This morning, I had a conversation with Karl H. Richter about data. He argues that data is money — and I mostly agree with him:
Sometimes we may want the tech companies to be trustworthy custodians, holding our data safely without being stolen or used without our consent – or we may want them to actively invest some of our data on our behalf, to work productively in the economy in exchange for a risk‐adjusted return.Karl on expectations with regard to handling data
I quite like this change of perspective. But I think there is something missing here — what happens if these custodian or „investment managers“ fail to keep our data safe? If we stick to the „money“ analogy, that would mean that the data is simply gone.
And yes, occasionally, this actually happens; just ask MySpace. Most of the time, though, data doesn’t get lost, but instead gets copied. It is a pet peeve of mine when these get labeled as "data loss" or "data theft" by those who report on it. Often this gets confounded by saying that the company who was the custodian of that data would be the victim here.
Please, nothing could be further from the truth, let me explain why and how:
- The data is usually still there. The company whose database was breached still has all their data. They can continue their normal operations, deliver goods and services, write bills, everything.
- The incident involved the companies servers, but they are not the true victim in these cases — it’s the users whose data became compromised! I would rather say, that the companies in question were more of an accomplice in this, by being (often willfully) negligent about their security practices.
The more fitting analogy for most data breaches is an environmental disaster. Think of it as a containment breech in a nuclear reactor. The reactor still produces energy, but the environment around it is damaged in ways we cannot entirely foresee. The long term effects are rather unknown and vague, depending on lots of external factors no one can fully control.
Worse: As with environmental disasters usually hit hardest on the most vulnerable or marginalized people, so do do breaches. And as with environmental damage, they are cumulative: Once the data is out there, it usually never goes away. And the more small pieces of my private data are known, the more they can be combined into something more dangerous.
For the privileged, it is easier to cope with data breaches. If I’m a millionaire, I can simply move when my home address gets compromised. Sure, it’s a nuisance, but it is completely doable. If I am living on minimum wage in an area that is under gentrification pressure, I won’t be able to afford a move.
If my sexual orientation, religion or race gets published (I’m a white, cisgender heterosexual atheist), I’ll have exactly nothing to fear. If I were gay and lived in Saudi Arabia, the same data piece suddenly becomes life‐threatening.
So, we should think about data as if it were radioactive money. Whoever controls it can use it to generate wealth with it, but if it spills, there will be long lasting unfathomable damage.
We need to hold the custodians of our data accountable to the highest standards. And if they fail at their jobs, we shouldn’t let them get away with it as easily as we do today.