On September 17th, in my
When a Hack is Worse Than a Bad Cough blog, I presented the combination of the
relative naiveté of some of our most powerful political leaders, the severe impact
of the cyber leaks and hacks and the ability of outsiders, notably North Korea
and Putin’s operatives in Russia, to impair our election process and our most
basic economic institutions. The risks are obvious, from every level, and the
information can change political systems and decimate careers of the rich and
famous. Think Wikileaks and the Panama Papers.
Want information on the
bigwigs or top business/government officials? The new strategy is not to go
directly there: “These days, intelligence and security experts say, nearly
anyone can be the target of government-sponsored hackers. By perusing the personal
accounts of people with even the thinnest thread of a connection to power,
hackers can unearth the occasional gold nugget, like the low-level Democratic
operative whose private email correspondence, published online by hackers on
Thursday, detailed the movements of Vice President Joseph R. Biden Jr. and
Hillary Clinton and what appears to be Michelle Obama’s passport.
“This expanded hacking
strategy presents a new challenge: While top-secret material is usually kept in
more secure computer systems, it is hard — if not impossible — to predict what
information people are exchanging in personal email accounts. And it is even
harder to know if hacking into one person’s account can set off a cascading
chain of events that could lead foreign spies to more useful information.” New
York Times, September 23rd. And there is the down and dirty, greed-driven
commercial deal-making that comes from such data intrusions.
The dark side of the Web
manifests a plethora of economic transactions – bundling stolen personal information,
from Social Security numbers to credit card accounts and medical records –
where cyber criminals can buy personal data that they can turn into hard cash
(lots of it) at your expense. Other cyber-criminals can hijack government and
corporate accounts, lock data or threaten to leak it, unless large payments are
made. You’d be shocked at how many government agencies, even police
departments, have paid these ransom demands.
We see constant
revelations of massive leaks of sensitive consumer information, the largest
just reported by Yahoo! on September 22nd. Half a billion accounts were hacked
and the personal information made available to cyber-criminals and freelance
voyeurs with the digital competency to access that data. A class-action lawsuit
filed almost instantly suggests a potential liability that could stop Verizon’s
acquisition of Yahoo! The Washington Post’s Daily 202 (September 23rd) posted
the above graphic. It is stunning when you think of the magnitude of data
breaches. And if you want to extract any overall conclusion from all of this,
it clearly has to include the most basic notion that our current password
system is an utter failure that is no longer sustainable.
Everything you have ever
posted online is up for grabs in a world where so much of our most basic
interpersonal communication and commercial transactions are on the Web.
Fingerprints (maybe different fingers for different accounts), retinal
analysis, voiceprints, facial recognition or even a combination of these
bio-authentication markers are vastly better, but also vastly more expensive to
implement. So since it is clear that what we have now just plain does not work,
why, asks the Post’s James Hohmann, haven’t we really taken the steps to move
to a much better system? A pretty obvious question, and it leads rather quickly to a
second Hohmann question: what’s in it and for whom in keeping our inadequate
cyber-access platforms… er… inadequate and deeply vulnerable?
Hohmann notes that our
focus has been on national security hacks but that we have become so used to
consumer information falling into the wrong hands, it almost isn’t news
anymore… when he correctly believes it should be. Our individual privacy seems
expendable, and our outrage seems to be relegated to government leaks. Why?
Hohmann first looks at
Trump and Clinton:
“Both presidential
candidates have talked about the need to improve cybersecurity, but neither
wants to be too out front on this issue:
“Hillary Clinton – who
the director of the FBI has called ‘extremely careless’ about her email use –
does not want to draw attention to how vulnerable private accounts are to being
hacked…
“And Donald Trump has an
abysmal record when it comes to safeguarding the data of his customers. Trump’s
hotel chain disclosed this April that its computers had been attacked, but Eric
Trump refused to say just how badly. Last year, Trump’s company admitted that
hackers had installed malicious software into their payment systems –
potentially collecting the credit card information of anyone who stayed at one
of the GOP nominee’s hotels over more than a year.
