Taking Control of Digital You (Part II)
When did our identities become data to be bought, sold, and traded, and why?
The concept of identity as we know it began to break down at the dawn of the internet. Under digital conditions, “Identity is neither singular nor fixed, no matter how administratively convenient it might be to think of it that way” (Birch, 2014). Government IDs, such as social security numbers, are just data on the internet with a tangential connection to a person. People are defined by social, legal and digital identity. Social identity is represented by who we are in the day-to-day world in relation to others. Our legal identity is made up of birth certificates, social security numbers, and government-issued identification such as passports. However, these are not to be confused with digital identities. For the first time in human history, social and legal identity can be separated from a person at the click of a button. For example, a hacker can take personal data and pose as someone else on Facebook. Until there is a way to trust a digital identity, attacks on companies holding personal data will persist.
While getting hacked is expensive and time-consuming for the victim, to a hacker your information isn’t worth much. Below is a breakdown of how much discrete elements of your identity are worth. “Prices are culled from 2013 and 2014 Dell SecureWorks reports” (Skowronski, 2015).
| Hacker Service | Price |
| --- | --- |
| Social Security Number (part of ‘Fullz’ dossier) | $30 |
| Date of birth | $11 |
| Health insurance credentials | $20 |
| Visa or MasterCard credentials | $4 |
| American Express credentials | $7 |
| Credit card with magnetic stripe or chip data | $12 |
| Bank account number (balance of $70,000 – $150,000) | $300 or less |
| Full identity ‘Kitz’ | $1200 – $1300 |
For hackers to make a profit they have to sell in bulk; thus, you see hacks where millions of records are compromised.
For example, Marriott, Yahoo, and Equifax have sustained massive hacks of personal data with little to no repercussions. As recently as November 30, 2018, “Marriott revealed a massive hack to the theft of personal data of a whopping 500 million customers of its Starwood hotels” (Brewster, 2018). Marriott, and specifically its Starwood properties, experienced repeated attacks from Nigerian and Russian hackers from 2016 through 2018. The US, the EU and other countries are looking into the incident and leveling fines against the company. In the case of the EU, GDPR was violated. As security is outsourced to Dell SecureWorks, it has yet to be determined if they will be held responsible along with Marriott. While Marriott doesn’t appear to make use of personal information on the level of a Yahoo or Experian, it is key for customers to know their data is adequately protected.
In addition to the recent attacks on Marriott, hackers compromised every Yahoo account that has ever existed in August 2013 (Larson, 2017). Approximately three billion accounts were affected (Larson, 2017). This hack includes email, Tumblr, Fantasy and Flickr accounts (Larson, 2017). This attack is easily the biggest on record and was perpetrated by Russian hackers (Larson, 2017). Verizon, the current holder of the Yahoo portfolio, would not provide any further information to outside experts (Larson, 2017). Consequently, Yahoo experienced another attack that affected five hundred million people in 2014 (Larson, 2017). In both cases, the company wasn’t held liable for the theft of personal information. Yahoo and companies like it profit from your personal information but appear unwilling to protect it.
While not the largest, the Experian hack of one hundred and forty million people is likely the scariest (Mainelli, 2017). To interact with financial institutions to buy a house or a car, and potentially to get a job, you have to consent to have your payment information reported to central authorities such as Experian. These authorities then use algorithms that use your salary and payment history to determine if you are creditworthy. Experian and institutions like it hold the keys to people’s lives, and yet there is no way to directly interact with them and no real way to opt out of their services. A person can freeze their account, but that comes at a price. Not only do these companies have the keys to your digital identity, but they will also charge you when you try to opt out of their services by freezing your account.
Furthermore, Experian exacerbated the problem by initially charging people for protection needed because of the theft of personal data from their servers (Lieber, 2017). The level of outrage at having to pay for these services because of their inability to protect the information was so high that Experian backed away from charging people for it. The Experian hack highlights the helplessness and frustration that people feel around these types of data breaches because there is little to nothing an individual can do to achieve some level of justice from these companies.
Remedying this problem isn’t a matter of fining companies for not protecting personal information; it’s a combination of both smart legislation and leveraging of emerging technologies. When looking at the dimension of cybersecurity, companies are responsible for shouldering the burden of protecting personal information with existing technologies. Further compounding the difficulty of safeguarding PII data is the level of invasiveness of technology (Byrnes, 2015). With an explosion in IoT (Internet of Things), technology is embedded in everything from clothing to cars (Byrnes, 2015). This is an explosion of connected devices, with little protection, that grants access to infrastructures such as electric, water, agriculture, and manufacturing services (Davidson, 2018). Traditionally, companies tackle these problems from centralized and decentralized points of view. As evidenced by the hacking examples above, “Centralized storage of data increases the vulnerability of that location to attack, and it potentially limits a system’s capacity to absorb attacks” (Byrnes, 2015).
References
Birch, D. (2014). IDENTITY is the NEW MONEY. London Publishing Partnership.
Brewster, T. (2018, December 3). Revealed: Marriott’s 500 Million Hack Came After A String Of Security Breaches. Retrieved December 3, 2018, from https://www.forbes.com/sites/thomasbrewster/2018/12/03/revealed-marriotts-500-million-hack-came-after-a-string-of-security-breaches/
Byrnes, N. (2015, June 2). EmTech Digital: Reaching Maximum Invasiveness. Retrieved December 6, 2018, from https://www.technologyreview.com/s/538016/emtech-digital-worrying-about-privacy-and-security/
Casey, M. J. (2018, April 9). In blockchain we trust. Retrieved December 6, 2018, from https://www.technologyreview.com/s/610781/in-blockchain-we-trust/
Davidson, R. (2018). Sponsored Feature: Centralized, Model-Driven Visibility Key to IT-OT Security Management, 2. Retrieved from https://www.isaca.org/Journal/archives/2018/Volume-2/Pages/centralized-model-driven-visibility-key-to-it-ot-security-management.aspx
Downes, L. (2018, April 9). GDPR and the End of the Internet’s Grand Bargain. Harvard Business Review. Retrieved from https://hbr.org/2018/04/gdpr-and-the-end-of-the-internets-grand-bargain
Guide to Identifying Personally Identifiable Information (PII). (2017, February 14). Retrieved December 6, 2018, from https://www.technology.pitt.edu/help-desk/how-to-documents/guide-identifying-personally-identifiable-information-pii
Larson, S. (2017, October 3). Every single Yahoo account was hacked – 3 billion in all. Retrieved December 4, 2018, from https://money.cnn.com/2017/10/03/technology/business/yahoo-breach-3-billion-accounts/index.html
Lieber, R. (2017, December 22). Why the Equifax Breach Stings So Bad. The New York Times. Retrieved from https://www.nytimes.com/2017/09/22/your-money/equifax-breach.html
Mainelli, M. (2017, October 5). Blockchain Could Help Us Reclaim Control of Our Personal Data. Harvard Business Review. Retrieved from https://hbr.org/2017/10/smart-ledgers-can-help-us-reclaim-control-of-our-personal-data
Nakamoto, S. (n.d.). Bitcoin: A Peer-to-Peer Electronic Cash System, 9.
Orcutt, M. (2018, April 25). How secure is blockchain really? Retrieved December 6, 2018, from https://www.technologyreview.com/s/610836/how-secure-is-blockchain-really/
Skowronski, J. (2015, July 27). The Black Market Value Of Your Identity. Retrieved December 3, 2018, from https://www.bankrate.com/finance/credit/what-your-identity-is-worth-on-black-market.aspx
