Mobile IT Roach Motel: Data checks in, but it won't check out

Even if a company were willing to expunge personal data that it had been authorized to collect, the realities of IT systems mean it probably could never completely do that

In a perfect world, consumers and employees would have complete control of any data that is specifically about them. They could choose who gets it and how it can be used. Crucially, they would have constant access to a list of where and how their data is being used, and they could edit it at whim.

But you might have noticed that we don't live in a perfect world.

Various privacy advocates have sought such user privacy controls, with European telecom giant Orange being the latest to champion the idea. Beyond the calls for action, little has actually happened. This will be hard for many of you to believe, but the company that has come closest to delivering a tool that could give users more control over their data was Google, which tends to view privacy the way Superman views Kryptonite. Rest assured, though, the release of that tool to the public was unintended and Google quickly shut it down. Perhaps when Google saw the Electronic Frontier Foundation applaud the tool, the company realized that it had accidentally served up something that was Google poison.

The question of whether such privacy controls would be good or bad for business and society is complicated. Used properly and respectfully, personally identifiable information (known as PII, in IT's acronym-loving way) can truly help companies deliver far better services. Amazon is perhaps the best example of a company that loves to leverage PII while being disciplined and restrained enough to (usually) not be obnoxious about it.

As for consumers, unless they really understand at a fairly sophisticated level how their information is to be used, most of them are not in a position to make the decisions about their own data that best serve their own interests.

As it turns out, though, the practical realities of IT spare us from having to make these decisions at a "what is best for society" level. That's because the only privacy call that can pragmatically work is to refuse from the get-go to let a company collect any of your personal data. The reason is that, once data is in a system, it really can't be removed -- at least not completely. It's as if the data has entered a Mobile IT Roach Motel: Data can check in, but it can never check out. (If you recognize the tagline from those iconic Roach Motel ads of the late 1970s, you can watch one on YouTube. But I should note that roaches don't seem to have it as bad as data: There is evidence that some German cockroaches have developed an aversion to glucose, which is used as bait in the traps, and are passing this trait on to their offspring. Yeah, I think it's safe to conclude that cockroaches will indeed outlive humans.)

Getting back to consumers, their data is really difficult to take back. It is not as if the data exists in only one place and can easily be deleted. That simply isn't how it works. Once duly authorized and collected, consumer data gets plugged into dozens of databases and shared with just as many departments, consultants and partners. The data is parsed and backed up, and the chances that anyone can accurately list every place where that data exists are roughly nil. That's why it's ludicrous to believe that you can change your mind and demand that all the data you let a company collect be removed. Block it initially? Sure. Get it back later? Not going to happen. There will always be copies floating out there somewhere.

And that's true even with the anonymous/aggregated approach. Yes, a company that aggregates the consumer data it collects only analyzes that data in the aggregate, and the aggregated data is anonymous. But all that data arrived in unaggregated form and far from anonymous, and that raw data certainly still exists in a database somewhere. Probably more than one, which brings you back to the question of how to corral all those data roaches that are running around the company's systems.

The cynical view of all this is that corporate advocates of privacy want to offer consumers the illusion of privacy control without having to deliver actual control, since the consumers have no way of knowing whether the data they have decided to "take back" has been actually removed. It's the business equivalent of the time-honored politician's trick of voting against a bill unpopular with constituents, knowing full well that it will pass anyway.

I can think of no practical way for a Wal-Mart, Exxon, Nabisco or Hilton to remove specific pieces of data once they've been absorbed. That means that corporations are going to have to stop making consumers privacy promises that they can't possibly keep. Assuming, of course, that you want to be honest. If you don't, that's something you really want to keep private.

Evan Schuman has covered IT issues for a lot longer than he'll ever admit. The founding editor of retail technology site StorefrontBacktalk, he's been a columnist for, RetailWeek and eWeek. Evan can be reached at and he can be followed at Look for his column every Tuesday.

Read more about privacy in Computerworld's Privacy Topic Center.
