Slashdot Mirror


Lessig: Future Tech Will Help Privacy Catch Up With the Internet (wsj.com)

An anonymous reader writes: In a new interview, Harvard law professor Lawrence Lessig shared his view of the future of privacy in this age of data breaches. "The average cost per user of a data breach is now $240 — think of businesses looking at that cost and saying, 'What if I can find a way to not hold that data, but the value of that data?' When we do that, our concept of privacy will be different. Our concept so far is that we should give people control over copies of data. In the future, we will not worry about copies of data, but using data." Lessig sees new technological advancements as the key to shoring up our privacy, which has been eroding since the dawn of the internet. Being able to act on data without holding it is key: "If I ping a service, and it tells me someone is over 18, I don't need to hold that fact. The level of security I have to apply [is not] the same [that] would be required if I was holding all of this data on my servers. This will radically change the burden of security that people will have."

35 comments

  1. Data will still be copied. by Anonymous Coward · · Score: 1

    "If I ping a service, and it tells me someone is over 18, I don't need to hold that fact"
    Well yes, but the service costs $/call. Being over 18, if true, is immutable after that and is well-suited for caching which also helps protect you from service outage somewhat.

    1. Re:Data will still be copied. by Anonymous Coward · · Score: 0

      And you had to enter into an agreement with the service and submit to their Terms.

    2. Re:Data will still be copied. by zAPPzAPP · · Score: 4, Interesting

      But that is exactly the point the article makes:
      Holding (sensible) data also comes with a cost. Securing the data has a cost and a risk attached to it.

      If the cost of 'pinging' is lower than that, then the idea may hold true.

      If.

      And this would require standards so that these data accesses can smoothly run in the background between all parties.

    3. Re:Data will still be copied. by Anonymous Coward · · Score: 0

      My first thought is: If we're talking about future world where caching costs more than not-caching, then the movie about this world is classified as Fantasy, not Sci-Fi.

      Then I RTFA. He is talking about government adding an additional cost to the caching.

      So we're back to Sci-Fi, but it's dystopian, where the government is watching everyone's computers, which of course means it needs to watch all the people too. "Winston Smith's brainscan reveals his computer is remembering bits about Julia. Social analysis division reports their relationship is not sufficiently intimate for Winston to be authorized to store these bits. Thou^H^H^H^HPrivacyCrime fine: $24."

    4. Re:Data will still be copied. by zAPPzAPP · · Score: 1

      The first cost is in paying a guy who knows how to set up and maintain a secure database that holds the information.
      That is not Sci-Fi...

      The government would come into play in case of a breach. So far, companies seem to face no consequences for squandering their customers' data in countless breaches, other than bad publicity. If this changes, and companies actually have to pay up for the damage they cause, then the cost of handling such data rises.

    5. Re:Data will still be copied. by stephanruby · · Score: 1

      > Holding (sensible) data also comes with a cost.

      Yes, but leaking the information that someone is 18 years old doesn't cost a company $240. It probably doesn't even cost the company one penny. He's going into hyperbole territory here.

      HIV testing results, dating web site for cheaters, credit card numbers along with personally identifiable information, yes, those types of breaches can cost the company who had those breaches dearly, but it really depends on the type of data that we're talking about.

    6. Re:Data will still be copied. by Kjella · · Score: 1

      > If the cost of 'pinging' is lower than that, then the idea may hold true.

      But he also picked the very simplest use case, verification where you're only interested in the outcome. If you're looking to attach it to something like getting the shipping address for an order you normally want to store it. If you want to be able to effectively query it like age for a partner search you must store it. And the vast majority of data is gathered for analysis, where you typically want fast and local access to all the samples like all the purchases in a shopping history. And the value of polling instead of storing only matters if there's rate control, if your HR department needs to report payroll on everybody and can effectively query for the whole database then it's not significantly safer. And finally, if a compromised server can siphon sensitive data as they're used you will get the data eventually so it doesn't really prevent it completely. There's just not many places it works in practice even if companies wanted to, which they mostly don't.

