I appreciate your point, I really do, but I think that ship has sailed a long time ago. Your password to that website? If the website is popular and has some financial value, its on the shortlist too. They're not only going after microsoft cloud servers. Yes, a central location makes it easier to get a large dataset, but then again, penetrating some random e-commerse website is way easier than hacking microsofts cloud servers. Your personal data and billing info is already in tons of places, and all those places - are not using the best security engineers to secure it. Your documents? Well unless you're not sending those documents out, they're already on the cloud in some form, everytime you email them to someone, or hand them on a usb drive. The network effects of this are so strong that its simply impossible to escape any of this. Without regulation, there is little chance of reversing these worldwide trends.
>Do I trust Microsoft to safeguard my passwords, preferences and files against attacks, not just today, but over the next ten or twenty years, at a time when Windows isn't really the focus of their business anymore? I'm gonna say a pretty big no to that.
>Do I have any guarantees that, twenty years from now, Microsoft's personal data storage systems won't give way, between budget cuts, incompetent management (twenty years is a long time, maybe Satya Nadella's successor is going to be worse than Steve Ballmer...), technical debt and increasing capabilities from malicious actors? Can I be sure that Microsoft is never going to lower their security standards? That they won't make any compromises that they aren't willing to do today, even, say, if they were on the verge of bankruptcy?
Do any businesses exist that you can apply this guarantee to?
Well, thats a fair criticism. But I'm saying its like trying to avoid being kidnapped when you're already in the trunk of someones car. Sometimes the trunk is nice and large and roomy... :)
The fact that the state of security or privacy is already bad is no reason to make it worse. Sure, "that ship" might have sailed a long time ago but that's no reason to send the rest of the fleet after it.
At one point, "the ship" of every tide that humanity has turned "had sailed". For example, there was a time when virtually every potent means of human transportation ran on heavily-polluting fuel -- and while we're by no means back to stone-age levels of environmental friendliness, we're still better off than in the 1960s.
> Do any businesses exist that you can apply this guarantee to?
No, but that's also why there is no company that I trust with a significant portion of my data over an indefinite period of time, nor with any data that I'm not comfortable sharing. (In fact, I don't trust any company that doesn't have a good retention policy -- thankfully, the GDPR makes it a little easier to filter those out now).
The value of data increases exponentially with its amount. For example, mounting a convincing ID theft based on passwords to my LinkedIn account and the local computer shop is difficult, but doable, with the right skills and the right motivation, and for reasonably simple things (e.g. impersonating me to get interesting, but not particularly sensitive data from a former colleague who still works at a former workplace). Mounting an ID theft based on all the data that Google or Microsoft store about a person is a whole different story.
Well, I'm saying that you're already trapped in the thing you're trying to avoid. I am too, everyone is. I'm not saying things will always stay the same or that we shouldn't do anything - I mentioned that we need more regulation. I'm just acknowledging that we have only a notional amount of control over our data. The data is distributed over such a large surface area and each node on that graph has a weakness to it. A large node like Google or MS will be a tough nut to crack, but a few small nodes (e.g. 150 million SSNs and other personal info from Transunion) will be far easier.
>The value of data increases exponentially with its amount. For example, mounting a convincing ID theft based on passwords to my LinkedIn account and the local computer shop is difficult, but doable, with the right skills and the right motivation, and for reasonably simple things (e.g. impersonating me to get interesting, but not particularly sensitive data from a former colleague who still works at a former workplace). Mounting an ID theft based on all the data that Google or Microsoft store about a person is a whole different story.
Right, so they would just hack Transunion and directly get SSNs and other personal info on 150 million people. Of course practically speaking, there are no 150 million "new" people who are just waiting to assume the identity of someone else.
Also as an aside if you were given the documents folders of 150 million people, you'd need a massive amount of storage space and compute power to run indexing, de-duplication and other automated tasks on all the various document formats before you can even begin mining any data from it. Though I'm sure the cost of that will come down over the next decade...
>Do I trust Microsoft to safeguard my passwords, preferences and files against attacks, not just today, but over the next ten or twenty years, at a time when Windows isn't really the focus of their business anymore? I'm gonna say a pretty big no to that.
>Do I have any guarantees that, twenty years from now, Microsoft's personal data storage systems won't give way, between budget cuts, incompetent management (twenty years is a long time, maybe Satya Nadella's successor is going to be worse than Steve Ballmer...), technical debt and increasing capabilities from malicious actors? Can I be sure that Microsoft is never going to lower their security standards? That they won't make any compromises that they aren't willing to do today, even, say, if they were on the verge of bankruptcy?
Do any businesses exist that you can apply this guarantee to?