
Personal data right now is considered an asset. It needs to be seen as a liability.

Maybe the solution is a data tax. You pay a set amount every year for every piece of personal data you have. If you buy personal data from another company, you still have to pay the tax for the data you acquired.

If you have a breach of data, your tax goes up for a period of 10 years.

In addition, every piece of personal data needs to have provenance which must be tracked. There must be a way to track from when a consumer input the data all the way through. Fraud in regards to this provenance is punishable by jail time. If you have data that does not have provenance, the company will be severely fined and people will go to jail. In the event of any data breach, not only will the company that had the breach be taxed extra, all companies that provided the data to the company (which is in the provenance information for the data) that had the breach will also be punished with increased data taxes.


In addition, maybe require annual personal data reports. The reports should contain

Amount of personal data.

Amount of personal data last year.

Data breaches.

Amount of personal data acquired directly from consumers.

Amount of personal data purchased and from whom at what prices.

Amount of personal data sold and to whom for what price.

This will be a filing to a government agency every year on penalty of perjury and be signed by all the board members and the c-suite. This will be publicly made available by the government. That way people can see what is happening with their data, and who is profiting off their data.

Instead of a data tax, I like the idea of mandatory data insurance, with payouts to users whose data is leaked/stolen. If your company has shitty security, or a history of leaks, your data insurance provider will charge out the ass.

The financial math has to clearly be on the side of it being more profitable to practice proactive security.

Without data provenance (i.e. a data chain of custody) corporations will just "subcontract" it out to the lowest bidder. There need to be consequences all the way up the chain to everybody that provided the data. This way, the people with bad security won't even get the data in the first place because no one will risk their data with them.

Regulations like EU GDPR require such provenance - you can subcontract if you wish, but you're still liable if your subcontractor fails in some way.

> I like the idea of mandatory data insurance

Why not just liability for lost data? Companies could then choose to hold the risk themselves or field it out to insurers.

If it doesn't need to be insured, you could just spin off a smaller entity responsible for holding the data for you, and shut the company down if the data leaks. You can do the same if insurance is required of course, but any brand new 'personal data holding' company would likely have very high insurance premiums to offset the risk.

It's fairly common in the temp employee industry that if a temp worker gets injured the temp agency folds and restarts to avoid the penalties.

It would be nice to require insurance or a bond to hold personal data so a company can't just disappear when data is lost.

[0]: http://projects.thestar.com/temp-employment-agencies/

And people wonder why I am so hostile to our way of creating and governing corporations, and our way of divorcing business from the lives and reputations of those who run it.

While simultaneously championing corporate personhood.

Holy shit.

This is exactly what I mean when I say that, if you want to see real corruption, just take a look at regular small businesses around you.


> If it doesn't need to be insured, you could just spin off a smaller entity responsible for holding the data for you, and shut the company down if the data leaks

If this is possible without insurance then it’s possible with, and every insurance company will mandate the structure to limit payouts. Mandating insurance simply entrenches the insurers. Why, for instance, would you want to require Apple purchase insurance against its users’ data?

Side note: beneficial ownership [1] and affiliate definitions [2] are useful for such cases.

[1] https://www.investopedia.com/terms/b/beneficialowner.asp

[2] http://rule144opinion.blogspot.com/2014/02/rule-144-are-you-...

> If this is possible without insurance then it’s possible with, and every insurance company will mandate the structure to limit payouts.

You can't limit insurance payouts this way, because the entity has to carry the insurance. You only limit the exposure of the larger entity after the assets of the liable entity, including any insurance coverage, are exhausted. But the more the mandatory insurance level is, the less likely spinning off to protect the parent is to ever be valuable, and it never protects the insurer, so they won't mandate it.

That doesn't necessarily limit your risk exposure if litigation ensues. Anyone going after you (or the data holding company in particular) is going to attempt to pierce the corporate veil. And while that's not necessarily easy, it's still common enough. In that situation, it's almost inevitable that the separation won't be clear and strong enough to avoid being pierced.

Of course, that's all irrelevant unless there's a significant change in how the law treats data security.

It seems to me that doing so should somehow constitute fraud. It would be better if the law could be changed to make sure it is penalised as such.

Isn't this where "piercing the corporate veil" comes into play?

Seems to me substantial liability will create a market for insurance of this sort anyway.

This exists and companies purchase it, ex: https://www.thehartford.com/data-breach-insurance

Risks (all kinds, not just technical) can be accepted, ignored, transferred and mitigated so it is important to have this option.

It's still not a great option for anyone involved as it is hard to price and last I checked had a pretty low ceiling on payouts.

Just set a value on the data, a monetary value, and the rest will naturally emerge through insurance and due diligence by insurers.

