Facebook and the Next Breaches

We are somewhere in the age of data breaches – how close to the end, it would be presumptuous to say. But we have lived through enough now to have a history of the data breach and to anticipate what will come next. Mark Zuckerberg’s testimony today gives us a glimpse of that future.

Facebook did not invent the violation of data privacy. In fact, they have done far better than many of their peers when it comes to the unintentional exposure of personal data. The wide-ranging questions leveled at Zuckerberg underscore Facebook’s unique position in the history of data privacy: they have run afoul of our sense of what is right even if we can’t put our finger on why, or rather, even if we have theoretically consented to their business model long ago. Putting Facebook’s current maneuvers within the history of the data breach can help explain this mounting discomfort with an economy predicated on the continuous loss of confidentiality.

The Profit Motive and Structural Insecurity

We can understand each wave of breaches so far, and thus help predict those to come, by identifying the central problem in the business of technology at that time. What was the problem that innovators were competing to solve, where the existence of a solution was not yet a given? In these gold rush environments, security has necessarily been a secondary concern. After all, it’s irrelevant whether a product is secure if the whole thing is abandoned or mothballed, or worse, gets to market too late because of the added cost of security. As a result, whatever does survive is likely to be built on insecure foundations that prove more costly to rectify as time moves on.

Wave 1: Vulnerabilities

The first wave of data breaches was the result of the birth of the internet itself. The business challenge was proving that there could be online businesses at all, or even that there could be enough people online to form an addressable market. As a result, insecurity was baked into the internet for decades to come as technologies created for communication between researchers were hastily repurposed for a consumer market. For example, there was the conscious choice not to make all traffic encrypted by default, as it introduced an extra layer of complexity for communication. Today, encrypted HTTPS connections are the expected standard because they provide a crucial layer of protection for stopping cybercrime. As a result of the decision to make unencrypted traffic the default, however, there have been countless pieces of sensitive information stolen and a years-long campaign to migrate extant sites to HTTPS. Had security been a primary concern in the original design of HTTP, none of this would have happened.

Wave 2: Cloud Leaks

After it was established there was money to be made from the internet, the second question was how to do so at an industrial scale, and so we entered what has been called the digital transformation. Everything would be online; pick a service you received in the material world and that automated human labor would be replaced by application code. As businesses moved online they failed to update their mental model for document security. Rather than generating paper documents that were physically localized and difficult to replicate, businesses generated massive digital footprints that were trivial to replicate quickly, discreetly, and remotely. In rushing to prove out the scale at which digital business could operate, security measures were outpaced by the scale of resulting data. Not only were breaches caused by vulnerabilities as before, but also by inadvertent exposures resulting from the complexity of large-scale data management. Data did not even need to be stolen; it was simply left in the open for anyone to take, forgotten and unattended.

Wave 3: Third Party Risk

The third wave has followed closely from the second. As businesses generated and stored more data, they began to outsource those capabilities. While software as a service has lowered the operational load for those businesses, it has multiplied the challenge of preventing data breaches. The response has been emergent regulations like the General Data Protection Regulation of the European Union. Because breaches are so commonplace and the contributing factors can be so complex – a factor that allows savvy legal and PR teams to avoid responsibility through diversion, obfuscation, and attention fatigue – the GDPR applies fines whenever personal data has been or could have been exposed. If personal data is exposed, at least one entity will be liable, which is both logical and just.

What’s Next: Zuckerberg Squares the Circle

What will come next as the effects of GDPR and similar legislation spread over the globe? Will we see an end to data privacy issues? Ironically, I do not think so, and we can see the seeds of the next wave of data breaches in the events of today. As long as data is generated by and about users there will be the management problem of preventing that data’s exposure. The momentum behind the creation of data is only increasing – think of all the IoT crap spewing data points into the ether – which means that the management problem will only increase as well.

The problem is that businesses want to generate data about people but they cannot afford to be responsible for that data. The result of this tension, I predict, is that individuals will become responsible for their data. From Mark Zuckerberg’s testimony to Congress it is clear that this is the path that Facebook, one of the companies that has profited most from the collection of personal data, has decided is best for its interests. Users can choose with whom they share their posts, with extensive customization of those access controls, and can even download their own data profile. This, Zuckerberg stated countless times, amounts to “ownership” of one’s data. The goal of this rhetorical tactic is to set up a direction for future concessions of greater individual access to that data – “ownership” – that is not contrary to Facebook’s interest in recording and processing that data in the first place.

Thus the amount of data will grow and its storage continue to fragment. Users will download their profiles to their laptops, then unwittingly back them up to cloud storage via a client they forgot was running, then email them to themselves so they can find them when they’re away from home. As individual “empowerment” becomes a watchword for data privacy, user data will continue to accumulate and the uniformity of its management will continue to degrade. Compromising one aspect of a user’s identity will lead to methods for full compromise of their social media history. And we will see a new wave of breaches as the surface area expands, just as we have several times before.

Uneven and Combined Insecurity

Trotsky used the idea of “uneven and combined development” to explain how different economic modes could coexist and affect how each other progressed toward a more or less inevitable industrialization. The same can be said of the digital world and its layers of susceptibility to data breaches. Vulnerabilities, the cause of the first wave of breaches, still exist and still result in massive exposures for technologically underdeveloped companies. At the same time, those companies are launching initiatives where they encounter problems like cloud leaks that attend other technology choices. All of these problems persist today, but we can also see the stirrings of a new trajectory for the vast data snowball that continues to grow in size. The data stores will not shrink, the breaches will not stop, but there will be new people to blame, and so allow the digital economy to lurch forward one more time.