The Problem

We seemingly hear about another data breach, information leak, or other indication that the data about us is no longer under the control of the entities who have collected it every week.  This data is about us, our financial records, our DMV records, our personal identities, whatever.

Whether is is Target, Home Depot, JPMorgan Chase, Healthcare.gov, whomever, data about our identities are being systematically harvested by crackers who have no legal reason to obtain that information.  It is unclear if these, and other organizations, don’t care or can’t care about safeguarding our information, the results are the same.  Criminals have access to, and use our information for their gain, and there is nothing we can do about it, other than go ‘off the grid’, and only use cash, which we have stored under our mattresses for all transactions.

The organizations I listed above are the tip of the iceberg.  Many, if not most, corporations and government entities who have been breached fail to report the intrusions unless they must do so due to legal reasons.  They don’t want you to know that they haven’t met their fiduciary responsibility to protect your information.  Even when they do admit to the breach, they do everything they can do to minimize the fallout from it

Scott McNealy, then CEO of Sun Microsystems, famously said in 1999: “You have no privacy, get over it.”

I used to make a distinction between data I gave up willingly, to Google, Facebook, Amazon and any other internet-centric entities and ‘brick and mortar’ entities where I have shopped, visited, passed by or whatever.  It does not matter anymore.  I bought some items in Home Depot, and Neiman Marcus and my financial information was potentially leaked to criminals.  I have never had a credit card number stolen during a transaction on line, but my card numbers fell into the hands of criminals anyway.

The Solution

There is no solution that will prevent the release of my information to criminals.

Both proprietary and open-source software are rife with defects that can be exploited by an ever increasing horde of people who are up to no good. I don’t even know who has my information and how well they are protecting it.

Telephone companies know where I am and whom I am communicating with. Retailers know what I have bought, where I bought it, when I bought it, and they have a pretty good idea why I bought it.  Social networks know who my ‘Friends’ are what I ‘Like’ and ‘Unlike’, what links I follow on the web, how long I am on their sites, and any number of other ‘analytics’ about me. Other than using cash for all purchases, and only communicating with people face-to-face, and not traveling on any road that has cameras potentially recording my movements, I am at the mercy of these companies and how well they protect the data they have.

So, what can I do?

• Push for legislation that punishes companies that do not adequately safeguard my information.  Companies must do whatever they can to protect the data they get from us, whether shared on-line, or gotten through the normal course of business.  I know that it is impossible to completely lock down their system, but they can be held accountable for not being prudent in how they manage them.  Just because some other company
   been breached, they shouldn’t be able to hide behind the lame excuse: “We are doing what other companies are doing”.  I don’t really personally care how well the Discover card is protecting data, I don’t have a Discover card, I care about the companies whose cards I do have. Just because Discover Card might be irresponsible shouldn’t absolve VISA from not protecting any data they possess.  (This is not a knock on Discover, I could use any company as an example and I do not know how well Discover protects their data.)
• Push for legislation that punishes people or companies that misuse information.  I don’t know who has data about me, and I can’t prevent them from acquiring it, but I do know when information about me is being misused.  Give me the ability to go after those who misuse my information.
• Use unique passwords for every site.  Cyber security guru Bruce Schneier acknowledges that security is a trade-off.  It is less convenient to actively use security than not.  It is easier to use one password for all your sites. It is easier to use simple passwords.  But think about it: do you have one key to open all your locks (house, car, office, parent’s house)?  Of course not, because if one key is stolen they would have access to all that you lock up. So why use just one password?  There are any number of password managers you can use that will manage your passwords for you.  I don’t mean the password manager that comes with your browser, I mean a password manager that helps you pick computationally secure unique passwords for each site, secures those passwords, and then presents that password to you when it is needed.  I personally use lastpass (I have no financial interest in lastpass). It can generate secure passwords of sufficient length that brute force attacks become infeasible to do. My default setting is for passwords of length 20, and use alpha, numeric, and punctuation characters.  It is free to use on your desktop, and for $12/year it protects and makes available your passwords on mobile devices.  I only need to remember one long secure password to have access to all my passwords.
• Encrypt all data that can reasonably be expected to fall into the wrong hands.  For most people that means systems you use that are mobile.  The NSA has said that they are not happy that the new iPhone will have data encryption built in.  (Android has encryption but it isn’t currently turned on by default.) Tough.  My data is my data, and unless you have a warrant to obtain it, you don’t have a right to see it.  I do have a right to encrypt it, and the NSA has the right to get a warrant. I’m interested in keeping it out of the hands of criminals, and I have a right to do whatever I can to protect it.

Let’s not create laws that protect us from some specific vulnerability, or some specific technology.  These laws should be built on principles that would be applicable to any vulnerability or technology.  We don’t need to be chasing our tails on this.

Be prudent, and you’ll be safer than most. Like I said, you can’t be totally secure, but if you make it just a little bit harder to be hacked, the criminals will move on to the next easy mark.