Random Thoughts – Randocity!

Shadow Profiling: Should I be concerned?

Posted in botch, business, california by commorancy on April 25, 2018

Recently with Facebook’s fall from grace, another issue has surfaced at Facebook: Shadow Profiling. Yes, you should be concerned. Let’s explore.

Facebook and Cambridge Analytica

With Cambridge Analytica, Facebook got caught with its pants down. Facebook allowed Cambridge Analytica, a known data broker, to mine data from Facebook’s network at a time when Facebook was vulnerable to such attacks. Facebook has been, for years, skirting every privacy initiative. In fact, Facebook didn’t want to implement any privacy controls, truth be told. They wanted to keep everything as open and accessible as possible. On the one hand, I can understand this… because it makes it easier for people to find other people. On the other hand, people’s data is their own. These are two parallel lines that will never meet.

I won’t go into every single little problem that Facebook has run into along the way, but suffice it to say that Facebook has taken baby steps to implement privacy. In 2014 when Cambridge Analytica did its mining, Facebook hadn’t implemented many controls to prevent such data mining attacks via their APIs. In fact, one might even call Facebook egregiously wilful in not implementing such data protections. Sure, they had implemented some in their web UI for user-to-user control, but not on the backend where businesses operate.

After Cambridge Analytica performed its mining operation, Facebook claims to have plugged-that-hole the same year to prevent any further Cambridge-Analytica’s from doing the same thing. Likely, they saw what CA had done and realized they were gamed and closed the hole. Of course, too little, too late. And, they didn’t disclose this fact to the public. It wouldn’t be until 2018 (4 years later) when Facebook got caught.

I won’t get into just how close Cambridge Analytica was to Facebook between then and now (hint: they occupied the same office space in 2016), but suffice it to say that Facebook was well aware of Cambridge Analytica and what business line they are in. To feign ignorance about another business using your network is so disingenuous as to be a lie.

This is all the pretext that opened the door to further scrutiny for Facebook.

Government Hearings

As a result of Facebook’s conduct back in 2014, many governments have interviewed (and will continue) to interview Mark Zuckerberg over Facebook’s conduct at that time. In that process, many side things have been uncovered. One of those things coming to light is shadow profiling. What exactly is shadow profiling?

A shadow profile is data collected about you without your knowledge. It might be data from public records, it might be personally identifying information such as email address, phone number, birth date, home address, social security, public information you share on Facebook or Twitter or Amazon. In Facebook’s case, they are collecting data about you via photos of you (facial recognition), through text messaging through WhatsApp and via other messaging means. Even simply visiting a site where you do have a login and where Facebook hosts comments is enough to gather data about you. The list goes on and on.

Facebook and Profiling

Let’s understand that many companies have shadow profiles on you, not just Facebook. Facebook is obviously one in a long list of companies that perform shadow profiling, but don’t kid yourself, Facebook is not alone in this practice. Companies such as LexisNexis, insurance companies and credit bureaus collect this information. In fact, credit bureaus hold a mountain of personal data so important that even the tiniest leak could cause immediate irreparable damage to those affected. Damage such as identity theft. Theft that, in fact, could be so bad you’d need to have a new social security number issued (along with all of your credit card numbers, phone numbers and the list goes on). Equifax found this out the hard way… and, I don’t think we’re done with these credit bureau hacks yet. It’s only going to get worse.

I digress. There are many companies that collect data about you without your knowledge. Facebook just got caught at it after this information was unceremoniously disclosed. But, don’t kid yourself that Facebook is alone in this. Google does this also. In fact, Google probably has more data on you than even Facebook has… even if you’ve never ever had a Google account. Why? Because you’ve inevitably sent email to someone@gmail.com or to a domain hosted by Google.

Google has already said they scour emails for content that helps target advertising to the Google user. If they’re scouring emails, they’ve inevitably found your email address, your phone number, address, first and last name and on and on. Google doesn’t have to do anything with this data, but it is almost certain that they store it for use later. Why? Because if you ever do create an account, they’ll already have data on you and things you like. It will make targeting ads to you much easier.

