Monday, September 11, 2017

Equi-Fu**ed

I've written about online privacy before and the utter helplessness surrounding it for the individual citizen.  The Equifax hack highlights this again and takes it to new and more horrifying heights.

Equifax, one of the three credit reporting agencies used by every US entity that needs to decide if any one person is trustworthy, had 143 million records stolen out of their supposedly secure database.  That is roughly two-thirds of the population with a credit report (approximately 246 million people aged fifteen and up).  Bottom line: your information has been exposed.

There have been many data hacks in the past, from Target to Sony to Gmail and on.  This one is worse.  While those others have had some information, often including social security numbers and credit card information, Equifax makes its business collecting all of that information: credit card payment histories, utility payment histories, mortgages, employment, bank accounts and more.  On everyone who has ever opened any of those.  They collect all of this so that they can help banks and employers and others decide if you will pay your bills on time.  If you are someone who is responsible.

But how can any of that be trusted if the company collecting it proves not to be responsible?

Criminally Negligent?

Part of the issue is how the law treats companies like Equifax.  They fall under the purview of the Federal Trade Commission (FTC) and the Consumer Financial Protection Bureau.  Equifax even appears to have followed the security guidelines set forth by those entities.  This means that, as far as the data breach is concerned, Equifax probably did not do anything illegal that led to this hack.  After the hack?  We'll get to that.

What this highlights is that the regulations around Equifax and the other two credit agencies, Experian and TransUnion, are behind the times.  It takes time to write regulations and then to implement policies related to those regulations.  Time that the black hat community is using to develop new and more capable tools.  They do not have regulations to hold them back, just time to poke at the various security protocols.  Following the letter of the law, in this case, is not enough.  All of these reporting agencies need to be more proactive than that.


Civilly Negligent?

How Equifax chose to handle the data breach is another issue.  And more telling.  Instead of immediately recognizing the breach, admitting it and working on a solution for the hundreds of millions of people affected, they sat on it.  For almost two months.  Then, just prior to going public, several of their managers sold off company stock before the bottom dropped out of it.  That is illegal and the Securities and Exchange Commission will no doubt be taking a long, hard look at the whole mess.

They are also playing the time-honored game of passing the buck and blaming a flaw in a vendor's software for allowing the breach to happen in the first place.  This may be true, but it certainly does not let them off the hook.  Where is their due diligence in checking out what that vendor has to offer and how they are keeping up to date?

Finally, on the moral side, they have tried to turn their lemons into lemonade by getting everyone concerned about the hack to sign up for their (suddenly free) credit checking service and waive their right to legal action.  They have since backed off on this requirement, but their hack-checking site still has a ton of problems.  Problems that include not being able to trust the results.

In all of this non-legal, post-hack court of public opinion, Equifax is at best incompetent and at worst fully up to their ears in deliberate mishandling of the situation.  They are definitely open to civil proceedings, individual or class action (some of which have already been filed).


What CAN We Do?

I'm not a lawyer or an expert in protecting yourself.  Plus there are a ton of guides that offer all kinds of advice.

But that is all short term advice.  At best, it protects you for 90 days.  Or until the next hack at a different company.  And the one after that.  And on and on.  These hacks will continue as long as the information that these companies collect is valuable and accessible.

And that is where those attempting to solve this mess need to focus their time.  Accessibility and Value.

Accessibility

These major companies are doing their best to make this information inaccessible and failing.  That means that someone else needs to take a shot.  One of the newer technologies out there that is tailor-made for tracking information and keeping it safe is the smart contract, the foundation of crypto-currencies.  Think the blockchain behind Bitcoin.  These systems are designed to control access across huge databases, providing security and anonymity.

This is the medium term solution.

Value

The long term solution is to find another way to trust each other.  This is a bit more (a lot more) utopian in tone.  Many of these trust issues have to do with people who swindle and steal for their own gain.  That is what needs to be fixed.  How we value and track a person's worth can no longer be based on the type of car they drive or how big their house is or the quality of their clothes.  Instead, it needs to be built on things that cannot be stolen or swindled: their thoughts and accomplishments.

This very much gets back to Universal Basic Income as a catalyst for this change.  Without having to worry about food or shelter, what could we accomplish?