      --
      Live today, because you never know what tomorrow brings
    7. Re:Data will still be copied. by Anonymous Coward · · Score: 0

      The value of a database grows exponentially with the amount and quantity of information about people that it contains.

      What Lessig is talking about is a world where the information will have to be consolidated by some spy company like Google or Facebook, and made available to the masses of other companies one bit at a time through an API.

      That's great for limiting the risk from the masses of companies, but makes the risk from the likes of Google almost infinite. If they change or tweak the information they publish, who will know? And even if someone knows, who is going to stop them? And then there's literally the world of hackers who will find it irresistible to steal, modify, hold to ransom, etc. the information. How likely is it that Google's handful of PhDs will stop an onslaught of the world's best hackers when the motivation is that great?

      Lessig's world isn't better than today, in fact it's more brittle and the stakes are higher, not lower.

    8. Re:Data will still be copied. by pnutjam · · Score: 1

      Well, this has certainly held true for other companies like mining, manufacturing, fishing etc... Look at Exxon and BP. They certainly paid every cent necessary to make the areas affected by their spills whole again. Plus the heavy fines they paid...
      wait...
      Isn't that what shell companies are for?

  2. Over 18? by U2xhc2hkb3QgU3Vja3M · · Score: 2

    > If I ping a service, and it tells me someone is over 18, I don't need to hold that fact.

    Lessig: do you mean a website like www.is-she-legal-yet.com ?

  3. first baby by Anonymous Coward · · Score: 0

    GNAA up in this bitch!

  4. first by Anonymous Coward · · Score: 0

    got it

  5. $240 by amberdalan · · Score: 1

    Obviously it is not enough to invest in preventing the breach in the first place.
     
    FTC fines anyone?

    1. Re:$240 by Anonymous Coward · · Score: 0

      Exactly. I'm in the business and it's troubling how many companies can't be bothered with this possibility. In fact, almost "certainty".

      It's been my opinion for a few years that the real solution is heavy fines for individuals and prison time, with regulations on mandatory maximum privacy data retention time.

      Typical capitalist mechanisms do not work for this issue since there are essentially no consequences to wrongdoing. Just immediate or possible future benefits.

    2. Re:$240 by GuB-42 · · Score: 2

      I think the solution is more insurance-like: when a company asks for personal data, a damage clause must be present on the contract, repaying $xxx in case of a data leak. Like when you send a package and get a certain amount of money back if the package is lost.
      The advantage is that it will open an insurance business, and insurances are much better at dealing with security than the legal system. The idea would be like with physical security: you open a warehouse, you promise your clients you will pay them back if their stuff is stolen, you then contact an insurance company to deal with this case, the insurance company will mandate security measures (alarm, high security locks, etc...)

    3. Re:$240 by Anonymous Coward · · Score: 0

      But how often is the person responsible for the leak, who is most likely a PHB, going to be the one charged? I am sure they already have logs showing that the new peon hired last week was the one that opened the data and should be the one in jail because of it.

  6. he's missing the point, entirely by dltaylor · · Score: 4, Interesting

    The cost of breaches is never going to be enough to offset the value of having the data, any more than the cost of insurance and lawsuits has offset the value of dangerous (to employees, nearby residences, ...) workplaces and operations or caused companies to be extra careful. It's just perceived as a cost of doing business.

    Only when executives and board members do long hard prison sentences for data breaches will they ever give up collecting every scrap of data they can acquire.

    1. Re:he's missing the point, entirely by sunderland56 · · Score: 1

      Another missed point..... hackers have always been one step ahead of security. Saying that technology is going to improve and save the day misses the fact that the hacker's technology is improving too.

