Can Consumers' Online Data Be Protected?

Everything online is hackable. This is true for Equifax's data and the federal Office of Personnel Management's data, which was hacked in 2015. If information is on a computer connected to the Internet, it is vulnerable.

But just because everything is hackable doesn't mean everything will be hacked. The difference between the two is complex, and filled with defensive technologies, security best practices, consumer awareness, the motivation and skill of the hacker and the desirability of the data. The risks will be different if an attacker is a criminal who just wants credit card details -- and doesn't care where he gets them from -- or the Chinese military looking for specific data from a specific place.

The proper question isn't whether it's possible to protect consumer data, but whether a particular site protects our data well enough for the benefits provided by that site. And here, again, there are complications.

In most cases, it's impossible for consumers to make informed decisions about whether their data is protected. We have no idea what sorts of security measures Google uses to protect our highly intimate Web search data or our personal e-mails. We have no idea what sorts of security measures Facebook uses to protect our posts and conversations.

We have a feeling that these big companies do better than smaller ones. But we're also surprised when a lone individual publishes personal data hacked from the infidelity site AshleyMadison.com, or when the North Korean government does the same with personal information in Sony's network.

Think about all the companies collecting personal data about you -- the websites you visit, your smartphone and its apps, your Internet-connected car -- and how little you know about their security practices. Even worse, credit bureaus and data brokers like Equifax collect your personal information without your knowledge or consent.

So while it might be possible for companies to do a better job of protecting our data, you as a consumer are in no position to demand such protection.

Government policy is the missing ingredient. We need standards and a method for enforcement. We need liabilities and the ability to sue companies that poorly secure our data. The biggest reason companies don't protect our data online is that it's cheaper not to. Government policy is how we change that.

This essay appeared as half of a point/counterpoint with Priscilla Regan, in a CQ Researcher report titled "Privacy and the Internet."

Posted on February 14, 2018 at 6:43 AM • 56 Comments

Comments

Gregg Grosshans • February 14, 2018 7:21 AM

I'm not sure Bruce’s solution will solve the problem, government policy.

I say this because there is government policy for people to have a driver's license, and for people who own vehicles to carry auto insurance. What about people who have had their credit/debit card stolen or copied and used elsewhere?

Most Americans know how well the above have worked out. How have these similar approaches worked out in other countries?

I do agree there needs to be some sort of action people can take if a company/site doesn’t protect the data.

Our current legal system would be the best approach to solve this, but how well does this work out when the offending institution/party doesn’t have the resources to provide just compensation? Think Takata and their air bags, or The Harvey Weinstein (spelling) company.

I think there needs to be a fundamental shift in thinking and services to facilitate this. People purchase health insurance to protect them. Perhaps something needs to be done similar in this arena Bruce raises.

Ted Lapis • February 14, 2018 8:12 AM

Nobody opts in to the 3 big credit rating agencies. They operate in violation of privacy protections. They are not held to account, for violating, and endangering liberty and/or freedom. Without consequences, we are left with gestures:

Nerijus • February 14, 2018 8:15 AM

Bruce, can you do an entry in this blog of yours about GDPR? Seems to be related to what you were describing in this post. It's not an ultimate answer, of course, to the problem described, but part of the solution. Would you agree?

BWeb • February 14, 2018 8:31 AM

> In most cases, it's impossible for consumers to make informed decisions about whether their data is protected. We have no idea what sorts of security measures Google uses to protect our highly intimate Web search data

That's one case where it's really easy to protect yourself: search over Tor. (But Google Search mostly blocks Tor so you'd have to use something else.)

Or at least use some kind of private-browsing mode so the searches won't go directly into your history. They can still track by IP, browser fingerprints, etc.

TheInformedOne • February 14, 2018 9:08 AM

GDPR is contradictory to free-flowing capitalism. This is why the EU can implement it, but the U.S. can't. As a U.S. citizen, it is your privilege to participate in a society which purports freedom sponsored by military supremacy, yet seeks to data-mine and profit from every thought its citizenry will ever have. The new gold is "Data". At best (and after many years of open exploitation), the U.S. government will be forced to adopt some flavor of GDPR-Lite which allows capitalism to legally exploit the citizenry, while simultaneously allowing politicians to get elected for promising to defend a citizen's right to privacy. Life is grey, not black & white.

Michael • February 14, 2018 9:38 AM

I am confident that the market will eventually correct this. One reason that it has not, is that in considering the model for human action popularized by Mises, the market forces that drive change have not fully materialized. A sense of unease, along with a vision for a better state must occur, and must occur widely for a change to be driven in the market.

I would submit that the pain that most people suffer from the reduction in security and privacy of hacking and inadequate corporate controls is not sufficient that they are willing to engage the flawed and oppressive controls of a government, knowing too well the negative tradeoff they are accepting in that approach. I think most people's view can be summarized in the proverb, better the devil you know, than the devil you don't.

Iggy • February 14, 2018 9:49 AM

If someone can figure out how to access air gapped computers, then someone can figure out how to use cash online and fully anonymize our IP addresses, so commerce can return to being about the swift and transitory exchange of currency for goods and that's all. As long as our names and addresses are allowed to be treated like goods, the less we are seen as human beings. Whoever decided monetizing our personal data was a good idea is evil incarnate. Because now we're expected to fork it over or be treated as suspect or worse, as nothing. And the money lenders who steal even more info under the pretext of protecting themselves against loss? They infest the devil's bowels.

Impossibly Stupid • February 14, 2018 10:03 AM

Auditable algorithms are a better first step than broad government intervention. A company like Apple can say they do end-to-end encryption for iCloud data, but they sure go out of their way to not make that service interchangeable with a third-party service, so it's hard to know for sure what exactly they're doing with your data. Give me a way to not give you my data and I'll be able to trust your security a lot more.

Bob Dylan's Heaving Sigh • February 14, 2018 10:24 AM

My belief is that government policy will never materialize in favor of privacy because it is cheaper and easier to condition people to accept the loss of privacy and anonymity as the price to be paid for living in a "modern, civilized" society.

tom • February 14, 2018 10:26 AM

It'd be nice to have a break from the government being shoved down our throats at every turn. We can't do this without the government, we can't do that without government; we're helpless without the government. People should be capable of coordinating and solving problems well enough on their own for the vast majority of tedious issues out there.

Pete • February 14, 2018 10:44 AM

While I'm almost never a fan of govt interdiction, privacy has been taken away from most people in the world. I see no method to regain privacy OTHER than govt intervention, at least in the USA.

Until an individual is provided complete control over their data, the abuses will continue.

I have paranoid friends who will not visit a doctor, due to HIPAA mandates for medical information. THAT is wrong that someone might need to choose between health care or privacy.

Coordination to solve the issue? That would be nice, if it didn't also require giving up next to all privacy to perform. Insta-Goo-Face-Tweet are how most people communicate. Just try to coordinate without those things? I organize a group of 1100 people and we DO NOT use any of those methods. We run our own website, email lists, and still get hassled by Gen-X and younger people that they didn't know we existed for years because we refuse to use centralized services.

In short, without govt confirming that a human owns the data about themselves, and that human is free to release it OR NOT, no changes will be made to sufficiently protect the data.

IMHO.

Anura • February 14, 2018 10:45 AM

@tom

Ideally, that would be the case; however, as we are in a capitalist society, most people are dependent on others for everything in their life, and government is the only authority over the minority of people who control the property most people depend on. As long as we are in a capitalist society, government intervention is going to be required at every corner to ensure exploitation is limited to an acceptable level. The only way for consumers to make those decisions for themselves is if they own the property they depend on.

Neoliberalism has been an abject failure, and consumers are only getting less and less control over the products they buy over time as control of the economy becomes more and more centralized.

albert • February 14, 2018 11:29 AM

Who's still using Google search?

Sorry to say, but The Brucester is right.

The gov't -could- provide the best solution to the problem....in theory.

I may be preaching to the choir here, but the first step is to get the money out of politics. It would take a genius to convince politicians and corporations that regulation is better for everyone. That person hasn't shown up yet.

Our society is being sucked down in a whirlpool of greed, and barring outside influences, whirlpools don't stop themselves.

It'll be interesting to see what happens to this little experiment known as 'democratic capitalism'. Yes, I know it's an oxymoron, but appropriate nonetheless, n'est-ce pas?

. .. . .. --- ....

RSaunders • February 14, 2018 11:42 AM

Cars in the 1930s and 40s were started with a button, albeit on the floor. This tended to make them very easy to steal. Car manufacturers responded to public concerns about auto theft by using a key on the ignition. For a while, it was common practice to store this key on the sunvisor, rather than in the ignition, to reduce car theft. As more people started carrying their keys, thieves started popping the locks or jumping the wires. Then the key got a chip added to it, so that it cost a lot more to replace, to counter this effect. Eventually the chip led to fobs and today's push-button keyless ignition, the 1930s button moved to the dash.

This market evolved this way because people had theft insurance on their cars and insurance companies rated cars based on the anti-theft features installed by the manufacturer. The insurance company aligned the interest of the consumer (who didn't want their car stolen) and the auto maker (who was otherwise uninterested in car thefts unless they led to more sales).

In the data space, data hoarders are allowed to lose personal data with no penalty. If hoarders were held liable for the loss of data on 1M people, they would factor security into their IT designs. They might choose to hoard less data in systems connected to the Internet.

When we allow data hoarders to spill data freely, it's like allowing power plants to spill gasses into the air freely, more spilling is likely. If there were spilling costs, companies could choose to invest in insurance and anti-spilling technologies. While perfect security is not achievable, any more than an unstealable car is possible, we can move the engineering balance point by changing the financial liability in this tradeoff.

Bob Walker • February 14, 2018 12:18 PM

Bruce,

Are you blocking access to readers that are using a VPN service? If so, how are you doing this? A list of VPN providers? Some other way of detecting VPN use? Sorry about being off-topic.

JDB • February 14, 2018 12:26 PM

GDPR still does not solve this problem as a lot of corporations do not interact or sell to citizens of the EU. GDPR calls for those who possess the information of EU citizens to abide by the GDPR security framework but will not be mandatory for all US organizations. There should be a US equivalent but quite frankly, our government likely depends on the availability of this information as part of their surveillance programs.

Iggy • February 14, 2018 1:02 PM

@impossibly stupid, no thanks to a single judge's ruling decades ago, our names and addresses were ruled to be "public" and thus not subject to any protection by the self-sovereign. Over-turning that ruling would be the clarion call that this issue urgently needs. I'm not optimistic. Therefore, other, likely more draconian strategies will be required. And it may be too late in any case, as an entire generation of humans have been raised to consider their privacy as an impediment to instant gratification.

Gerard van Vooren • February 14, 2018 1:11 PM

@ Michael,

"I am confident that the market will eventually correct this."

I am pretty obvious that the market will not. Why? It's a technical issue, not a political one. So, let's talk about the technical issue. Are we talking about (F)OSS, or closed source? The latter, I, nor you, nor anybody else, can talk about. Just think about Intel. It can't be done right. If talking about (F)OSS, the market is too large. There is just too much to inspect. Do you want to audit such as Apache, for instance, good luck. Then I am not even talking about Linux, which has to go to its knees simply because of (again) Intel.

So, I am a pessimist about the market.

justina colmena • February 14, 2018 1:53 PM

@Gregg Grosshans

> What about people who have had their credit/debit card stolen or copied and used elsewhere?

Faaahhkkk! Their identity has been stolen! Don't you get it? They don't even know who they are half the time! It's a fekkin' mental illness! Multiple personality disorder or chronic paranoid schizophrenia or something like that!

They've shown they can't handle their own money! They can't even hold onto their own purse! They need a payee or custodian or a guardian for their money to make sure they pay their bills on time! Don't you see!

Ross Snider • February 14, 2018 2:00 PM

These companies literally sell your information as a product to others. They partner with governments and intelligence agencies. They do not protect the information.

What they do is protect their brand and the effect of hacks on business, market, and perception.

How many people know that all of GMail was hacked because they put in back doors for the FBI to use? Few, because Alphabet Inc knows it costs less and is better for the business to spend money on lawyers and PR in place of doing the right thing for people.

albert • February 14, 2018 2:18 PM

@Michael, @Gerard,

The market -could- correct this problem....in theory. But the 'market' as presented by academic theorists doesn't exist. It is totally controlled by the plutocrats. What little regulation exists is now being legislated out of existence, or officially not enforced. This proceeds -regardless- of the party in power.

What -would- work is lots of folks voting with their wallets, and breaking the consumer economy.

I'm not holding my breath.
. .. . .. --- ....

Private Pete • February 14, 2018 2:19 PM

The government? Like the NSA? Who spy on everyone, abusing privacy rights? Or, the FBI? Set up originally to gather information on people in order to blackmail them? That government?
There is only one defence - stop giving your data away. If you can't stop, at least demand that the organisations that you give it to, pay for it. And if they won't, ask yourself 'how badly do I need this 'service'?
And if you can't even do that much, this is all hot air...

Nick Toumpelis • February 14, 2018 2:51 PM

Completely agree. The GDPR is a good step in that direction and perhaps it could be a force for change in the US. What do you think?

(required) • February 14, 2018 3:08 PM

"These companies literally sell your information as a product to others. They partner with governments and intelligence agencies. They do not protect the information."

-----> Congress that sells you out "legally" for lobbyist money says its fine though.

And we elect them. *(at least, we did before Citizens United made corporations > people)

The only thing "protecting" this information right now is corporate lawyers and their hedged bets.

Security Sam • February 14, 2018 3:27 PM

Securing the old barn door
After the horse has bolted
Like hoisting a lightning rod
After you got really jolted.

VinnyG • February 14, 2018 3:28 PM

@Bruce re:"government policy" - would that be the same government that via regulatory policy facilitated 10 companies gaining near-monopoly power over nearly every important aspect of the internet, and then rescinded the only (meager as it was) meaningful consumer protection against that consolidated power by doing away with net neutrality? Good luck with that "trust model" - I think you're going to need it...

@BWeb re "...Google Search mostly blocks Tor..." My experience is that Google also attempts to block some searches based on diagnosis of VPN use, but they are very inconsistent to the point of incompetence at accomplishing it (my results consistently vary by exit point as reflected in IP block,) so it might be worth some experimentation.

@Bob Walker re VPN - I am accessing this blog via a popular VPN, so the answer to your question in general would appear to be "no"...

(req'd) • February 14, 2018 3:39 PM

Security Sam, master of verse
his poems are wise, even if terse
he'll still be here rhyming while we suffer worse
as our private data is traded for purse

BWeb • February 14, 2018 5:29 PM

> My experience is that Google also attempts to block some searches based on diagnosis of VPN use, but they are very inconsistent … it might be worth some experimentation.

Sometimes it works, sometimes it's "You're a robot" with no recourse, sometimes it's a captcha (and my desire for Google isn't so strong I'd bother with it). I sometimes type "!g" if DuckDuckGo isn't giving me good results, but with a >50% chance of failure I normally avoid that and just go to Bing instead. Never had any Tor-related trouble there.

Sites like Google and Cloudflare (and Salon) should heed Salon's warning: it's not easy to get users back once you've stopped your hostile behavior.

Alyer Babtu • February 14, 2018 5:57 PM

I see people all around that act as if they assume the masters of the universe design in privacy and in some measure have settings defaults that at least partially favor privacy. Paradoxically, when you ask these same people if they trust the big companies, they ruefully say no. So, an effective critical thinking habit on the part of users is absent in large measure. Other industries are not allowed to operate unless design and defaults favor safety.

hmm • February 14, 2018 6:47 PM

Is it hostile to block anonymous VPN's? What else is on the list of hostilities?
That could be a good list!

BWeb • February 14, 2018 9:17 PM

> Is it hostile to block anonymous VPN's?

Well, there's no security reason to block anonymous users from reading a static page as Cloudflare does, so I'm going to say yes. And I can understand why Google would block people who try to "protect their online data", but no users benefit from it (just Google and advertisers). By contrast, sites that just block anonymous posting are unwelcoming but I wouldn't go so far as to call them hostile.

But that's just, like, my opinion.

(FWIW, my list also includes paywalls, ad-blocker-blockers, anti-copying scripts, popups/interstitials, and secret cryptocurrency miners ;)

hmm • February 14, 2018 10:07 PM

Well it's good to have opinions, man.

Cloudflare is kind of core-based on the idea of blocking things though right? DDOS/etc.
Not so surprising. Maybe even a selling point?

I'm with you on all the (stuff) of course.

Zen Monk • February 14, 2018 10:22 PM

I think the business model of the internet, i.e. pay per click has a lot to do with the problem. Another more pervasive problem is human nature, i.e. greed. As long as someone can use your data to make money there will be a lot of people who participate in that. A solution is to stop buying s--t. The vast majority of what is bought in the USA is to satisfy wants that we have been brainwashed to see as needs. If a large proportion of the population stopped buying things we didn't need then things would change radically. Not sure if that would be helpful or not, but it would be interesting.

Patience • February 15, 2018 5:43 AM

I'm sure the legislators would take this seriously if more of them were personally affected by data leaks. Imagine if Congress got doxed one day. All their addresses, phone numbers, personal email addresses, where their kids go to school, that sort of thing. Once this threat is just as scary to them as it is to the rest of us, selfishness will prevail and we will all win.

It just sucks that this is how laws tend to get passed. Wait for the disaster that everyone's been warning you about to actually happen, then actually start talking about how to prevent it from happening again. Safety regulators refer to this as "graveyard legislation". I truly hope nobody actually dies in the process of inspiring some decent data security laws, but what with how cars can be remotely driven off the road through their entertainment system's OS, I'm not so sure things will go so smoothly.

BWeb • February 15, 2018 8:19 AM

> Cloudflare is kind of core-based on the idea of blocking things though right? DDOS/etc.

Yeah, if there's a Tor-based DDOS targeted at a site it might make sense (if the error/captcha page is much cheaper than the real one—shouldn't the static pages, at least, be served from cache anyway?), but it beggars belief that every Tor exit node is attacking every Cloudflare site simultaneously all the time.

small data • February 15, 2018 8:19 AM

Because we know that everything government does, it does with the utmost of efficiency and effectiveness. Government policy to protect my data would be either a laughable farce, or just downright scary.

vas pup • February 15, 2018 8:59 AM

Agree with Bruce 100%, but devil is in details.
Government should be on the side of consumer's privacy interest, not big corporations.
How exactly? Set up a legal framework for this Congress, FCC. Executive orders, etc.
E.g. ALL 'inventions' of corporate law sharks to deny you any chance to protect your interest in the court by:
- setting up corporation privacy policy as multiple pages of small print legalese which even not understandable for Law school graduate with English as the native language (should have level of understanding of high school graduate - no legalese);
- denying class action law suits;
- forceful arbitration,
- clause which set up place for dispute resolution very inconvenient to average Joe/Jane.
SHOULD be illegal. Period.
balance of power should be like: Joe/Jane + functional government standards versus law departments of big corporations.
Agree with respected blogger as well on:
"In short, without govt confirming that a human owns the data about themselves, and that human is free to release it OR NOT, no changes will be made to sufficiently protect the data."
It should be defaulted that set of personal data collected is subject for opt in, and defaulted to opt out for ANY future usage except completion of particular transaction. Opting in should be based on providing benefits, not to be mandatory.

VinnyG • February 15, 2018 9:34 AM

@BWeb re Google search - my primary search engine (and home page) is DDG. Unfortunately, in some (actually many) instances, Google produces more useful results (e.g., searching on delivery tracking numbers) so I frequently take recourse to it. I'll need to give Bing a shot. I never more than experimented with it in the past because I found its results largely indistinguishable from Google's (so long ago that at the time I regarded MS as more of a privacy threat than Google.) That _was_ a negative, it may now be a positive... To flesh out my example re Google searches, I have a complex Google News search url that I use to get headlines for my locality, while eliminating entertainment "news" on some "reality" shows and some other subjects I regard as junk. My VPN allows me to select from a list of regions (by geolocation) for my exit IP block. For the region that best coincides with my actual physical location, that query nearly always fails with a Google "too many searches from this IP address" error. Using a specific different region for my exit address, the same query nearly always succeeds. Inconvenient, but it does provide me with some degree of comfort that Google does not have (easy) access to identification of me or my computer beyond apparent IP address. Of course, I am never logged into a Google account to search, that would defeat my entire attempt to preserve a measure of anonymity.

Impossibly Stupid • February 15, 2018 9:40 AM

@BWeb

> but it beggars belief that every Tor exit node is attacking every Cloudflare site simultaneously all the time.

Only an incompetent security professional would wait for constant attacks before taking action. If any host is used for an attack, it is perfectly reasonable to ask whether or not the hosting provider (or even the originating country) has policies in place that protect attackers. So, no, you shouldn't be surprised if you find yourself cut off from sites if you go through a VPN that also does business with bad people. And I don't know about Bruce, but I will definitely block any network that provides access to a Tor exit node that attacks me. I work to protect the data I'm paid to protect, and your VPN/Tor/whatever isn't paying me a single damn cent to police the attacks that come from their network.

65535 • February 15, 2018 10:58 AM

I agree with Bruce S. on his basic regulation in a utopian world. But, both the world and the US government/NSA are far from perfect.

I would like to see some type of independent UL or Underwriters Laboratories for electronic devices that are dangerous to consumer’s Fourth Amendment Rights and other US constitutional rights and guarantees.

The current UL only protects against immediate physical danger and does not provide long term security to consumers in the data mining for profit sector or financial data skimming in the underworld sector.

I would like to see General Data Protection Regulation (GDPR) properly passed in the USA. That regulation is still in the political process of the EU and member nations to be refined later.

https://en.wikipedia.org/wiki/General_Data_Protection_Regulation

I would like to see lawyers uphold consumers’ right by suing corporations that falsely lead consumers to give up their personal data under a minuscule type written “Terms of Service” agreements or multiple Terms of service agreements spread over different sites which are hard to understand.

Now, I am doubtful the current US government is capable of “Government policy” to reverse the NSA’s “Collect it all” policy and the fact of the huge power of this agency’s top man to say to both the government and public “I gave the least untruthful statement” and not be sectioned by that same government.

Huffington Post:

'Director of National Intelligence James Clapper sought to clarify his claim that the National Security Agency does not collect information on millions of Americans, telling NBC News' Andrea Mitchell that he gave the “least untruthful“ answer possible on the agency's surveillance program. During a Senate… hearing.”'-Huffingtonpost

https://www.huffingtonpost.com/2013/06/11/james-clapper-nsa-surveillance_n_3424620.html

Bruce also points out that “Everything online is hackable. This is true for Equifax's data and the federal Office of Personnel Management's data, which was hacked” so why trust big corporations with huge data centers hosting “virtual machines” and the US government to solve the problem considering they may be entwined?

The US government has failed to keep its valuable personnel data safe. I am guessing that both the USA and other nations can hack virtual machines in huge data centers so why trust them?

This notion goes back to Nick P’s Treatise on the benefits and drawbacks of Open Source Software v. Closed Source software.

https://www.schneier.com/blog/archives/2018/02/calling_squid_c.html#c6769902

And, this whole idea goes back to a man’s moral character to keep his honor [or word] or an organization’s Moral turpitude to honestly guard the human rights of citizens/patrons and stay within the bounds with the US Constitution, the Fourth Amendment and basic human rights including privacy. Further, to keep large entities from herding citizens into a virtual Slaughterhouse which strips them of their privacy and turns them into digital meat to be sold to the highest bidder.

I am all for Bruce’s governmental “regulation” if and only if the “government” is not corrupt, and it does not proceed to enact laws with deception, malice and forethought and it treats both its citizens and corporation in an open and fair manner as listed above.

David • February 15, 2018 12:33 PM

Adding Government into Application Security is the wrong solution. I can demand that any company secure my data; what I cannot do is verify the controls put into place. Should something happen, then sue any company who may have breached my confidence: https://www.csoonline.com/article/3238076/data-breach/equifax-now-hit-with-a-rare-50-state-class-action-lawsuit.html

We already have statutes and regulations to govern how confidential data is protected, exactly why do we need more? What we need are rewards to building security in, not negative repercussions that can be avoided by slick lawyers and back-room pay-offs.

albert • February 15, 2018 1:58 PM

@65535, @Anyone,

I agree.

The gov't used to regulate public utilities. Why? Because they had real monopolies. Now, of course, it is said that consumers have a choice of, for example, Internet providers. But is a choice between one telephone provider and one satellite provider really a choice? It's a de facto monopoly, and now they even write their own regulations.

When you eliminate choice, you eliminate competition. This truism applies to everything, from elections to data security(privacy). I'm talking about real choice, not the phoney 'choices' that you see in advertising.

Regulation has always been a problem for Big Business. Now, it is a sick joke. Consider what's happening in the FCC, EPA, etc. It's beyond criminal, and 20 years ago, it would have been beyond imagination.

It's a technical issue that's being overshadowed by politics. The two are inseparable. It's not enough that CongressCritters haven't suffered from hacking personally, and if they did, they are lawyers (mostly) and do have some juice when dealing with the Big Guys. The folks who need to suffer are the ones who pay their Congressional Meat Puppets. Not by personal inconvenience, but by their corporate bottom-lines.

That's the way to get results in this system.

. .. . .. --- ....

Michael • February 15, 2018 2:37 PM

@albert
You are kind of re-enforcing my point, the market is essentially people voting with their wallets, more accurately, doing "things" driven by their self-interest, which end up benefitting all. My overall point is that while pain has been experienced by many, there has not been enough pain holistically to drive people to change their behavior in a material way, and force real change with their dollars. In addition, many smart people are working on potential market alternatives like sovereign identities, or user managed identities, which show real promise for putting that control back in the hands of the consumer.

Ollie Jones • February 16, 2018 10:49 AM

Dr S., you wrote:

> But just because everything is hackable doesn't mean everything will be hacked.

With respect, I disagree that policy should flow from this statement. Here's my case for that.

First of all, we can never know ahead of time what will be hacked and what won't.

Second, the past decade of history teaches us that nobody can guarantee that a cache of secrets will remain secret. Even state actors with unlimited resources can't keep secrets, not to mention companies large (Adobe) and small (Ashley Madison).

So, we need policy that allows for defense in depth around caches of secrets. We must keep caches of secrets small. We must limit their effective lifetime. We must limit their dangerousness. All this is in addition to doing our best to keep them from leaking.

----------------

Here are some details about these thoughts.


First, obviously, build perimeter security diligently. Do our best to avoid secret leakage.

Second, limit each cache of secrets.

1-keep the secrets as few in number as feasible. Don't put EVERYBODY's credit data on one system, for example. Break it out by municipality, or the second letter of customer surname, or something, anything, so each cache is smaller.

2-make the secrets as innocuous as possible. An example of an "innocuous as possible" secret is a properly hashed password.

3-make the secrets in the cache as short-lived as possible. The hashes generated by chip-card processing are short lived, for example. Unfortunately, US taxpayer ids (SSNs) are NOT short-lived, not at all. Payment card numbers are medium-life secrets (they can be changed).

4-make the secrets as safe as possible. Disastrous OS exploits are not safe secrets, as WannaCry taught us. Neither are taxpayer IDs. Emails aren't too bad. (This is the reason we exhort each other to use different passwords on different services.)

Third, detect leakage as soon as possible. Brian Krebs is instrumental in detecting leakage of payment card data. Every publisher of a printed membership directory knows about the fake entry that detects
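
The cache-limiting points in the comment above, worked through as an added example (not part of the original comment): records are split across shards, each shard stores only salted scrypt hashes, session tokens expire on their own, and one planted fake record per shard identifies which shard a leaked dump came from. The shard count, scrypt parameters, token lifetime, HMAC-derived canary scheme and all function names are assumptions made for the illustration.

```python
import hashlib, hmac, secrets

N_SHARDS = 4  # assumed shard count, not taken from the comment

def shard_of(customer_id):
    """Point 1: stable assignment so no single cache holds every record."""
    return hashlib.sha256(customer_id.encode()).digest()[0] % N_SHARDS

def hash_password(password, salt=None):
    """Point 2: keep only a salted, memory-hard hash, never the password."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)

def verify_password(password, salt, digest):
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

def issue_token(key, customer_id, now, ttl=300):
    """Point 3: a credential that stops working after ttl seconds (assumed 300)."""
    expiry = str(int(now) + ttl)
    mac = hmac.new(key, f"{customer_id}|{expiry}".encode(), hashlib.sha256).hexdigest()
    return f"{customer_id}|{expiry}|{mac}"

def token_valid(key, token, now):
    parts = token.rsplit("|", 2)
    if len(parts) != 3:
        return False  # malformed token
    customer_id, expiry, mac = parts
    good = hmac.new(key, f"{customer_id}|{expiry}".encode(), hashlib.sha256).hexdigest()
    # The MAC is checked first, so int(expiry) only ever sees a value we issued.
    return hmac.compare_digest(mac.encode(), good.encode()) and int(now) < int(expiry)

def canary_id(detect_key, shard):
    """Leak detection: a fake customer id that exists in exactly one shard."""
    tag = hmac.new(detect_key, b"canary:%d" % shard, hashlib.sha256).hexdigest()[:12]
    return "cust-" + tag

def build_shards(customers, detect_key):
    shards = [dict() for _ in range(N_SHARDS)]
    for cid, password in customers.items():
        shards[shard_of(cid)][cid] = hash_password(password)
    for i, shard in enumerate(shards):  # plant one fake record per shard
        shard[canary_id(detect_key, i)] = hash_password(secrets.token_hex(16))
    return shards

def leaked_shards(dump_ids, detect_key):
    """Given identifiers seen in a leaked dump, name the shards they came from."""
    seen = set(dump_ids)
    return [i for i in range(N_SHARDS) if canary_id(detect_key, i) in seen]
```

The detection key is kept away from the shards, so someone holding a stolen shard cannot tell the canary record from a real one.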


albert • February 16, 2018 11:11 AM

@Michael,
"...You are kind of re-enforcing my point..."

Then there's nothing else I can say.

. .. . .. --- ....

vas pup • February 16, 2018 11:41 AM

@65535:
"I would like to see some type of independent UL or Underwriters Laboratories for electronic devices that are dangerous to consumer’s Fourth Amendment Rights and other US constitutional rights and guarantees."
Yes, I did suggest this on this blog several years ago (I guess the first time): having a seal like 1984 in a crossed circle of different color depending on privacy danger level (green, orange, red). That will stimulate manufacturers' competition on similar products, providing a higher level of protection as an advantage.
On the other hand, as I suggested many years ago on the same blog as well regarding a kill switch (hardware disconnect microphones, cameras, GPS you name out of battery so no software tricks could activate them remotely without your-owner-knowledge) on smart phones, tablets, smart TVs, any consumer electronics with the capability to collect video, audio, location information (recently it was posted on this blog that finally a startup is creating such a smart phone, and there is also a laptop with a kill switch on the market already).
When I am thinking of consumer electronics I recall the example of Elon Musk on electric cars. Before, the idea was to replace the gas engine in a car with an electric engine, but Musk decided that the electric car should be developed from the very beginning as a new creature. He changed the paradigm of the industry. I want to see the company which changes the paradigm of security on consumer electronics in such a way that the design from the very beginning will provide the consumer with reliable protection against data collection without the owner's knowledge (please see above on kill switch).

Alejandro • February 16, 2018 2:06 PM

Well said Mr. Schneier but the government works for the corporations now, and not us.

The latest proof is the net neutrality battle. WE lost.

The Royal We • February 16, 2018 2:49 PM

"But we're also surprised when a lone individual publishes personal data hacked from the infidelity site AshleyMadison.com"

Speak for yourself.

from acros the pond • February 17, 2018 12:26 AM

Bruce, as other readers have requested: Pretty please (with lots of sugar on top) share your thoughts on GDPR.

hmm • February 17, 2018 11:35 AM

"from the infidelity site AshleyMadison.com"

Uh... just the fact that there IS an "infidelity site" that people upload personal info to...

I mean you can't secure every idiot's whims, can you? I don't expect that.

vas pup • February 23, 2018 9:57 AM

@Bruce: Government is the missing ingredient in all those cases when Big Corporations take the risk-taking level into their own hands, and when this risk-taking level applies NOT to their own assets (data included), but to the assets of average Joe/Jane. E.g., banks (US) may play with their own assets on the market as they decide the accepted risk level, and this fits into the concept of free market capitalism, BUT when they are gambling with YOUR assets (money you deposit in the bank), that is a different case absolutely. The same applies to insurance companies.
How many bankers who created the recent financial crisis are in club fed now? Answer: zero.

See other example below of better handling risks and responsibilities by government:

China seizes control of insurance giant Anbang:
http://www.bbc.com/news/business-43164788
Beijing has cracked down on insurance and financial giant Anbang, taking control of the conglomerate and prosecuting the firm's head. In an unusual move, Anbang Insurance Group will now be taken over by China's insurance regulator for one year.
The firm is known for its aggressive international acquisitions, including New York's Waldorf Astoria hotel.
Chinese authorities have been cracking down on the financial industry [!]to guard against excessive borrowing and risk[!].

Chris • March 15, 2018 3:27 AM

Short answer (in government): No.

Government has no working disincentive for getting things wrong - like failing to do security right.

When nothing bad comes from failure, no learning and no remediation can happen.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.