So a security hole in one?
Fore-get about privacy, golf tech biz leaves 32M data records on the fairway
Nearly 32 million records belonging to users of tech from Trackman were left exposed to the internet, sitting in a non-password protected database, for an undetermined amount of time, according to researcher Jeremiah Fowler. Trackman is a technology company that uses Doppler radar to analyze golf swings and shots. The PGA Tour …
COMMENTS
-
Thursday 10th October 2024 14:50 GMT Anonymous Coward
Data custodians + access key
That's why most companies should be forbidden to collect or store personal identification data.
Instead everyone should choose from a few reliable custodians. For example Apple, Google, etc. Those could also be national bodies, like tax authorities etc. But all must use a common standard to help compete and enable changing a custodian. A large data leak should make the custodian lose the data holding license. Governments should pay custodians for the service.
Other companies should only have a unique person's number, generated for a specific contract/service. And a key to access necessary data from custodians ONLY for specific transactions. The person should be messaged on each access. Data should never be shared with 3rd parties. Instead they will get keys as anyone else.
Blockchain can be used to keep the data consistent: people do not change addresses, emails or phone numbers often. This will also protect from identity theft or reveal scammers. Users or custodians should not be able to modify or delete the data, unless for specific policy/reasons.
-
Thursday 10th October 2024 15:48 GMT IanRS
Re: Data custodians + access key
No! No! No!
You want to give companies who are already the world's biggest trackers the information about where everybody is going for every site which is personalised enough to require an individual's data? And make it so that when their systems go down, nobody can get into anything at all? If you think they can make it 100% reliable, just consider Office364. And then store everyone's data on a blockchain? The whole point of a blockchain is that it is public so that data and changes to the data on it can be seen by all parties.
-
Friday 11th October 2024 11:43 GMT Anonymous Coward
###
> where everybody is going for every site
They are already custodians. Every single service with PII asks for my email to send updates, to register etc. Your phone OS is a single point of virtually ALL your personal data.
> when their systems go down
With multiple custodians it is possible to create a distributed database with fallback if one is down. As a user you would choose, say, 3 of them.
-
Monday 14th October 2024 08:22 GMT Valeyard
Re: ###
> Your phone OS is a single point of virtually ALL your personal data.
If you choose it to be; my Nokia 2660 can't be lumped into that statement. In fact a deep analysis of my phone will only show the outgoing and incoming calls will have a 100% correlation with when my wife went into one shop while I went into another and we had to find each other again afterwards.
-
Friday 11th October 2024 06:29 GMT DS999
Re: Data custodians + access key
Blockchain allows correcting mistakes just fine, what it doesn't allow is erasing old data. So not only would your current address be in that database, but all your previous addresses. If someone erroneously input your SSN in place of your telephone number, it will be stuck in that blockchain forever!
-
Saturday 12th October 2024 10:21 GMT Richard 12
Immutable is wrong, though
It is a core requirement that errors can be corrected, with the wrong values expunged entirely and irrecoverably - although not the fact that a correction was made.
And of course one of the possible errors is that the user identity never existed, but was an unauthorised clone of some other identity.
There is an argument for a "cooling off" period before permanently erasing, but not a long one.
These are legal requirements, and if you think about it you'll realise why any immutable system is rightfully unlawful.
-
Friday 11th October 2024 06:27 GMT DS999
Putting all your eggs in fewer baskets
Just means more eggs are in jeopardy when the basket gets swiped. Google, Apple, Amazon, Microsoft, etc. aren't immune to data theft, they just know that they have a lot of it so they have a bigger budget to protect it. Even if they had perfect protection against outside threats, I'll bet all are vulnerable to insiders. The more data they hold, the more someone on the outside would be willing to pay an insider to compromise it.
Heck, even the NSA was vulnerable to an insider attack, and I wouldn't be at all surprised if they were still vulnerable - requiring "two in the box" for any access to sensitive data massively increases your costs, while making a few feel-good changes to your employee evaluations claiming that'll catch potential insider threats before they act is much less expensive!
