Stop asking for my data
Companies have clearly shown that they're not capable of protecting it, so it’s time that they stop trying to get their hands on it.
It seems like I get a new letter in the mail every month from some company I’ve had to give sensitive information to telling me that they’ve been hacked. Some of that information, and they’re not really sure what, is out there bundled up with millions of others’ similar details for purchase by people who want it to steal my identity or simply steal my money. These companies want to assure me that they take this all very seriously, and offer me some kind of credit monitoring—as if I’ve forgotten that Experian itself was hacked in 2017.
Why this is happening
All of these companies once had control and responsibility over the data they collected. It was stored on their own servers and accessible by their own infrastructure. It was protected by their engineers. As we’ve moved into the cloud storage age, this data is more often than not out of the company’s direct control. It’s stored on another company’s servers and ultimately, it’s the server owners’ security practices that determine how safe our personal information is, not the practices of the company that collected that data from us[1].
Recently, Snowflake, a data cloud provider, was hacked, and information about Ticketmaster and Santander customers has been confirmed stolen and posted for sale. That hack might have also released Advance Auto Parts and LendingTree customer data. We still don’t know the extent of the hack; there could be more companies’ data out there as well.
Even when the data isn’t on cloud servers, companies are trying to open up massive security holes on our personal devices. Microsoft Recall was implemented so badly by default that the operating system itself was going to open every single user up to a complete and total destruction of their lives if anyone accessed the database. And it was a trivial task to access the database. They need an AI product, and whether or not it’s valuable to their customers or remotely well-designed is secondary to being able to tell analysts and shareholders that they have AI.
If you want to stop it, Just Switch To Linux™
No, I’m just kidding. But that’s often the “solution” that’s suggested when people grow frustrated with the amount of bloatware and spyware on operating systems these days. I saw it in response to the alarm at the release of Recall, and I saw it in response to people who were upset at Apple’s AI feature releases as well[2].
Running Linux instead of Windows or macOS certainly gives you more control over your computer, but it’s more complicated than running either of those two operating systems. While Linux is more mature now than it’s ever been, you still have to troubleshoot drivers to get your speakers to work and support for many basic applications simply doesn’t exist. We’re just getting to the point where you can run some popular games pretty reliably on Linux, and many Linux users still have a second gaming machine that runs Windows.
Even if you switch to Linux, that doesn’t protect you from Google and Amazon and Microsoft scanning your photos and documents hosted on their clouds to train their AI models. For that, you have to not use their services. There are plenty of free, open-source options to replace Google Drive and the like, but most of them require you to self-host it. Do you know how to do that? Do you want to learn how?
That’s kind of the rub here: It’s not feasible to just tell everyone to switch to Linux and self-host all their services. I’m relatively tech-savvy, and I’ve jumped into the deep end on self-hosting and I’m still way in over my head. There’s no way that many people’s parents could figure this out even if it were their full-time job. And honestly, the same goes for people of any age. And even if they could, would they want to? Probably not.
Companies don’t need all this data from you
We’ve moved around a lot—first we were talking about data that you had to give to a company that they lost control of, then we touched on vulnerabilities to your own devices from its own software, and finally, we talked about basic components of the modern internet that are hoovering up your data and data about you. The common thread between all of these things is that we’re talking about data that was taken from you without you really having much of a choice because of the lack of practical alternatives.
Some of the instances of companies asking for too much information that I’ve thought of that really irk me:
If you want to finance a phone through a carrier, you have to give them your social security number so they can run a credit check on you. They don’t get rid of your social security number after that, though. They hold on to it and keep it attached to your account. Why? I can’t think of a good reason, but since AT&T got hacked earlier this year, tens of millions of Americans’ most important nine-digit numbers are being bought and sold along with all of their other personal information. Put all that together and it’s not hard to steal someone’s identity.
E-commerce websites love to get you to store your credit card number on their site because that means the friction to making a purchase in the future is lower. They usually check the “save this payment method for later” box for you by default, and they shouldn’t. It’s just another piece of data that can cause headaches for customers if it ever gets leaked.
I just found this one as I was writing this piece. I was trying to figure out how to change the MLB app’s notifications on my iPad and noticed a button that said “Do Not Sell My Data”. I went through the form asking them not to sell my data, and after that form, they plopped me out on the page with their privacy policy on it. I was scrolling around trying to find out why they sent me there and saw this (emphasis mine):
“Do Not Track” signals are options on your browser that inform website operators that you would not like to have your online activity tracked. Currently, there is no industry standard regarding any appropriate action that websites should take when they receive “Do Not Track” signals. As there is no industry standard, please note that we do not alter our Website’s data and information collection and use practices when we receive a “Do Not Track” signal from your browser.
Cool! Thanks MLB! I guess since there’s no industry standard, there’s no possible way to know what a user who is sending a Do Not Track signal wants you to do. And if I as a user don’t like this, then my options are to either accept it or just…not watch professional baseball. That’s definitely a reasonable choice for the MLB[3] to present to its customers.
It’s impossible to take part in modern life without divulging information that should be kept secret to companies that can’t keep all of that data safe. Threat actors know this and will continue to exploit that at customers’ detriment. Knowing this, it’s only responsible for corporations to stop asking for data that they don’t absolutely need, and to dispose of the little data they do ask for after they no longer need it[4].
[1] Obviously the company with whom we directly interact is responsible for ensuring the sufficiency of the security practices of whichever company they use for data storage. But as they’re not the ones implementing and maintaining the data security practices, the ultimate concern is about the server owners’ security practices.
[2] Although the people who were upset at Apple’s AI the most were actually techy people who should have understood the difference between Apple’s baked-in AI stuff and the optional, off-by-default OpenAI integration. For the record, I hate the external integration as well, and I won’t enable it.
[3] It’s not just the MLB, either. It’s likely every website you encounter. They put together a ghastly privacy policy that’s as invasive as they could imagine because they can sell whatever data they can pluck off of you and tell you that if you don’t like it, you simply shouldn’t use their website. It’s simply not possible to lead a remotely normal life without tacitly agreeing to hand over data about yourself and your browsing patterns and history to anyone who wants it. You can take as many precautions as you want when browsing, but you’re still agreeing to the privacy policy by using that website.
[4] This will not happen. They make too much money selling your information and trying to optimize their marketing campaigns to you based on all the information they learn from the tracking.
Since it’s obviously off the table for companies to simply do the right thing, Congress needs to pass a data privacy law that’s useful in the 21st century. The EU has given them a framework to start from.
That also isn’t going to happen.