Saturday, September 24, 2016
On September 17th, in my When a Hack is Worse Than a Bad Cough blog, I presented the combination of the relative naiveté of some of our most powerful political leaders, the severe impact of the cyber leaks and hacks, and the ability of outsiders, notably North Korea and Putin’s operatives in Russia, to impair our election process and our most basic economic institutions. The risks are obvious, from every level, and the information can change political systems and decimate careers of the rich and famous. Think Wikileaks and the Panama Papers.
Want information on the bigwigs or top business/government officials? The new strategy is not to go directly there: “These days, intelligence and security experts say, nearly anyone can be the target of government-sponsored hackers. By perusing the personal accounts of people with even the thinnest thread of a connection to power, hackers can unearth the occasional gold nugget, like the low-level Democratic operative whose private email correspondence, published online by hackers on Thursday, detailed the movements of Vice President Joseph R. Biden Jr. and Hillary Clinton and what appears to be Michelle Obama’s passport.
“This expanded hacking strategy presents a new challenge: While top-secret material is usually kept in more secure computer systems, it is hard — if not impossible — to predict what information people are exchanging in personal email accounts. And it is even harder to know if hacking into one person’s account can set off a cascading chain of events that could lead foreign spies to more useful information.” New York Times, September 23rd. And there is the down and dirty, greed-driven commercial deal-making that comes from such data intrusions.
The dark side of the Web manifests a plethora of economic transactions – bundling stolen personal information, from Social Security numbers to credit card accounts and medical records – where cyber criminals can buy personal data that they can turn into hard cash (lots of it) at your expense. Other cyber-criminals can hijack government and corporate accounts, lock data or threaten to leak it, unless large payments are made. You’d be shocked at how many government agencies, even police departments, have paid these ransom demands.
We see constant revelations of massive leaks of sensitive consumer information, the largest just reported by Yahoo! on September 22nd. Half a billion accounts were hacked and the personal information made available to cyber-criminals and freelance voyeurs with the digital competency to access that data. A class-action lawsuit filed almost instantly suggests a potential liability that could stop Verizon’s acquisition of Yahoo! The Washington Post’s Daily 202 (September 23rd) posted the above graphic. It is stunning when you think of the magnitude of data breaches. And if you want to extract any overall conclusion from all of this, it clearly has to include the most basic notion that our current password system is an utter failure that is no longer sustainable.
Everything you have ever posted online is up for grabs in a world where so much of our most basic interpersonal communication and commercial transactions are on the Web. Fingerprints (maybe different fingers for different accounts), retinal analysis, voiceprints, facial recognition or even a combination of these bio-authentication markers are vastly better, but also vastly more expensive to implement. So since it is clear that what we have now just plain does not work, why, asks the Post’s James Hohmann, haven’t we really taken the steps to move to a much better system? Pretty obvious question and leads rather quickly to a second Hohmann question: what’s in it and for whom in keeping our inadequate cyber-access platforms… er… inadequate and deeply vulnerable?
Hohmann notes that our focus has been on national security hacks but that we have become so used to consumer information falling into the wrong hands, it almost isn’t news anymore… when he correctly believes it should be. Our individual privacy seems expendable, and our outrage seems to be relegated to government leaks. Why?
Hohmann first looks at Trump and Clinton:
“Both presidential candidates have talked about the need to improve cybersecurity, but neither wants to be too out front on this issue:
“Hillary Clinton – who the director of the FBI has called ‘extremely careless’ about her email use – does not want to draw attention to how vulnerable private accounts are to being hacked…
“And Donald Trump has an abysmal record when it comes to safeguarding the data of his customers. Trump’s hotel chain disclosed this April that its computers had been attacked, but Eric Trump refused to say just how badly. Last year, Trump’s company admitted that hackers had installed malicious software into their payment systems – potentially collecting the credit card information of anyone who stayed at one of the GOP nominee’s hotels over more than a year.
“Trump, of course, also encouraged the Russians to hack Clinton’s emails during the Democratic National Convention. And Rand Paul, who made privacy and opposition to government surveillance centerpieces of his campaign, failed to catch fire during the primaries.” The Post (Daily 202). But then, Hohmann looks at those with vested reasons not to improve cyber-security.
“Most lawmakers don’t want to rock the boat too much because they want to keep collecting as much money as possible from the tech titans. Many Republicans and Democrats crave photo ops with Silicon Valley CEOs to make them seem hip and friendly to innovation.
“Apple CEO Tim Cook, who has as much to lose as anyone if Congress ever took action to safeguard consumer protections online, has hosted fundraisers this year for both Hillary Clinton and Speaker Paul Ryan. He’s also maxed out to Republicans like Rob Portman and Democrats like Chuck Schumer.
“-- The official party apparatuses also don’t want the laws to change because they want to accumulate as much information about voters as possible to assist with their targeting efforts, and they don’t want to be held accountable for failing to properly safeguard all that data.
“-- The main reason Congress can get away with not passing cybersecurity and privacy legislation, at the behest of technology companies’ high-priced lobbyists, is that lawmakers do not feel the heat from the American people. Americans on the whole just do not care as much about privacy as people in places like Europe.
“-- By their nature, Americans are more worried about the feds keeping data on them than corporations, even though there are fewer legal and constitutional checks on big business than big government. Remember when a top executive at Uber said that the ride-sharing company could publicize the details of journalists’ personal lives in retaliation for unfavorable coverage?
“Uber’s senior vice president of business, Emil Michael, apologized in 2014 after BuzzFeed reported that, during a dinner with reporters, he floated the idea of spending ‘a million dollars’ to hire ‘four top opposition researchers and four journalists’ to ‘help Uber fight back against the press.’ ‘Nobody would know it was us,’ Michael said according to BuzzFeed. He still works at the company today. Think about that next time you order an Uber.” The Post (Daily 202).
In fact, if anything, U.S. governmental actions are actually making consumer privacy even more vulnerable. For example, in August, a federal court severely limited the Federal Trade Commission’s power to monitor and control social media’s use of personal tracking data – “the bits of information that tell advertisers how old you are, what brands you like and how long you lingered on that must-see cat video” (Washington Post, August 31st). Unless that decision is reversed on appeal or Congress fills the void, this arena may have become virtually unregulated.
Companies routinely change their privacy policies, usually at the expense of consumers, with few if any consequences. Meanwhile Congress just dithers: “‘Although President Obama proposed a federal law in 2015 that would give companies 30 days to notify the public about a discovered hack, lawmakers have yet to approve a single national standard,’ Hayley Tsukayama, Craig Timberg and Brian Fung note in [the September 23rd Washington Post]. ‘Companies now face a messy patchwork of state disclosure laws but no federal standard for reporting about breaches, including when, how and who was affected.’
“‘Action from Congress to create a uniform data breach notification standard so that consumers are notified in a much more timely manner is long overdue,’ Sen. Mark Warner (D-Va.) said in a statement last night.” The Post (Daily 202). Indeed, one of the most basic planks in the GOP platform is deeply anti-business-regulation of any kind, and nothing is likely to change consumer cyber-protections anytime soon given the current and expected near-term configuration in Congress. Those tech companies will keep funneling campaign cash, Super PAC support and really well-funded lobbying efforts to make sure consumers remain rather completely deprioritized by the federal government.
I’m Peter Dekom, and unless we as citizen-consumers scream loudly enough at our elected representatives for genuine protection, we can just sit back and read about the next and perhaps larger data breach… and the next… and the next.