back to article If you didn't store valuable data, ransomware would become impotent

Sixteen years ago, British mathematician Clive Humby came up with the aphorism "data is the new oil". Rather than something that needed to be managed, Humby argued data could be prospected, mined, refined, productized, and on-sold – essentially the core activities of 21st century IT. Yet while data has become a source of …

  1. Doctor Syntax Silver badge

    If data is to be sold valuing it shouldn't present any problem at all. It's based on what customers* are prepared to pay for it. Ironically the data that's hard to value is that held by businesses who are more ethical and don't sell it on.

    * That's the data customers, not the customers who are mere data subjects

  2. Prst. V.Jeltz Silver badge
    Paris Hilton

    Let your customers hold their own data, and ask them for (limited) permission to use it

    who is this article aimed at exactly?

    1. Josco

      Me.

      I think it was aimed at me, I found it interesting.

    2. Anonymous Coward
      Anonymous Coward

      I tend to agree. Felt like a bit of a non-article. Would have been better with some thoughts on a foward strategy rather then just tapering off..

    3. logicalextreme

      Tim Berners-Lee advocates, I think.

      https://solid.mit.edu/

    4. doublelayer Silver badge

      As far as I can tell, it's aimed at companies that don't do anything. Sure, a company asking users for permission to get data from them and not store it sounds great, but for privacy reasons not for ransomware protection. No company that's willing to bypass restrictions on data collection is going to take that approach because they don't want users to have privacy from them. However, none of that matters, because whether they get user's data from them or from storage, they'll still have valuable data of their own. Their financial records, the code they analyze data with, their communications and contracts, and all the other data generated by the process of doing business is valuable to the company and not owned by someone else. They don't have the option of asking their customers for that because it's not the customers' data, so ransomware still has something to take from them.

      The solution to ransomware is not some mythical privacy-supporting process, as nice as that would be. It's a good set of backup arrangements. There is no way to avoid having to back up your data if you want to have it later.

  3. 2+2=5 Silver badge

    So instead of...

    So instead of holding all your customer's data centrally the idea is to store it de-centrally and somehow this protects from ransomeware attacks?

    1) Ransomeware will evolve to encrypt the remotely held data.

    2) The author assumes that the only valuable data a business has is its customer database. What about payroll, tax payments, bank information, product designs, supplier contacts and details etc.? There's plenty of data that a business needs to survive which is not linked to customers.

    1. Charlie Clark Silver badge

      Re: So instead of...

      Presumably the article is a prelude to some kind of product recommendation (Pesce has form) involving distributed personal data storage using a blockchain…

    2. Doctor Syntax Silver badge

      Re: So instead of...

      There's a lot of data a business needs to survive. It's their data and possibly they may be a little more motivated to look after it. Maybe they won't but if they suffer a breach it's just their problem.

      If it's customer data it's a lot of other peoples' problem. The significant difference there is trust: the customer's trust the business and the business fails to live up to that trust despite all the protestations about that after the event.

      As to decentralising data, the general thrust of the article seems to be that it's the customer who looks after their own data. Let's say I want to order something online on this basis. What needs to happen in data handling:

      1. I select what I want to buy, I go to the checkout page. I enter my name and delivery address. That's in my own memory where it's not open to a ransomware attack.

      2. I enter my bank account details which I copy from my hard copy bank card. This may well be verified by the bank's own pop-up app. The bank already holds my details, that's inevitable. I hope that my bank is a lot more secure than the average retailer. It's not 100% but ultimately it's the bank's problem if they're not, they're regulated more effectively than the retailer. That last statement is worth reflecting on.

      3. The bank confirms the purchase to the retailer.

      4. The transaction is confirmed back to me on screen, possibly offering a PDF to download and I can take a note of that. No email is needed. I am, however, holding my copy of that, possibly on my computer although I could make a written note or print the PDF.

      5. The retailer prints a picking/despatch note and a shipping label.

      6. At this point the company doesn't really need to keep personal information online any longer and can delete it. A summary of the transaction without these details can stay on their system.

      7. When I receive the goods I can retain the packing note and delete any reference to it on my computer or retain it at my own risk - I'm not placing anyone else at risk.

      Before anyone gets het up about needing to keep this in case of delivery problems, warranty claims etc. they have this on the picking note with the personal data on it; once delivery is confirmed they can dispose of that. If I have a complaint down the line it's up to me to produce my copy of the despatch note or the electronic copy of the order acknowledgement if I chose to keep that.

      The retailer's holding of my PII is limited to the time needed to print out the paperwork. My holding is at my choice. The long term holding of information by the retailer is more or less what they'd have held if I'd walked into a shop and paid cash for the item, a business model which has worked for a few thousand years.

