If you’re one of the millions of Americans feeling like it’s time to start better protecting your personal data, you’re pretty much out of luck, according to cybersecurity experts.
The recent data-sharing controversy surrounding Facebook and its failure to prevent improper data harvesting by Cambridge Analytica is only the tip of the iceberg when it comes to the ways both corporate data sharing and corporate hacks affect ordinary people’s lives.
The ongoing Facebook scandal is just one of many incidents related to data overreaches and breaches that have recently jeopardized millions of Americans’ personal information. The information lost includes everything from names and contact information to more sensitive data, like social security numbers. There have been dozens of major corporate hacks in the past few years, ranging from headline-grabbing hacks like the Uber data breach that exposed 57 million customers’ information, to breaches at LinkedIn, Target, JPMorgan and more. At this point, virtually no industry remains untouched by hackers, who usually steal consumer data for financial gain by selling it on the dark web.
But while all the attacks ultimately have the same end result — people’s personal information is put at risk — there is a big difference between companies being hacked by third parties (Uber, Target, Equifax) and companies voluntarily sharing information with or selling information to third parties (Facebook).
“Comparing Facebook to Equifax, Facebook takes significant effort to avoid being breached. They spend a significant amount of time and money focusing on not being breached,” said Michael Borohovski, co-founder of Tinfoil Security, a company that monitors website security. “Facebook was not a failure of security, it was a failure of maturity or ethics — whereas Equifax was negligent in terms of a failure of information security.”
When asked what people can do to prevent their data from being harvested without their direct knowledge, security technologist Bruce Schneier’s answer was chillingly straightforward.
“You can’t do anything. That’s the fundamental problem with this,” he said.
And he’s not the only one. MONEY talked to a handful of cybersecurity experts and all of them agreed people have little to no power over their personal information once it’s in the hands of a third party. (To be clear, it’s still a good idea to follow cybersecurity best practices like using complex passwords, never repeating the same password for different services, and using two-factor authentication whenever possible.)
Why is it so hard to protect your personal data from being collected without your knowledge?
Schneier pointed the finger at Uncle Sam, saying the U.S. has no laws in place to regulate data brokerage companies and what is known as “surveillance capitalism,” a new kind of business model in which corporations profit off of people’s personal data. And he says the only way consumers can take control of their personal information to prevent it from being used by companies to make profits is by demanding change at the legal and regulatory level.
“You live in the United States and the United States doesn’t regulate surveillance capitalism. Your data can be bought and sold without your knowledge and consent. That’s the way it works,” he said. “If you don’t like that, lobby your congressman. That is your only option.”
Schneier argues that these non-consensual data grabs aren’t a bug inside corporate data collections — they are a feature. “Their business model is collecting your data without your knowledge and consent and selling it to companies who want to manipulate you with it,” he said. “That’s their business model. And it’s a legal business model.”
What he means is that when you sign up for services like Uber or Facebook, you’re usually prompted to accept that company’s terms and conditions by checking off an “I have read and agree” box, otherwise you can’t use the service. This concept is called mandated disclosure, and it’s inherently problematic for consumers because you’re required to sign away your rights to your own information in order to engage with a product.
And signing it makes whatever that company decides to do with your data completely legal. Companies get away with using mandated disclosures for two reasons: because there are no federal laws preventing them from requiring it, and because the average person doesn’t read dozens of pages of fine print to make sure a company will not surreptitiously profit off of them. (To check how consumer-friendly a terms of service agreement is before you sign it, Borohovski recommends using the website tosdr.org, which spells out users’ rights.)
“When was the last time you clicked ‘I agree’ to these terms and conditions check box and actually read the terms?” Borohovski said. “I do that, most people don’t. A lot of people have kind of given up” trying to protect their data, he said, assuming there is nothing they can do to stay in control of their information. And those people aren’t entirely wrong.
A prime example of how this opaque business model serves the financial interests of corporations at the expense of Americans’ personal information is 2017’s massive Equifax hack, which exposed the data of nearly 148 million Americans. Most people think of Equifax as a regular credit reporting agency, but it is also a data broker, and that’s the part of their business where they make the most money (and where the data breach actually happened).
“The breadth and depth of information that data brokers have is astonishing,” he says. “These brokers collect demographic information: names, addresses, telephone numbers, e-mail addresses, marital status, profession, income level, political affiliation … they collect lists of things we’ve purchased, when we’ve purchased them, and how we paid for them. They keep track of deaths, divorces, and diseases in our families. They collect everything about what we do on the Internet.”
Equifax isn’t just an average company that provides you, the consumer, with one free credit report a year. It also sells your personal data — including your social security number — to private companies that have nothing to do with credit reports for pure profit, without telling you or asking you. Equifax did not immediately respond to a request for comment.
These companies “deliberately hide their actions and make it difficult for consumers to learn about or control their data,” Schneier said. You can try to “opt-out” and tell Equifax that you don’t want your data collected, but it will still collect it anyway — and your data won’t actually get deleted, Schneier says.
So what exactly does that mean for consumers? You are the product, not the client. Therefore, Equifax has no incentive to protect your data. Rather, it’s incentivized to serve the banks and retailers that pay it millions of dollars for the information they have collected on you without your knowledge. These types of companies mitigate the risks of this furtive data brokering by making it a requirement for consumers to agree to their legal terms and conditions, in order to use their services.
Who is safe from this type of data collection?
The short answer: no one. Because there are no laws preventing companies from doing this, you are essentially helpless when it comes to preventing the sale of your own data even if you are meticulous about avoiding entering important information on computers or phones, according to experts.
“Until some innovative company comes along and dis-intermediates these companies, I don’t see anything changing,” said Brian Krebs, a security expert and independent investigative journalist.
And real regulatory changes that would help safeguard people’s personal information may not be on the horizon anytime soon. History has shown that companies like Equifax that are responsible for some of the most egregious recent lapses in corporate responsibility aren’t facing many consequences. Even after the breach became public knowledge, the Internal Revenue Service still awarded Equifax a $7.25 million contract for personal identification services.
“Check back in a year – nothing. And if they get a fine, it’ll be a fine that was cheaper than the lawyer fees,” Schneier said.
Another potentially worrying aspect of these widespread cyber attacks is the lack of sophistication required to carry them out, experts said. In the case of Equifax, the company would have had to put in minimal effort to secure your data, Bas van Schaik, a researcher at analytics security firm Semmle, told Wired in September.
So there’s not much I can do to protect my personal information?
Experts told MONEY people can do a few things to have a little more control over their financial information. Specifically, they can freeze their credit reports, get regular copies of their credit report and call to complain when they see something on their report that shouldn’t be there.
But ultimately, there is not one action people can take that will prevent companies from collecting their information without their direct knowledge.
Krebs says he’s hopeful innovations like blockchain technology will eventually put credit bureaus and data brokers out of business in favor of an approach that gives consumers more control over their financial lives, but he’s not holding his breath. For now, Krebs said as long as people continue to check the “I agree to the terms and conditions” box with these companies, data will still continue to be legally collected by every company and service you use.
“I tell people be really careful about the information that you give away whether it’s on social networking on the internet to marketing companies to surveys,” Krebs said. “Invariably this information you give away about yourself is used to profile you.”