Open to the world
We must determine whether or not a particular database should exist, not by a single, isolated evaluation of risk, but by a global evaluation of risk.
The norm isn't that some company's databases are stolen. Most privacy discussions should begin with the assumption that all companies' databases are stolen or are likely to be if they contain anything of value. If that assumption is correct -- and it is whether or not we acknowledge it -- then I think the answer would often be no, we should not trust most companies to hold and secure most data.
For example, Bradley Manning is currently on trial for leaking top military secrets. If he is found guilty, he needs to go to jail. But 1.4 million people in the United States have top-secret security clearances. It's likely that at least a few -- if not more -- of them are leaking secrets, too. It can't just be Pvt. Manning. He was simply dumb enough to get caught. I've read about American spies stealing secrets for more than a decade before they were nabbed.
In the corporate world, you'd be amazed at how many staffers in a company can read, copy, or download a private database meant to be seen only by a few people. I frequently conduct data protection audits for big companies, and what I find no longer astonishes me.
On top of that, every outside company and contractor that has access to the data is a potential point of leakage. It's almost certain that one or more of those data custodians have been thoroughly compromised.
By accident or design
Often data leaks are purely accidental. Millions of people inadvertently overshare other people's personal information every year -- by posting on public websites, excessively divulging details in public documents, or leaking through a file-sharing program they installed to illegally download movies.
Do a little search engine "hacking" to find classified or top-secret information and you'll be amazed. You'll find entire state databases of financial information sitting on the Web -- for years -- just waiting to be downloaded. Spend a little time Googling for passwords and other supposedly secret information and you'll scare yourself.
Wait, it gets worse. You might think information is protected, but guess again. Most cryptographers believe that in less than one decade, quantum computing will be marshaled to crack any encryption. We spend our professional lives protecting information inside of encrypted datastreams and encrypted files. One day those boundaries will suddenly evaporate. The world's governments are symmetrically recording all encrypted traffic because they know it will all be easy to read soon enough.
The truth will set you free
My intention is not to scare anyone. It's to awaken everyone. Our private data hasn't been private for a long time. The first decade of the third millennium will go down in history as a period of time in which the world's thieves stole everything.
Our laws and regulations are all written with the assumption that data custodians can protect data. That assumption is wrong. If that is so, should any entity be allowed to collect our information?
The answer is no -- and I can't blame you for responding that preventing any company from collecting our personal data would bring business and industry to a halt. I'm not the one making the rules. The laws and regulations say that data custodians must be able to protect our data. They clearly can't. They clearly haven't. Nothing they are doing to improve their security right now is making it any better in the short term.
I'm not the bearer of bad news. I'm your enlightenment. You can take the red or the blue pill. It's up to you.
This story, "It's over: All private data is public," was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes' Security Adviser blog at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.