“Trump, of course, also
encouraged the Russians to hack Clinton’s emails during the Democratic National
Convention. And Rand Paul, who made privacy and opposition to government
surveillance centerpieces of his campaign, failed to catch fire during the
primaries.” The Post (Daily 202). But then, Hohmann looks at those with vested
reasons not to improve cyber-security.
“Most lawmakers don’t
want to rock the boat too much because they want to keep collecting as much
money as possible from the tech titans. Many Republicans and Democrats crave
photo ops with Silicon Valley CEOs to make them seem hip and friendly to
innovation.
“Apple CEO Tim Cook, who
has as much to lose as anyone if Congress ever took action to safeguard
consumer protections online, has hosted fundraisers this year for both Hillary
Clinton and Speaker Paul Ryan. He’s also maxed out to Republicans like Rob
Portman and Democrats like Chuck Schumer.
“-- The official party
apparatuses also don’t want the laws to change because they want to accumulate
as much information about voters as possible to assist with their targeting
efforts, and they don’t want to be held accountable for failing to properly
safeguard all that data.
“-- The main reason
Congress can get away with not passing cybersecurity and privacy legislation,
at the behest of technology companies’ high-priced lobbyists, is that lawmakers
do not feel the heat from the American people. Americans on the whole just do not
care as much about privacy as people in places like Europe.
“-- By their nature,
Americans are more worried about the feds keeping data on them than
corporations, even though there are fewer legal and constitutional checks on
big business than big government. Remember when a top executive at Uber said
that the ride-sharing company could publicize the details of journalists’
personal lives in retaliation for unfavorable coverage?
“Uber’s senior vice
president of business, Emil Michael, apologized in 2014 after BuzzFeed reported
that, during a dinner with reporters, he floated the idea of spending ‘a
million dollars’ to hire ‘four top opposition researchers and four journalists’
to ‘help Uber fight back against the press.’ ‘Nobody would know it was us,’ Michael
said, according to BuzzFeed. He still works at the company today. Think about
that next time you order an Uber.” The Post (Daily 202).
In fact, if anything,
U.S. governmental actions are actually making consumer privacy even more
vulnerable. For example, in August, a federal court severely limited the
Federal Trade Commission’s power to monitor and control social media’s use of
personal tracking data – “the bits of information that tell advertisers how old
you are, what brands you like and how long you lingered on that must-see cat
video” (Washington Post, August 31st). Unless that decision is reversed on
appeal or Congress fills the void, this arena may have become virtually
unregulated.
Companies routinely
change their privacy policies, usually at the expense of consumers, with few if
any consequences. Meanwhile Congress just dithers: “‘Although President Obama
proposed a federal law in 2015 that would give companies 30 days to notify the
public about a discovered hack, lawmakers have yet to approve a single national
standard,’ Hayley Tsukayama, Craig Timberg and Brian Fung note in [the
September 23rd Washington Post]. ‘Companies now face a messy patchwork of state
disclosure laws but no federal standard for reporting about breaches, including
when, how and who was affected.’
“‘Action from Congress to
create a uniform data breach notification standard so that consumers are
notified in a much more timely manner is long overdue,’ Sen. Mark Warner
(D-Va.) said in a statement last night.” The Post (Daily 202). Indeed, one of
the most basic planks in the GOP platform is deep opposition to business regulation of
any kind, and nothing is likely to change consumer cyber-protections anytime
soon given the current and expected near-term configuration in Congress. Those
tech companies will keep funneling campaign cash, Super PAC support and really
well-funded lobbying efforts to make sure consumers remain rather completely
deprioritized by the federal government.
I’m
Peter Dekom, and unless we as citizen-consumers scream loudly enough at our
elected representatives for genuine protection, we can just sit back and read
about the next and perhaps larger data breach… and the next… and the next.