by makeitsuckless 3744 days ago
Schneier is missing one major reason why companies keep data: regulation.

So many regulatory bodies and laws require companies to keep all kinds of data for all kinds of reasons for a wide variety of periods that simply having a policy to "store all the things" is way, way simpler to implement than to carefully study and adhere to each individual rule.

Nothing really new here: even before cheap storage and ubiquitous computers, companies kept boxes and boxes of all the paperwork ever, just in case some audit may require them to dig it up. Only physical limitations sometimes caused them to throw away stuff labeled "a decade ago", and today there simply is more data and zero incentive to destroy it.

3 comments

Good point, here's an example: EU VAT, which obliges companies selling digital goods in Europe to store customer and transaction details for 10 years.

https://www.gov.uk/guidance/register-and-use-the-vat-mini-on...

How does this work with digital stores (Steam/App Store/Play Store)? Do you even get that data from them as a developer?

I think those stores take care of VAT and all the requirements around that, so the developer doesn't need to worry about it. That's what the 30% cut is for.

The laws are totally insane when it comes to data: one law says you can't store it, and if you do you have to enable the user to remove it, change it and view it; the other says you should keep it secret and should keep it for many years.

But the concept of taking data offline or to another network applies to this.

For example, while banks are required to keep tons of data for legal reasons, the ones I've worked with have procedures where, for example, tellers are required to shred everything and send it for incineration. Then, the digital copies, once they can only be required if there's legal compulsion going on (i.e. after x number of years), are transferred by batch jobs, which encrypt everything with a key generated by a CA that is offline most of the time, to a tape library which is only online for batch writes and can only be brought online manually by physically going into the data center. Then, after a little more time, but still within legally required reporting periods, the tapes are moved into a warehouse which very much resembles a bank vault.

And as soon as there's a reason that the data isn't mandatorily kept, the tapes are destroyed.

Honestly the security around those tapes is higher than bricks of cash, and they're destroyed even more readily.