As bad as it is, the Equifax incident may have come just in the nick of time. The US Congress must act now and pass a law to prevent the looming danger of pervasive personal data theft.
Of course, credit bureaus, consumer credit suppliers and especially large technology companies will oppose such a law. They want Congress merely to require free credit freezes and similar palliatives.
But this sort of reaction would obscure the real issue: unauthorized data surveillance. Having thought about this question since the 1990s, we are convinced that America needs comprehensive new data protection laws.
The real issue behind the Equifax incident is that credit bureaus are just one of an escalating class of companies that surveil almost every individual in the country without our consent. These firms, of course, deny this.
They rationalize that since consumers sign a clause handing over their data when they apply for a credit card, mortgage, lease or car loan agreement, they have consented to sharing their data. But this claim is disingenuous.
You can only opt out of approving this surveillance if you do not rent or own your home, borrow money for a car, take out a student loan or use a credit or debit card. Basically, you have to go off the grid to avoid consenting to being subject to constant financial observation.
The credit bureaus are by no means the only — or even the worst — culprits. Behind claims of transparency, virtually all of the mega-technology companies (including but not limited to Facebook, Apple, Amazon, Google and Microsoft) also constantly surveil their customers without our freely given consent.
What the large technology companies mean by “transparency” is that they make decisions behind closed doors to maximize their revenues and then hide all of their exploitative conditions behind user agreements and amendments that are incomprehensibly opaque.
Even contract law professors admit to just clicking on the “agree” button without bothering to read thousands of words because wading through the morass would only result in them needing a glass of genuinely transparent alcohol. And all of this works because companies leverage consumers’ desire to use their products.
The data mega-technology companies collect is even more valuable than credit payment statistics. Knowing your network of Facebook friends can be highly predictive of your financial behavior. Information from personal payment systems opens up a world of financial conduct that credit providers highly covet.
Even better, the online data is much more current and constantly updated. Often, the data itself is sold to other companies. While those who sell it say the data is anonymized, this claim is dubious. Famously, Netflix’s “anonymous” users were de-anonymized by researchers as long ago as 2006.
More than a decade later, such de-anonymizing is becoming ever easier, with more data points to triangulate and logarithmically more computing power.
The bottom line is that all our personal data are subject to breaches just as much as our credit data. That is why responding to the Equifax breach with just credit freezes will not suffice.
Instead, we need comprehensive laws that go well beyond the Gramm-Leach-Bliley Act to address the three roots of the problem: the disparate leverage of the consumers and large data collectors; the whole business model for personal information collectors of all stripes; and the lack of a regulatory body to protect citizens.
First, the law would invert the current power matrix by requiring credit bureaus to compete for consumers. Presently, these bureaus compete with prices and ease of access to credit providers while consumers are neutered. For example, the new law would require consumers to authorize one bureau to collect and possess their information, perhaps every two years or so.
Each bureau would then be obliged to compete for consumers by offering free and easy credit freezes and presumably other perks, possibly even cash. Credit bureaus with too few consumers or who have data breaches would ultimately go out of business.
Second, the law would require all social media and technology companies to have at least two options for allowing individuals to access their platforms. At least one of these options would bar the company from sharing their data with any other company, no matter how anonymized.
The data, as it were, could not leave the building. This might mean consumers would have to pay to use some social media sites, but at least they would know the value of their data and be able to choose. It would still permit the company to place those (creepy) micro-targeted ads, provided it is only the company in question doing it.
These companies would also be obliged to maintain certain standards of cybersecurity, timetables for notices of breaches and the like.
Lastly, and what might be the most controversial proposal, the law must establish a new bipartisan agency with an equal number of members from each major party for oversight. The objective of this agency would be to protect the public from data breaches as best as possible.
This agency can either fall within the Department of Homeland Security or act independently as Congress thinks best. Currently, it is beyond the ability of any private company or individual to defend itself against an aggressive hack attempt by a determined foreign intelligence agency.
American companies and citizens are not being adequately defended by our government. While we certainly don’t endorse the Chinese approach of creating a “Great Firewall” to prevent cyberattacks, the current status quo means a significantly harmful attack is virtually inevitable.
We therefore recommend that this new bipartisan agency be empowered to protect American companies and citizens. This would entail cooperation with our intelligence agencies to fight any attempts to hack our nation’s companies, our physical infrastructure or perhaps even government elections and virtually everything else that can be penetrated via the internet.
Without any such agency focused on this now, we remain susceptible and at risk. The establishment of this new agency could be as important as that of the FDA or EPA when they were initially established.
We can’t let the Equifax crisis be wasted. We must learn from our mistakes.
Previously published in The Hill