They lost your data - again: Is blockchain the answer to data security woes?


There’s been another data breach. This time, Level One Robotics was found to have left the data of many top automobile manufacturers vulnerable due to a poorly-configured server.

With this data likely to include trade secrets, the story could turn out to be a really big deal. However, because it’s just the latest in a long series of such vulnerabilities, it’s somehow hard to find it interesting or notable. What is truly frustrating about reading another data breach story, though, is the fact that blockchain and decentralised technologies could do away with these issues right now.

We don’t care enough about security, yet

This sort of failure has become such a persistent trend that we’ve become desensitised to it. It’s worrying to think that, even as data continues to become more and more valuable in our economy, these vulnerabilities keep happening. Unfortunately, though, we keep storing consumer data in centralised databases that are vulnerable to attack rather than decentralising data storage and bringing control back into the hands of the individual.

Of course, there are other reasons why the issues around secure consumer data have not yet been fixed. Firstly, security in products that are not about security tends to be undervalued by consumers. Even technically inclined users are often not knowledgeable enough about either information security in general or a product’s specific security features. Plus, they aren’t helped by closed source products that almost never give them enough information to be truly aware.

Instead, the appearance of security is valued over actual security and we can see hints in the services we use. Many services store user passwords in plaintext and still claim (and possibly even believe) that they secure all data very carefully, even though anyone with a good understanding of security issues knows why this is very bad and what should be done instead.

Systems can be hard to defend

Proper security in a complex system can also be hard to achieve because of the fundamental asymmetry between defender and attacker. The defender needs to make sure every system is hardened, every protocol secure and every encryption key safeguarded. The attacker generally only needs to find a single weakness to wreak havoc because one weakness can be used to exploit the network further.

That one vulnerability is often not some complex vulnerability found by a genius hacker orchestrating complex conditions to break your security. It’s often as simple as an rsync server that was not configured to authenticate connections, as in the Level One Robotics breach. Such conveniences are often set up during development and never intended to be part of a production environment, yet have a way of ending up there anyway.

So security requires specialised knowledge and painstaking application across the whole system. Such effort is hard to justify for some services if, when you go to sell your product, that security isn’t understood or valued by most of the customers. It’s easy to see how this results in there being no real market for secure applications and services in most fields, as well as why users that want secure products are out of luck because no one is making them.

How security becomes valuable

Right now, it’s not even realistically possible to abstain from insecure services while still participating in modern society. In many areas, such as cell providers or local banks, most people have only a couple of choices and no particular reason to believe that any of them will do a good job of safeguarding information. Even companies that we never agreed to do business with in the first place can lose our data. The Equifax breach is the highest profile example, while Facebook is infamous for compiling data about people who don’t have profiles.

So what can we do then?

I believe one of the most important changes will occur soon when people realise that the data they generate has real value. We should not let the products we use collect that data for free and in a borderline nonconsensual way. The people who generate data should be properly compensated for the value of that data and they should have real power in deciding who gets it and how.

In these systems, each user stores their own personal data in a database. Then, instead of that data being passively scooped up by the services they use, the user grants those services the privilege to access that data explicitly through the database. The user retains authoritative control over who gets the data and how it’s stored.

The point is that the technology to enable this sort of decentralised exchange of data for remuneration is already available today. All that needs to change is for individuals to start choosing to control and monetise their data, something that offers obvious benefits.

Once this switch has been flicked in the minds of consumers, the decentralised technologies that underpin the blockchain now will become what underpins the new data economy of tomorrow.

