{"id":290,"date":"2017-09-13T08:50:49","date_gmt":"2017-09-13T12:50:49","guid":{"rendered":"https:\/\/dwan.org\/?p=290"},"modified":"2019-10-25T15:12:26","modified_gmt":"2019-10-25T19:12:26","slug":"identity-equifax-and-google","status":"publish","type":"post","link":"https:\/\/dwan.org\/index.php\/2017\/09\/13\/identity-equifax-and-google\/","title":{"rendered":"Identity, Equifax, and Google"},"content":{"rendered":"<p>I\u2019ve been reading <a href=\"https:\/\/en.wikipedia.org\/wiki\/Who_Owns_the_Future%3F\">Who Owns the Future<\/a> by <a href=\"http:\/\/www.jaronlanier.com\/\">Jaron Lanier<\/a>. It\u2019s a good book, and you should probably read it. It\u2019s particularly important if you\u2019re a person who participates in the economy \u2013 which is most of us.<\/p>\n<p>Among the good points he makes is the importance of our online identity and how it must persist \u2013 stable and reliable \u2013 for many, many years. This should be on your mind because of the <a href=\"https:\/\/www.consumer.ftc.gov\/blog\/2017\/09\/equifax-data-breach-what-do\">Equifax data breach.<\/a> Critical identifying data on nearly 200 million people was apparently stolen, including social security numbers, birthdates, addresses, and so on.  Basically, all the stuff <a href=\"https:\/\/dwan.org\/index.php\/2017\/07\/31\/identity\/\">that I talked about in my post about zero knowledge proofs<\/a> is now <b>known<\/b> to be out in the wild.<\/p>\n<p>I reacted by putting a \u201ccredit lock\u201d on my information with all four major credit reporting agencies. You should probably do that too.  It took about an hour, all online (I made zero phone calls), and cost less than $50 in total.  Frankly, I\u2019m horrified and disappointed. 
These companies make a living accumulating data about me, and I have to pay what amounts to <a href=\"https:\/\/en.wikipedia.org\/wiki\/Protection_racket\">protection money<\/a> to get them to even make a pause in selling it.<\/p>\n<p>I have the option of paying protection money on my credit rating because the major credit ratings agencies are federally regulated. There is no plausible way to opt out of their databases, but at least I can insist on a bit of a firewall.<\/p>\n<p>Meditation: The data that Equifax lost is <b>exactly and completely<\/b> the data that <b>those same credit agencies<\/b> (along with every one of my credit card companies and banks) use to \u201cverify\u201d my identity in the event that I want to make changes \u2013 including unlocking that very same credit report. They did offer a personally identifying number (PIN) with each lock. For accounts where the lock pre-dates the breach, my bet is that the PIN went into the wild along with the other information.<\/p>\n<p>I was, at least, able to register a mobile number and email address with one of the services \u2013 TransUnion \u2013 so that I\u2019ll get word when changes happen. If I was a bad actor, that\u2019s the first thing that I would disable. Hopefully I will also get notification from my bank if someone calls up and asks to transfer my retirement accounts to some other institution. My experience with a recent rollover transaction suggests that I can do the whole thing with one phone call, with no second factor required.<\/p>\n<p>Conveniently, the data that a bank might check on a driver\u2019s license is <b>also among the data that was leaked<\/b>. Fortunately, they don\u2019t need a picture of me for the fake ID \u2013 they can use their own picture for that part.<\/p>\n<p>We need something better.<\/p>\n<p>Unfortunately, one major alternative on offer is going to turn out very, very badly.<\/p>\n<p>That alternative, of course, is to let Google or Facebook handle identity for us. 
It\u2019s already an option on many websites. The link to \u201csign up with a different email\u201d is getting smaller and smaller on the signup pages. Google and Facebook provide, effectively, a <a href=\"https:\/\/en.wikipedia.org\/wiki\/Single_sign-on\">Single Sign On<\/a> service at no direct cost to the user.<\/p>\n<p>One problem with this idea is that Google and Facebook will not remain in their current form for long enough to serve as a stable source of identity. At some point, they will change, be purchased, split up, merge, or something. Along the way, they will modify their business plans. At that point, any online services that rely on Google and Facebook for identity services stand to be disrupted.<\/p>\n<p>If enough of our digital life relies on corporate credentials, we will wind up regulating them. That\u2019s how the government got into the business of roads and electrical power.  Even if it doesn\u2019t rise to that level, we all stand to lose access to a lot of our online identity and social history when social media sites undergo change and growth.<\/p>\n<p>If that\u2019s uncomfortably complicated \u2013 just consider what will happen when Google exits the business of providing free email accounts. How will you recover a lost password on the various sites where you\u2019re using that gmail.com address?<\/p>\n<p>We are already in the bad place, and the SSO thing makes it easier and far worse.<\/p>\n<p>The other problem, of course, is that Google and Facebook, just like the credit reporting agencies, are not in the business of serving us as their customers. That\u2019s why these identity services are provided at no direct cost to the user. Their primary product is information <b>about<\/b> us. They are, without putting too fine a point on it, gigantic, barely regulated, commercial spy operations. 
As we move from email to SSO, we move from less to more tracking \u2013 which amounts to still more data about me, all in one place, which will eventually be compromised.<\/p>\n<p>The incentives and trends do not point in the right directions.<\/p>\n<p>A better solution, in my opinion, would be a very lightweight bit of regulation coupled with identity solutions whose incentives are aligned with human interests rather than corporate ones. Technologies like blockchain will almost certainly play a part in this, though the simplistic solutions being floated now are premature. This should be a long, thoughtful social conversation about identity and privacy in the digital age. Anyone who tells you that they\u2019ve already got all the answers is (a) wrong and (b) trying to make a quick buck.<\/p>\n<p>Speaking of making a quick buck, we should revoke Equifax\u2019s corporate charter and hold their business and technology leadership personally accountable for this mess. There is redundancy in the credit ratings system \u2013 I\u2019m paying protection money to three -other- firms to moderate the amount of my data that they sell. Equifax did lasting damage to nearly 200 million of us, and they need to be made to close up shop.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I\u2019ve been reading Who Owns the Future by Jaron Lanier. It\u2019s a good book, and you should probably read it. It\u2019s particularly important if you\u2019re a person who participates in the economy \u2013 which is most of us. 
Among the good points he makes is&hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[34,13],"tags":[],"class_list":["post-290","post","type-post","status-publish","format-standard","hentry","category-equity","category-infosec"],"_links":{"self":[{"href":"https:\/\/dwan.org\/index.php\/wp-json\/wp\/v2\/posts\/290","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dwan.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dwan.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dwan.org\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dwan.org\/index.php\/wp-json\/wp\/v2\/comments?post=290"}],"version-history":[{"count":5,"href":"https:\/\/dwan.org\/index.php\/wp-json\/wp\/v2\/posts\/290\/revisions"}],"predecessor-version":[{"id":1154,"href":"https:\/\/dwan.org\/index.php\/wp-json\/wp\/v2\/posts\/290\/revisions\/1154"}],"wp:attachment":[{"href":"https:\/\/dwan.org\/index.php\/wp-json\/wp\/v2\/media?parent=290"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dwan.org\/index.php\/wp-json\/wp\/v2\/categories?post=290"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dwan.org\/index.php\/wp-json\/wp\/v2\/tags?post=290"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}