Is It Time to Shut Down the Internet?
I got another data breach notification this week. Another company. Another apology. Another offer of free credit monitoring for a year, as if that undoes the fact that my personal information is now in the hands of whoever stole it.
It got me thinking: why is that information even accessible via the Internet in the first place?
The Internet is still the Wild West
Decades in, the Internet has not matured. It’s still insecure by design. Scammers have unfiltered access to billions of people. Your personal data sits on servers that are directly reachable from anywhere in the world. There’s no DMZ, no air gap, no meaningful barrier between “the Internet” and “your medical records” or “your financial history.”
It didn’t use to be this way. Corporate networks had demilitarized zones — buffers between the public Internet and internal systems. Sensitive data lived on machines that were not connected to the outside world at all. You had to physically be in the building, or on a dedicated line, to access certain things.
Now everything is on some server that’s directly accessible via the Internet. Convenience won. Security lost.
Companies treat your data as an afterthought
When a breach happens, the script is always the same: we’re sorry, we’re investigating, we’ve implemented additional security measures. Then the next company gets breached. And the next.
The incentives are wrong. The cost of a breach — fines, legal fees, reputation damage — is often less than the cost of building systems that would have prevented it. So companies underinvest. They collect more data than they need. They keep it longer than necessary. They expose it to more systems and third parties than they should. And when it leaks, you get a form letter and twelve months of credit monitoring.
Your personal information should not be the default thing to put on an internet-connected server. It should be the thing that requires extraordinary justification to put anywhere near one.
What would actually help
Stronger liability. Companies that hold personal data should face real consequences when they lose it. Not just fines that get negotiated down. Actual accountability. If the cost of a breach exceeded the cost of prevention, behavior would change.
Data minimization. Don’t collect what you don’t need. Don’t keep what you’re done with. The less data that exists, the less there is to steal.
Segmentation and isolation. Not every system needs to talk to every other system. Sensitive data can live in environments with stricter controls, limited connectivity, and real access controls. It’s more work. It’s also the right thing to do.
No more “trust us.” Consumers can’t audit corporate security. Regulators often don’t have the resources or expertise. Independent audits, mandatory disclosure of security practices, and consequences for negligence would move the needle.
Shut it down?
No. The Internet is too useful to abandon. But the question is worth asking because it forces us to confront how broken the current model is.
We’ve built a global network that connects everyone to everything — including scammers to your personal information, and your personal information to servers that weren’t built to protect it. That’s not inevitable. It’s a choice we’ve made by default, by convenience, by underinvesting in the hard work of security.
Companies need to do better. Regulators need to demand it. And until that happens, expect more breach notifications in your inbox — and ask yourself each time: why was this data on the Internet at all?