And the licensing? Please. Even if the political will existed to pull the license of a Microsoft or a Google, imagine the massive headache for a million apps to be updated to migrate their data to someone new. Some of those apps no longer getting updates, or maybe the developer thinks "pulling Google's license was a political hit job, I'm keeping my stuff there even if they aren't licensed!" Then what, does the government go after him for using an unlicensed custodian?
And of course throwing in the magic "blockchain" word at the end, as if that helps at all. Blockchain does not protect against data theft in any way, its only benefit is allowing many people to update a common database without being able to overwrite the history. There is zero benefit to say Google using it to protect the data they are custodian of. Clearly you don't understand what blockchain is good for, and are behind the times with magic technologies - you should be claiming AI as the solution!
-
Friday 11th October 2024 12:01 GMT Anonymous Coward
Re: Putting all your eggs in fewer baskets
> more eggs are in jeopardy
I bet your PII flows through at least 100, if not 1000 companies and their partners. So purely probabilistically, it is impossible not to leak them. Especially as the great majority have no clue how to manage data properly.
Only a few data points need to be held by custodians: identifiers such as address, social security number, phone, passport data. Service-specific data, such as X-ray, or health history will be held by each company. But PII-stripped, with a unique person ID number, year of birth, first name, initials and user-chosen nickname maybe.
Anyway, every person uses email daily, therefore why cannot a customer service use a 3rd party socket to get your full name when they need to call you?
-
Friday 11th October 2024 19:24 GMT Anonymous Coward
Re: Putting all your eggs in fewer baskets
> I bet your PII flows through at least 100, if not 1000 companies and their partners.
I assume you're in the USA based on your use of the term "PII". In Europe, data protection law uses the term "Personal Data", which includes more things than the USA-prevalent term "PII" covers.
> Anyway, every person uses email daily
I don't use it daily (i.e. EVERY day), am I the exception that proves the rule? I might use it most days or many days of the week however.
-
Friday 11th October 2024 12:35 GMT Anonymous Coward
Re: Putting all your eggs in fewer baskets
> headache for a million apps to be updated to migrate
Only new ones. One has to start somewhere.
Custodian database should be distributed between several custodians. So if one is out - the rest will take over immediately, also for reliability of the system.
-
Friday 11th October 2024 07:28 GMT Ball boy
Re: Data custodians + access key
'That's why most companies should be forbidden to collect or store personal identification data.
Instead everyone should choose from a few reliable custodians. For example Apple, Google, etc'
Your opening salvo was a great start and had promise but I fear the cracks started appearing at 'choose from a few reliable custodians. For example Apple, Google, etc'
-
Friday 11th October 2024 21:32 GMT Terry 6
Tech company
You can sort of understand if a commercial organisation makes a mistake/is stupidly negligent in such a matter. If you are making shoes or peanut butter you may well not be too tech aware.
But if you are actively doing tech stuff as your business then this should be bread and butter.
A tech company not employing basic security is like a soft drink company not putting the lids on the bottles.
-
Saturday 12th October 2024 10:31 GMT Anonymous Coward
Re: Tech company
A tech company not employing basic security is business as usual.
Fixed it for you.
Almost all "tech" companies launch without any thought of security. They wait until a massive leak becomes public knowledge, then announce that "security is very important", and at that point usually do ... nothing much, unless they think they might be able to claim back the cost of developing the security they should have had in the first place.
The real problem is that in most of the US, for most businesses the absolute maximum cost of abject failure appears to be around $1-5 per person for "one year of credit monitoring".
In some other places it's much higher, but as most "tech" company CEOs think the US is the only place in the entire world...
-
Saturday 12th October 2024 10:47 GMT Anonymous Coward
Re: Tech company
When we live in a world where a company could "steal" its own data, sell it, pay the fine and still come out ahead, did we think the story would be different? Certain expensive security now or uncertain cheap fine later? What is a CTO to do?
(Fortunately, my employers don't behave like this, but I'm still posting anonymously! There is cowardice and there is keeping your head below the parapet).