 25, 2016 6:28 PM

The public will never have anything approaching meaningful protections of their private data until those protections have, 1) been written into law, 2) have significant penalties for transgressors, and 3) those penalties uniformly enforced.

Until that time, I'll continue to have little trust for those that ask that I "trust them" with my most personal information.

http418 • May 25, 2016 7:51 PM

It seems that risk valuations are beginning to rise. Companies that focus on renting out someone else's asset are doing so partly to reduce their risk. Once upon a time owning the asset was the gold. Have governments and lawyers pushed society onto the next plateau?

Daniel • May 25, 2016 8:34 PM

I fundamentally don't believe that the marketplace is the proper solution to data retention issues. Putting limitations on data collection and retention is a quintessential legislative function no different than statute of limitations in the criminal law or term limits for political office holders. It's nice, to be sure, that companies are doing this but the reason they are doing it is because of the failure of the legislative branches to engage in any meaningful debate--let alone any meaningful resolution to data retention problems. The whole issue represents a significant failure of democracy.

In a properly functioning democracy Google would have been brought to heel and nationalized a decade ago. In a properly functioning democracy the government would not only recognize but embrace its limitations instead of engaging in parallel construction, secret courts, and endless warfare--all which are classical symptoms of gangster government. Don't get me wrong, I am glad that companies are at least doing something in the right direction but we shouldn't get too excited about applying band-aids for broken bones.

anon a mouse • May 25, 2016 8:50 PM

Please...

[about the title, Companies Not Saving your data.]

Larry • May 26, 2016 5:34 AM

Daniel,
Pardon me, but you seem to contradict yourself (maybe I'm missing something). Presuming you're in the US, the government is not a democracy.
First you say Google should be nationalized? As in run by government?
Then you say government should embrace its limitations (which I agree with 100%). That will never happen. Aren't the 2 ideas contradictory?
I also agree we do have a gangster government & it will not get better.

Gweihir • May 26, 2016 5:44 AM

They may also have found out that the data they were collecting or could collect is not really that valuable. In fact, the only use I can think of that can generate significant revenue is targeting ads, and Google is already doing that for them. (And even that may not really work well.) Most other "Big Data" approaches to making more money seem to have failed, fizzled or backfired, despite the grand promises made by the respective vendors and to no surprise of people that have some actual experience with the technology.

My conclusion is that these businesses have finally realized that in most situations, anything besides addresses of actual customers for billing purposes is _only_ a liability, and no asset at all.

Fortune teller • May 26, 2016 7:30 AM

The insurance and human resource industries will also likely buy data, old and new.

Pete • May 26, 2016 8:09 AM

I've been living at my current address for 15 years. During this time both of my adult children [43 & 41] have had time living with us for good reasons. The last time was 10 years ago. I still receive direct USPS mail addressed to them. Based on this I think that Big DATA is highly disorganized and in the larger view isn't all that important to individuals.

blake • May 26, 2016 9:43 AM

@Gweihir

"I called you about this issue last week! What do you mean you have no record of that?"

Inventory, service & ticket management are really important systems. They're not sexy, they've been around for decades, and they're easy to overlook, but they're really important.

In the stated context of "the data-hungry tech industry" then yeah, you're right, no-one should give a damn about how long it took you to close an interstitial ad, but "anything besides addresses of actual customers for billing purposes" is overly broad.

JonKnowsNothing • May 26, 2016 10:18 AM

Companies that claim they are NOT saving data is highly inaccurate, especially when implying they are more aligned with user data protections.

Everything passed along the Internet pipeline CAN and IS saved regardless of whether a company chooses to do so. USA law enforcement pen registers can be installed by court order at any point along the internet pathway. Short time delays between messages and deletions are added on demand by US Law Enforcement and Security Services to allow full mirroring of all traffic.

Even should a company be successful at avoiding the Pen Traps, everything upstream and down stream is likely to have them already installed.

Encrypted systems are not immune either and fall under the Infinite Storage protocols until their encryption is broken by future super/quantum computers.

Although a company may claim not to data mine and resell the information, law enforcement and security services worldwide do. Sometimes this is in the guise of warrants (legal or not) and sometimes they simply sell the data to other governments (tit-for-tat).

Just because a company claims it does not take your data, doesn't mean it isn't happening.

It's a 100% take on everything.


https://en.wikipedia.org/wiki/Tit_for_tat

Daniel • May 26, 2016 11:04 AM

@Larry...

It's not Google the company per se that I think should be nationalized but Google the search engine. Information retrieval and knowledge dissemination are quintessential public goods. Up until Google and the internet came along the overwhelming majority of knowledge was disseminated via the public education system whether that be k-12 or university. In 1980 if a person wanted to know something they went to the /public/ library and looked it up.

With Google, a significant portion of this search (knowledge dissemination) function has been privatized. We no longer go to the library and look up something in the card catalog and find a book using the Dewey decimal system: we Google it. That can't be right. Knowledge is power and if knowledge is not dispersed among the people--but remains in the control of a corporation--that cannot be healthy for a country that at least formally views itself as a democratic republic. Search is a public good that should be provided by a public entity.

