This is not another article explaining that Google and Facebook already know everything about us or that our governments sniff all our Internet transmissions. That's true, but it's just the tip of the iceberg.
This article represents my own realization of the incredibly poor state of data security and what that means about our privacy and data privacy laws. If you're looking for an upbeat article with feel-good solutions, stop reading now.
[ The NSA upshot: We're finally taking Internet privacy seriously. | Learn how to secure your systems with the Web Browser Deep Dive PDF special report and Security Central newsletter, both from InfoWorld. ]
I'm pretty sure I'm not the first person to have this epiphany, but I'm happy enough with myself that I'm going to call this Grimes' Second Corollary. My first corollary states: "Whatever is the most popular software in a particular category is also the most successfully exploited software." It's been retroactively true since 1986, though I came up with it somewhat later.
Grimes' Second Corollary
I feel confident enough in my second intelligent thought of the last decade to declare this revelation my second corollary.
To wit, in a world where every single entity is thoroughly hacked, it is naive to try and determine how ethical or legal it is for a particular custodial entity to hold a particular database by considering only individual circumstances or scenarios. It's wrong to ask if Google, Facebook, our government, your hospital, or your bank should be allowed to collect and store personal information about you. That's the old way of thinking.
Instead, we must ask ourselves if the database in question should be collected or created if we knew that information could be seen by the world -- because it will be or already has been.
No custodial entity can ensure the data it holds will remain private. We must instead assume that information can be stolen by unauthorized parties. If you ask security experts, every database worth stealing is already in the hands of someone who shouldn't have it. This is not wild conjecture; this is the general, well-understood consensus of the world's best computer security experts.
Yours, mine, and theirs
We need a new way of thinking until we can begin to control cyber crime, which won't happen anytime soon. We need to start thinking about any information we give as being given to the world.
For example, a hospital may have and need our medical and financial information. Yet we must, especially in today's world, assume that our hospitals have insufficient IT controls. Hackers can get that information at any time if they want it. They could sell our medical information to insurance providers and our payment records to credit bureaus, or they can give our credit card or bank account information to thieves. The formal, legal entities that collect the data are usually unaware that the information is pilfered, at least for many months or years.
Because all companies are doing a poor job at protecting data, it seems humorous to consider only whether a particular company or entity should have particular database. Simply by virtue of its collection and existence, our data is being shared by the world and the world can do anything with it.
There's a very good chance that many strangers around the world already know more about us than Google and Facebook. They may even know more about us than we know about ourselves.