Don’t kid yourself, Facebook isn’t the only company keeping shadow profile data on people who do and don’t use their networks.

Reviewing Shadow Data

Unfortunately, to review or delete any data that Facebook has collected on you, you must first create an account. As soon as you do that, they’ve roped you in. Once you create an account, you can then download the data and see what they’ve collected. Then, you can go through the request Facebook to delete that data and your newly created account.

However, that means you are firmly in their system. Even when you ask to have your data deleted, Facebook is under absolutely no obligation to delete any data from their systems. The only thing they need do is make it not visible through their APIs and Web UI, but that’s like hiding your iPad under your bed. You can’t see it, but it’s definitely still there.

Request Shadow Data Removal

So, you’ve decided to create an account so you can request deletion. Even if Facebook does delete some data, there’s no guarantee they’ll delete every copy of it. Companies today utilize many technologies to manage, mine, extrapolate and handle user data. These systems include short term storage (hard drives), long term storage systems, multiple copy offsite backup systems, local hard drives, AWS glacier, billing systems, text based log files, marketing and advertising systems and even analytics systems such as Splunk or Kibana.

In fact, companies today have so many systems storing bits and pieces of your personal data, it’s nearly impossible for a company to actually delete ALL of your data. There will be some amount of your data that will continue to exist in at least one system somewhere on their property. That’s a guarantee. Chances are, it will exist in a whole lot more places then one.

Continued Shadow Profiling

Even if you do request your data to be removed by Facebook, it’s an entirely fleeting effort. Why? Because as soon as you’ve logged in and requested deletion and they do so, Facebook will continue their data collections efforts right after. Your request for deletion is a single point-in-time request. That request isn’t perpetual going forward. It’s a one-shot-deal. Facebook will continue collecting data on you going forward from that point. It is then entirely pointless to request deletion because within 1 year, they will have collected it all again.

In fact, there is no way to permanently request Facebook to not shadow profile your data. It is left up to you to recreate your account and request deletion every year. You may not even be able to do this more than once. Once you’ve deleted a Facebook account, that placeholder may be held in a locked state preventing you or anyone else from opening it again. At this point, any data they may have collected after you’ve requested deletion is entirely locked out from you.

For this reason, I’d suggest not requesting data deletion at all. At least, not until some laws come into effect that require Facebook and similar companies to stop shadow profiling and permanently delete data from any shadow profiling efforts.

Note that if you have even one friend who continues to use Facebook and you interact with that friend on any Facebook property (text messages, email, etc), Facebook can continue to pull that data on you and create / add to your shadow profile. Don’t think you’re safe by logging in and requesting deletion. If you’re dissatisfied by this outcome, reach out to your state representatives and request them to introduce legislation to regulate this practice.

Advertisements
Tagged with: , , , ,

Marketing, Facebook & Data Privacy

Posted in botch, business, california by commorancy on April 14, 2018

FacebookLockHow is marketing related to Facebook and data privacy? These all fall under the same umbrella. Should you be concerned? Yes, you should be. Let’s explore.

Email Marketing

Let’s start with email marketing first, the precursor to social marketing. I’ve worked in the email marketing industry for the last 17 years at an operational level. I’ve worked on general email systems for over 25+ years. So, I fully understand at all levels how email and email marketing works and what is required to make it continue to work in today’s world.

Email marketing became a “thing” in the mid-late 1990s in earnest. Before that, people dabbled in email marketing to the chagrin of many early internet users. It was around this time that the term ‘spam’ was coined to denote unwanted / unsolicited email.

Over the years, email marketing has evolved into a big business with firms now utilizing marketing automation systems. These systems help you marketers manage their email marketing campaign efforts.

In the beginning, as a marketer, you had a list of emails and you sent content to those addresses. The content was the same to each user. There was no thought to personalization, tailored content or privacy of any of this data. Emails were sent using cron jobs via command line tools using Sendmail. This was initially the most basic form of email marketing. This would have been in 90s.

