As hacks seem to occur daily, what is a reasonable expectation of security for us regular folks?
In one of their many posts covering the topic, Ars shared a brief writeup a short time ago on some of the causes, negligence, and aftermath of the Equifax breach that was made public in early September. For those not yet aware, Equifax, one of the three main U.S. credit bureaus (i.e., the guys who give credit scores to people), had over 140 million people’s credit information stolen.
Not only did Equifax wait months to inform anyone of the breach (it happened in May), but the breach was preventable. The vulnerability in the software systems that led to the breach appears to have been a two-month-old exploit that could have been plugged by an active security team. Presumably Equifax had such a team on staff or contracted with one, considering their database is quite literally the holy grail of identity and credit information. But who knows yet. We’ll see a lot more come out about this in coming weeks, I’m sure. And that’s not even counting all the years of litigation that I’m sure will emerge from this incident.
This leads me to questions I’ve been pondering this week related to this story:
- What is the expectation of security and privacy in today’s life, even when not intentionally using digital services (such as the case with Equifax)? [also, I’m using privacy and security as two different concepts here]
- Who is responsible for pursuing the battle against would-be hackers and invaders of privacy?
- If this hole was known to security professionals and researchers for two months, is Equifax liable and negligent for not implementing fixes?
- Or does a company with which you do business only have to perform some baseline privacy and security protocols to meet a level of security we consumers expect and not necessarily keep up with every to-the-minute change in security practices?
- Finally, if we want a baseline level of expected security and privacy that we should impose on companies that take private, identifiable information, what should that baseline level consist of?
The above questions also have a big assumption underlying them when considering our expectation of privacy and security with tech use: that we intentionally choose to be a part of a technology, app, or software and expect our interaction with the companies that make these tools to have some guarantee of privacy and security. But there’s a twist in this case: Equifax collects information on people even if they don’t want it to. The streams of information are often invisible, and requests are made for this information sometimes daily by potential creditors or others seeking information. Unfortunately, the Equifax hack victims didn’t sign up for their service, nor did they have a choice. They did not necessarily do business with Equifax (like when Target had a breach of their credit card terminals), although Equifax does offer some services. In short, most victims did not sign up for the main service that Equifax offers: collecting your credit history and identity information in a sort of monopolistic way and dishing it out to creditors who submit qualified queries. Thus, anyone with a credit history has a profile on Equifax — some of the most sensitive information that a person owns.
People didn’t ask to be a part of Equifax’s database, but instead are signed up by default whenever credit is used, even if no lines of credit are extended (e.g., setting up a cell phone plan or paying for power or gas to an apartment). There’s no signup process, and opting out of the credit bureaus is like opting out of society and going off the grid. I can’t believe that individuals can be responsible here, and so Equifax must be responsible at some level. They took custody of all this data, so part of that is a continued defense of that data in today’s digital security climate. The idea that security is expected becomes more complicated because many people never even asked Equifax to interact with them, but they maintain a database that rivals that of state records divisions and the federal government social security or IRS offices. There is only one direction in the invisible flow of information from the consumer to the credit bureau. And the government is cool with them collecting and storing all this incredibly sensitive information.
There’s also a decent parallel here to educational technologies that collect data on students in schools. Students do not typically opt in to participate with the tech that is chosen for their classroom. Instead, it is a part of the curriculum or its use is expected during normal everyday educational contexts. As such, there’s again an expectation of privacy and security that is not unlike that of the more adult version of the credit bureau data stewardship. We should expect that kids’ information be secure, with privacy and security a chief concern of ed-tech vendors. However, this is frequently not the case, leading many to join movements to push vendors to make explicit their commitments to securing student data and not distributing it to third parties. Examples of this recent push for ed-tech privacy include ed-tech companies’ voluntary commitment to the Student Privacy Pledge and the U.S. Department of Education’s Student Privacy initiative. Parents and teachers likely have at least some level of expectation that this data remain secure and private, considering students don’t always have a choice in the matter.
If we can agree that there should be some effort on the part of data collectors to maintain privacy and security, I’m left wondering what a good effort toward maintaining security looks like. Does everyone who participates on the web (or maintains some kind of website, social media profile, or web server) need to add security to their list of responsibilities when deciding to participate online and publishing information? For a smallish website owner that only shares stuff in one direction and doesn’t collect info from people, this would probably consist of keeping abreast of best practices in security and knowing the most common attacks that website owners face (or contracting with someone who does know). For those who run internet shops or otherwise collect and save personal information from folks (i.e., 2-way information flow), this responsibility to others becomes significantly more complicated. When I do business now on the web, or share any personal info (even usernames/passwords), I think I make an assumption that the info is secure and will be held in stewardship by those with whom I’m sharing. We internet citizens place a level of trust in those who take our information, but I’m unsure that we know the degree to which this trust is acknowledged on the other side. And it’s different for every website and service we visit (or in the case of Equifax, those we don’t use or visit).
I think more responsibility for security and privacy should be on Equifax’s plate, largely because they are trusted to take and store this information by the government (in the form of policy) and to be a clearinghouse for most of your sensitive data. Should they likewise have a responsibility to be the most dedicated to the security of this data? I think so, but I don’t know enough about the regulations and policies on the matter. What I am certain of, though, is that we’ll see a great many court cases play out in the coming years to see just how far the law protects consumers and expects companies to protect data and privacy.
I’m not sure what the legal precedent is here, but I think the collection of personal information brings the expectation of privacy to a much more robust level. In the Equifax case, this is a breach of the highest order. Their dataset is the definition of identity in our connected society. Nobody is at fault here but the credit bureau. I think the reasonable expectation of privacy and security increases with the complexity and degree of personal identification of the data you’re collecting. Because nobody asked to be monitored by a credit bureau, it passes the buck further to Equifax.
Should Equifax have been expected to patch up a two-month-old hole in their code? Should they have been actively monitoring security updates and news to stay up on the latest thoughts in the field? Should they have been creatively anticipating scenarios of breaches and ways to manipulate the system? To all these questions, an unequivocal yes.
You can find out if you were included in the approximately 143 million people affected by the Equifax leak by going to this site. They’re giving some paltry services out to those affected, but those who are concerned are better off putting a fraud alert on their credit profile (in which creditors have to contact you) or freezing their credit profile (no creditors can check the service unless you lift the freeze). Except, Equifax’s fraud alert submission form did not work when I tried to use it as a precaution. And today, The Verge reported that someone can easily overturn a freeze at Experian (another credit bureau) with info that was released in the breach. Ugh.
We’ll see how this debacle unfolds. Something at this scale may require some congressional input or regulation, or at the least some deliberation in the courts on whether consumers will be liable for theft of information. I think we’ll also see some dialogue on improving the recourse that consumers have if they’re the victim of information theft. ~140 million people is close to half of the United States’ population…