The Progressive Ensign

insights and analytics to build an economy that works for all

Category: Privacy

Our Economic Security is Threatened By Data Breaches

Image: npr.org

Six months ago the EU General Data Protection Regulation (GDPR) was implemented, setting major fines if user data was not adequately protected. The GDPR required that users be able to ‘opt in’ to the use of their data, which is why users see cookie permission screens when they access a web site. The regulation gives users primary control over their data and where it is stored. Information on a user must be stored in a non-identified manner. Breaches must be immediately fixed and reported within 72 hours. Companies are required to have a Data Protection Officer who is responsible for GDPR enforcement and support to users. Users can require that their data be erased at any time. Individuals can request a portable copy of their data as well. Violators of the GDPR can be fined up to 20 million euros or 4% of their annual revenues.

Seer Interactive has surveyed both EU and U.S. sites and found that EU sites were much more secure than U.S. sites. Using simple Google index commands, experts were able to glean usernames, addresses, phone numbers, and dollar figures of purchases or donations.

Source: Statista – 2018

Data breaches reached a peak in 2017 at 1,579 incidents with over 178 million records accessed. A super incident occurred at Yahoo with over 1 billion records accessed in 2017. In 2015, Experian suffered a data breach exposing 15 million records. About 1 year ago, Equifax was hacked, exposing over 143 million user records including social security numbers, addresses, phone numbers and bank account information. Hearings were held by Congress but nothing happened, except that Equifax tried to fix the problem and eventually gave in to offering a free account freezing service after major backlash at charging for the service. Identity theft is a huge issue; it is the most common type of data breach, at 59% of all data incidents. There are reports of a new trend in identity theft in which perpetrators send a ransom email after an account has been hacked, showing a user’s account and password, then threaten to post private information unless a major sum is transferred to a Bitcoin account immediately.

Next steps:

Senator Mark Warner (D-VA) declared after the Equifax incident, “It is no exaggeration to suggest that a breach such as this — exposing highly sensitive personal and financial information central for identity management and access to credit — represents a real threat to the economic security of Americans.” We agree: data breaches of the Equifax and Yahoo magnitude are a real threat to the economic security of all Americans.

So, what has Congress done about making corporations running the Internet accountable to users for their lack of data protection? Nothing, though two Democratic senators have tried to get legislation passed to protect users.

Senator Elizabeth Warren (D-MA) and Senator Warner introduced legislation in January of this year to hold credit reporting agencies accountable for data breaches and user data protection.

The bill, called “The Data Protection and Compensation Act”, would hold credit reporting agencies (CRAs) accountable for safeguarding all consumer information. The bill establishes oversight by the FTC on cyber security at CRAs. In addition, when breaches occur, penalties are awarded of $100 per consumer and an additional $50 per consumer personal identification record exposed. In the Equifax case, the penalty would total $1.5 billion. The FTC is instructed to use 50% of the award to compensate consumers who were victims of the breach. In addition, we believe that provisions should be inserted in every User Agreement requiring that the service provider be accountable to the user, make good any harm done, and report directly to the user within 24 hours that their account has been hacked.

We do have a new House of Representatives being sworn in this January, where Democrats hold a majority, so it is possible that transforming legislation like the Warren – Warner bill could be introduced. Yet the Senate looks to be controlled by the GOP next year, so any likelihood of passage with President Trump in power is nil. Still, we need to keep this issue in front of our political leaders and continue the national discourse, because today Internet corporations are too complacent and will continue to be until penalties have teeth to wake them up to the priority of protecting user data tightly.

Our Internet Purchases Are Private, Let’s Keep It That Way

(Editor Note: Insight Bytes focus on key economic issues and solutions for all of us, on Thursdays we spotlight in more depth Solutions to issues we have identified. Fridays we focus on how to build the Common Good.)