And since no insurance provider enjoys compensating millions of people, it would be very likely they would fiercely fight those responsible for the leak.

> payouts to users whose data is leaked/stolen

What would the actuarial standards be for something like that?

I'm assuming the strength of your password. The security practices of the company storing data. E.g. a company only uses SHA-1 for storing passwords: premiums skyrocket.

Sounds like the offspring of FIPS 140-2 and PCI. Have fun with that.

Yeah. I wouldn't advocate for a law like that at all. Too much governmental control over business practices.

Troy Hunt just published an article today (Dec 19th) titled "Fixing Data Breaches Part 2: Data Ownership & Minimisation", which discusses this exact topic [1]. The entire post is worth a read, but he offers an excellent summary:

> Summary This whole post is about giving control of data back to the rightful owners and minimising the impact on them when a breach occurs. This is equal parts a fundamentally simple objective to achieve and one that is enormously difficult. It's simple not to request that someone provides their date of birth to a cat forum; neither the site nor the user themselves lose anything by not collecting this data. Yet it remains a difficult objective because not only do so many services continue to view our data as an asset, they never expect to be the victim of a data breach which then turns that data into a liability.

[1] https://www.troyhunt.com/fixing-data-breaches-part-2-data-ow...

> Personal data right now is considered an asset. It needs to be seen as a liability.

In Europe, especially with the upcoming GDPR laws, data is seen as a liability by many companies.

Data being a liability just means that companies need to think twice before storing it - if the data is sufficiently valuable, companies will still store it, but they have to manage it properly and mitigate risks since penalties are harsh.

Storing data "just because you can" will no longer be worth it, and rightly so, given the risk.

It's my data, why should they pay a tax to the government for it? How about a data royalty. You use my data, you must pay me a royalty.

Yes! And if you “lose” my data you owe me big money.

Also have the fine scale exponentially by data items.... data set of 100 people with 2 items (name and email = $400 total or ($2x$2=$4 per user x 100 users)).

Data set with 1 million users and 10 fields per user would be $1B and $1,024 paid to each person...

Then make companies bond their liability - with recourse against anyone up the chain of title if the data was purchased...

Perhaps a bit draconian...

You've just shut down every personal blog and small (or medium or large...) forum on the Internet.

Anonymous data is not the same thing. There's no reason to jump to regulation of data without a legal trail.

What's anonymous data? If I have an e-mail, a screenname, and IP, I bet I could identify at least the household with a much greater than 0% success rate.

The royalty is free access to Facebook, instagram, [insert free web service name here]

And for the services that I paid for that lost my data?

"It's my data" - this is absurd.

Observations I make are mine, if I observe you it's my observation.

I can tell stories about my observations, but if I make public statements about you that are false, that's a tort.

This is what needs to happen. "identity theft" is what people fear. It would not happen if the banks got sued for big money and lost every time they lied to credit agencies about debts you did not default on. All this data breach stuff is mostly a bait and switch tactic from the real problem stemming from bank slander.

Your security clearance report stolen by the Chinese from the US government OPM database[1]. This could be a real problem for you. Information anyone can get by paying for it? This would not be a problem if credit fraud and credit reports were not such a big problem.

[1] https://www.nytimes.com/2015/06/05/us/breach-in-a-federal-co...

"if the banks got sued for big money and lost every time they lied to credit agencies about debts you did not default on" is pretty much the situation in most (all?) of EU; if you dispute the claim, then the debt can't be reported to anyone else unless they can prove that it was you, and no, "they knew your magic number and your mother's maiden name" doesn't count as evidence.

Coincidentally, we don't have the same types of mass identity theft issues that USA has.

You're not observing anything, you're asking for the data

If that were true, your "observations" of a movie would give you the right to reproduce it, and that's not the case today.

Generally facts can't be copyrighted. I think a lawsuit about copying the phone book contents is usually given as the basis for that legal precedent.

Observations of behaviour are not normally isolated to facts, they're integrated to create models of behaviour.

I was specifically giving an example of why your observations don't automatically mean you have ownership today. I'm personally in favour of laws that ensure such observations are more explicitly owned by the observee in corporate scenarios.

Sounds like a blockchain solution in the making... /s

Haven't you heard... It's all about blockchains of blockchains these days. Gives you ln(n) time instead of n. There is also interesting work in leader follower blockchains.

I assume they also give you n^2 of global energy waste instead of n...

I didn't think of that but yes that is an added benefit

Bruce Schneier had a blog post last year, 'Data is a Toxic Asset'. His ideas about what to do are... "We need to regulate what corporations can do with our data at every stage: collection, storage, use, resale and disposal. We can make corporate executives personally liable so they know there's a downside to taking chances. We can make the business models that involve massively surveilling people the less compelling ones, simply by making certain business practices illegal."

