Shostack + Friends Blog Archive


Carole King said it best

“It’s too late, baby”
Yeah, I’m dating myself, but Tapestry was huge, and she and Goffin had some serious songwriting chops.
Anyway, the “it” about which it’s too late is, yes, a relationship. An important relationship. A relationship which, while admittedly not exclusive, is “open” in a hopefully honest, fulfilling, respectful way. That relationship is the one you have with your personal information.
Well, bad news. That info is all over town, for anybody who can pay the bills, and you don’t know the half of it. That, at least, is the opinion of David Cowan, a VC at Bessemer Venture Partners, blogging about Lifelock:

It would be quite a stretch for you to imagine that somehow your data remain safely stored among all the vendors, doctors, banks, web sites, and government agenices[sic] whom you’ve engaged in your lifetime. More likely, your personal credentials are all for sale in black market exchanges like this one.
In other words, the horses are out of the barn. There’s little point trying to re-tool or regulate the world’s IT infrastructure to contain consumer data. Even if your concern is future generations whose identities are still safe from thieves, there are so many ways for data to leak that it’s futile to expect brittle secrets like our social security numbers to be both useful and sustainably confidential.

Here, Cowan echoes the response I got over a beer when I asked a knowledgeable observer of the financial industry how he’d estimate the number of compromised identities (I figured he’d know about fraud detection and so on). I knew I was in for some fun when his response began with “You’re not going to like the answer…”. It seems that in his opinion all our PII belongs to them. It’s merely a question of monetizing it. (Listen closely — that sound you hear is Lindstrom saying “Yessss!!!”)
I am not qualified to assess whether Lifelock or Debix, or any other player in this space is a sensible investment. I will say that, as I understand it, their value proposition could be obliterated with a stroke of the pen, which leads me to a conclusion, and to a question.
That smart people are willing to attach their names and wallets to these enterprises shows me that US consumers won’t have true control over access to their personal information for the foreseeable future because legislation providing it is seemingly not forthcoming.
To those who argue that the data are already all out there, my question is “Is that a falsifiable hypothesis?”

7 comments on "Carole King said it best"

  • Chris, you ask whether the problem (together with the value of Cowan’s investment) might be eliminated by legislation, “with a stroke of the pen”. But I think you have answered this question yourself by quoting Gerry Goffin and Carole King – “It’s Too Late Baby”.
    See my post on Service-Oriented Security

  • Chris says:

    I was a bit unclear. I said I was led to a conclusion and a question. My conclusion is that such legislation is not forthcoming (evidence: VCs supporting businesses due solely to the absence of such legislation). My question is how would one go about testing the “The data are already all out there” claim.

  • Adam says:

    I’m jetlagged and worn out, so maybe it’s obvious, but how can the value of these companies be wiped out with a stroke of the pen? Both are moving to make identity consumer-centric, rather than database-centric, and I think that has staying power.

  • Chris says:

    We’re both right.
    Congress could legislatively make identity consumer-centric, is what I meant (e.g., by altering the allocation of property rights to give us some variant of ownership over information about ourselves). That’s the “stroke of a pen”.
    The status quo has staying power because such a change is quite unlikely. The fact that smart people are betting on the status quo being maintained reinforces my belief on this issue.

  • Pete says:

    Not sure why you like to characterize me as some sort of gleeful demon... so, to be clear, I am not saying “Yessss!!!” at all. It never occurred to me that the situation was otherwise, and believe it or not I don’t get a whole lot of satisfaction over other people feeling worse. So I am not saying anything.

  • Chris says:

    Sorry, Pete. I meant that if you’re gleeful, it’d be over the fact that just as you said this stuff is already out there to such a large degree that protecting it is a misallocation of resources. I certainly don’t think you’re a demon, especially in the metaphorical sense of being glad that our personal info is “out there”. I apologize if my remark seemed any broader than that, because it was not meant that way.

  • Robin Wilton says:

    Chris – have you tried registering with for their Data Patrol service? It won’t tell you all of them, by any means, but I think I can guarantee you’ll be fascinated to see some of the ‘hits’ they get.
