Equifax data hack shows that citizens have few rights when it comes to protecting personal information

By Bruce Schneier

Last Thursday, Equifax reported a data breach that affects 143 million U.S. customers, about 44% of the population. It’s an extremely serious breach; hackers got access to full names, Social Security numbers, birth dates, addresses, driver’s license numbers — exactly the sort of information criminals can use to impersonate victims to banks, credit card companies, insurance companies, and other businesses vulnerable to fraud.

Many sites posted guides to protecting yourself now that it’s happened. But if you want to prevent this kind of thing from happening again, your only solution is government regulation (as unlikely as that may be at the moment).

The market can’t fix this. Markets work because buyers choose between sellers, and sellers compete for buyers. In case you didn’t notice, you’re not Equifax’s customer. You’re its product.

This happened because your personal information is valuable, and Equifax is in the business of selling it. The company is much more than a credit reporting agency. It’s a data broker. It collects information about all of us, analyzes it all, and then sells those insights.

Its customers are people and organizations who want to buy information: banks looking to lend you money, landlords deciding whether to rent you an apartment, employers deciding whether to hire you, companies trying to figure out whether you’d be a profitable customer — everyone who wants to sell you something, even governments.

It’s not just Equifax. It might be one of the biggest, but there are 2,500 to 4,000 other data brokers that are collecting, storing, and selling information about you — almost all of them companies you’ve never heard of and have no business relationship with.

Surveillance capitalism fuels the Internet, and sometimes it seems that everyone is spying on you. You’re secretly tracked on pretty much every commercial website you visit. Facebook is the largest surveillance organization mankind has created; collecting data on you is its business model. I don’t have a Facebook account, but Facebook still keeps a surprisingly complete dossier on me and my associations — just in case I ever decide to join.

I also don’t have a Gmail account, because I don’t want Google storing my email. But my guess is that it has about half of my email anyway, because so many people I correspond with have accounts. I can’t even avoid it by choosing not to write to gmail.com addresses, because I have no way of knowing if newperson@company.com is hosted at Gmail.

And again, many companies that track us do so in secret, without our knowledge and consent. And most of the time we can’t opt out. Sometimes it’s a company like Equifax that doesn’t answer to us in any way. Sometimes it’s a company like Facebook, which is effectively a monopoly because of its sheer size. And sometimes it’s our cell phone provider. All of them have decided to track us and not compete by offering consumers privacy. Sure, you can tell people not to have an email account or cell phone, but that’s not a realistic option for most people living in 21st-century America.

The companies that collect and sell our data don’t need to keep it secure in order to maintain their market share. They don’t have to answer to us, their products. They know it’s more profitable to save money on security and weather the occasional bout of bad press after a data loss. Yes, we are the ones who suffer when criminals get our data, or when our private information is exposed to the public, but ultimately why should Equifax care?

Yes, it’s a huge black eye for the company — this week. Soon, another company will have suffered a massive data breach and few will remember Equifax’s problem. Does anyone remember last year when Yahoo admitted that it exposed personal information of a billion users in 2013 and another half billion in 2014?

This market failure isn’t unique to data security. There is little improvement in safety and security in any industry until government steps in. Think of food, pharmaceuticals, cars, airplanes, restaurants, workplace conditions, and flame-retardant pajamas.

Market failures like this can only be solved through government intervention. By regulating the security practices of companies that store our data, and fining companies that fail to comply, governments can raise the cost of insecurity high enough that security becomes a cheaper alternative. They can do the same thing by giving individuals affected by these breaches the ability to sue successfully, citing the exposure of personal data itself as a harm.

By all means, take the recommended steps to protect yourself from identity theft in the wake of Equifax’s data breach, but recognize that these steps are only effective on the margins, and that most data security is out of your hands. Perhaps the Federal Trade Commission will get involved, but without evidence of “unfair and deceptive trade practices,” there’s nothing it can do. Perhaps there will be a class-action lawsuit, but because it’s hard to draw a line between any of the many data breaches you’re subjected to and a specific harm, courts are not likely to side with you.

If you don’t like how careless Equifax was with your data, don’t waste your breath complaining to Equifax. Complain to your government.
_________________

Bruce Schneier is a lecturer at the Harvard Kennedy School and a fellow at the Berkman-Klein Center for Internet and Society. He blogs at www.schneier.com.

  • StillWatching

    This guy lost me when he said that the answer must come from government. All the statists, collectivists and socialists will buy into that nonsense and arguing with them is like trying to teach a pig to sing. All you do is waste your time and annoy the pig.

    • From Bruce Schneier’s Wikipedia page:

      “Bruce Schneier is an American cryptographer, computer security professional, privacy specialist and writer. He is the author of several books on general security topics, computer security and cryptography.

      “Schneier is a fellow at the Berkman Center for Internet & Society at Harvard Law School, a program fellow at the New America Foundation’s Open Technology Institute. He has been working for IBM since they acquired Resilient Systems where Schneier was CTO. He is also a contributing writer for The Guardian news organization.

      “Field: Computer science.

      “Institutions: Harvard University, Counterpane Internet Security, Bell Labs, United States Department of Defense, BT Group.”

      I.e., not “This Guy.”

      • StillWatching

        When he tells me to seek answers to my problems from government, he’s relegated to “this guy” status. You can worship at his altar if you like, I don’t choose to.

      • sueb4bs

        huh??

