Big ideas 4: identity, privacy and security
This is number four in my long read about big ideas. Click around to find the earlier posts in this series. This installment gets at problems with identity, privacy and security in today's software landscape.
I'm Tom Hickman. Who the hell are you?
I don't know about you, but about quarterly I get a breach-notice informing me that dumb or lazy engineers failed to take standard precautions, and that bad guys stole (again) my SSN, DOB, secret Q&A, and passwords.
I was at the dentist recently for a checkup. While I waited for my appointment, the receptionist asked me to fill out a paper form with blanks for personal information, and the standard HIPPA compliance acknowledgement. On the paper form were slots for date of birth, social security number, and next of kin information. On a paper form. At a dentist's office. I declined to fill this in, and was challenged when I handed it back across the sign-in desk. I explained my view that there was absolutely no reason for my dentist to store this information, and that even if there were a reason for them to have it, a paper copy is a ridiculous way to collect and store it. The only explanation they could offer for wanting to collect this PII was "we have a new computer system." I guess the computer system had a default field named SSN, so they wanted to fill it in. Sigh. This points to a problem bigger than simply protecting PII. The entire concept and implementation of identity, at least in the US and as it pertains to online systems and credentials, is badly broken. SSNs are obsolete and simply need to go away. They in no way confer identity, yet somehow confer transactional and financial responsibility.
One-time-use biometric security markers are needed, but any imaginable future where they exist starts to look pretty dystopian.
There are some great companies building tech for password-free authentication, but a bigger vision might mean coupling multiple biometric markers with a shoe-leather approach to identity verification… I played around with this idea in the 00’s, looking at DNA-sequenced ID verification as a way to validate professional credentials. But my idea was like “background checks” on steroids (think LinkedIn meets RSA meets the FBI), and I still don’t think the world is ready to tolerate this level of Big Brother.
Something needs to change here, and it's not about better or cheaper credit monitoring or identity theft insurance. This idea about coupling identity to a shoe-leather approach to ID verification might be worth chasing down, though actually building that company seems like a slog.
Privacy, sure, but it'll costs extra.
It's a problem all on its own that corporations have become citizens, and the individual entities formerly known as citizens— aka the people—have become product.
Our wants, wishes, needs, search terms, and social connections are all fodder for machine learning algorithms to figure out how to sell things to us better, how to manipulate our opinions more easily, and at its worst, how to control us. I expect, or really hope, that there will be a backlash in human attitudes about privacy—something beyond the right to be forgotten online. Irrespective of any GDPR-style regulation here in the States, I really hope consumers tire of being markets.
Part prediction part hope, I think that there may be a sea-change coming, and with it a preference for software and information services that do not seek secondary (or often primary) monetization of consumer data and influence over consumer preference.
That is to say, I'd be willing to pay extra for real privacy and security, and I don't think I'm alone...
(Weirdly, I think the now ancient Tivo 30-second-skip feature may end up being what started this… It changed consumer expectations amongst early adopters, and has led to hopeful early signs of commercial-free premium streaming services... proving that people will pay for goods and services devoid of drag-along marketing. 30-second-skip isn't much, but I think it might be a tell…)
Aside from continuing to believe developers should build more secure software (still a fan of the AppSec and Micro-segmentation solutions I've built in past gigs) I'm taking a wait-and-see attitude on this one. And sadly, I'm still using free software, services and storage from social media companies, which are, at their core, media companies.
Up next, my thoughts about the bad things economic constraints and time to market necessities can do to promising technology. Aka, Robots and Gene Editing!