Data are liability
- Swords cut both ways.
- -- Proverb
Data are liability (or "Data is liability") is a mantra in information security circles. It refers to the fact that whilst data can be useful to the user or holder, it can also be harmful to multiple parties, including the holder, subject, or others. Having, holding, collecting, contributing, or transferring data to another party, intentionally or otherwise, can have consequences.
A further factor is that the consequences are frequently not apparent. True risks may not emerge for considerable periods, and may be the result of unanticipated external changes: in relationships, in business ownership or control, in political events, or others. As such, data exist as a sort of toxic waste:
The metaphor is apt: the data collected by corporations and governmental agencies is positively radioactive in its tenacity and longevity. Nuclear accidents leave us wondering just how we're going to warn our descendants away from the resulting wasteland for the next 750,000 years while the radioisotopes decay away. Privacy meltdowns raise a similarly long-lived spectre.
Examples of consequences include: embarrassment, personal conflicts with friends or family, outing of personal, religious, sexual, or political beliefs, divorce, job loss, bullying or harassment, police investigations or arrests, blackmail, corporate espionage, financial disclosure, fraud, political vulnerability, national security matters.
If you choose to download, extract, process, and/or publish data, you are obliged to treat it with care, responsibility, and respect, to the data, those it concerns, and the potential risks to themselves as well as you.
The specific risks vary, but in general include:
- Data loss.
- Data exposure.
- Data modification.
- Denial of access.
- Out-of-date or inaccurate data.
- Change in ownership, control, beliefs, or orientation of data holder.
Data loss and denial of access principally affect the holder of the data. Data exposure principally affects the subject of the data. Data modification can affect both as the data may prove inaccurate, and hence, not useful, to the holder, or may create an unwarranted handicap or prejudice against the subject. Change affects all data in that reality moves one whilst records of it do not.
In addition to this, aggregation of information on a subject -- a person, group, organisation, or other entity -- may be used in ways detrimental to the subject's own interests, and quite often is. This may occur either by the rightful or intended holder of the data, or by unauthorised third parties.
The possibility of a change in ownership or control is particularly great. Amongst the more notable cases in recent history are use of ethnic and religious classifications, particularly in census records, during World War II. In multiple countries and under multiple occupations or continuations of government, previously benign information became weaponised. The United States interned residents and citizens of Japanese ancestry. Japanese occupation forces in China and the Philippines imprisoned, tortured, and killed residents. Dutch religious affiliation census records were used by Nazi Germany's prosecution of the Holocaust. Soviet forces utilised government records within occupied territories to similar ends. Though the degrees of badness varied, there were few if any good actors in this period on this score, and there are numerous other examples, most sufficiently recent to be far more contentious to discuss.
The list of data breaches is sobering: healthcare, social networking, ticket distribution, financial, online dating, geneology, retail, telecoms, credit ratings, and that's just the top of the list.
In the context of online or social media migrations, the risks are that a large trove of data previously held by a service provider or providers, is now in the hands of a user. The relative risks are shifted:
- Service providers often present single-point vulnerabilities for manipulating or extracting data, and are highly visible targets.
- Large, well-funded, diligent, competent, and reputation-aware service providers may be capable of detecting and thwarting such attacks.
- Attacks may be technical, social, legal, or involve the assistance or coercion of individuals with access or control over resources.
- Individual holders of data are not single points of failure (SPOFs), but frequently are not as capable of detecting or thwarting directed attacks.
- Individual holders of data generally have increased exposure to accidental loss, as with theft of storage (a laptop or desktop computer), natural or other disasters (fire, flood, severe weather), misplaced data, loss of access credentials, etc.
- Data archives contain not only information of, by, and about the accountholder, but by others they've interacted with. There are external parties concerned with any data extraction, processing, storage, and upload. This includes the risk of publicising data initially intended as private.
It is difficult to compare these relative risks. Large and sophisticated organisations have experience massive data loss. Individuals lose personal records all the time. Risk mitigations can be take. Most involve cost and convenience trade-offs.
- Cory Doctorow, "Personal data is as hot as nuclear waste", (The Guardian) 15 January 2008. https://www.theguardian.com/technology/2008/jan/15/data.security
- Marc Hochstein, "Customer data is a liability", (American Banker) 5 January 2017. https://www.americanbanker.com/news/customer-data-is-a-liability
- Marko Karppinen, "Data is not an asset, it’s a liability" (Richie.fi) 10 September 2015. https://www.richie.fi/blog/data-is-a-liability.html
- Marko Karppinen, "Why Data Can Be More of a Liability Than an Asset" (_Ad Age_) 28 October 2015. https://web.archive.org/web/20170209134005/https://adage.com/article/guest-columnists/data-a-liability-asset/301078/