Forget Equifax. Facebook and Google Have the Data That Should Worry You
Just for a minute, imagine that hackers have gained access to a database containing sensitive information about hundreds of millions of people. In this totally hypothetical scenario, the theft would be comprehensive—including enough details to do real damage to those whose data had been exposed—and would involve a company that wasn’t widely recognized as a security risk. This large company would’ve exposed you, and everyone you know, to possible financial ruin.
No, I’m not talking about Equifax, the Atlanta-based credit reporting agency that disclosed a massive hack late last week. Think of a comparable breach at Google, Facebook, or Amazon.com.
Those companies, plus Slack, Tinder, and a half-dozen others, possess more than enough financial and personal data for hackers to steal our identities and, possibly, rack up fraudulent charges. They also have private messages, photographs, and most of our secrets. A large-scale attack on any one of these companies could make the Equifax hack, the theft of some 143 million Social Security numbers, look like petty larceny.
For a sense of the potential problem, I recommend John Lanchester’s recent polemic about Facebook in the London Review of Books. Lanchester dislikes Facebook on a visceral level, and his complaints are sometimes unfair, but his central point is underappreciated. “What Facebook does is watch you, and then use what it knows about you and your behaviour to sell ads,” he writes. “It knows far, far more about you than the most intrusive government has ever known about its citizens.”
Lanchester sees Facebook as a means of control and blames the company for the election of Donald Trump. Thanks to a recent disclosure, we know that Russian propagandists got at least some mileage out of the company’s ad program. But that’s not the most obvious way Facebook’s data could cause harm. What’s more likely than some dystopic mind-control scheme is simple and just as scary: The company could get hacked.
Your personal Facebook data, as well as the data the company uses to target ads, contains information about your interests, your income, your sex life, your kids, and lots more. Google has a lot of this, plus the email inboxes of more than a billion people. It’s hard to imagine either of these companies—which employ some of the best security researchers in the world and have nearly unlimited resources—falling down on the job, but their potential adversaries are formidable, and even a small-scale hack of someone’s Facebook or Google data could do a lot of damage. Just ask John Podesta.
There’s some comfort in the fact that Silicon Valley’s tech giants generally seem way more trustworthy than your typical credit reporting agencies, which have at times been comically hostile to the interests of consumers. For decades, Equifax and its competitors—with the blessing of regulators—collected information about pretty much every American adult, offering us no way to opt out. These companies routinely report false information to lenders, potentially causing innocent consumers to be denied loans. If you don’t want this to happen to you, Equifax’s solution is a $17-a-month credit “monitoring” service. A student of the Godfather films might ask if “monitoring” is quite the right word for the sort of protection Equifax provides.
After getting hacked in July, Equifax waited more than a month to inform the general public, even as three of its executives cashed out some of their company stock. Last week, when the announcement finally came to light, all Equifax offered us was a bug-ridden website and a year’s worth of the same old credit monitoring. There are ways to protect yourself, but the truth is that this hack could mess with people’s lives for decades. Equifax, on the other hand, may actually wind up making money on the breach, as New York Times columnist Ron Lieber points out.
Managing the risk posed by these enormous data sets seems like an obvious job for regulators. Next year, new privacy rules in the European Union will, among other things, institute severe financial penalties for companies that fail to safeguard consumer data, making them less likely to profit in spite of screw-ups. The new rules will also require hacked companies to notify customers of a breach within three days. That wouldn't have stopped the Equifax hack from happening, but it would’ve cut a month off the thieves’ lead time. Something similar in the U.S. would make a lot of sense.
Unfortunately, the federal government has been moving in the other direction, eroding its data-protection laws when it should be strengthening them. In April, over the objection of privacy advocates, President Trump signed a law that allows internet service providers to sell information about their customers to advertisers. This was part of an effort to put the likes of Comcast and Verizon on a level playing field with the Valley’s data brokers. The move was seen as a setback for Facebook and Google. The Equifax hack shows it was a setback for consumers, too.