Evolution of Email Marketing

By the 2005, email marketing had evolved from its simplistic roots into more sophisticated systems using dedicated email marketing software from companies like Port 25 and OmniTI. These email server solutions facilitated the trend of building sophisticated marketing automation UI systems on top of these robust, fast, scalable and customizable email delivery systems.

By 2018, these underlying email softwares now include the ability to send push notifications to apps and also offer sophisticated clustering systems to allow for highly scalable, highly available infrastructure offering incredibly fast delivery times.

On top of these infrastructures sit today’s marketing automation solutions. These systems offer such features as list management, drip marketing, recipient nurturing, automagic feedback reporting and detailed reporting of how each campaign is doing.

List Management

Back in the early days, list management was a chore. You had to deal with adding and removing new entries yourself manually. In reality, few marketers ever practiced real list hygiene. Most would add new entries, but never remove people who didn’t want to see that content. It was just too much of a hassle culling through thousands of email addresses. This is why email marketing got such a bad rap. Marketer didn’t take the time to remove users from their lists.

As of today, it is now legally required to remove recipients timely from lists in most countries. If you don’t remove addresses timely, your company (and possibly even you personally) may be held liable for failure to remove an address.

If you use a legitimate email marketing company today (one that upholds legal compliance), they will automatically handle opt-out requests for every email you send. No need to worry about if you’re compliant as email marketing firms automatically add links to handle all of this for you, as long as you use their database.

Recipient Likes and Preferences

Email marketing has a huge drawback (well, two actually). The first and biggest drawback, the inability to understand the user’s likes and wants. There’s just no real way to get that level of detail out of a particular recipient simply because email interactions are so few and far between. You can’t get what you need out of email marketing to effectively target each individual user in a way that makes sense for their likes, product preferences, location and personal information…. at least, not without using more advanced features like drip marketing and advanced real-time feedback. Email marketing is typically just too hands-off for this type of experience. Enter the second problem…

Evolution of Social Marketing

The second drawback is that while email marketing today is still a very valuable form of communication, it is becoming old and dated technologically. Email clients haven’t been updated in a very long time, technologically and interactively speaking. Basically, the features that were commonplace in email by the late 90s are still the standards that we’re rocking today. In other words, email clients don’t support updated technologies like video and audio content right in the email. You have to click to a web page to see this type of interactive content. The best an email can do is an animated GIF, and that’s of little consolation when you’re wanting to offer much, much more interactive content.

In comes social media. Sites like Twitter and Facebook and Snapchat and, to some degree, even YouTube offer better ways to find like-minded folks and advertise to them. Marketers also have a lot of the same tools at their disposal, like list upload to find their existing users on Facebook. Unlike email which is pretty much a one-way system, social media offers two way interaction. People share their family information, their favorite products, their favorite restaurants, their friend information and so on. All of this sharing means more ways for marketers to mine that information about a specific individual. This information is, in fact, a gold mine for advertisers. It means that instead of the mostly one-way interactions and guessing with email, advertisers can now utilize the two way interactions of social media and find out what a user likes very quickly.

Amazon follows this trend with its own systems by targeting users with product ads that third parties purchase. It’s a way to target users with products and services the user is most likely to be interested in.

Of course, these are not perfect systems. There’s still a certain amount of guessing involved. Social marketing are only offering seemingly relevant best guess suggestions based on other people’s social and purchasing habits. However, social guesses at least based on actual data of purchase history and other shared information, rather than a near completely blind guess that email marketing uses.

Facebook and Privacy

In order for these suggestion systems to work, they must have enough information about your buying habits, what you already own, how many people are in your family, their ages, if you have pets, what car you drive and so on. The more companies know about your personal habits, the more they can target products that make sense to you. It’s a catch-22 though. The more they know, the more dangerous it is for you. Sharing your personal information means someone could learn about you and your habits and then steal your identity.

Enter Facebook. Facebook collects all of this data and more about you. They then mine this data on behalf of their advertisers. Advertisers submit their product(s) to Facebook for advertisement on its platform. The system then finds folks, based on their shared content and interests and displays an ad for a product you might be interested in. If you talked about cancer in a wall post, an ad might pop up for oncology services.

