I’ve been thinking a lot about cybersecurity recently. But when news of the Equifax data breach surfaced recently, I was more alarmed than usual. Although Equifax is the latest of a long line of data breaches where personal information has been stolen, this one was different.
There was the usual furor, of course, (US Senate hearings, questions in the House, newspaper headlines raging, stock tanking, etc.) when the fact of that massive data breach occurred was finally disclosed (a full five months after the breach occurred). More details on the scale of the breach have trickled out since then. But by now it’s off the front page and out of mind for many. Thankfully, it seems Canadians were largely unaffected.
We must not become complacent, however. Equifax is a data breach on a significant scale. Significant not because of the numbers of individuals affected, but of the quality of information stolen. Equifax, you see, is a corporation that has the careful compilation of a detailed profile on each of its subjects as its sole objective.
In the Yahoo data breach, the largest data breach in the world (so far), names, email addresses, telephone numbers, security questions and answers, dates of birth, and hashed passwords of 3 billion account holders were taken. From the details of the Equifax hack disclosed so far, we know that personal information on over 145 million Americans has been stolen, including vital information such as social security numbers. And we have just recently learned from the Wall Street Journal that 10.9 million driver’s licenses have also been stolen. <https://www.wsj.com/articles/equifax-hack-disclosed-drivers-license-data-for-more-than-10-million-americans-1507664315> Yahoo may collect personal information to provide free email accounts, but Equifax has a detailed file on everyone who uses financial services, most of it sensitive information from a variety of sources, often held without your knowledge. This breach is scandalous.
With a mounting number of acknowledged data breaches, how do we continue to verify our identity online? Well, we use passwords of our choice, now fortified by questions to which only we should know the answer. The reason for the additional layer of security is that the passwords can be reset by hackers accessing email (see Yahoo data breach, above). These questions started out as Place of Birth or Father’s Middle Name. Now that those questions and answers have been stolen, it’s “Who did you admire most when growing up?”, or “What’s your oldest nephew’s name?” For sensitive information, we provide SINs or driver’s license numbers. Once these details have been compromised, as with Equifax, what are we left with? How will we actually identify ourselves online, when every significant detail of our lives could be out in the wild?
And when I say that every significant detail about our lives could be out in the wild, I do not think I exaggerate. There is very likely information about each of us that would make a dictator blush available on the dark web for a few hundred bucks. Compare the following passages from two articles I read recently.
In the first article, Judith DuPortail used EU Data Protection laws to access her own file from dating app Tinder. She was staggered at the granular detail of information that was held about her. She writes in the Guardian that:
“Some 800 pages came back containing information such as my Facebook “likes”, links to where my Instagram photos would have been had I not previously deleted the associated account, my education, the age-rank of men I was interested in, how many Facebook friends I had, when and where every online conversation with every single one of my matches happened … the list goes on.”
You might smirk at the inanity of the information collected, but compare that passage with this nugget from Oxford University historian Timothy Garton Ash, buried in a piece about Europe for the National Post on surveillance by the East German secret police, the infamous Stasi:
“Back in the early 1990s, after the Berlin Wall had fallen and the East German security state was opened to the world, Garton Ash discovered the file the Stasi kept on him. It was 325 pages long, including details of his wardrobe, his love life, and his fondness for dumplings.”
It seems that one innocuous app routinely collects more detailed information on individuals’ lives than the world’s most infamous secret police service, which at its height employed 274,000 spies and informants – almost 4% of the population. We must wonder how the retention of that volume and quality of information can be justified. At least with the Stasi, unlike apps, the information collected was kept securely in the files in their East Berlin headquarters, until the collapse of East Germany.
How can we have reached the stage that the last line of defence of the sanctity of personal information (without two factor authentication) rests with being one of the few people to know the city in which one’s secondary school is located (assuming, of course, that that question and answer has not already been compromised)?
The failure of the private sector to effectively safeguard our personal information and to notify of us breaches in a timely manner is such a cause for concern that may lead to dangerous unintended consequences.
It may, for example, lead us to question whether controlling access to our personal information can be entrusted to the private sector. In the same way as in the physical world, where a driver’s license is without doubt the key to authenticating our identity, perhaps governments will follow the Indian government’s example of mandating biometric identification on every citizen for authentication purposes. Such a development, however, would also give that government unparalleled access to citizens’ personal information. Lawyers and the courts would be the last line of defence of individual privacy, as they are in India.
It seems that the best hope for retaining control over individuals’ personal information lies with lawyers being diligent to ensure that our privacy laws are sufficiently robust, regularly reviewed and uniformly enforced. But Canada has never suffered a repressive regime routinely collecting information on citizens, unlike the experience in Europe. However, that fact notwithstanding, we must remain vigilant in this age of private sector electronic surveillance. The amount of personal information held about individuals must be strictly minimized to what is relevant. Personal information should not held for longer than is necessary for the notified purpose. Lawyers must be alert and proactive to prevent further data breaches leading to further erosion of our privacy and of our liberties.