Lessig: Future Tech Will Help Privacy Catch Up With the Internet

An anonymous reader writes: In a new interview, Harvard law professor Lawrence Lessig shared his view of the future of privacy in this age of data breaches. "The average cost per user of a data breach is now $240 — think of businesses looking at that cost and saying, 'What if I can find a way to not hold that data, but the value of that data?' When we do that, our concept of privacy will be different. Our concept so far is that we should give people control over copies of data. In the future, we will not worry about copies of data, but using data." Lessig sees new technological advancements as the key to shoring up our privacy, which has been eroding since the dawn of the internet. Being able to act on data without holding it is key: "If I ping a service, and it tells me someone is over 18, I don't need to hold that fact. The level of security I have to apply [is not] the same [that] would be required if I was holding all of this data on my servers. This will radically change the burden of security that people will have."

Data will still be copied.

"If I ping a service, and it tells me someone is over 18, I don't need to hold that fact"
Well yes, but the service costs $/call. Being over 18, if true, is immutable after that and is well-suited for caching which also helps protect you from service outage somewhat.

Re:Data will still be copied.

[zAPPzAPP]

But that is exactly the point the article makes:
Holding (sensible) data also comes with a cost. Securing the data has a cost and a risk attached to it.

If the cost of 'pinging' is lower than that, then the idea may hold true.

If.

And this of would require standards so that these data accesses can smoothly run in the background between all parties.

Re:Data will still be copied.

[zAPPzAPP]

The first cost is in paying a guy who knows how to set up and maintain a secure database that holds the information.
That is not Sci-Fi...

The government would come into play in case of a breach. So far, companies seem to face no consequences for squandering their customers data in countless breaches, other than bad publicity. If this changes, companies actually have to pay up for the damage they cause, then cost of handling such data rises.

Re:Data will still be copied.

[stephanruby]

Holding (sensible) data also comes with a cost.

Yes, but leaking the information that someone is 18 years old doesn't cost a company $240. It probably doesn't even cost the company one penny. He's going into hyperbole territory here.

HIV testing results, dating web site for cheaters, credit cards numbers along with personal identifiable information, yes, those types of breaches can cost the company who had those breaches dearly, but it really depends on the type of data that we're talking about.

Re:Data will still be copied.

[Kjella]

If the cost of 'pinging' is lower than that, then the idea may hold true.

But he also picked the very simplest use case, verification where you're only interested in the outcome. If you're looking to attach it to something like getting the shipping address for an order you normally want to store it. If you want to be able to effectively query it like age for a partner search you must store it. And the vast majority of data is gathered for analysis, where you typically want fast and local access to all the samples like all the purchases in a shopping history. And the value of polling instead of storing only matters if there's rate control, if your HR department needs to report payroll on everybody and can effectively query for the whole database then it's no significantly safer. And finally, if a compromised server can siphon sensitive data as they're used you will get the data eventually so it doesn't really prevent it completely. There's just not many places it works in practice even if companies wanted to, which they mostly don't.

Re:Data will still be copied.

[pnutjam]

Well, this has certainly held true for other companies like mining, manufacturing, fishing etc... Look at Exon and BP. They certainly paid every cent necessary to make the areas affected by their spills whole again. Plus the heavy fines they paid...
wait...
Isn't that what shell companies are for?

Over 18?

[U2xhc2hkb3QgU3Vja3M]

If I ping a service, and it tells me someone is over 18, I don't need to hold that fact.

Lessig: do you mean a website like www.is-she-legal-yet.com ?

$240

[amberdalan]

Obviously it is not enough to invest in preventing the breach in the first place.
 
FTC fines anyone?

Re:$240

[GuB-42]

I think the solution is more insurance-like : when a company asks for personal data, a damage clause must be present on the contract, repaying $xxx in case of a data leak. Like when you send a package and get a certain amount of money back if the package is lost.
The advantage is that it will open an insurance business, and insurances are much better at dealing with security than the legal system. The idea would be like with physical security : you open a warehouse, you promise your clients you will pay them back if their stuff is stolen, you then contact an insurance company to deal with this case, the insurance company will mandate security measures (alarm, high security locks, etc...)

he's missing the point, entirely

[dltaylor]

The cost of breaches is never going to be enough to offset the value of having the data, any more than the cost of insurance and lawsuits has offset the value of dangerous (to employees, nearby residences, ...) workplaces and operations caused companies to be extra careful. It's just perceived as a cost of doing business.

Only when executives and board members do long hard prison sentences for data breaches will they ever give up collecting every scrap of data they can acquire.

Re:he's missing the point, entirely

[sunderland56]

Another missed point..... hackers have always been one step ahead of security. Saying that technology is going to improve and save the day misses the fact that the hacker's technology is improving too.

Funny How A Few Short Months Change Perceptions

[RobotRunAmok]

I used to read "Lessig" and think, "right, he's that often clever crypto-tech guy." Now I see the name and think, "pathetic, over-his-head failed politician." Not really fair to him, I know, but I can't help it...

Re:Funny How A Few Short Months Change Perceptions

[phantomfive]

I used to read "Lessig" and think, "right, he's that often clever crypto-tech guy."

Lessig is a Harvard law professor, maybe you confused him with Bruce Schneier? Both are great people, and Lessig volunteers to help the FSF. He clearly doesn't understand how to do legal activism, though (some might say that Harvard people in general are out of touch with the world).

Sounds like he's saying to farm everything out

[fustakrakich]

Let somebody store the data you want to access. Doesn't somebody have to hold it to make it retrievable? I didn't go to Harvard, so I'm not really up to speed on these things. Let's get a second opinion from Yale...

Solution for wrong problem

[penguinoid]

> I don't need to hold that fact.

You do if you want to sell it.

exactly what is the cost of a data leak ?

[swell]

If the CIO knows that he will lose his job when he lets security be lax ... if he knows that he will be disgraced and banned from a similar job forever ... if he is subject to criminal charges ... Then the company will take a serious look at privacy and not collecting information that isn't urgently needed.

Now let's look around after millions of peoples' privacy has been sacrificed due to government and corporate mismanagement -- how many CIOs lost their jobs? Has any responsible person ever faced serious consequences?

Where is the incentive to invest in security or avoid collecting unnecessary data? In the US, a corporation has only one responsibility- to provide maximum return for their investors. Don't believe the sweet talk about how the customer is their highest priority. One government employee in the history of the US had a sign on his desk declaring "the buck stops here" (President Truman), that person is long gone and everyone in government is passing the buck regarding responsible action. Until the personal and corporate cost of data leaks is greater than the cost of prevention, the status quo will continue.

Which is better?

[GrantRobertson]

One big, supposedly hard target, or millions of definitely soft targets?

A) The hard target only has to be breached once for the concept to be abandoned.

B) So Lessig is shilling for the NSA now? Putting ALL of EVERYONE'S info on one system is NOT a wise move, if we have any hope of protecting our privacy.

Howsabout...

[Chas]

We just to it right, NOW.

Instead of trying to unfuck a totally fucked up, privacy-free system with layers and layers of bureaucracy protecting government from abusing their citizens?

Huh?

Okay?

Stop relying on pie in the sky future tech to protect you SOMEDAY.

PROTECT YOUR FUCKING SELF NOW!