Image: scienceprogress.org

A year ago, Mastercard sold consumer store transaction data to Google, which correlates the store transaction information with searches for the same product or service and sells it to advertisers. Advertisers can see patterns in consumer behavior from the ads that are run and whether a prospective buyer went to the store to buy the item or bought it online (online tracking databases). This strategy by Google is focused on Amazon’s business and its recent moves into in-store retail to dominate emerging sectors.

Google is dominant in digital advertising:

Sources: eMarketer, Recode – 2018

In digital advertising, Google has 2 times the share of its next largest competitor, Facebook. In mobile advertising, Google has a 1.5 times greater share of the advertising business. In short, Google is the digital advertising player for most advertisers to work with, and Google is interested in maintaining that dominant position versus possible competitors like Amazon. Amazon now has 50% of the eCommerce business in the U.S. The eCommerce behemoth is in a position to both track consumer behavior and offer point-of-decision purchase capabilities.

So, what does this mean for us as users and our privacy? Google is no longer a company just setting up a partnering relationship with Mastercard; they are controlling the retail market and manipulating data to put us under constant surveillance. We did not give our permission to Google to constantly put us under surveillance. It is dangerous to our private lives to have a big corporation or its partners knowing everything we are doing and buying. What happens if hackers break into these databases and begin to use the data to find us, siphon off our purchases, or find out our transaction information or credit card data?

Next Steps:

The first principle is that we own our data, and we own the patterns of our searches; that is our proprietary information because it is our behavior and is not owned by the company. When users search on Google, they are looking for an idea, a product, a service or a person, not to be spied on. Recently, Google was still keeping user location even when the user turned off location services. A couple of years ago Google tracked words in user email messages and sold the information to advertisers, so if a user mentioned their child’s bike, all of a sudden bike ads were showing up in the side bar. They finally ended this practice after a lot of complaints that it was just too spooky.

Second, Google and Internet companies can’t build trust with users if they are constantly telling us one thing and doing something else to their benefit and not ours. The U.S. should look at implementing a policy like the EU General Data Protection Regulation (GDPR), which could be widened to include schemes like the Google – Mastercard deal. The GDPR provides users with control over their personal data and how or if it may be transmitted outside of the country. The GDPR particularly focuses on personally identifiable information and how this information is to be handled in a confidential manner, not disclosed to third parties, and made anonymous to outsiders. In a provision we particularly like, the information processor (i.e., Google) must enable users to erase their information on the system.

We need to take a stand as a user community that user rights come first. Users own their data, not the processors. Users should have control over any processing of that data and who has access to their personal data. Otherwise, we are opening our citizens to corporate spying for any reason, and opening the linked Mastercard – Google profile data to targeting by hackers.

EU Defends Social Media User Privacy – We Should Follow

 

Image: fbi.gov

The EU has been working with social media companies to comply with new regulations protecting consumer privacy on social media, called the General Data Protection Regulation or GDPR. The EU will begin enforcement of the act in May. The commissioner leading the privacy protection effort, Vera Jourova, found that both Google and Facebook were implementing software features to support the new regulation. The GDPR regulations seek to limit the actions huge social media companies take to gain control of customer data in exchange for services. The regulations require that affirmative consent be obtained before any social media company can give its advertising clients access to users.

Google has told website owners and app publishers they must explicitly obtain users’ consent for targeted ads or they will be cut off from the Google ad network. Facebook has placed pop-up pages on its European sites to invite users to affirm their receptivity to targeted ads. Their marketing clout has put small ad tech companies that work directly with site providers in a bind, as advertisers don’t want users hit with many consent pop-ups from multiple sites. Google and Facebook make it easy and simple for digital advertisers to reach their audiences with targeted ads with one permission screen. The two social media behemoths are forcing many ad tech companies into a difficult position with their clients, and some may go out of business.

Source: The Wall Street Journal – 4/23/18

Google and Facebook track the majority of web page loads for surveillance of users and targeting ads. This means they have unchecked marketing power with advertisers and users to promote their digital channels to the exclusion of other players.

