Simpler is more secure - why £183 million British Airways GDPR fine is harsh but the right thing to do

(Image: Complexity vs simplicity)

The whopping, record-breaking £183 million fine the ICO has announced it intends to impose on British Airways is a huge amount of money, but it's a necessary incentive for companies to invest more in securing our private data.

To be fair to BA, the likely cause of this latest huge data breach (as suggested by a fascinating break-down by RiskIQ) isn’t the most egregious of errors that we’ve seen recently.

For example, it's not like Attunity leaving terabytes of company backups (emails, OneDrive backups, passwords, contracts, project specs) belonging to half of the Fortune 100 publicly exposed on the internet in an Amazon S3 bucket. S3 buckets are private by default; you have to explicitly do work to leave them exposed, which raises the question of how on earth this happened.

It's not like the IoT vendor Orvibo collecting, for no obvious reason, and leaving publicly exposed more than 2 billion logs from smart home devices (usernames, passwords, email addresses, precise coordinates of people's homes).

It’s not like millions of Bluetooth LE devices being vulnerable because hardware vendors had copied and pasted sample code from the BLE specification straight into their source code, without changing the sample encryption private key it contained.

British Airways, on the other hand, from what we can tell from RiskIQ's analysis, was probably caught out by a fairly sophisticated and targeted attack that somehow modified a third-party JavaScript file used on a payment page. A script running on that page sees card details as the customer types them, so transport encryption does nothing to stop it. The reason the change went unnoticed is complexity.

One of the problems with the modern internet is that it has become absurdly complicated. Consider everything involved in serving a single payment page: pretty, flashy animations and graphics; a secure login; multiple forms of payment in multiple languages; instant delivery across the globe with failovers, encryption, backups and fraud detection; and all of it working perfectly on phones, tablets and computers, across different browsers and screen sizes. It is genuinely insane how complicated it all is.

As an article in The Atlantic in 2017 pointed out, this increasing system complexity is something we need to address. Complexity leads to completely unexpected flaws, because no one person has a clear understanding of how everything works. Computer software engineering is unique in this respect - unless there is incentive to do otherwise, you can just keep building layer upon layer of complexity, and just about manage to keep things running, because it’s actually easier and cheaper to do that than build something simpler from scratch.

That’s why we need a powerful incentive to force companies to invest more in clever, simpler, more robust and secure internet services, and at the moment the best way to do that is through harsh fines for data breaches. Public outcry won’t work - it seems every day there is a more shocking data breach than the last, so it's just become background noise.

That’s why I’m designing the Chronic Insights community feature, which allows people using a symptom diary for chronic conditions to optionally contribute their anonymous symptom data to a free, open symptom data set, to be as simple as possible. The data set contains absolutely zero personal information - no emails, names, passwords, or anything else about you except the symptom data you put in. All we use is a cryptographic hash of a randomly generated RSA public key as an anonymous identifier. For sure, this arguably makes the data set less valuable for researchers and advertisers, but it also means it has zero value to hackers, and retains immense value to the people who matter: our users, people with chronic conditions.
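As an added illustration of the identifier scheme described above (my own example code, not Chronic Insights' own implementation), here is the whole round trip in Go using only the standard library: generate a random RSA key pair on the device, derive the anonymous identifier as the SHA-256 hash of the DER-encoded public key, and send symptom entries under that identifier. The record field names, the RSA-PSS signature and the server-side verification are assumptions added here to show what a key pair gives you over a random token: the holder of the private key can later add entries or ask for deletion under the same identifier without any account. One caveat worth stating plainly: a stable identifier is a pseudonym, so entries from one key pair can be linked to each other, though not to a person.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// SymptomEntry is a constructed record shape (field names are assumptions, not
// Chronic Insights' schema). Note that no name, email or account field exists.
type SymptomEntry struct {
	Day      string `json:"day"`
	Symptom  string `json:"symptom"`
	Severity int    `json:"severity"`
}

// Submission is everything that leaves the device. The public key is random, so
// it identifies a key pair, not a person; the server derives the ID from it.
type Submission struct {
	PublicKey string          `json:"public_key"` // base64 DER SubjectPublicKeyInfo
	Payload   json.RawMessage `json:"payload"`    // exact bytes that were signed
	Signature string          `json:"signature"`  // base64 RSA-PSS over SHA-256(Payload)
}

// NewIdentityKey generates the per-install key pair; the private half stays on the device.
func NewIdentityKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// AnonID is the scheme from the text: SHA-256 over the DER-encoded public key, hex
// encoded. Stable for one key pair, different for every other, not reversible.
func AnonID(pub *rsa.PublicKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:]), nil
}

// BuildSubmission serialises the entries and signs them (RSA-PSS is an assumed
// choice) so later submissions under the same AnonID can be tied to the key holder.
func BuildSubmission(priv *rsa.PrivateKey, entries []SymptomEntry) (Submission, error) {
	payload, err := json.Marshal(entries)
	if err != nil {
		return Submission{}, err
	}
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return Submission{}, err
	}
	digest := sha256.Sum256(payload)
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return Submission{}, err
	}
	return Submission{
		PublicKey: base64.StdEncoding.EncodeToString(der),
		Payload:   payload,
		Signature: base64.StdEncoding.EncodeToString(sig),
	}, nil
}

// VerifySubmission is the server side: check the signature over the exact
// payload bytes, then derive the identifier to file the entries under.
func VerifySubmission(s Submission) (string, []SymptomEntry, error) {
	der, err1 := base64.StdEncoding.DecodeString(s.PublicKey)
	sig, err2 := base64.StdEncoding.DecodeString(s.Signature)
	if err1 != nil || err2 != nil {
		return "", nil, fmt.Errorf("malformed submission: %v, %v", err1, err2)
	}
	parsed, err := x509.ParsePKIXPublicKey(der)
	pub, ok := parsed.(*rsa.PublicKey)
	if err != nil || !ok {
		return "", nil, fmt.Errorf("not an RSA public key: %v", err)
	}
	digest := sha256.Sum256(s.Payload)
	if err := rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil); err != nil {
		return "", nil, fmt.Errorf("bad signature: %w", err)
	}
	var entries []SymptomEntry
	if err := json.Unmarshal(s.Payload, &entries); err != nil {
		return "", nil, err
	}
	id, err := AnonID(pub)
	return id, entries, err
}

func main() {
	priv, _ := NewIdentityKey()
	sub, _ := BuildSubmission(priv, []SymptomEntry{{Day: "2019-07-08", Symptom: "fatigue", Severity: 3}})
	id, entries, err := VerifySubmission(sub) // constructed sample; id is a 64-hex-char string
	fmt.Println(id, entries, err)
}
```

The server never stores the public key next to anything personal because nothing personal is ever sent; if the data set leaks, an attacker gets symptom rows keyed by hashes of random keys and nothing to join them against. Signing the exact payload bytes, rather than re-serialising on the server, avoids the usual canonicalisation mismatches.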

James Allen