
> Basically, I think it's reasonable to both allow many people access and expect them to not abuse it.

Indeed. The FCRA accounts for bored clerks looking up random people's credit history.

Just because you have access to something doesn't mean you're allowed to touch it without a valid business reason.

I'm no fan of regulation but the wild west of PII is long past needing to be tamed. Companies need to be held responsible for their intelligence and how it gets used.



"Just because you have access to something doesn't mean you're allowed to touch it without a valid business reason."

Then you should not have access to it? People will touch them if they can. That's why Access Control rules exist.


That might be how we deal with children who can't handle responsibility, but the absence of technical controls for every nuance of life is why ethics and code of law exist for adults.

Access controls are not a substitute for maturity.


> Access controls are not a substitute for maturity.

But maturity is not a substitute for access controls either.

In any organization of some size, no matter how much you hire for "maturity", eventually people will slip past who have all kinds of reasons they'll be able to justify to themselves for deciding it's too tempting to look at things they shouldn't.


Agreed, too bad humanity's level of maturity as a whole is very far away from ideal. If everyone did what they should we would probably be living in a utopia. But that's not the case.

I don't mean that everything should be super-locked down to the point where it's inaccessible, just tweak it enough to not be misused.

The idea of an audit trail is good, since you can go back in history and make any misbehaving parties accountable. Or design a system where the client authorizes a rep to look into her records, just like banks do when you ask for your balance.


> children who can't handle responsibility

Isn't the real concern bad actors? e.g., LOVEINT


Well, does Lyft's hiring process optimize for maturity? Do they often hire people in their 40s, for example?


There's a bit of pragmatism involved in the level of control.

If you add too much friction to the process of accessing information, then it can actually impede on actually handling user support. For example, having access to someone's ride history when trying to resolve a dispute seems relatively normal.

Of course in Lyft's case it seems pretty clear that there can be more programmatic locks. And auditable logs are a very good idea in general.

But programmatic locks are tricky. How do you transform an e-mail from a user confirming permission to history into an unlock code?


If only we had modern phone infrastructure that could actually transfer useful info to the appropriate person... Instead we have terrible phone support that requires me to repeat the same info 3 times.

That info should be unlocked the millisecond I am connected with a rep. It's not a moonshot.


Yeah totally. It's doable

My feeling is that stuff is doable, but hard-ish. For example, for this case now you're writing something to interface with the phones? How do you know the phone number is for a certain client?

Though I definitely see someone writing a thing where your ticketing/support system grants partial data access, you end up either making the support system pull in information from the DB... or your DB access controls being controlled through the support system.

The latter one can potentially introduce security issues. The former one's easier but you can easily run into the "oh, this information's not gettable through the ticketing system".


That last bit is actually relatively straightforward - you send them a response with a link they click on taking them to a permission prompt.
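
The consent-link flow described in the comments above, combined with the audit trail suggested earlier in the thread, as an added sketch that is not part of any commenter's post or of Lyft's systems. All names (`issue_consent_token`, `customer_approves`, `rep_read_history`, the in-memory `GRANTS` and `AUDIT_LOG`, the demo key) are hypothetical and the sample identifiers are constructed.

```python
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-key"  # assumption: in practice loaded from a secrets manager
GRANTS = {}      # (customer_id, ticket_id) -> expiry; stand-in for a grants table
AUDIT_LOG = []   # stand-in for an append-only audit store

def _mac(payload: bytes) -> str:
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest()

def issue_consent_token(customer_id, ticket_id, ttl_s=900, now=None):
    """Token placed in the link sent to the customer's address on file."""
    now = time.time() if now is None else now
    payload = json.dumps({"cust": customer_id, "ticket": ticket_id,
                          "exp": int(now) + ttl_s}).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _mac(payload)

def customer_approves(token, now=None):
    """Called when the customer clicks 'allow' on the permission prompt."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        payload = base64.urlsafe_b64decode(body)
    except ValueError:          # wrong shape or bad base64
        return False
    if not hmac.compare_digest(sig.encode(), _mac(payload).encode()):
        return False            # forged or modified link
    claim = json.loads(payload)
    if claim["exp"] <= now:
        return False            # link expired before it was used
    GRANTS[(claim["cust"], claim["ticket"])] = claim["exp"]
    return True

def rep_read_history(rep_id, customer_id, ticket_id, now=None):
    """Gate a support rep's lookup on a live grant; log every attempt."""
    now = time.time() if now is None else now
    allowed = GRANTS.get((customer_id, ticket_id), 0) > now
    AUDIT_LOG.append({"ts": now, "rep": rep_id, "customer": customer_id,
                      "ticket": ticket_id, "allowed": allowed})
    return allowed
```

Denied lookups are logged as well as allowed ones, so the audit trail shows attempts to read records outside an approved ticket.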


Too much reliance on programmatic access controls causes people to think “if it’s allowed by the controls, it’s allowed by common sense” which is rarely the case.


On the flipside, systems that are too cumbersome to use because of access controls lead people to do things like maintain shadow systems in Excel spreadsheets just to get their work done. Of course with no security at all.


Couldn't this come under violation of terms of service on Lyft's end and open them up to class action, so there's no need for new regulation, at least for this current issue?

Not that I'm against new regs, I'm for it.