Next Steps:

Frankly, the EU regulations don’t go far enough; the law should establish that users own their content and license its use to the social media corporations for certain limited business purposes. Besides explicit consent for allowing tracking, users should be able to opt out of tracking if they want and still be able to use the service, leaving advertisers to reach users only when they are on their site. We don’t allow cable broadcasters to track their viewers (even though digitally they know who is watching) and place ads based on what channel they are watching. Targeted advertising is a form of spying on the users, and needs to stop. Google and Facebook should also make their consent information available to websites that use their services, to make a level playing field on ad networks. We need to carefully examine the business processes of these new giant companies to ensure that market rules are set up for a level playing field for all participants, and further review breaking up services where undue market clout is being exercised. For example, Google has over 7 different services which 1 billion people use at least once per month. A detailed investigation should be conducted by the DOJ to evaluate the anti-trust and public good issues inherent in such market power. We note in our blog on Identity Theft that corporations need to be held accountable for securing our content, and they have a fiduciary responsibility to us to safeguard our content for us as content owners.

Corporations Are Not Protecting Us from Identity Theft

Image: consumer.ftc.gov

There is a contract between users and the online service provider, called a User Agreement, that our privacy and identity will be protected. When Internet platform providers do not protect our privacy and account information they are violating the agreement and should be held legally accountable. These voluminous agreements are written completely from the company point of view, forcing the user to turn over content rights to the platform provider. This is just not fair: it is our content, and we created it. It is like writing with a pen; the pen company does not own the article I just wrote. Neither should Internet platform providers like Google, Facebook and Apple be allowed to do whatever they want with the content I create. They didn’t create it and should not own it.

We bring this starting point up because the latest data breach, of 50 million users, announced belatedly by Facebook, is another case in point. Executives looked at the problem casually; their spokesman would not even call it a breach because ‘no passwords were broken into’. No, instead Facebook just gave access to Cambridge Analytica and then sent a form asking if Cambridge had deleted the data; the respondent checked a box that said Yes. Facebook never bothered to do the due diligence on the firm to see if the 50 million records were actually deleted, records to which the firm never should have had access to begin with.

Source: Identity Theft Resource Center – 2017

The majority of the breaches are into businesses, while banking and credit institutions are bringing down the number of incidents. Yet the percentage of incidents that involve social security and credit card numbers is holding steady as hacking into systems increases. Experts at the Identity Theft Resource Center estimate that 171 million records were compromised in 2017, with a 44% increase from 2016. Based on announced incidents, the 171 million records compromised is probably on the low side of all the incidents during the year.

Today, Orbitz announced a breach into payment records for 850,000 users. Equifax disclosed last fall that 148 million users had their payment records compromised, though now they say it was ‘only partial driver’s license numbers and names’, not social security numbers or full driver’s licenses or credit card numbers. Yahoo discovered 2 years later that over 1 billion user accounts were compromised in 2013. The list goes on and on. What is clear is that the online industry is approaching user privacy and security in too casual a way.

Next Steps:

During the Obama administration a bill was introduced to strengthen privacy protections and make corporations accountable for data breaches. Senator Elizabeth Warren (D-MA) and Senator Mark Warner (D-VA) have introduced a bill to force credit reporting agencies to pay fines when data breaches occur, providing immediate disclosure and tools for remedying the problem to consumers. Senator Warner also introduced a bill to require that credit agencies make credit freezing services available free of charge. Firms like LifeLock actually had an agreement with Equifax on a per user basis to make money from the breach when Equifax users signed up for identity protection.

Plus, we propose a complete review of all online User Agreements to force platform providers to insert clauses protecting user data from hacks with accountability, noting that content is user owned and allowing for class action lawsuits in the event of a breach to remedy the damage to users who need to repair their credit records and financial information from identity theft.
