While it's true that the best way to keep a secret is to keep it off the internet, regulation could absolutely improve the prospects of keeping secrets by requiring encryption in every context, imposing heavy penalties on companies that fail to properly secure sensitive data (much heavier than what we currently see, up to the corporate death penalty), and enshrining in law the people's right to strong encryption.
The best way to keep a secret is to never write it down, period. Or tell anyone.
If you do have to write it down (for practical reasons), it’s best to assume it will be leaked eventually and write it down with that in mind.
Even better, in your operational assumptions, assume it will then be leaked shortly afterwards and build in ways to work around that.
So for instance - key material should have easy ways to be revoked, rotated, etc.
Operational rules should be easy to update/push new versions, etc.
Authentication shouldn’t rely on parroting a well-known value (SSN, a plaintext shared secret, a biometric, etc.), and should be easily changeable/rotatable.
Most of these we’ve been steadily baking into our day-to-day lives anyway.
What you’re talking about is necessary, but insufficient for anyone who has a secret they actually need to keep. At least in the modern world. None of those penalties are ever likely to actually occur either, because no one wants to pay them. And they know they will end up paying them at some point, because anything else is just not how the world works.
For classified top secret information all those rules apply in some form, yet we’ve had numerous high-profile leaks of TS information for years. The intelligence apparatus has done everything they can to destroy said leakers, but with limited success - and those secrets are still out there.
And that is without financial incentive!
That’s all. Most folks won’t have those kinds of secrets thankfully! And when they do, they usually just don’t tell anyone.
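An added example, not part of the comments above: a sketch of authentication that does not parrot a static value and whose key material can be rotated and revoked. It uses HMAC-SHA256 challenge-response; the `Verifier` class, the `respond` and `demo` helpers, the client name and the key ids are all hypothetical.

```python
import hashlib
import hmac
import secrets

class Verifier:
    """Server side: keys are indexed by (client, key_id) so they can be rotated or revoked."""
    def __init__(self):
        self.keys = {}        # (client, key_id) -> secret key bytes
        self.revoked = set()  # (client, key_id) pairs that must no longer authenticate
        self.pending = {}     # client -> outstanding single-use nonce

    def enroll(self, client, key_id):
        key = secrets.token_bytes(32)
        self.keys[(client, key_id)] = key
        return key            # handed to the client once, over a trusted channel

    def revoke(self, client, key_id):
        self.revoked.add((client, key_id))

    def challenge(self, client):
        nonce = secrets.token_bytes(16)
        self.pending[client] = nonce
        return nonce

    def verify(self, client, key_id, response):
        nonce = self.pending.pop(client, None)   # each nonce is accepted at most once
        key = self.keys.get((client, key_id))
        if nonce is None or key is None or (client, key_id) in self.revoked:
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def respond(key, nonce):
    """Client side: prove possession of the key without ever sending it."""
    return hmac.new(key, nonce, hashlib.sha256).digest()

def demo():
    v = Verifier()
    k1 = v.enroll("alice", "k1")                 # constructed sample client and key id
    r1 = respond(k1, v.challenge("alice"))
    ok = v.verify("alice", "k1", r1)             # fresh response is accepted
    v.challenge("alice")
    replayed = v.verify("alice", "k1", r1)       # captured response fails a new nonce
    k2 = v.enroll("alice", "k2")                 # rotation: issue the new key first,
    v.revoke("alice", "k1")                      # then revoke the old one
    old = v.verify("alice", "k1", respond(k1, v.challenge("alice")))
    new = v.verify("alice", "k2", respond(k2, v.challenge("alice")))
    return ok, replayed, old, new
```

A response leaked from one exchange is useless for the next, and a leaked key stops working as soon as its key id is revoked.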