2008-08-22

UK Gov't and Lost Personal Data

Slashdot is running a story on "UK Gov't Lost Personal Data On 4M People". I follow these stories (as previously posted here) because the management of Personally Identifiable Information is probably one of the hardest and most vital issues we have in front of the internet in the next decade.

As I have observed previously in this blog, computer programmers are beginning to build systems that substitute for subtle, key social infrastructure that we (as mere programmers) have no idea that we are replacing. As computers take over the duties of identifying social standing, trustworthiness, and other faculties that used to be purely human domains, either the protection of key information for each person becomes deathly important or our ideas about how to verify identity have to be redesigned on a global scale.

Daunting, serious issues that will probably not be addressed until there are truly severe consequences to either the financial system or civil liberties. These are the core issues I set out to explore in this blog originally. In the simplest terms, the software engineering and the software design of the world's information systems need to grow up. And fast.

Unfortunately, the concept of "data guardian" feels like a hack and not a good one. I think we need to design information systems that obviate the need to keep PII secret at all... or systems that eliminate the need for the transmission of PII. Such systems would probably have to operate in radically different ways on the human level.

A fundamental property of information is that it is easily replicated; the idea that we must prevent the spread of a specific class of information is like fighting the tide. Instead, redefine identity and authority. If you must have a "secret ID key" (aka Social Security Number in the US), allow it to be easily changed.

Until society adapts to these ideas, we all must carefully protect our personal information, and those of us who write software to deal with credit, visas, or medical data must be vigilant beyond the immediate call of duty. Your web application might lead to someone's identity being stolen. Please think about that.