Taken to the extreme, a person could read the data and then literally handwrite it down on a piece of paper. That’s storage. It is nearly impossible to prevent that.
Also, if it’s illegal to duplicate the data, then it would have no purpose to be read from. For example, the system needs to access your birthdate field. Is using that piece of info somewhere considered storage, if it persists in any way? Probably.
So what this means is that the next best thing we can do is enforce read access to trustworthy parties only, with confidence for now and the future.
but there could be very clear rules just how many $$$ in fines you have to pay per data point if you ever get caught with your pants down. The issue with these leaks is that the perps never have to pay for them.
edit: that being said, I don't think a single such pool is a good idea since it would become the prime target for every hacker on the planet, right next to 1pass.
Right now it is considered normal for every company to keep personal data, but what if it was forbidden to store anything for longer than say 10 minutes and it is only allowed to keep anything in random access memory, not persistent storage? What if the person dealing with a company could generate a random identifier to allow for time-limited access to their data through a standard API?
What if the companies/organizations were by law required to ONLY access personal data through that API with all access being logged and auditable by the individual? If during an audit code (due to reasonable suspicion) it is found that the company is storing the data instead of reading and forgetting immediately, the company would face heavy fines.
Would this be enough? Probably not to deter bad actors... Maybe companies should not have access to any personal data in the first place? Only the post office/delivery company would need to know where the mail for a temporary ID must be delivered to.
Same with phone numbers: they don't need them. Only phone companies need to be able to resolve the temporary ID to make a call. It would FINALLY deal with the spam, even though I guess phone companies are skimming money off that, so they won't be too happy if the legislation required it.
Exceptions can be made, but if there are fewer exceptions, the data would be far more tightly controlled.
A pixel is a powerful thing.
I suppose theoretically one could use a small handful of pixels to encode a lot that way though.
This is a very common pattern.
Also, all tax records in my country used to be public until recently and I think even now that information is somewhat easy to get.
You might be mad at the cheap (or not so cheap) Chinese (or not so Chinese) smartphone manufacturer whose firmware updates come with crap apps and even trojans preinstalled, but that little business only wants to have a tiny piece of cake the big guys share. Can we scold it for swindling data if famous corporations do the same?