My dream restaurant in my little neighbourhood in Seattle has undergone some organisational adjustments since the onset of the COVID-19 pandemic.
The only way to order there now is through the interactive menu on the restaurant’s website. Back in the kitchen, they cook the dinner, and someone just takes it out to the table.
I know everyone on the team, but I’ve barely seen them in months. The boss is always coming around to check in and banter at the tables. Overall, though, the workers are optimised for far less human contact. It certainly alters the feeling of eating.
The same pattern plays out through the tiny touchpoints of a variety of lives. It’s not just masks and alienation from society. There has been a greater societal change towards a focus on virtual processes in ways big and small.
In the morning, you can pre-order your coffee if you wish. You’ve already paid before you get there. You’ve already tipped. Someone’s going to hand it to you. Your name may even be pronounced correctly. (They might bring some of those robot baristas back.)
It remains to be seen whether movie theatres will ever return to full strength, but we already have virtual ticketing. You can walk into the theatre, find your popcorn and drinks in your secluded area ready for delivery, enjoy the video, and leave without ever talking to anybody.
When you go to the grocery store, you can simply fill your bag with products labelled with RFID tags that provide the product and price details. They are linked to a back-end payment device that charges you instantly using a wireless payment format such as Apple Pay: not only cashless, but fully touchless.
We’ve talked about the changes to education, healthcare and retail over the past several weeks as similar stories play out across industries. But for each of us as people, what does it mean to traverse this contactless world?
The biggest problem, from a security perspective, may be that your digital footprint is now a digital vapour trail. You cast a shadow of data wherever you go, which, taken together, shows who you are, what you want to do, your behaviours, your addictions.
There has long been a tension between our desire to hold on to personal data, security and privacy, and our desire for convenience. Perhaps the tables have turned now. Convenience has become the norm. And after a while, people just get comfortable with what comes with it.
At least in the U.S., we have long considered “personally identifiable information” to be the hard items: Social Security numbers, driver’s licence and passport numbers, full addresses, bank accounts. But Europe’s GDPR is more in line with what PII would mean in this contactless environment.
Under Article 4, ‘personal data’ also includes, in addition to certain standard indicators of PII, ‘… one or more variables unique to the physical, physiological, genetic, emotional, economic, cultural or social identity of the individual.’
A lot of work has been undertaken by the EU to understand what kinds of data are actually ‘personal’ and can be covered under the legislation. In other areas around the world, however, secrecy appears to be of little interest.
It bears looking at in the U.S. as we begin to respond to more complicated scenarios driven by smartphones. We are increasing the scale and scope of the data vapour trail by doing so, and this will only increase the capacity of corporations, government agencies and hostile actors to view the spending habits of individuals and predict their desires and needs.
At the same time, 5G is being introduced, edge computing is growing and there is an explosion of real-time analytics. The data is going to be leveraged in real time. Retailers and attackers alike can be aware of what bourbon you drink and what your dream dessert is. They will know that you want to eat peanut butter cups at least once a month. Maybe even a personal chef doesn’t have as much intel. At what point does “personally identifiable information” become your interests, dislikes and habits?
Now, when you get home, you see an email promising free peanut butter cups. You are suddenly more vulnerable than ever to a phishing attack. You just figure it’s a targeted ad. You’re so used to the degree of personalization that when you open the email, you don’t even consider the risk.
Hackers might know not just what you want, but also where you’ll be, making location-based phishing or other attacks possible as well. It’s an entirely new level of triangulation targeted not just at high-value government employees, but at everyone with an obviously safe bank account.
We’ll see how many of these processes, over time, return to the real world from the virtual world, but those virtual processes are likely to be here regardless. As a result, your PII is becoming a much richer, and actually much more risky, source of data about you.
Whether this extended definition of PII merely enables new forms of user convenience, or something more dystopian, will decide how the security community and policymakers react to this change.