    2. Re:he's missing the point, entirely by Anonymous Coward · · Score: 0

      THIS. The people need to WTFU. Tech will not stop privacy-intrusion. Ever. Because people are power-hungry. Even good people will take from their neighbors if they know they won't get caught - cheating is a core requirement for progress in any system. If we want to keep an element of cheating to a minimum we must increase the negative risk associated. Losing a hand for stealing means only the most brazen will attempt. Draconian laws are required if we, as a society, truly want to make a hard line point about invasion of others' privacy. This is only going to increase until we decide, as a collective, where the line is drawn.

  7. Funny How A Few Short Months Change Perceptions by RobotRunAmok · · Score: 1, Insightful

    I used to read "Lessig" and think, "right, he's that often clever crypto-tech guy." Now I see the name and think, "pathetic, over-his-head failed politician." Not really fair to him, I know, but I can't help it...

    1. Re:Funny How A Few Short Months Change Perceptions by Anonymous Coward · · Score: 0

      > Now I see the name and think, "pathetic, over-his-head failed politician."

      I have felt that way about him for quite some time, rolling my eyes when he talks about tech on slashdot. Maybe I was simply aware of him a few short months sooner than you.

    2. Re:Funny How A Few Short Months Change Perceptions by phantomfive · · Score: 2

      > I used to read "Lessig" and think, "right, he's that often clever crypto-tech guy."

      Lessig is a Harvard law professor, maybe you confused him with Bruce Schneier? Both are great people, and Lessig volunteers to help the FSF. He clearly doesn't understand how to do legal activism, though (some might say that Harvard people in general are out of touch with the world).

      --
      "First they came for the slanderers and i said nothing."
  8. Sounds like he's saying to farm everything out by fustakrakich · · Score: 1

    Let somebody store the data you want to access. Doesn't somebody have to hold it to make it retrievable? I didn't go to Harvard, so I'm not really up to speed on these things. Let's get a second opinion from Yale...

    --
    “He’s not deformed, he’s just drunk!”
  9. Solution for wrong problem by penguinoid · · Score: 1

    > I don't need to hold that fact.

    You do if you want to sell it.

    --
    Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
  10. exactly what is the cost of a data leak ? by swell · · Score: 1

    If the CIO knows that he will lose his job when he lets security be lax ... if he knows that he will be disgraced and banned from a similar job forever ... if he is subject to criminal charges ... Then the company will take a serious look at privacy and not collecting information that isn't urgently needed.

    Now let's look around after millions of peoples' privacy has been sacrificed due to government and corporate mismanagement -- how many CIOs lost their jobs? Has any responsible person ever faced serious consequences?

    Where is the incentive to invest in security or avoid collecting unnecessary data? In the US, a corporation has only one responsibility- to provide maximum return for their investors. Don't believe the sweet talk about how the customer is their highest priority. One government employee in the history of the US had a sign on his desk declaring "the buck stops here" (President Truman), that person is long gone and everyone in government is passing the buck regarding responsible action. Until the personal and corporate cost of data leaks is greater than the cost of prevention, the status quo will continue.

    --
    ...omphaloskepsis often...
    1. Re:exactly what is the cost of a data leak ? by Anonymous Coward · · Score: 0

      The CIO actually go to jail or lose his job, he would already have proof that he had nothing to do with this and that it was some lowly part-timer's fault and help him along his way to the police car before taking himself back to his office to sit and collect his pay and stock dividends.

  11. Which is better? by GrantRobertson · · Score: 1

    One big, supposedly hard target, or millions of definitely soft targets?

    A) The hard target only has to be breached once for the concept to be abandoned.

    B) So Lessig is shilling for the NSA now? Putting ALL of EVERYONE'S info on one system is NOT a wise move, if we have any hope of protecting our privacy.

  12. Assuming future people care by Anonymous Coward · · Score: 0

    Future advancements will only come about if people care enough to develop and implement them. Too many people assume that everyone will magically care more about privacy in the future. While it is certainly a possibility, it is also possible that people will care even less than they do now.