  • Finn O’Gorman

    This is a fine complement to Frank Foer’s Monday piece. Kudos to Cuenca High Life for once again publishing a thoughtful, relevant article on a matter that affects each one of us.

  • I got this from ISSurvivor in 2005. A lot of it applies to this situation.

    [begin quote]

    Timely advice, forwarded from [a reader], who says “I bounced this off of a few attorney buddies. Basically the feedback I’ve received is that the advice is sound. The only other input was that before taking action #2, check with the holder of your charge card …”

    ATTORNEY’S ADVICE-NO CHARGE Read this and make a copy for your files in case you need to refer to it someday. Maybe we should all take some of his advice! A corporate attorney sent the following out to the employees in his company.

    1. The next time you order checks have only your initials (instead of first name) and last name put on them. If someone takes your checkbook, they will not know if you sign your checks with just your initials or your first name, but your bank will know how you sign your checks.

    2. Do not sign the back of your credit cards. Instead, put “PHOTO ID REQUIRED”.

    3. When you are writing checks to pay on your credit card accounts, DO NOT put the complete account number on the “For” line. Instead, just put the last four numbers. The credit card company knows the rest of the number, and anyone who might be handling your check as it passes through all the check processing channels won’t have access to it.

    4. Put your work phone # on your checks instead of your home phone. If you have a PO Box use that instead of your home address. If you do not have a PO Box, use your work address. Never have your SS# printed on your checks. You can add it if it is necessary. But if you have it printed, anyone can get it.

    5. Place the contents of your wallet on a photocopy machine. Do both sides of each license, credit card, etc. You will know what you had in your wallet and all of the account numbers and phone numbers to call and cancel. Keep the photocopy in a safe place. I also carry a photocopy of my passport when I travel either here or abroad. We’ve all heard horror stories about fraud that’s committed on us in stealing a name, address, Social Security number, credit cards.

    Unfortunately, I, an attorney, have firsthand knowledge because my wallet was stolen last month. Within a week, the thieve(s) ordered an expensive monthly cell phone package, applied for a VISA credit card, had a credit line approved to buy a Gateway computer, received a PIN number from DMV to change my driving record information online, and more. But here’s some critical information to limit the damage in case this happens to you or someone you know:

    1. We have been told we should cancel our credit cards immediately. But the key is having the toll free numbers and your card numbers handy so you know whom to call. Keep those where you can find them.

    2. File a police report immediately in the jurisdiction where your credit cards, etc., were stolen. This proves to credit providers you were diligent, and this is a first step toward an investigation (if there ever is one).

    But here’s what is perhaps most important of all: (I never even thought to do this.)

    3. Call the 3 national credit reporting organizations immediately to place a fraud alert on your name and Social Security number. I had never heard of doing that until advised by a bank that called to tell me an application for credit was made over the Internet in my name. The alert means any company that checks your credit knows your information was stolen, and they have to contact you by phone to authorize new credit.

    By the time I was advised to do this, almost two weeks after the theft, all the damage had been done.

    There are records of all the credit checks initiated by the thieves’ purchases, none of which I knew about before placing the alert. Since then, no additional damage has been done, and the thieves threw my wallet away this weekend (someone turned it in). It seems to have stopped them dead in their tracks.

    Now, here are the numbers you always need to contact if your wallet, etc., has been stolen:

    1.) Equifax: 1-800-525-6285

    2.) Experian (formerly TRW): 1-888-397-3742

    3.) Trans Union: 1-800-680-7289

    4.) Social Security Administration (fraud line): 1-800-269-0271

    Disclaimer: While this sounds like great advice to me, I’m not an attorney. Apply your own judgment.

    The author of this advice gained no business advantage from writing and distributing it. It was simply an attempt to make the lives of the employees in his company a little bit better. Which, I imagine, they appreciated. Which strengthened their relationship with their employer. Which, come to think of it, is a business advantage after all.

    [end quote]

    Also, and more up to date, I read a great piece last week at Kalzumeus, (the writings of Patrick McKenzie) titled “Identity Theft, Credit Reports, and You”. I’m leaving out the URL because the gods here jealously delete such things, but you can find it if you want. Worth a read.

    • StillWatching

      Seems like very sound advice, all without the involvement of big brother.

    • Ken

      I quote from your comment: “Unfortunately, I, an attorney, have firsthand knowledge because my wallet was stolen last month. Within a week, the thieve(s) ordered an expensive monthly cell phone package, applied for a VISA credit card, had a credit line approved to buy a Gateway computer,”

      If you had a CREDIT FREEZE with all three credit reporting agencies, none of this would have happened. Be proactive. Freeze Your Credit Today.
      Here is how:
      http://clark.com/personal-finance-credit/credit-freeze-and-thaw-guide/

  • Ken

    We must talk about the only effective tool to protect yourself against what Equifax has done:
    Repeat after me: FREEZE – YOUR – CREDIT – NOW.
    Equifax has waived its fee temporarily to do this. Don’t sign up for the Equifax bullshit Credit Monitoring Service.
    Here is how to freeze your credit. Do it today.

    http://clark.com/personal-finance-credit/credit-freeze-and-thaw-guide/

  • sueb4bs

    Worked in the computer consulting biz in the U.S. This credit reporting hack is beyond terrifying. PERIOD.

    CHL, thanks for the good article, rational and importantly lays the truth out there. Here in Quito no Net quality for the past few days. So I am praying because there is NO EASY SOLUTION on this one..

    Appreciate your playing this story twice as it needs to be read with care…