      1. stiine Silver badge

        Re: So instead of...

        But they do, sort of, because zero trust also means they won't take your word that a 9 month old widget has broken and you think they need to replace it.

      2. AVR

        Re: So instead of...

        If your business is an online shopfront with no obligations to the customer and nothing more you can make this sort of distinction. That's fine if you're selling scented candles but what if...

        You're selling new cars. There's a load of data you've legally got to have for service and product recalls.

        You're providing financial services. You've got to know your customer well enough to meet anti-money laundering and tax legislation, and your customer may well expect you to provide personalised service.

        You're providing legal services. Like financial services except now add holding legal documents for the customers.

        You're providing medical services. Now the customer data is stuff you have to hold, customers may have to have access to it (depends on jurisdiction and the exact business), and losing it is bloody terrible.

        Sure, there are businesses which can get away with having an online orders server which talks to nothing else, or a service provided by someone else for that, but I think more will be like the above.

      3. Stork Silver badge

        Re: So instead of...

        In some cases, vendors are required to keep details on their invoicing system for a period after the sale.

      4. Allan George Dyer Silver badge
        Joke

        Re: So instead of...

        @Doctor Syntax - "I enter my name and delivery address. That's in my own memory where it's not open to a ransomware attack." - Yet. Someday soon Google is going to announce a brain interface where they can access your memories.

        Icon - I hope!

        1. Anonymous Coward
          Anonymous Coward

          Google Brain Interface

          No, Google will not announce it. They will build it into products and quietly sell them to governments with out-of-country interrogation sites.

    3. Matthew Brasier

      Re: So instead of...

      This is the kind of argument that normally appears before someone tells you that Web3 will solve everything. Early web technologies such as PKI, web servers, email, etc envisaged high levels of decentralization, with everyone running their own web server, managing their PKI trust chains, etc. People don't want that. Cryptocurrencies and NFTs are already showing us that if you leave end-users to control their own security permissions they get scammed left, right and center. Giving people even more fine-grained permissions and asking them to take responsibility for managing that themselves is a recipe for disaster.

    4. My-Handle Silver badge

      Re: So instead of...

      The author assumes that the only valuable data a business has is its customer database

      I was thinking the same, just from reading the headline. An ex-employer of mine got hit with ransomware a while ago. They ran an e-com platform, which didn't actually store any data beyond a customer's address and order details. And that data was secure on a web server, segmented from the compromised internal network. No, the biggest damage that the ransomware attack did was the cost incurred from loss of production while the network and machines were cleaned of the nasty and restored from backups. The second biggest damage were some proprietary product design files that had been backed up to an online NAS disk. It being online, it was also compromised of course. There were offline backups of these files, but they were months old and nearly useless.

      Neither of these issues would have been helped even slightly by "getting the customer to store their own data". As a course of action, it wouldn't even have been relevant.

    5. Vir_Floridanus

      Re: So instead of...

      This is not a solution it’s a shift of the problem although distributed data will avoid the multi-million record mother lode hacks associated with centralized repositories.

      Also, even if businesses have no data at all, their operations are just as valuable and encrypting or disabling OT can cripple any business and be exploited for extortion as well.

  4. Anonymous Coward
    Anonymous Coward

    A pattern emerges...

    "Let your customers hold their own data, and ask them for (limited) permission to use it."

    AKA "Give the responsibility to the person with the least amount of knowledge and ability to deal with it and pretend you have solved the problem because it's no longer yours.".

    Sheesh.

    Co-incidentally, I have literally just finished doing my company's Data Protection course. After reading this article I see the course in a much better light...

    1. Doctor Syntax Silver badge

      Re: A pattern emerges...

      Do you not already hold your name and address in your own head? Can you not enter them into an online order form as required?

      Don't over-think this.

      1. My-Handle Silver badge

        Re: A pattern emerges...

        And it's widely known that most cyber attacks tend to start with some form of social engineering. It's amazingly easy to persuade someone to part with some of their sensitive information. At least large companies tend to train their workers to be resistant to these kinds of attacks (yes, I know some don't. And that the training isn't always effective).

        The above is a pretty good analogy, if you substitute the humans for machines. In a centralised location, you can take co-ordinated steps to secure data. If that data is spread amongst customers' machines, it's a more diffuse but an easier compromised target. And, potentially, an attack vector.

    2. This post has been deleted by its author

  5. Mike 137 Silver badge

    Definitions?

    "Businesses now face not just data loss but data theft

    In English law at least, loss and theft have the same outcome, as theft is defined as to 'permanently deprive' the victim of the asset in question.