    Technology is making it easier and easier to find information about a person, and most people value their privacy very little. With time, people who care, and knew what it was like before such information was easier to get, might just die off. If everyone is used to their information being easy to get to, and they stop caring about stuff being public that makes us uneasy now, why would they put effort into trying to hide it again? It would be like trying to get a nudist colony to develop new burkas.

    You can find articles in the past talking about how much technology will change the slave industry and make it harder for slaves to escape, but that doesn't mean the slave industry flourished. Attitudes over time change. (I'm not saying that there is a moral problem with privacy or that it is comparable to slavery in that regard in any way).

  13. Howsabout... by Chas · · Score: 1

    We just do it right, NOW.

    Instead of trying to unfuck a totally fucked up, privacy-free system with layers and layers of bureaucracy protecting government from abusing their citizens?

    Huh?

    Okay?

    Stop relying on pie in the sky future tech to protect you SOMEDAY.

    PROTECT YOUR FUCKING SELF NOW!

    --


    Chas - The one, the only.
    THANK GOD!!!
    1. Re: Howsabout... by Anonymous Coward · · Score: 0

      Woof! Monkey JuSt Now! Protect moo moo woof meow yourSELF!

  15. Lessig is Naive by Anonymous Coward · · Score: 0

    Yup. Lessig just invented Information As A Service (not that it needed inventing).

    The problems with his idea include:

    1). He thinks it will be acceptable to get partial answers to specific questions. It won't be most of the time. His scenario of asking whether a person is over 18 is... of limited value in most business contexts. All such questions are;

    2). He posits that limiting liability is (or will be) the driving factor. It won't be, in general. The liability only exists if there is an information breach. Therefore to a business, they compare the known value of having customer information, versus the (industry standard for information loss, per customer, which keeps changing) x (an unknown probability of losing said information). Usually the simple, hard fact of knowing customer information will win out, IMO. Otherwise you are attempting to quantify issues not easily quantified or that do not have stable, reliable values;

    3). The hard cost of storing customer information is low and falling every year;

    4). Let's say all of the above is wrong and Lessig is right. What he's doing is implicitly setting up an information marketplace. Information holders will become kings in that world and will begin charging for their services. Already, Experian and other credit rating agencies do this. Now imagine business database businesses covering a huge variety of customer profile information, and no standard business transaction can complete without accessing several such services. I predict simple business transactions suddenly getting more expensive and more complicated. Business transactors then get cranky and look to disintermediate. Soon they begin setting up local customer databases to cut out the information brokers, which is... hey presto, the situation as it exists today!

    This is why I think Lessig is naïve. He proposes a regime that is certain to raise costs and require accessing privileged data sources for even the most routine business processes. All in order to prevent a liability cost that may never be realized. Maybe I'm wrong but I doubt it. His vision goes against all of the business preferences for online business, since there was online business. Indeed when you broaden out the problem and point out that business has always been interested in reducing variable costs, his vision goes against standard business practice since businesses have existed.

  16. Lessig keeps drifting further from reality by Anonymous Coward · · Score: 0

    If Lessig is going to step outside his core competency in law into technical matters, he really needs to spend the time learning enough about technical matters to escape the Dunning-Kruger effect.

    He's right in the narrow sense that protecting one database is easier than protecting tens of thousands of databases. The solution he's proposing, however, involves replacing tens of thousands of databases with a single point of failure. And probably more importantly, he's proposing replacing many moderate-value databases with a single highest-possible-value database. That single database may be very well protected, but it now presents the highest possible incentive for would-be attackers, and a single breach has the potential to compromise thousands of companies' -- and their customers' -- data instead of just one.

    The other flaw in Lessig's proposal is that the database may be secure, but the connection between the database and its client companies may not be -- see also, recent OpenSSL bugs -- and the client companies' internal networks can be compromised as well, allowing an attacker to make permanent copies of data that is only temporarily visible. Considering the broad failure of companies to secure their data in-house, I'm not inclined to think they will suddenly become more careful once they've outsourced data storage and their lawyers assure them that their collective asses are covered.
