Exactis data leak: Blockchain can’t come soon enough
This data leak is a problem. The next one will also be a problem, as will the next and the next and so on.
Distributed ledger technologies like blockchain are all about trust. Specifically, its complete absence. The idea is that "trust" implies a certain level of faith, and an understanding that extending that trust might be a mistake. As such, the blockchain is about trustlessness. You don't need to trust, because you can know with 100% mathematical certainty that it's decentralised beyond the reach of a single entity and completely immutable.
For example, data stored on the blockchain can be mathematically proven to be inaccessible except to people with the appropriate login details. It's not perfect – someone might lose their logins, or their home computer might be hacked – but trustless data storage is infinitely more secure than today's norm.
Anti-blockchain advocates will argue that the technology isn't useful, that trust has served society well for millennia and that decentralisation is too inefficient to be worth it. The Exactis data breach says they're wrong.
The Exactis data leak
Exactis is a marketing and data aggregation firm, and it collected exceptionally detailed data on some 340 million people. The data appears to have been acquired from various sources, including publicly accessible records and some of the customer data that's routinely bought and sold. It was trusted with this data, but instead just let it all hang out on a publicly accessible cloud server.
Anyone who cared to look for it could just head over to the database and find detailed information, including people's phone numbers, home addresses, email addresses, age, gender, how many children they have and those children's ages and genders, pets, interests, smoking status and hundreds of other data points.
It's not clear how long it was hanging out in the open air or how many people scraped up all its data while it was, but it went unnoticed until someone happened to stumble across it by accident.
When WIRED asked the discoverer to pick ten specific individuals out of the database, he quickly managed to find six of them without trouble. Whoever you are, there's a good chance your data was among the trove that was just hanging out on the Internet for anyone to pick up.
"What makes the Exactis breach noteworthy is not only for the number of customers impacted, but also for the depth of compromised data," said Bruce Silcoff, CEO of the Shyft identity management network. "It's been reported that every record includes more than 400 variables of personal characteristics."
Do you remember giving Exactis, which apparently can't even secure a server, the permission to harvest, store and profit from your data? You probably didn't. Instead, you ticked a box somewhere on some website, or simply provided necessary data to a company so it could serve you as a customer. Those companies then sold your data onwards and it trickled around the Internet, landing in many different hands, including Exactis.
Sensibly, given its poor data security habits, you never chose to trust Exactis. You never chose to trust many other companies with your data either, but their databases are also hanging out on the Internet, vulnerable to hacking.
All centralised databases are vulnerable, and there's something very unfair about shady companies making money by recycling your data between them. Effective personal data security for the future needs to start with individual identity itself, and give every individual control over their own data. No entity can be trusted with this data, so the only solution is trustlessness.
"The reality is that we live in a digitised world and all our interactions on social channels are recorded, and this isn't stopping anytime soon. The centralised storage of user information makes institutions like Exactis hacker bait. Never has there been such urgency nor opportunity to introduce a disruptive alternative to an antiquated system and solve an urgent global problem," Silcoff says.
The only alternative is to keep on blindly trusting companies like Exactis.
"As a society, we have an unfounded level of trust in institutions to collect and store our highly coveted personal data," Silcoff notes. "Unfortunately, the way that institutions handle data continues to put users at risk. The Exactis breach is the largest example to date of a centralized database that has compromised user data on a grand scale – further demonstrating the global identity epidemic at hand and desperate need for a remedy. Fundamentally, we have to change the way we define identity, how we use data, and help individuals take back control of their digital footprint."
The good news is that solutions are on the horizon, with Shyft and other companies coming at the problem from different angles.
Shyft is focused on an interoperable network for securely managing the supply chain of data, from the individual users who provide it to governments and companies that use it. This kind of system might have made it much easier to see where exactly everything in Exactis' database came from.
Others, such as Civic, are coming at it from a cryptocurrency angle, focused on solving the data security problem while directly serving the business purpose of reducing the redundancies of customer verification. There is also the Pillar Project, which is focused on creating a secure way for individuals to actually control and use their own data. Established companies are also getting involved, with Microsoft hoping to release a blockchain identity management system sometime in 2018.
It would be nice if blockchain really was, as its critics say, a solution in search of a problem. That would mean there isn't actually a problem, and that your personal data isn't being pimped out all around the world right now.
Disclosure: At the time of writing the author holds ETH, IOTA, ICX, VET, XLM, BTC, NANO