by kibwen 998 days ago
Regulation can absolutely improve the state of privacy over the status quo. Defeatism like this does nobody any favors.

As far as companies are concerned, personal information should be considered hazardous material, and avoided at all costs.

2 comments

Government regulation is what created and propped up Solar Winds.

I have to believe it's possible, but I have never seen any reasonable proposal for government regulation of infosec. Even disclosure requirements become bullshit and only harm everyone faster than they can get published.

For day to day stuff sure.

But thinking it will actually protect you if you have an actual valuable secret is willful naïveté.

That isn’t defeatism, that’s a realistic appraisal of the situation.

If what you described were actually possible, we wouldn’t all still be able to browse all the top secret files leaked from Wikileaks, for instance.

While it's true that the best way to keep a secret is to keep it off the internet, regulation could absolutely improve the prospects of keeping secrets by requiring encryption in every context, imposing heavy penalties on companies that fail to properly secure sensitive data (much heavier than what we currently see, up to the corporate death penalty), and enshrining in law the people's right to strong encryption.
The best way to keep a secret is to never write it down, period. Or tell anyone.

If you do have to write it down (for practical reasons), it’s best to assume it will be leaked eventually and write it down with that in mind.

Even better: in your operational assumptions, assume it will then be leaked shortly afterwards, and build in ways to work around that.

So, for instance, key material should have easy ways to be revoked, rotated, etc.

Operational rules should be easy to update/push new versions, etc.

Authentication shouldn’t rely on parroting a well known value (SSN, a plaintext shared secret, a biometric, etc.), and should be easily changeable/rotatable.

Most of these we’ve been steadily baking into our day to day lives anyway.

What you’re talking about is necessary, but insufficient for anyone who has a secret they actually need to keep. At least in the modern world. None of those penalties are ever likely to actually occur either, because no one wants to pay them. And they know they will end up paying them at some point, because anything else is just not how the world works.

For classified top secret information all those rules apply in some form, yet we’ve had numerous high profile leaks of TS information for years. The intelligence apparatus has done everything they can to destroy said leakers, but with limited success - and those secrets are still out there.

And that is without financial incentive!

That’s all. Most folks won’t have those kinds of secrets thankfully! And when they do, they usually just don’t tell anyone.