The ancient story of Spartacus offers a great example for better online anonymity

The Third Servile War was over. The slave army had been defeated, and their Roman captors offered the survivors a pardon. The only requirement was that they identify Spartacus, their leader (a sun-bronzed, cleft-chinned Kirk Douglas).

Rather than give away his identity, however, each of them cried out “I’m Spartacus!”—thus preserving his anonymity. The Romans could not identify him; they could not discern which of the men standing before them had been the leader of the rebellion.

(Spoiler alert: they all die as a result.) In short, their actions ensured a crucial part of Spartacus’ privacy—his right to be forgotten.

The right to be forgotten is considered a fundamental human right by numerous governments. Legislation such as GDPR and the California Consumer Privacy Act of 2018 (CCPA), for example, aim to establish this right for EU citizens and California residents, respectively.

In the past, the implementation of such regulations has revolved around search engines and the rights of users to request that their search results be removed — given they are no longer necessary or that they have a legitimate objection to their existence.

The <3 of EU tech

The latest rumblings from the EU tech scene, a story from our wise ol' founder Boris, and some questionable AI art. It's free, every week, in your inbox. Sign up now!

(One assumes that in this case a request by Spartacus to delete coverage of his being the leader of a massive slave army would be rejected by Google as neither of those.)

However, the Facebook and Cambridge Analytica scandal and a series of large-scale breaches have recentered the discussion on the privacy implications of this human right.

Now, privacy advocates have renewed their calls to have their account and personal data removed from social media platforms and other online services.

This seems to have widespread support, as most people agree that users should have the ability to remove accounts and material that they have created in the past—but with this comes new difficulties for today’s enterprises.

The solution here is clear: enterprises must offer the capability for users to delete accounts and any associated personal data. However, this is not as simple as it might seem at first.

Organizations are reluctant to give up this data as it helps them to improve their business models and might prove to be profitable information to have on-hand.

To realize the extent of the value of this data, one only needs to look at the cases where businesses, like free VPN services, resell user information to third parties. Enterprises need to feel compelled to part with this perceived value.

Governments are attempting to make parting with their customer’s personal data more compelling by imposing fines – enter GDPR and CCPA.

However, beyond the necessary business case lies technological challenges. Lingering personal data can be cause for concern, even if an online service has built-in deletion or removal options.

If this personal data is located in a structured database or an application, then the process is relatively straightforward. In this case, eliminate the associated account and the data stored within that account is also removed.

If the sensitive data is in files, detached from applications which are governed by the organization, these files will behave like abandoned satellites orbiting the earth, forever floating in the void of network-based file shares and cloud-based storage.

If the right to be forgotten is to be realized, then an essential task is locating that personal data and enabling its deletion to ensure the privacy of the end user.

As our online identities continue to expand and proliferate on the web, we must work to safeguard them as it is our fundamental right. The right to be forgotten, or to choose to withdraw from online services without leaving our data behind, is essential to our privacy foundation.

Organizations who value their customers’ privacy and their right to be forgotten will demonstrate so by taking measures to protect their sensitive data – effectively yelling “I’m Spartacus!” on behalf of the user.

Story by Mike Kiser

Mike Kiser currently serves as Senior Security Strategist in the Office of the CTO at SailPoint. He is insecure. He has been this way since (show all) Mike Kiser currently serves as Senior Security Strategist in the Office of the CTO at SailPoint. He is insecure. He has been this way since birth, despite holding a panoply of industry positions over the past 20 years—from Security Strategist to Security Analyst to Security Architect—that might imply otherwise. In spite of this, he has designed, directed, and advised on large-scale security deployments for a global clientele. He is currently in a long-term relationship with fine haberdashery, is a chronic chronoptimist (look it up), and delights in needlessly convoluted verbiage. He has been a speaker on topics ranging from identity governance to security analytics, network security, and various related privacy issues, and is the co-host of a podcast illuminating all things identity. He warmly embraces the notion that security is more of a state of mind than a destination.