October 6, 2017

Online accounts need a clearly defined lifecycle

As part of a thought experiment, I was thinking about the implications of the internet becoming mainstream in a short time frame. One of the points that came up was the lifecycle of online accounts and their associated data. The lack of a clearly defined lifecycle means that users are at the mercy of each service's policies. Some services retain data indefinitely, some sell user data to third parties for ad targeting, and most don't allow deleting accounts at all. This is one area where the big tech companies seem reasonable: most allow deleting user accounts and the associated data, but it's unclear what deletion really means. What happens to the user data stored in database backups? What happens to the data already shared with third parties? Are they instructed to delete it once the upstream user deletes their account?

As we move away from tech companies and focus on ones whose core competency is not tech, things get worse. Many companies collect intimately personal details such as location data, education history, billing address, photos and scanned copies of ID documents. This sensitive data is often submitted over plain HTTP and stored unencrypted on servers with weak access controls. There have been multiple instances of user data sitting in publicly accessible S3 buckets or databases. I won't name specific companies, but I'm sure you can come up with a list of your own.

Given a long enough timeframe, a data breach is all but certain. As a single data point, Yahoo once seemed invincible; look at their sorry state of affairs now. It shows how quickly a company can go from seeming invincible to becoming a joke. Take a look at the other sites in the Have I Been Pwned database, which lets you check whether your data was exposed in a breach. If that does not scare you, I don't know what will.

It's worth pointing out that once your data is leaked there is no "unleaking" it. The data is out there, and any determined bad actor can get their hands on it if they know where to look. As pointed out by Maciej, leaks that seem harmless today can come back to haunt you in the future, in ways that are impossible to predict. That's really what makes data breaches truly scary.

What can companies do to improve the current state of affairs?

  1. Have a clearly defined lifecycle for user accounts and data, and make it clear how user data will be used. Current terms and conditions are walls of text that boil down to "we will do whatever we want with your data". As I understand it, these vague clauses are put in for legal reasons to protect the company in lawsuits, but such clauses are often abused by companies.

  2. Allow users to delete their accounts and associated data. The term deletion needs to be clarified: delete all data about the user, including from database backups. In practice a backup is an immutable snapshot that cannot be edited in place, so this means either expiring backups on a short schedule or encrypting each user's data under a per-user key that is destroyed on deletion, which leaves the copies in old backups unreadable. When I brought up the topic of deleting user data with certain companies, I was told that financial records cannot be deleted for legal reasons. If that's the case, the law needs to change to allow the records to be deleted after verifying that all the transactions associated with a user account were legitimate.

  3. Collect only the minimum information that's required. A random SaaS provider does not need to store my billing address. If you need to collect a billing address for AVS, collect it, verify that the transaction is not fraudulent, and then delete the address. There's no reason to store that data indefinitely.
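The following is an added example, not code from the original post, showing what points 2 and 3 above look like in a data store: every sensitive field carries a retention deadline and is purged by a job, a billing address collected for AVS is erased right after the check, and each account has its own encryption key kept outside the data store so that destroying the key on account deletion also renders the copies in backups unreadable. The names (KeyVault, LifecycleStore, verify_avs, the constructed user "u1") are invented for the example, and the HMAC-based stream cipher is a stand-in for AES-GCM from a vetted library so that the example runs on the standard library alone.

```python
"""Added example: user-data lifecycle with retention deadlines, post-AVS
purge and per-user keys (crypto-shredding). Not from the original post."""
import hashlib
import hmac
import secrets
from copy import deepcopy

NONCE_LEN = 16


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy counter-mode stream from HMAC-SHA256, used only to keep this file
    # stdlib-only. Production code would use AES-GCM from a vetted library;
    # the lifecycle logic below does not depend on which cipher is used.
    out = bytearray()
    for block, start in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[start:start + 32], ks))
    return bytes(out)


def encrypt(key: bytes, plaintext: str) -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + _xor_stream(key, nonce, plaintext.encode())


def decrypt(key: bytes, blob: bytes) -> str:
    return _xor_stream(key, blob[:NONCE_LEN], blob[NONCE_LEN:]).decode()


class KeyVault:
    """Per-user data keys. Lives outside the database and is never backed up
    together with it (hypothetical stand-in for a KMS)."""

    def __init__(self):
        self._keys = {}

    def create(self, user_id: str) -> None:
        self._keys[user_id] = secrets.token_bytes(32)

    def get(self, user_id: str) -> bytes:
        return self._keys[user_id]  # KeyError once the key has been shredded

    def shred(self, user_id: str) -> None:
        self._keys.pop(user_id, None)


class LifecycleStore:
    """Records where every sensitive field has an explicit retention deadline."""

    def __init__(self, vault: KeyVault):
        self.vault = vault
        self.records = {}  # user_id -> {field: {"ct": bytes, "expires_at": int|None}}
        self.backups = []  # snapshots of self.records, as a backup job would take

    def create_account(self, user_id: str) -> None:
        self.vault.create(user_id)
        self.records[user_id] = {}

    def put(self, user_id, field, value, now, retain_seconds=None):
        # retain_seconds=None means "kept until the account itself is deleted"
        expires = None if retain_seconds is None else now + retain_seconds
        ct = encrypt(self.vault.get(user_id), value)
        self.records[user_id][field] = {"ct": ct, "expires_at": expires}

    def get(self, user_id, field, source=None):
        # source lets a restore job read from a backup snapshot instead
        rec = (source if source is not None else self.records)[user_id][field]
        return decrypt(self.vault.get(user_id), rec["ct"])

    def purge_expired(self, now) -> int:
        removed = 0
        for fields in self.records.values():
            for name in [n for n, r in fields.items()
                         if r["expires_at"] is not None and r["expires_at"] <= now]:
                del fields[name]
                removed += 1
        return removed

    def take_backup(self) -> None:
        self.backups.append(deepcopy(self.records))

    def delete_account(self, user_id: str) -> None:
        self.records.pop(user_id, None)
        self.vault.shred(user_id)  # ciphertext still in self.backups is now unreadable


def verify_avs(store, user_id, address, now, check) -> bool:
    """Collect the billing address for the AVS check, then drop it immediately."""
    store.put(user_id, "billing_address", address, now, retain_seconds=0)
    ok = check(store.get(user_id, "billing_address"))
    store.purge_expired(now)  # expires_at == now, so the address goes here
    return ok


def demo() -> dict:
    """Constructed walk-through of one account's lifecycle; returns checkable facts."""
    store = LifecycleStore(KeyVault())
    now = 1_700_000_000
    store.create_account("u1")
    store.put("u1", "email", "alice@example.com", now)  # kept for the account's lifetime
    store.put("u1", "id_scan", "<constructed scanned ID>", now, retain_seconds=30 * 86400)
    avs_ok = verify_avs(store, "u1", "1 Main St, Springfield", now, lambda a: "Main St" in a)
    address_kept = "billing_address" in store.records["u1"]
    store.take_backup()
    readable_before = store.get("u1", "email", source=store.backups[0])
    expired = store.purge_expired(now + 31 * 86400)  # id_scan is past its 30-day window
    store.delete_account("u1")
    try:
        store.get("u1", "email", source=store.backups[0])
        readable_after = True
    except KeyError:
        readable_after = False  # key shredded: the backup copy cannot be decrypted
    return {"avs_ok": avs_ok, "address_kept": address_kept, "expired": expired,
            "readable_before": readable_before, "readable_after": readable_after}
```

The design choice worth noting is the split between the key vault and the record store: backups only ever contain ciphertext, so deletion is a key destruction, which is something a single write can accomplish, rather than an edit across every snapshot ever taken. The same separation is what makes the AVS flow cheap to get right, since the address only exists as plaintext for the duration of the check.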

Additionally, companies need to be held accountable for data breaches and the resulting impact on users. Currently, data breaches have little lasting impact on the company that's responsible. CEOs who oversaw data breaches collect their millions and walk away into retirement as if nothing happened. Until there is accountability that forces companies to take security seriously, not much is going to change.

To bring about any meaningful change, there needs to be government regulation and guidelines on how user data can be used, how long data can be retained, and also guidelines to prevent shady practices such as building shadow profiles of users. Unfortunately, privacy issues are almost always an afterthought for governments around the world. Even massive data breaches such as the Equifax breach are not enough to make governments take security and privacy seriously.

What can we do to move in this direction?

  1. If you run a business, try to implement the above suggestions.

  2. Any chance you get to bring up the topic of account/data lifecycle with companies, do it. Tell them you care about it and ask them to spell out their policies unambiguously. From experience, most support staff claim they will forward my concerns to their seniors, but I never hear back from them.

  3. Talk to friends and family about security, privacy and the risks of having personal data leaked on the internet.

These actions alone won't move the needle much, but doing something is better than hoping things get better on their own. Even writing a shitty blog post like this helps raise awareness and makes people think.

If you have any thoughts or suggestions, feel free to share them in the comments section below.


© Plogging Dev