It seems like barely a day goes by without reports of yet another large scale loss or theft of personal data. In fact statistics are quite clear on the matter – data breaches are becoming bigger and more frequent.
Perhaps this is inevitable. The total volume of personal data we generate and store is increasing exponentially as more and more aspects of our lives become digital and connected. So it follows that with more data floating about, more of it will be stolen or lost.
From a business point of view this is significant. According to a recent study, the cost to a business of dealing with an “average” data breach is now $4 million – representing around $158 for every lost record.
A scan of the headlines reveals that this week alone there were various incidences where credit card numbers and addresses were stolen – clearly exposing unwitting customers to potential fraud. But, as inconvenient as incidents like these are, these consequences pale into insignificance when compared to the potential carnage that could be caused by data breaches in the future, if the rate at which we upload and share information continues to increase at its current pace.
In particular, several data and privacy experts have been willing to admit that they see the potential of a “perfect storm” data breach, on a scale that could have seriously damaging social consequences. And one of the defining consequences would be a terminal loss of confidence among the public in sharing information online.
Now, sometimes when you look into the background of some of the reported large scale data thefts, it’s easy to think that perhaps nothing of value has been lost. For example recent hacks and thefts at online services such as Tumblr , LinkedIn and MySpace got a lot of publicity because they are well known names with huge user bases.
Often, nothing more than user names and passwords are stolen. However even this can have serious consequences if, as is often the case, users have used the same user name or password on other, more sensitive services.
However, these highly publicized breaches are a drop in the ocean, though – the Identity Theft Resource Center lists over 400 serious data breaches known to have taken place this year alone. They involve organizations as diverse as the Bay Area Children’s Association – a counselling and mental health non-profit, the National Network of Abortion Funds, and the University of New Mexico Hospital.
While precise details of what was lost in these cases isn’t available, its not hard to see that the ramifications could go beyond allowing a stranger to access your social media accounts – there’s more than money at stake. Loss of certain sorts of data could have serious social consequences.
What is really worrying is the possibility of an attack on the scale of the Myspace or Tumblr hacks, against a target with very socially sensitive data. Two possibilities which I have heard touted would be leaks of personal message data from Facebook, or user data from Google.
While there is certainly no suggestion that these precise attacks are an imminent threat, given the resources that both companies dedicate to security, neither are, in theory, outside the realm of possibility. And it’s interesting to consider how devastating the ramifications could be.
Considering the possibility of a large scale leak of messages from Facebook or a similar socially-focused dataset, there is of course the precedent of last year’s Ashley Madison hack. It’s fair to say that this is the first time the public at large may have become aware of the potential social consequences (as opposed to financial or political consequences) of poor data security.
The fact that Ashley Madison’s dataset was particularly salacious guaranteed it plenty of press attention. And it certainly had some real consequences for the celebrities who were exposed as cheaters, or the several people who committed suicide in the wake of the leak. Anyone not involved was able to reassure themselves that they wouldn’t have been affected by this because they weren’t using a service designed for adulterers.
The consequences could be far more severe with a more “mainstream” service. I would feel safe betting that a far greater volume of infidelity is carried out over Facebook private messages than Ashley Madison. Countless other private, personal and potentially damaging conversations undoubtedly also take place. And in the majority of cases these conversations will be linked to a definite, real, verified name of a person.
Sensitive conversations about individuals’ employment, or activist activity, religious beliefs and social activity take place every second of the day. Were the veil of privacy to be forcibly removed, public confidence in using online services to transmit sensitive information is likely to be severely dented.
If the idea of having everything you have said in private conversation over the last 10 years uploaded to the internet, linked to your real name, and compiled into a searchable database, isn’t terrifying enough, imagine the same thing happening with the data Google collects on us.
Google stores each and every search query we make (whether or not we are using private browsing or signed into an account), often tied to a real name or, if not, then tied to an IP address which it has a pretty good idea of who it belongs to.
This is really information which you don’t want to fall into the wrong hands. Google has dedicated itself to learning how to build profiles of people from the information they input into its services. In reality it has done this by conditioning us to enteras much data as we possibly can. Our phones constantly report our location. Speech recognition systems store recordings of our vocal commands which can be analyzed for insight into our emotional state and stress levels after they have filled their primary purpose of letting us tell Google what to do. And in the near future, Google’s autonomous cars will send real time sensor data from wherever they go. When you consider that they could – either by design or through the intervention of third parties – identify individual people they pass in the street by communicating with mobile phones in the vicinity, you can’t help but picture it as a surveillance network which will potentially be on a scale beyond anything we have seen in the past.
The possibility of a dataset such as this existing at all may be scary enough for many of us, but the consequences of it falling into the wrong hands could be catastrophic. Millions of people could potentially find themselves open to blackmail if every detail of their movement and activity could be revealed publicly at the press of a button. It’s fair to assume that people from all walks of life would be willing to bend to the will of a malicious third party to avoid this fate.
Of course there are also good reasons to be confident this won’t ever happen. Hackers would have to have technological capabilities beyond those they have today to bypass security on the scale that is deployed by Google or Facebook. The fact that hacks of the type I imagine here haven’t happened yet is evidence of that.
Additionally in the case of a hack on a global scale like this, significant resources would be needed to host and share the data. Just about 25GB of user data has so far been distributed from the Ashley Madison hack – a small enough volume that it can easily be shared using Bittorrent. A hack on the scale I describe here would likely involve petabyte scale volumes – a far more difficult prospect to host and make available to the public – particularly while retaining anonymity.
I don’t intend for this post to come across as scare-mongering – as I said there is no evidence that any group exists with the technological capacity to pull off an attack like this. But I also don’t think that there is ever an excuse for being complacent, or unwitting, about the information we share online.
While we may feel secure enough now, advances in processing speed (particularly when we start to think about quantum computing) and analytical technology may make that security redundant tomorrow. If that happens, people may start to wish they had used a bit more discretion about what information they allowed to “leak” about themselves in these early, wild west days of the digital revolution.
This article was written by Bernard Marr from Forbes and was legally licensed through the NewsCred publisher network.