[0] https://www.schneier.com/blog/archives/2016/03/data_is_a_tox...

> Maybe the solution is a data tax

Credit reporting and debt is a dumpster fire that needs to be rebuilt from scratch.

We need a new system where knowing the right pieces of information does not allow you to buy a car in someone else's name.

> We need a new system where knowing the right pieces of information does not allow you to buy a car in someone else's name.

Identity is information. Ownership as a coherent social process is contingent on shared information.

I think the solution is more that "personal data" needs to stop existing.

Either it's private, and then NOBODY has it (i.e. stored on local machines, paper or just memorized), or it's not private, and then it's publicly accessible on a website, or it's confidential and then it's either service-specific data that is deleted as soon as possible (e.g. web searches) or given along with a physically signed contract containing an NDA and penalties for failure to keep secret.

The best way to achieve this is to require, by law, companies to publish on the web anything they learn from customers that is either not strictly part of their interaction with the service or has been stored for more than a month.

This will result in companies no longer asking for things that customers don't want to be public, and deleting interaction data unless the customer wants it kept and published.

Also it will result in a reduction of Google/Facebook/etc.'s monopoly powers since they will have a reduced monopoly on customer data.

I would love to introduce you to the GDPR. It does almost all of what you propose, and it goes into effect in May in Europe.

Given the data stories that happen pretty much daily now, at this point I'm waiting so hard for GDPR that I'm considering throwing a welcome party on the 25th of May, 2018.

But why is it an asset to begin with? Why did it not stay a liability?

I hear things about how the data is the 'real' product, and how it's mostly used just to train algorithms that are then used to sell ads. More data, better training algos, better ad targeting, more money spent.

But that data can be remarkably easy to spoof and goof with. Garbage in = garbage out. That would be a liability to the algos, the real weak links.

So, I think that a tax is not the best idea.

Rather, the data needs to be made into 'garbage'. Yes, an obfuscation race will ensue, but there is always more trash than gold, more noise than signal.

If we really want to change the game, we need to have easy to use apps that will throw a minute amount of static on the instagram photos, that will put just a bit of background on the phone calls, and that will throw a small bit of random words into the emails.

Yes, PGP does this already, but we all know PGP is not easy to use (by design?).

We don't need 'total' security and safety, just a bit of fuzz will screw with the algos enough (thus the start of the obfuscation race/war)

Keeping personal data is fine. The issue is that everyone involved with handling the data has a cavalier attitude. They just shrug when it is leaked because it is no skin off their back.

The solution: lawsuits. The laws need to be relaxed where if a company leaks data, we are entitled to damages. Just like if someone assaults you on the street you are entitled to damages.

The most famous case is McDonald's. When their hot coffee scalded a woman, she was awarded damages. Suddenly, every food-serving establishment took care to make sure the temperature was right, printed warning labels, and told customers to be careful... it's hot.

Pretty sure if some of these companies get stiffed with huge fines, everyone will take notice and clean up their act.

Instead of a tax, how about extending the cumbersome PCI Compliance regulations to all personal data? How many of you would store credit card numbers willy nilly today even if asked by a client? :-)

> Personal data right now is considered an asset. It needs to be seen as a liability.

What an excellent insight. You changed my conception of the problem. Thanks!

Virtually all ... assets / goods / services ... have both some positive and potential negative value. There's a component of risk.

This gets complicated when the interactions themselves are complex and indirect. I'm looking at some general notion of complexity, in terms of scale, structure, and depth, but one general notion I'm working toward is that of intermediation -- the distance, think of it as a depth in nodes -- between the observer and observed. The shallower that depth, the simpler the interaction, the less intermediated the relationship.

Node complexity also matters. Jumping through dumb pipes is one thing, passing through complex relays another. The children's game of "telephone" exemplifies this -- contrast that to simply passing a note down the chain. The note (written on paper) is physically transported. The verbal message is passed from one person to the next.

(We're ... starting to see bits of this emerge as our comms networks become more complicated, and powerful in processing capabilities.)

Back to value/liability: any given opportunity or action has some positive potential and some negative one. We tend to pursue actions with a high probability of success, and where negative consequences are either rare, or, and this is problematic: vaguely defined or difficult to articulate. That is, there's a risk, but you don't know how big that risk is. And in cases it's huge: tetraethyl lead, asbestos, tobacco, CFCs, fossil hydrocarbons.

But it takes years or decades to establish the risk. And there's a strong motivation to denying it or suppressing the message.

Data falls into that class of goods (or bads).