    We really should start to distinguish between loss and exfiltration. 'Loss' means the data is no longer available to the victim (as in the legal definition of theft) but exfiltration does not. Data may be exfiltrated by copying it, while still leaving the original available to the victim.

    1. Slipoch

      Re: Definitions?

      The difference is legal,

      Data Loss - the data is gone but no-one unpermitted has it.

      Data theft - the data is in the hands of a 3rd party that is not permitted to have it normally.

      This argument is essentially an argument based on limiting the liability of a company and very little to do with protecting data. If someone gets that far into your systems, they would be able to put monitors and keyloggers on your website and steal the data direct from the customers anyway using a MITM attack between the site and the payment processor.

  6. mevets

    If you stare at anything long enough, blockchain emerges as the solution.

    Kidding aside, this is rather pointing towards a world where I own my data, which I permit companies to make restricted transactions upon. A block-chain like structure may be a viable way to enable those transactions.

    1. Doctor Syntax Silver badge

      Let's settle for something easier. How about a standardised name and address entry form? For those who really can't - or can't be arsed - to type it in themselves they could have a matching text file and copy and paste it.

      Yes, I'd put myself in the second category.

      It would need some thought: no assumption that everyone lives in a "city", not assumption that all street addresses have a number and no assumption that postal codes are numeric.

      1. Fred Daggy Bronze badge

        ... and that not everyone lives in "some state" or "Canada", but somewhere else entirely.

        1. Allan George Dyer Silver badge

          and no assumption that every place has a postcode at all.

  7. The BigYin

    An old idea

    I am pretty sure this very idea did the rounds ~15+ years ago.

    It jives well with us nerds/geeks who want to control our data (becasue we understand the risks) and know how to. Not so well with Granda Miggins who just wants their cat pictures.

  8. Fading
    Coat

    The other option....

    Is everyone has all the data. May seem crazy but stick with this thought for a moment:

    In this situation if I need to prove that you are who you say you are (lets say for purchasing) - then I can use as much of the data as I want to satisfy myself that not only are you that person you say you are but you also have the means and funds to purchase what you want. That purchasing record then becomes another piece of data that everyone has access to. This omni-data model would initially need to be inviolate (well at least cascade change proof) (blockchain all over again) - but as contradiction cannot exist in nature the data would self-correct as more is collected.

    Ransomware only exists because companies and individuals hold data no one else has got - if we all have it all there is nothing to ransom.

    And if this omni-data is used nefariously - well that becomes part of the data and the nefarious agents become visible for all to see....

    Hmm might have overdone it with the meds.....

    1. Doctor Syntax Silver badge

      Re: The other option....

      "Hmm might have overdone it with the meds....."

      You might indeed. The value of PII isn't that only the data hoarders hold it, it's that it is unique for a given individual. The value to the data subject is intrinsic and not determined by the number of people holding it.

      I can't off-hand think of a closer equivalent but this will do: it's like saying that if everyone were burgled then nobody's any the worse off because everyone else is in the same situation.

      1. logicalextreme

        Re: The other option....

        Companies aren't bad at using that line though.

        "I don't have time to do this in addition to my actual job, we need dedicated resource or nothing will get done properly".

        "Well I'm afraid everybody's under pressure, not just you".

        1. logicalextreme

          Re: The other option....

          Or, not related to the OP's topic, but also a stupid thing that companies say that I like to rephrase within the analogy of burglary and then repeat back to them, is something akin to "we don't need alarms/locks/doors/to hide our valuables/to reduce the number of unnecessary valuables we have; burglary's against the law so it can't happen to us, and if it does the perpetrator will go to jail".

    2. logicalextreme

      Re: The other option....

      It's not a model that's unheard of. I'm somewhat of the opinion that everyone's healthcare/genetic data should be fully accessible to anyone who wants to see it, as anybody from doctors to script kiddies would be able to mine it for patterns and we'd hopefully be able to propose formal studies and trials that had a lower chance of failure, meaning lower drug prices/decreased mortality. However it would also have to be the case that there was no stigma surrounding medical/mental health conditions (opening it all up would hopefully accelerate the reduction of such stigmas, but not eliminate them) and that it would only be used for good (e.g. not selling people stuff/making outrageous profits from healthcare, no genocide, no eugenics etc). People would only be less prissy about their data if all those conditions were met, which is certainly not a possibility given current evidence; and furthermore even if you could trust everybody right now the potential risks would still be there. Once you'd opened the door there'd be no going back except for new data.

      Completely open healthcare data is a common enough pipe dream that it's mentioned in some of the NHS documentation about data protection/consent regs — essentially saying that there are plenty of people who don't care who has access to their healthcare data, but you still have to get their consent to use it or transfer it for the most part (this predates whatever the hell shady crap happened last year where they tried to change the rules on the QT).

