The red herring of data protection

Summary: Why do corporations need to store personal data anyway? The real cure to our data loss plague will be individuals taking control of their digital identities. Eric Norlin looks into a federated metasystem future.

The numbers lately have been staggering: 145,000; 13.9 million; 40 million. I'm speaking, of course, of the recent rash of "data loss" -- the innocuous term for "millions of accounts containing personal data being exposed to the wrong eyes." Whether it's MasterCard, ChoicePoint, LexisNexis, Bank of America, Wachovia, Stanford or the University of California at Berkeley, the expanse of this problem has quickly become stunning.

Set aside for a moment the debate about why, all of a sudden, we're hearing about all of this. Instead, focus on the reasons behind the data loss: physical tapes lost in transit, hackers, malicious insiders, bad network security practices. Notice that the reasons behind the loss are all over the map. We're told the solution is better network security, better encryption, better corporate safeguards, and better "data protection." Of course, all of these "solutions" are a bit specious, as they're always accompanied by the corporate lawyer caveat, "we cannot guarantee that this won't happen again."

All of this will ultimately result in some bloated piece of federal legislation around "data privacy and protection" that will impose new restrictions on corporate security practices and result in a wave of new spending on IT solutions to help solve that problem. But will we have solved it, really?

I don't think so.

In the end, this "data loss" problem isn't really about data loss, data protection or data safeguarding at all. That, my friends, is a red herring. The real question to be asked is: Why do all of these corporations need to store all of this personal data in the first place? Why does my credit card company need to store my social security number? Why does Amazon need to store my credit card number? Why shouldn't every company store only what I tell them they can store? And why shouldn't the data that they store be as little as they possibly need to conduct business?

Assuming that there's even a smidgen of validity in my line of questioning, the next question becomes how -- how do we go about making the possibility behind these questions a reality?

Enter two concepts: federated identity and the identity metasystem.

Much has been said or written about federated identity, but I'd like to ground federated identity in one simple statement: Federated identity is an infrastructure that makes security follow the transaction. It does this by making the identity associated with the transaction "portable" across heterogeneous security domains. In short, federated identity (whether it's SAML, Liberty Alliance or WS-Federation) is building the infrastructure necessary for identities to move around securely.

Identity metasystem is a newer concept -- one that has been developed out of what can only be called community conversations that have occurred around Kim Cameron's weblog. In short, the identity metasystem is a conceptual backplane that would allow the individual to have fine-grained control over which "attributes" or "claims" are presented and/or stored about him - where an "attribute" or "claim" could be anything from birthday to credit card number to favorite color. The identity metasystem is really a framework for individual control and presentation of identity data.

Taken together, federated identity (the infrastructure) and the identity metasystem (the control and presentation) present a fairly complete path by which the true problems of "data protection" can be addressed. These two pieces, taken together, would give individuals control over their digital identity in ways that they have not experienced to this date.

Today, as an end user, when I go to Amazon to make a purchase, they ask for, receive and store my credit card number. In a future of federated identity and the identity metasystem, I would go to Amazon to make a purchase and grant Amazon the permission to seek a one-time use of my credit card. This permission could be presented to my credit card company, who could then charge my account. Amazon would no longer have a need to store (or even see) my credit card number at all.
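As an added illustration of the one-time grant flow sketched above (example code, not the article's own or Ping Identity's; the HMAC secret shared between user and issuer, and all names and amounts, are constructed assumptions), the following simulates the three parties. The merchant forwards the grant opaquely and can store only the issuer's verdict, and the issuer refuses a reused or altered grant:

```python
# Added illustration (not from the article): one-time payment grant. The merchant
# never sees the card; the user/issuer HMAC secret and sample values are assumptions.
import hashlib, hmac, json, secrets

def _mac(secret, claim):
    return hmac.new(secret, json.dumps(claim, sort_keys=True).encode(), hashlib.sha256).hexdigest()

class Issuer:
    """Card company: holds card numbers and a per-user secret, verifies and charges grants."""
    def __init__(self):
        self.accounts = {}        # user -> {card, secret, charged}
        self.used_nonces = set()  # each grant is honoured exactly once
    def enroll(self, user, card_number):
        secret = secrets.token_bytes(32)   # assumed to be established at enrolment
        self.accounts[user] = {"card": card_number, "secret": secret, "charged": 0}
        return secret
    def charge(self, grant):
        acct = self.accounts.get(grant["user"])
        if acct is None:
            return "unknown user"
        if not hmac.compare_digest(_mac(acct["secret"], grant["claim"]), grant["mac"]):
            return "bad signature"    # claim altered in transit or by the merchant
        claim = grant["claim"]
        if claim["nonce"] in self.used_nonces:
            return "replay"           # one-time use is enforced by the issuer
        self.used_nonces.add(claim["nonce"])
        acct["charged"] += claim["amount_cents"]
        return "ok"

class User:
    def __init__(self, user, secret):
        self.user, self.secret = user, secret
    def grant(self, merchant, amount_cents):
        # The grant is bound to one merchant and one amount and carries a fresh nonce.
        claim = {"merchant": merchant, "amount_cents": amount_cents, "nonce": secrets.token_hex(16)}
        return {"user": self.user, "claim": claim, "mac": _mac(self.secret, claim)}

class Merchant:
    """Sees the grant, never the card number; stores only the issuer's verdict."""
    def __init__(self, name, issuer):
        self.name, self.issuer, self.orders = name, issuer, []
    def checkout(self, grant, amount_cents):
        claim = grant["claim"]
        if claim["merchant"] != self.name or claim["amount_cents"] != amount_cents:
            return "grant does not match this order"
        result = self.issuer.charge(grant)
        self.orders.append({"amount_cents": amount_cents, "result": result})
        return result

def demo():
    issuer = Issuer()
    alice = User("alice", issuer.enroll("alice", "4111-1111-1111-1111"))  # constructed
    shop = Merchant("example-shop", issuer)
    g = alice.grant("example-shop", 1999)
    first = shop.checkout(g, 1999)
    replay = shop.checkout(g, 1999)                   # reusing the grant is refused
    forged = dict(g, claim=dict(g["claim"], amount_cents=99999))
    tampered = shop.checkout(forged, 99999)           # merchant altered the amount
    return first, replay, tampered, json.dumps(shop.orders), issuer.accounts["alice"]["charged"]
```

Note that what the merchant retains after all three attempts contains no card number, which is the point the article makes: there is nothing there to lose.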

In a federated metasystem future, I could have control over which attributes are stored where. I could grant permission to companies to access attributes without storing (or, in some cases, even seeing) them. And I could decide which portions of my digital identity would be presented in which contexts.

In a federated metasystem future, we would have laid the necessary digital plumbing to make security follow each and every transaction -- and we would have done so by giving individuals control over the presentation of their identities.

In a federated metasystem future, we would be a lot closer to a web of electronic commerce that protected you, me and the companies we interact with.

In a federated metasystem future, we would have actually moved toward solving the problems around personal data. In the meantime, however, we'll hear a lot about "data protection," "corporate safeguards," and "legislative initiatives."

Eric Norlin[Editor's Note: Eric Norlin has been involved in federated identity since he joined Ping Identity 19 days after Andre Durand founded it. Ping Identity has gone on to become a leader in federated identity and an early mover around the Identity Metasystem - demonstrating an open source Java version interoperating with Microsoft's InfoCard implementation at the May 2005 Digital ID World.]

  • sudo id

    there should be a government that it is illegal to store anywhere, a federal id number used to verify identity in case of a serious problem. Almost everywhere I have applied for employment they have asked for my ssn, which means there are literally hundreds of copies floating around. OK let's go for the implanted chip as well, and just have it over with, although an exploit would be found for that as well. Fingerprint anyone??? DNA??
  • These are easy!

    Remember, I don't say these are great answers, and certainly not the answers we want, but they represent the reality to these questions.

    Q. Why do all of these corporations need to store all of this personal data in the first place?
    A. They don't "need" to, but they certainly want to. All reasons come under the heading of "monetarily advantageous".

    Q. Why does my credit card company need to store my social security number?
    A. The credit card company looks up your credit history to ensure you're a good risk. They also like to be able to track you down if you decide to stop paying on your account.

    Q. Why does Amazon need to store my credit card number?
    A. Amazon stores it to help you make impulse buying even easier. The fact that you simply need to push a single button rather than several buttons AND enter some text might mean the difference between you purchasing that Space Ghost DVD or not. Making it easier for you to order increases Amazon's profits.

    Q. Why shouldn't every company store only what I tell them they can store?
    A. Your idea of what the company needs is probably far different from what they feel they need. With the amount of irrational individuals out there, it'd be near impossible to trust each individual to appropriately set limits.

    Q. And why shouldn't the data that they store be as little as they possibly need to conduct business?
    A. Because then it would limit the company's ability to cross-market to you, to sell your info to other companies, and to otherwise perform retail warfare. As long as it isn't explicitly illegal, they'll continue to do it. And even then it might be questionable as to whether they comply or not.
    • corporate pig: wants lipstick needs lyposuction

      Good post, ejhonda. I would only add that the companies responsible for retaining your personal data (and then losing it to hackers) are still a long way from truly understanding the situation and their role in reversing it.

      Instead, most credit card companies now send you a pitch for buying "credit insurance" (with your monthly statement). Pure gall and/or stupidity in evidence here. THEY are the ones creating the opportunity for your personal finances to be wrecked. But rather than bite the bullet, THEY have decided to turn their incompetence into a business opportunity -- and sell YOU protection! Now, isn't that kinda like what the mob does when it is not out loansharking, paying off politicians, or peddling drugs?

      A very basic first step would be to make those businesses that retain personal information 100% responsible when/if something goes wrong and the "bad guys" hold up the data bank. Selling credit insurance to cardholders should NEVER be a legitimate option.
    • these are easy

      >>With the amount of irrational individuals out there, it'd be near impossible to trust each individual to appropriately set limits.<<

      Ain't you got this bass ackards?
  • That is the best answer on why companies hold on to your data (NT)

  • red herring abounds

    Truth is, any solution requiring the consumer to be responsible for controlling how their information gets used is broken. Brain-dead broken.

    Until the folks consuming the information are made responsible for fully checking identities fraud will continue.
  • red herring

    There is no privacy. As long as we are on the subject I cringe when people call to list me in their directory. Even if you tell them no they list you anyway. When they ask, is this so & so? I love to tell them No it is not.
    • Agreed

      A transaction implies trust between 2 or more parties. In the middle ages trust was not such an issue since the only people you did any form of business with were the people from your own village (so physical identity was typically established from birth and intimately knowing who was who).

      However, in this day and age it isn't practical to do that; nearly all transactions are conducted based on a level of trust that is not based on actually knowing someone, but rather relying on systems (whether paper, electronic, or whatever) validating the claim that you are who you say you are. And all those systems are open to abuse by the unscrupulous/plain stupid/human mistake brigade.

      And I'm afraid that even installing electronic tags, chips and the like into a person don't actually solve the problem, nor does DNA - someone will be able to "fake it" eventually.

      I think that we just have to accept that the convenience of not being locked into a little village in the middle of nowhere comes at a price (privacy/identity).

      Deal with the "human condition" of being dishonest, etc and we might eventually have a solution to the problem.

  • What I've been saying for years....

    Why do companies need to store my credit card number? Is it really that much trouble to type it in every now and again?

    If they didn't store my number then nobody would be able to steal it.

    Similarly why do I need to form a business relationship with anybody on the Internet? I don't have to give a bricks-and-mortar store all my personal details to be able to buy something, why should the Internet be different?

    I don't know of a single Internet site which has a button to "delete my account and forget all about me". Not one!

    The best way to avoid data being stolen is not to store it, period.

    If you want to make laws then this is what you should be looking at, not "data protection". Start fining people for having my personal data without my explicit, written permission.
  • Personal Information = Money

    Why is so much personal information stored? Because retailers, banks, credit card companies, loan companies need it and are willing to pay handsomely for it. And if they have it, they can sell it.

    Banks routinely get $0.50 per contact with good credit and they are not too picky about who is buying. With millions of customers these transactions are an important secondary income source.

    This is the first time in history that "privacy" has measurable value and economic impact; so the profit incentive must be removed. Like cell phone cloning, the only real solution is to outlaw the "ID trade" and apply severe penalties to those who traffic in personal information.
  • it doesn't seem to matter anymore

    This last "Mastercard 40m" theft was a little different. CardSystems was a company who disregarded Mastercard's established policies about storing data of its customers, if the articles I've read are correct, and they stored information in an unencrypted manner on an internet facing windows server that apparently was infiltrated by an unethical hacker who placed a 'virus like computer script' on the system. AND the theft did not only affect those who have done business online, but even those who have never done any transactions online. Mastercard apparently represented only 40% of the data stolen. Other credit cards and even some debit cards were apparently involved. And this is one of the worst cases we've seen. And one where every card holder and card issuer has a case for some serious litigation. As I have repeatedly heard from MIS administrators: "Mission critical systems should be on isolated networks that are not connected to the Internet." I would think that any system that 'stores' individuals' critical information would fall under this as well as power plants etc. This type of exposure is something that no one should ever have to endure and can have far reaching and devastating effects for individuals.
    • Red Herring or Data protection

      Accolades to lilbambi.
      Everybody get on board a class action suit against companies that violate the rules of proper data maintenance. Let's get some serious litigation going, since that's what we do best. Find a judge and a lawyer corporation equivalent to the suit against the tobacco companies.
      Hit em in the wallet, the only language really understood by banks and other major miscreants.
      • I hear ya...

        Thanks russell858...It is certainly sad when the only language that big corporations will listen to is language that hurts their pocketbook. But alas, it does seem to be the case. Personally, I hate litigation as a means of doing anything but this is so out of hand.
  • There is no valid reason for any company to

    keep your personal identity information beyond the time needed to complete the current transaction. If they think that it will bring you back, there is no reason for them to be prevented from offering to you the right to store your information on their servers, but this storage must be ONLY WITH YOUR EXPRESS PERMISSION.
    Update victim
  • This story is the Red Herring

    The entire system must be overhauled. It can be done incrementally, but there are just too many holes in the security model due to the operational framework of the system.

    First off, in the brick and mortar world, retailers must keep a signed copy of your receipt in order to protect themselves against fraud. If a customer claims there was fraud, the retailer must provide the matching signature or the charge is reversed. When online vendors need to receive authorization from you to use your credit card, they tie the use of the card to your login ID and often other factors such as your IP address in order to provide sufficient evidence that you made the purchase. They must keep this proof in order to protect themselves.

    Second, someone has to provide the federation service. This entity must have access to your card number, which makes them subject to attack. This is similar to the latest breach at CardSystems Solutions. CardSystems processes cards for companies too small to deal directly with the credit card companies.

    The Payment Card Industry Data Security Standard, which will be fully in place on June 30th, is a step in the right direction. It is a bit vague and has the issues listed in this article.

    Some of the basics of info security are to minimize complexity and reduce the number of places where there is exposure.

    In my opinion, the credit card companies need to provide transaction processing and confirmation to retailers and processors so that there is no need to keep customer card numbers. Additionally, they should move to reduce the number of systems that interface with theirs.

    In the end, the card companies should give up as little control as possible. Seeing that the credit card company already has all of my personal data, I'd like them to be an identity provider. This would allow one to authorize all transactions directly at the card company, thereby giving the card company whatever level of proof of identity that they require and never giving any information to the retailer, except a transaction code.
  • Is George Orwell still Alive?

    I think my subject entry tells it all; Big Brother is not only watching and listening, he is still driving your paranoia.
    Remember; just because you're paranoid, doesn't mean they aren't out there.
    Or for that matter, read John Brunner's Shockwave Rider. That is not only a more accurate telling of exactly what the Federal government is up to, but also describes how to defeat the collection of personal information that threatens to strangle freedom everywhere in the U.S.
    YES, we need tighter security against idiots waving bloody flags and screaming 'Jihad!'; and yes, we need to find a way to track those same terrorists. But remember; every time society changes to combat terrorism, terrorism has won a battle.
    The thing to do is to stop surrendering to the terrorist community; stop pandering to 'Political Correctness', and stop surrendering our individual freedoms to those who will employ any means they can legalize to restrict our privacy.
    Because privacy is where we can fight dictatorship and 'big government'.
    By the way, as far as data protection is concerned, you have two options:
    1. Never pay anything but cash, and do it in person.
    2. Accept that if you pay by check or credit card, SOMEONE is going to get hold of your personal, private information - and use it against you, even if it's only to telemarket or junk mail you.
    There is NO SUCH THING as remote data security - there is only a good delaying tactic. Leave the data in someone else's hands long enough, and somebody's going to get it.
    All we can do is delay the inevitable.
  • Data Loss

    Why isn't personal data placed on a separate system that is only accessible on the company network? Not on the system that is tied to the internet. This data will surely become a liability when stolen, if the federal law is enacted to make the companies responsible for its misuse.
    I believe it would be more cost efficient to place it on a separate network. What is the cost of an added computer to a work station for a person to verify personally, with an approved message sent to the shipping department?