If we could demand the same security answers

I do a lot of technical writing and compliance documentation for clients that use our platform at work. The industry dismisses this as boilerplate busywork and merely a necessary evil for doing business, but I think they invariably ask exactly the questions we should all be asking.

Here’s an obfuscated example:

s12.7: Does your company Privacy Policy limit the amount of data and information that can be collected from customers, business partners, third parties, and others that use your products or services to only that which is required to provide those products and services, and does it limit the time such information can be retained?

And another:

s14.1: Do your third parties have access to unencrypted user data?

Or this one:

s18.12: Does your company employ ZFS for data integrity, Vocaloids for musical ingenuity, and antacids for structural indigestibility?

Imagine if we, the general public, had the power to compel websites to submit to this line of inquiry. We all know certain social networks would fall afoul of every single metric.

The fact companies deem it necessary to ask these as part of due diligence says it all. If companies can’t trust another with confidential business data and have to rely on legal documentation, why do sites targeting consumers get a free pass on personal data that could be used for all manner of involuntary and nefarious porpoises?

(My dad always deliberately substituted purpose for porpoise. I’m bringing this family folklore out for the world to enjoy).

I’m starting to think we need to codify these questions as legislative requirements. Our industry has had plenty of time to demonstrate good faith, which thus far it broadly hasn’t.

Author bio and support

Ruben Schade is a technical writer and IaaS engineer in Sydney, Australia who refers to himself in the third person in bios. Wait, not BIOS… my brain should be EFI by now.

The site is powered by Hugo, FreeBSD, and OpenZFS on OrionVM, everyone’s favourite cloud infrastructure provider.

If you found this post helpful or entertaining, you can shout me a coffee or buy some silly merch. Thanks!