      1. doublelayer Silver badge

        Re: The other option....

        That is never going to happen, at least the "no stigma" part. It's also insufficient. You don't only need to remove stigmas about medical history, but every single possible bad use of the data. For example, use for discrimination, tracking, or impersonation. Eliminate all of those and we can talk. Until you have done so perfectly, I will oppose this suggestion in every way I can.

    3. doublelayer Silver badge

      Re: The other option....

      There speaks someone who doesn't know what can be done with your data. If you've ever had a chance to tell someone something and didn't, you should know why we don't want every action we've ever taken to be publicly recorded for everyone to use. Take a simple example from your own data: if all our financial records were available, it would easily lead to people using them to decide what we can be paid or charged. An employer would look at our purchasing history and decide we don't need a raise and in fact could take a pay cut without harm. A store could look at it and decide that we can easily afford to pay more for the product. That's just a simple algorithm, and I assure you there's much worse to do with that data alone.

      By the way, nefarious uses would not become easily obvious, because an attacker would read the publicly-available data and approach their target offline for whatever use they had in mind. Unless you want all conversations recorded and uploaded, there will be ways to hide some things. If you do want them all recorded and uploaded, you assume that someone will listen to all of them to identify unethical activities even though it would be infeasible, and you have a very bad understanding of how that can cause problems. I'll assume you weren't going that far. In short, your suggestion is infeasible and fragile, which is at least somewhat reassuring because, if implemented, it would be dangerous and frightening.

    4. Allan George Dyer Silver badge
      Big Brother

      Re: The other option....

      @Fading - I think you needed this icon, once each for the world population:

  9. Gene Cash Silver badge

    How?

    Let your customers hold their own data, and ask them for (limited) permission to use it

    If I order something, they're going to need to remember my address to ship it to me.

    They're also going to need to remember my phone number or email, in order to update me on the progress or resolve any issues.

    That's the valuable data a business is built upon.

  10. VoiceOfTruth

    Sony

    -> Sony barely survived the reputational damage of the serious attack it endured in 2014

    And what about Sony's own rootkit infiltration of users' PCs? I would have a few more nanoseconds of pity for Sony if they weren't hackers themselves.

  11. VoiceOfTruth

    Valuable data

    Perhaps it is time to stop seeing data as valuable, but as a debt. The more you have, the more debt you have. Assign it a negative value in £$€ terms, then try to minimise how much of a loss you have.

  12. Pascal Monett Silver badge
    Trollface

    "Who will want to do business with you in the future?"

    Ask Talk-Talk.

    Somehow, they're still in business.

  13. steelpillow Silver badge
    Thumb Down

    Let your customers hold their own data, and ask them for (limited) permission to use it.

    But customers are lazy. We all flock to the "let us store your data securely, so you don't have to" services. Refusing to store it means we will just use some other more convenient but less ethical service.

    Then again, with the modern trend fort web browsers to open their souls and assholes to every prying bit of XSS javascript out there, combined with the WWI-pilot life expectancy of the average teenager's iPhone, who in their right mind will store their data locally?

  14. TiredNConfused80

    ...(and regularly test)....

    Oh look at you with your actual budget..

  15. Anonymous Coward
    Anonymous Coward

    Nothing financially valuable on the home PC. Do have a lot of photos, videos and (bad!) reason projects that I would like to be able to go back to.

    There's a reason I keep multiple backups on different media types.

    The work machine on the other hand, were ransomware to get out into the wild through that and disrupt something important that would be headline news. Assuming the news were still functioning that is...

  16. js6898

    How's this for an aphorism - data isn't data unless it's read-only.

  17. Auntie Dix
    Mushroom

    Pot-Headed Article

    "...your inability to keep private data private... Who will want to do business with you in the future?

    In an ideal world, no one, but in this world, we neglect to euthanize the apathetic, as Fecesbook's stunning worldwide membership total proves.

    Piss-poor and absent privacy laws result in quick (news, today; forgotten, tomorrow), PR-spun, minimum-disclosure, minimum-consequence rebounds for all security-breached businesses, from mega-retailers such as Home Depot to essentially unregulated credit-bureau cartels, including members such as Equifax.

    An apathetic public continues to shop just as before at breached Home Depot, Michael's, Target, [insert long list, here], etc., and remains ruled by Equifax et al.

    As long as America's Injustice System pats itself on the back while Big Biz lobbie$ corruptible lawmakers, you and your data will be raped.

  18. Tron

    Data can work from home.

    We need distributed software and we need it now. Kiss goodbye to most of your bandwidth and storage costs.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like

Biting the hand that feeds IT © 1998–2022