Currently it is illegal to sue a company for personal harm that results from a data breach.

We could start by repealing that nonsense.

Taxes are good for discouraging directly harmful activities or internalising externalities. I'm not so sure they're the right mechanism for costing risk, though as an alternative to insurance, that's a possibility.

Personal data is already a liability in the medical space. How’s HIPAA made that any different? Are those databases breached just as often, but of little interest?

A relative of mine works in IT for a non-US hospital. (Avoiding naming it because of backlash potential, both for him and myself.)

When he started there, as bottom level IT support, he had access to everything. Admin passwords, doctor's passwords, he could write prescriptions and put a doctor's name on it. He could order anything and everything, and send it anywhere. He could read your medical files, if you were a patient there at any time. There were no restrictions, only some logging.

The place is only >>this week<< securing the network, because the last security guy quit and a new guy started.

I don't know what it's like in the US, but where he is there should be regular audits and criminal negligence charges for this kind of thing.

For the first 100 years, we just arrested folks who actually faked records or stole things. Now we do it if they don't make it impossible?

I know, networks change everything. But inside a secure facility it's often (always) the case that personal integrity (and maybe some audits) is used to ensure correctness most of the time.

Somebody working in a hospital could steal prescriptions off of patients' tables, could lift wallets and purses, heck could even take a knife and attack people. But instead of hobbling everybody and locking everything up, we instead trust folks. And take action when somebody un-trustworthy violates that.

> For the first 100 years, we just arrested folks who actually faked records or stole things. Now we do it if they don't make it impossible?

First, "impossible" is taking the argument to the extreme. Second, the insecure network OP described is negligence. Perhaps they were even reckless. That's not a new concept.

You're going to make the cost of doing business prohibitively high.

Most businesses don't need to store sensitive private data, it's a convenience and marketing benefit for them. The few domains that really do have a need for this data can afford to handle the data properly; and all other business should consider the cost of handling that data prohibitively high, and simply do their business without that data.

Good. If your business depends on collecting tons of personal information from people, and storing it in a way that puts innocent people at risk, your business does not deserve to exist.

Sounds real easy to implement and very easy to regulate.

Maybe, but how do you quantify this data? And also there must be a way to not let this affect small businesses.

Now this would be a great use case for a blockchain based database.

It's both!

> If you have a breach of data, your tax goes up for a period of 10 years.

You do know it is impossible to thwart all data breaches right? You can have the most sophisticated security system created and Zero-day attacks are still bound to occur. Data breaches occur without the companies themselves even knowing they took place... Geniuses are on the offensive side, if they want in, they will get in. No company in the right mind would agree to pay a tax when the inevitable happens. Just my 0.02

> You do know it is impossible to thwart all data breaches right?

False. No system, no breach. No data stored, no possibility to lose it. Accept the liability for having the data or don't have it.

If you can't keep the data secret, then maybe don't store data worth stealing. Yeah, breaches will always occur, but this data shouldn't have been piled up in the first place.

> You do know it is impossible to thwart all data breaches right?

As RcouF1uZ4gsC's proposal contains measures to be taken when it happens, I strongly suspect that he does, in fact, know that.

> Zero-day attacks are still bound to occur... Geniuses are on the offensive side.

Most of the breaches have required neither of these. The goal is to improve the practice of security to the point where the only successful attacks would require both.

> No company in the right mind would agree to pay a tax when the inevitable happens.

You have a very unconventional idea of how companies generally operate.

> I strongly suspect that he does, in fact, know that.

His proposals imply that he does not in fact realize that zero-day attacks occur. Negligence is one thing, but having state of the art security systems and still being punished for a breach is another thing. A state sponsored group with enough time and money can repeatedly infiltrate a system. A tax certainly won't solve the problem.

I think you're missing the point entirely.

If your business is such that a tax penalty on a breach would make you no longer able to afford to do business, then you have two options: 1) don't store the data in the first place - your risk now goes to 0; 2) scrap your business plan, as the cost of holding the data given the impossibility of preventing every breach is greater than the economic value it would generate.

Today you don't have to really think about what the cost of losing the data is because your portion of it is 0. That's stupid. It's like every startup deciding to include a new type of coffee machine that includes a small nuclear reactor - sure, we can't prevent all possible disaster scenarios, but the marketing people and data people REALLY LIKE having this type of coffee available, and the government isn't giving us any reason NOT to have it, so why not?!

So if a tax either makes you put money aside to account for the risk, or shuts down a bunch of frivolous examples of personal data collection, it's solved a huge part of the problem.

You are using rare, worst-case events to, in effect, excuse the currently abysmal state of security. When we have reached the point where zero-days account for almost all the remaining successful attacks, we can revisit the question.
