A brief rant on converging compliance regimes. @ Irrational Exuberance

Hi folks,

This is the weekly digest for my blog, Irrational Exuberance. Reach out with thoughts on Twitter at @lethain, or reply to this email.


Posts from this week:

- A brief rant on converging compliance regimes.


A brief rant on converging compliance regimes.

Although I’ve never worked exclusively on compliance, much of my work over the past decade has touched on reconciling between product and compliance goals, and over that time I’ve developed something of a pet theory on the evolution of compliance over the next five to ten years: I expect customer-oriented compliance to converge on a unified set of controls.

While today there’s a wide distance between GDPR, CCPA, HITRUST, FedRAMP and SOC2, I generally expect the gaps between these various frameworks to narrow significantly over time around the premise of all customer data being treated as sacred. Consequently, I expect the necessary controls to implement these frameworks to converge, such that the burden to an organization to comply across multiple compliance regimes will shrink. However, this convergence will occur in a haphazard series of jerky, unpredictable steps as various countries, states and regulators push towards stricter controls.

Engineering, product, and legal teams will be able to save their organizations hundreds of years of engineering time by making reasonable, conservative guesses about where these frameworks converge. This will, however, be painful because these conservative positions will significantly limit what these businesses are able to do, in ways that make them less competitive in the short-run against more aggressive peers. Rapidly evolving your company’s approach to simultaneously future proof against regulatory convergence and maximize short-term windows to optimize growth through advertising and marketing efforts, may well be one defining characteristic of successful businesses over this stretch.

It’s not clear to me whether this will actually be beneficial to consumers, as this sort of regulation will certainly reduce 3rd party advertising and marketing, but seems much less likely to reduce 1st party advertising. This shift of momentum from 3rd to 1st party advertising will be particularly advantageous to companies who can already drive customer-facing network effects in their internal platforms (Meta, Google, ByteDance, etc), and particularly hard on new upstarts hoping to one day compete with those well-established tech businesses.

It’s certainly possible that antitrust regulators will step in to reduce the 1st party advertising advantage here, but by no means certain. The EU already seems intent on regulating these mega-platforms, but the US and China appear less interested, which is quite reasonable as their domestic platforms exert extraordinary influence across the world (and, awkwardly, domestically as well).

From the perspective of non-mega-platform companies, I think this is a natural continuation of the timeline evolution from “data as value” to “data as risk”, and these sorts of companies will increasingly want to approach all stored data with their eyes towards secure, restricted, and audited access.

If I had to pick just one implementation concept to focus on, I’d argue that field-level encryption should be a starting place for new application development, and in particular field-level encryption with distinct keys for each entity you might contract with (e.g. each business for a business-to-business product, each user for a consumer product).

Using field-level encryption as the foundational building block has some interesting advantages. Two mention three: (1) trivial deletion, including from backups, (2) database-level data exfiltration is less damaging, as data is not usable unless the paired keys are also extracted, and (3) it introduces the exactly right sort of pain to design a higher compliance system.

Conversely, this will generally be a pain to work with. Many nominally trivial queries will no longer be possible within the database tier. (You can, of course, build something like a trigger to allow retrieving the keys within the database, but that would significantly undermine the value of this entire enterprise.) It also means that many queries you’d like to perform for data analysis are much harder to perform. This isn’t permanently true, you can choose to expose metadata about a given field by deliberately shaping the encrypted data (as a contrived example, you could choose to prefix encrypted data from US with “us_” and encrypted data from Canada with “ca_”), but it certainly is more work.

Anyway, I don’t have an important point to make here, it’s just a thread in the evolution of the internet software industry that I find particularly interesting at the moment. I do think that some particularly interesting businesses will be built on this observation over the next few years, this will span across things like Vanta, others like MongoDB’s Client Side Encryption, and even more to make it possible to run performant data pipelines in a world where things are encrypted by hundreds of thousands of distinct keys. At certain moments, the internet feels static, immortal, and immutable, but the fun part is that it never actually stops changing.


That's all for now! Hope to hear your thoughts on Twitter at @lethain!


This email was sent to you
why did I get this?    unsubscribe from this list    update subscription preferences
Will Larson · 77 Geary St · co Calm 3rd Floor · San Francisco, CA 94108-5723 · USA

Email Marketing Powered by Mailchimp

Older messages

Lessons not worth learning. @ Irrational Exuberance

Wednesday, December 21, 2022

Hi folks, This is the weekly digest for my blog, Irrational Exuberance. Reach out with thoughts on Twitter at @lethain, or reply to this email. Posts from this week: - Lessons not worth learning.

2022 in review. @ Irrational Exuberance

Friday, December 16, 2022

Hi folks, This is the weekly digest for my blog, Irrational Exuberance. Reach out with thoughts on Twitter at @lethain, or reply to this email. Posts from this week: - 2022 in review. - 2019 - 2022

Company, team, self. @ Irrational Exuberance

Wednesday, December 7, 2022

Hi folks, This is the weekly digest for my blog, Irrational Exuberance. Reach out with thoughts on Twitter at @lethain, or reply to this email. Posts from this week: - Company, team, self. Company,

Twitter. @ Irrational Exuberance

Wednesday, November 23, 2022

Hi folks, This is the weekly digest for my blog, Irrational Exuberance. Reach out with thoughts on Twitter at @lethain, or reply to this email. Posts from this week: - Twitter. Twitter. I joined

The flying wedge. @ Irrational Exuberance

Wednesday, November 16, 2022

Hi folks, This is the weekly digest for my blog, Irrational Exuberance. Reach out with thoughts on Twitter at @lethain, or reply to this email. Posts from this week: - The flying wedge. The flying

You Might Also Like

24 SEO Tips for 2025 (Free PDF Inside)🎄

Tuesday, December 24, 2024

New year, new strategy – your guide to 2025 SEO success is here! Hi Reader, Merry Christmas! 🎅✨ I hope you're enjoying a cozy holiday season. As we look toward 2025, it's the perfect time to

Why The American Military Pretends to Track Santa Claus

Tuesday, December 24, 2024

They know when he's been sleeping, they know when he's awake. ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌

• Affordable Kindle Unlimited Promos for Authors •

Tuesday, December 24, 2024

Affordable KU Book Promos "I'm amazed in this day and age there are still people around who treat you so kindly and go the extra mile when you need assistance. If you have any qualms about

Level up like you are using cheat codes 🎓

Monday, December 23, 2024

Become CXL certified ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏

Reminder - Our best price yet💥

Monday, December 23, 2024

Get 13 months for $99 per month ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏

Jólabókaflóð

Monday, December 23, 2024

It's Icelandic and it's awesome. ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌

Kindle Unlimited & Paperback: YA & Literary Fiction for All Ages ~ Doll Face by Dianne Stadhams

Monday, December 23, 2024

Tiilly's view of complex issues goes viral. Welcome to ContentMo's Book of the Day "What a refreshing view of the world! Stadhams has crafted a plucky, resourceful heroine in Tilly

🧙‍♂️ Watch my video pitch

Monday, December 23, 2024

Plus how Adriana used LinkedIn to land a deal ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏

Who can cut the government?

Monday, December 23, 2024

Hi all, I hope you all get to enjoy an amazing holiday with your friends, family, and loved ones. Trevor Could we tell whether anyone in our galaxy uses a warp drive? (twitter thread) tldr: it would be

The Future of Health (Regrowing teeth!), AI of the week, and Success

Monday, December 23, 2024

Regrowing teeth with USAG-1 therapies, groundbreaking AI innovations, and success as a game of probabilities—embracing humility, courage, and patience makes all the difference. 3-in-3 The Future of