A huge bugbear for many years now, excessive data collection is getting worse. Photo / 123RF

OPINION:

Excessive data collection on the Internet has been a huge bugbear for many years now, and the problem's getting worse. Just about every app and website demands that you sign in, usually with your email address, a notion that should never have been allowed.

It wouldn't matter so much if the data you give out was kept secure, but we're talking about information technology which is anything but. Data breaches are a dime a dozen.

Like the Shanghai Police which leaked information on a billion people, not through a fiendishly clever hack but because someone left an online portal passwordless.

Over at the HaveIbeenpwned site that tracks data breaches and hacks the tally of compromised accounts stands at 11,863,763,133 as of writing. It's a huge number, and it'll continue to grow.

This isn't an easy problem to fix, however. On the one hand, leaked unique identifiers like phone numbers and email addresses that associate accounts and services with individuals can cause enormous damage over a long period of time.

Changing your phone number or email address to "fix" the issue of them having leaked out is certainly possible, but it can lead to a world of pain like getting locked out of online banking and other important services.

The longevity of leaked identifiers is a big part of the problem. Bad people know that it's almost impossible to change a personal email address and who wants to get a new phone number and go through the rigmarole of notifying others of it?

On the other hand, without unique identifiers, personalised offerings are simply not possible. What to do here then?

The answer, partly so, is somewhat oblique: don't give out your unique identifiers in the first place, and authorities shouldn't allow them to be collected either.

Instead, you firewall off your online identity while still proving you are who you say you are, by using abstraction and proxy services.

This sounds more complicated than it is and done right, it won't be inconvenient for users, quite the opposite.

Apart from making sure that as little user data is collected as possible, it should be single-use too.

Stolen credit card details are a major pain for the likes of Visa and MasterCard, which have developed "tokenisation" to deal with the problem. This essentially creates a single-use new credit card for each transaction.

That way, users' actual credit card data never reaches merchant terminals. If there's a data breach, hackers can't make off with working credit card details. Not everyone supports tokenisation, unfortunately, so banks and issuers are experimenting with dynamic card verification values (CVVs) that change for each transaction.

Changing CVV numbers does seem difficult to implement, and it means consumers have to continue to enter credit card details and other information into e-commerce checkout pages instead of just clicking a button, or verifying purchases on your smartphone's banking app, which is protected with biometrics.

That level of convenience should be a major drawcard for vendors as it makes transactions as simple as paying with cash, only more secure. You can see the Google or Apple Pay card on your phone or computer, but the merchant doesn't.

In one go, skimmers for both physical credit card terminals and e-commerce shopping carts - the latter is a colossal problem - become useless as the only transaction data they might capture is single use only.

You can apply that kind of abstraction elsewhere too. Apple introduced several privacy enhancing features for its iPhone, iPad and Mac operating systems which hide your important information, yet lets you have the required personalisation.

Sign in with Apple for example means you only hand over a minimal amount of personal information, and the service now works with the more recent Hide My Email feature that generates a random address that forwards to your real one.

Apple also lets you hide your IP address when browsing the web to avoid fingerprinting that could collect identifying data, and strips out advertising trackers as well.

They are not bulletproof technologies and flaws in the implementations pop up every now and then. The biggest bug as such is of course that users risk being locked into single or just a few vendors that they entrust with their real information. Luckily, this has been recognised by almost all tech industry heavy hitters, who are working through forums such as OpenID to create universal standards that everyone can use.

Not Facebook though, which unsurprisingly enough preferred to create its own system.

Progress on this issue has been slow, however, and it would be great if there was some serious official pressure from authorities to stop the excessive data collection that's happening currently. Yes, it would hurt some players, like Facebook when Apple made tracking users across the internet for advertising sales purposes much harder.

If we don't do it, however, with the advent of powerful artificial intelligence and machine learning systems trained on colossal amounts of data, we can kiss our privacy goodbye. And probably won't have to log in or provide card details as the computer already knows who you are and how you're paying.