Delete Your Data

Transcript

1. DELETE ALL THE DATA Jake Bathman @jakebathman

2. GOALS ➤Convince you that you need very little user data

   ➤Set a baseline for data retention ➤Almost nothing is secret ➤Using privacy as your guide is more productive than security ➤Privacy is a thing to be removed— sparingly—instead of given

3. DELETE YOUR DATA EXCEPT DATA YOU REALLY NEED * *

   * * *

4. “Data is not the new gold, data is the new

   uranium. Sometimes you can make money from it, but it can be radioactive, it's dangerous to store, has military uses, you generally don't want to concentrate it too much, and it's regulated. Why keep uranium you don't need? -Filippo Valsorda (@FiloSottile) Google cryptographer & security researcher

5. YOUR THREAT MODEL

6. H4CK3RZ ➤ Not your main threat ➤ Should be countered

   systemically ➤ Open-source tools and your own custom encryption algorithm best practice standards will stop most hacking attempts

7. NATION STATES ➤ They’ll get your stuff if they want

   ➤ There’s nothing you can do to stop them ➤ Don’t even consider them if you’re a small-to-medium sized site

8. EVERYTHING ELSE ➤ internal malicious actors ➤ accidental logging of

   sensitive data ➤ application misconfiguration ➤ accidental public disclosure (e.g. committing logs or a key to GitHub) ➤ API exploitation ➤ Normal use of your application

9. DELETE YOUR DATA EXCEPT DATA YOU REALLY NEED * *

   * * *

10. DELETE YOUR DATA EXCEPT DATA YOU REALLY NEED * *

    * * *

11. DELETE YOUR DATA EXCEPT DATA YOU REALLY NEED ➤ Allow

    users to delete most of their own data, and make it easy for them to do ➤ Really, truly delete it if you can ➤ No, don’t soft delete it. ➤ Yes, really delete it.

12. DELETE YOUR DATA EXCEPT DATA YOU REALLY NEED ➤ Re-frame

    your database in your mind as a set of other people’s information, instead of “your” data since you wrote the application ➤ You should be user record #1 (in production) ➤ Add the personal info for every dev that works on the application ➤ Full names ➤ Address, email, phone numbers ➤ SSN or other sensitive identifiers

13. DELETE YOUR DATA EXCEPT DATA YOU REALLY NEED ➤ I

    am not a lawyer ➤ You are not a lawyer ➤ Things to consider: ➤ Record retention laws ➤ Corporate policies ➤ If you can’t delete, consider (in order): ➤ One-way hashing ➤ Encrypting (reversibly) ➤ Pruning/limiting ➤ Archiving elsewhere (e.g. in an “old users” table stored not in the production environment)

14. DELETE YOUR DATA EXCEPT DATA YOU REALLY NEED ➤ Data

    hoarding is a natural tendency ➤ It’s not your data, it belongs to the user. Consider what actions they might need to take on your application and if the data is necessary ➤ SSN for background check, but delete when check is complete ➤ Birthday to authorize for mature content, but don’t store after checking

15. DELETE YOUR DATA EXCEPT DATA YOU REALLY NEED Consider the

    form of data that you might need ➤ Required in plain text ➤ Email, name, phone number ➤ Plain text, but ephemeral ➤ Tokens, sessions, server logs, app logs ➤ Stored one-way hashed ➤ Passwords, SSN last-four ➤ Never ever stored ever ➤ Plain-text passwords

16. WATCH HOW FACEBOOK DOES IT And do the exact opposite

    Or Equifax, Yahoo!, Twitter, Capital One, Marriott, eBay, Target, Uber, OPM, Sony PSN, Adobe...

17. console.log(“thank you”);