I recognize that some people when they look at their governments today and compare them to corporations see the corporations as the lesser of two evils. However, as appealing as such a position might be it is not a socially sustainable answer. Because it leads to either the breakdown of the social order itself (anarchy) or the corporations taking over the place of government (fascism).

So my first comment in this thread shouldn't be seen as a plea for big government. It is a plea that when it makes sense we should not be afraid of assigning tasks to the government when it is in the best interest of the whole that government take on that task.

Jesse Thompson • May 26, 2016 12:19 PM

Selling Data Erasure as a product, you say?

Why start from scratch, just hire the pioneers of that approach to do all of the heavy lifting for you. Ashley Madison!

JonKnowsNothing • May 26, 2016 2:10 PM

@Daniel

We no longer go to the library and look up something in the card catalog and find a book using the Dewey decimal system: we Google it.

There is a reason why you cannot go to the library and look up books/magazines/periodicals and research information in the card catalog and that is: all card catalogs were deliberately destroyed.

Libraries not only physically destroyed these listings they prevented wiser patrons from rescuing any part of them: from the physical cabinets to the 3x4 inserted cards.

Not all librarians agreed to this destruction and if they objected many were fired or had their positions reassigned to someone more "compliant".

Additionally, the information when converted was deliberately truncated and entire chunks were omitted.

It wasn't accidental. It wasn't incompetence. It was deliberate.

One can safely point out that in hindsight, it was extremely fortuitous that Google just happened to come along at the same time as the destruction of this public knowledge base. Destruction planned and paid for by the US Government.

Google is now winning court cases about the cataloging of "all" books at major libraries. The same issues exist today as they did yesterday and years before:

Can you trust Don't Be Evil to maintain the knowledge of the world? Do you trust Be Evil to return the correct search results without censorship of any kind?

Be Evil has outed itself quite nicely.

WhiskersInMenlo • May 26, 2016 2:14 PM

The same conclusion is surfacing with simple credit card data.
Someone did the math and N * Liability = OMG and management got worried.

Some tried migrating data to physical media that can cross an air gap roach motel style.
Data checks in but only summary reports get out.

The issue that convinces managers is $$ and combine that with the legal and technical expense of servicing court orders domestic and international for free knowing that the answer is "no" for a large class of data and a whole department of non-productive staff goes away.


Josh • May 27, 2016 5:48 AM

@ Daniel,

Google search should have a disclaimer right under search box as a warning, "search results are censored, your results may vary."

Index Of The Oversoul • May 30, 2016 9:21 AM

@JKN, re: library stuff

That's because Dewey Decimal requires a license or something right?

William Hurley • May 31, 2016 6:41 PM

How much, if any, of this trend is fueled by the libertarian compulsion to avoid, evade & dodge any & all gvt oversight?

Clive Robinson • June 1, 2016 2:27 AM

@ William Hurley,

How much, if any, of this trend is fueled by the libertarian compulsion to avoid, evade & dodge any & all gvt oversight?

From the way you put it very little.

The companies have a choice between obtaining/retaining data or not.

There has been a lot of nonsense talked about "Big Data" and how there is profit in it. Like all "bubbles" every one rushes in to be the person to profit, then reality strikes and the bubble bursts.

Whilst people talk about the likes of Google the reality is rather different, even for the likes of Facebook the pickings are really quite slim. The reality for most who have obtained data is, the cost of obtaining it and making into a product that someone will pay for has nearly negated any potential profit in doing so.

Worse as they are now waking up to find potentially there is a huge liability that could bankrupt them or even have them imprisoned, which comes not from the data subjects, but the sociopaths in the DoJ and FBI, who having been brushed off by the politico's for legislation change, have decided to get case law established. So far the DOJ/FBI have been unlucky, but like terrorists they only have to get lucky once. Worse still unlike terrorists they effectively have unlimited funding from the US tax payers.

For most CEOs and CSOs etc this is a new and very significant risk well outside the usual regulatory / oversight risk. They can not externalise this risk as they do others or pay off the authorities in the way banks do with a few fines and promises not to do it again. I suspect it's been quite a shock to them and their private equity share holders. Like fairy gold the gleam and glitter of untold riches of Big Data has in the morning light, first turned into the dull poison of lead and is now found to be more radioactive than the core of a nuclear reactor that's suffered melt down.

Thus the stark choice of make at best a very little extra profit on obtaining subject data, with the potential of bankruptcy and jail or don't collect any user data above the bare minimum required for the core business and avoid having your head on the FBI/DOJ execution block.

So some companies will keep with collecting data and some will stop collecting it for now. What will almost certainly happen as the smell of "free money" is almost irresistible to modern corporates is that some way will be found to externalize this risk to a third party, probably through a large data aggregator who can most easily give the data a value added twist.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.