I will guard them with my life. They are mine and mine only. I will never share my list with anyone, not even those within my house who may want proof that I am actually trying to build something rather than sitting in my office playing video games.
A new age
This all being said, we’re at the dawn of an era where companies are going to start being more careful with our data, at least in the EU. Don’t worry if you work for Equifax, you can continue to be completely haphazard and lax. After all, it’s not like you had any permission to gather and keep all the data you let out into the deep dark recesses of the Internet. We all hate you for that, and would willingly spend money to put you out of business.
That’s what’s changed. Consumers now know that certain companies have bad controls. I can tell you definitely after getting a master’s degree in information security, we’re all screwed. There’s a “risk versus reward” attitude that basically has companies gambling on nothing happening. Until the risk is too great (something GPPR is trying to create) companies will continue to be lax, get hacked and our data compromised.
My degree was more about policy than control. Implementing a policy was the important part because that’s the part someone, an external auditor, can look at and judge. Good information security isn’t that difficult, actually. Keep all hardware and software up to date, and use access control lists to only give access to people who need it.
Protection against stupid
But, the problem is deeper than simple technological issues. As the Senate pointed out in the Equifax hearing, “I don’t think we can pass a law that…fixes stupid.” And that’s the crux of what we’re facing. We are being protected by stupid, and stupid will make mistakes, it’s the nature of stupid. So how does one lone writer protect their data against stupid?
That’s a good question. One that makes me a little nervous if I’m honest because I have to trust external sources with my data. I use Evernote, and while I feel comfortable that I can get my data out of them at any time if they do something stupid, all my content could be exposed, or worse, removed. Hold one moment while I manually export all my content. And… the export failed because I have a title somewhere in 593 notes that’s too long. Guess what I’ll be doing later? This is a great example of the problem we will all face. Since one title caused a problem on my Evernote export, the export failed completely. It didn’t export everything except that one bad apple. Doesn’t that sound very similar to stupid to you? It does to me. It also highlights the problem with data being protected. Companies don’t really care about our data, they care about our money.
What choice do we have?
So let’s look at someone like WordPress.com or Medium.com. I have data up on both of those sites as well. I have to trust that they will protect me from evil. WordPress.com has an easy way to export my data, and I do so regularly (and will do again today). But I haven’t checked into Medium’s ability to do this.
I also have to trust MailChimp. As I do grow things, that data will be exported daily because that list will be my lifeline. That’s my customer list! Unlike these other companies, I will have that data sitting backed up four ways to Sunday. I run several Linux servers just for that purpose. They will also be encrypted because it is sensitive data, even if just a name and email address. But I realize what it really is, it’s the core of my business. Everything starts and ends with someone’s ability to purchase something from me (once I have something for sale, that is). That list of purchasing customers is the difference between me working for myself and me working for “the man” for the rest of my life. Don’t get me wrong, I like the man, he’s done me right. I just want to be in charge of my own destiny and feel what it’s like to have to pay for all of my own healthcare. I kid, I’m not looking forward to that at all, and I’m hoping this whole healthcare mess gets ironed out before I venture out on my own.
Gendarmes are the answer
Honestly, though, we’re all screwed when it comes to letting third parties protect our data. They don’t care about our data until they’ve fucked it up. Guard yourself. I have a series of posts about being safe online, there are some things you can do to mitigate any one breach. If you only give them unique data, you only have exposure one time. Equifax was another story, since we didn’t authorize them, and we can’t hold them accountable. We’ve all seen how well our government will respond to this crisis. They’ll call someone back to Washington and call them stupid. I’m sorry, but that just isn’t good enough for me.
I’d love to hear from you, please subscribe here.