> things like simple customer service become either insanely expensive or outright impossible
This is true. It is hard to design a CS backend that user user friendly and privacy cognizant at the same time.
However, the other issue is sticky habit of the companies to grab on to as much data as possible and keep it just in case. For example, this breach had SSN next to user's phone number, name and address. Why does it need to store SSN at the first place after initial verification? It is not necessary for most of it's operation. The only reason I can think of is if they want to report defaulted payments to credits bureau. Although, storing SSN can be avoided in a similar way, how payment APIs allow you to minimize handling of credit card number, of course you need support for this from credits bureau. If they aren't cooperative, you can still design the system in compartmentalized way, that simply does not keep an association between SSN and other user info in one place, because SSN is used in very narrow scenarios. There is not enough pressure on the companies right now to do that.
This is true. It is hard to design a CS backend that user user friendly and privacy cognizant at the same time.
However, the other issue is sticky habit of the companies to grab on to as much data as possible and keep it just in case. For example, this breach had SSN next to user's phone number, name and address. Why does it need to store SSN at the first place after initial verification? It is not necessary for most of it's operation. The only reason I can think of is if they want to report defaulted payments to credits bureau. Although, storing SSN can be avoided in a similar way, how payment APIs allow you to minimize handling of credit card number, of course you need support for this from credits bureau. If they aren't cooperative, you can still design the system in compartmentalized way, that simply does not keep an association between SSN and other user info in one place, because SSN is used in very narrow scenarios. There is not enough pressure on the companies right now to do that.