Every American has now watched the same script in the same theater several times. You know, when yet another big corporation announced that they have lost customer data that should be private. Then, after much delay, they publish some legally-vetted mumbo-jumbo, which contains a lot of words but nothing useful. (The latest example is this masterpiece by AT&T.) This is a script without plot or character development: indeed, in this theater, all characters remain nameless, hidden from the audience, not even on stage.
The script will definitely say that they have notified customers (for AT&T, over 100 million!), which is akin to the security company sending you a note after a burglar took everything from your home (and all your neighbors). The security company will have washed their hands off of this fiasco by sending such a note while accepting zero legal, or moral responsibility (such is our politics!). The note will turn congratulatory, like a script needing a happy ending: it will let customers know they have been involuntarily enrolled into some third-party's credit monitoring service - which, mind you, does not promise to stop further theft, rather that they would also notify you after another burglar cleaned out whatever still remains in your home.
Think twice about that for a moment. It would have been hard to live in the U.S. without having already been enrolled in such a credit monitoring service due to prior data leaks. So, one of the following two scenarios applies to the recent case of AT&T: either the credit monitoring service notified the customer of the AT&T leak before AT&T did, or AT&T's note arrived first. It almost surely can't be the former since the entire post-leak operation is so carefully scripted - this just shows why the credit monitoring service is lip service: it is as if the home owner's association is sending a note to your emptied home, after the security company's note has already landed.
After the year of "free" credit monitoring is over, you realized that you have become a prospective customer of the credit monitoring agency. By this one act, AT&T has transferred the contact information of 100 million customers to some third party - to the absolute delight of the marketing division responsible for generating sales leads.
***
Here are some of my working assumptions about data leaks that I want to share with you. (They aren't in the official scripts, of course).
- If my data exist in any server not under my control, they have been, or will be stolen. If any of my data reside in the cloud, they have been or will be taken. If any business secretly moves any of my data (held on my devices) to the cloud, they have been or will be leaked. If I use any cloud-based services, what I do there are effectively public - regardless of logins, passwords, authentication schemes, encryption, https, or whatever other cosmetic countermeasures.
- Whatever you think these businesses know about you, they know more. (For example, when AT&T claimed the thieves didn't take contents of calls and messages, they have tacitly admitted that they have records of the contents. You might recall that some time ago, they denied that they held such records, claiming that they only gave our government access to "metadata" i.e. who called whom, in those controversial domestic spying programs.)
- Most (probably over 90 percent) of all data leak incidents have never been detected, and therefore, are not known or reported.
- The harms of these data leaks are inconspicuous. Thieves sell the data to others who use the data to influence our behavior or take actions (such as setting your healthcare premiums). By observing the actions taken, and/or their outcomes, you can't infer the source of the data. You almost never get a straight answer for what data were used (trying asking OpenAI what they used to create ChatGPT!) Because the dots can't be connected, we are vastly underestimating the harms of data leaks.
- If our data security were finally improved, then we should notice technologies becoming more inconvenient and less efficient. Conversely, if new technologies are more convenient or efficient, our data security has been further compromised.
Comments
You can follow this conversation by subscribing to the comment feed for this post.