So I can’t remember a username again. It’s one of those that I didn’t put in my password-lockup software thingy yet, so I’m going to go through the (in this case) labyrinthine process of getting a new username and password. The irony is not lost on me that if I were of more nefarious bent, I could skip all these gates and last-four-digit checks and go straight to not only my information, but that of thousands of others besides.
April saw us forget the Epsilon data breach, and handwave many other “smaller” day-to-day encroachments (Facebook, Google) into our online presences, but April is truly the cruelest month. Especially if you’re a Sony PSP account holder. Not only did they get trounced… er, attacked, the company waited six days before beginning to let folks know that a huge chunk of their data was in the wrong hands.
So it’s time for a really important question. Whose are the “right” hands? The corporations and brands that we trust with our data seem to have very slippery hands. Their competitors for data-holding (read: hackers) have very grabby hands. I’d like to humbly propose that the best hands to hold onto my data are my own. At the very least, I should be able to find out quickly what accounts I need to shut down, and exactly which companies have what data. And by quickly, I mean immediately. Not poring-through-credit-card-statements and searching-on-the-word-“account” in my email files quickly.
The upshot of this is a completely cheeky question, especially given that I don’t have management of a huge bank of Oracle computers. The question is this:
Why do all these companies need to keep all this information about us on file?
Think about it. Redundant storage of anything is inherently insecure. The more buckets you put stuff in, the more buckets you have to guard. And each of these companies is storing (some, it seems, in antiquated, flat-file, come-hither databanks) the same data, over and over, and not using it (they promise), except once a year when they renew our accounts. Oh, and those few times they email us about new products. And, yeah, when they “loan” our contact information out to a new, related venture. So. If they’re not using our data on a daily basis, why should they be storing it? Why shouldn’t they assign a hash-tabled username and passcode, tied to an email of our choice (preferably one that we’ve developed to give out to all those companies we trade with), and boot the rest of our data off the books once they’ve confirmed that we’re a person they want to do business with (which is, for the most part, everyone, right?).
I’m not necessarily arguing for a single ID, and I’m not arguing for net anonymity. I’m asking a potentially very dumb question and hoping to get some really smart answers back. Why can’t companies who require my data take only what they need, and leave the rest with me, so that I can in some form manage it according to how I see fit? (Once I remember what my password is, of course.)