This heavily personalized advertisement system is a far cry from the old cold guess email marketing. However, social marketing was born from the idea of email. Email has now been trying to catch up and compete with this more interactive and interest-based advertising system. Unfortunately, email is firmly entrenched in the past. It’s great for individual communication. For predictive communication, email sorely lacks. Worse, it’s not likely to ever catch up in this area. Though, it’s still a good medium when combined with social marketing. Meaning, if you can mine people’s interests out of social platforms, you can then target them with products and services via email.

Data Privacy

Here’s where Facebook has failed time and time again. When someone uses a social platform to share information, it is expected that that information will remain private and only be shared with those folks whom have been allowed to see it. Or, more specifically, shared with people licensed to see it based on the agreed terms and conditions.

However, Facebook only offers a very basic permissions system. Extensive permissions systems have been available on operating systems for years. Yet, Facebook’s platform didn’t start out that way and still isn’t anywhere close. Facebook started with no privacy at all. Your data was published for everyone to see. As time progressed and people complained, Facebook added more and more user controllable permissions.

For each step that Facebook took, it consisted of tiny baby steps. They’d add incremental protection of that data, just enough to satisfy a single complaint. But, they’d leave plenty of other data exposed. As they would take more baby steps, they would implement one more control, then another, then another and on and on to where we are today. Instead of designing a system that offered robust privacy from the beginning, Facebook opted to build it piece by piece as they went along… sometimes backtracking in certain areas,

While Facebook’s user privacy controls were fairly robust by 2014 (user to user), Facebook still didn’t have much in the way of privacy when using its application programming interface (API). Developers could sign up and extract data via this API with far fewer boundaries. It wouldn’t be until later when Facebook, yet again, took another baby step that they would limit what developers could extract. By then, it was too late for Facebook to do anything about Cambridge Analytica, a company whose data brokerage business model is all about selling collected data.

Abuse

Email marketing has long recognized abuse to be a big factor in the industry. Handling abuse is what distinguishes good actors from bad. Sites such as Spamhaus exist to watchdog and prevent such email abuse and enforce industry best practices. While email marketers have had to grow much more knowledgeable about email marketing best practices, Facebook is entirely new territory for marketers with no such outside policing as Spamhaus. Even new email tools such as DMARC, DKIM and SPF have grown to help protect and legitimize the email marketing industry. Nothing like these exist for social marketing.

While Spamhaus helps to protect and prevent unwanted spam from random third parties, there is no such watchdog to protect your data from unwanted prying eyes within companies like Facebook or Twitter. With email abuse, there are also organizations like MAAWG to also help manage that email abuse. Again, there’s nothing offered on Facebook, except whatever Facebook decides is necessary. You’re at the mercy of Facebook to give you those tools, and currently their solutions are limited and swayed entirely to Facebook’s best monetary interests.

On the one hand, most people are very protective of giving out their email address to random people. Yet, on the other these same folks are completely willing to log into Facebook, Instagram, Snapchat, Whatsapp and Twitter and give up their every day lives, their pet’s name, their employer, their spouse’s name, their location and sometimes even their phone number, email address or other personally identifying information (PII). Worse, Facebook now requires the use of what appears to be a valid First and Last name, though you can put any data you want into those fields and there’s no way for Facebook to verify this. Other social platforms don’t require this. This Facebook requirement ensures the lack of privacy and that users can be targeted by outside third parties. It also ensures that data can be e-pended by outside parties.

Abuse of email has real tangible penalties behind it. Abuse of social networks only has a single company behind it, like Twitter or Facebook. There are no industry standard watchdog groups out there helping guide marketing organizations towards best practices. In fact, such a watchdog group couldn’t really exist because, unlike email, there are no sanctions that could work to stop bad actors short of asking their ISPs to stop routing traffic for those companies. Such a move would likely be met with a huge legal backlash from the company. After all, the ISP did sign contracts to supply service to Facebook. If they cut off peering to them, Facebook would have them for legal lunch. Nope, there’s no sanction against a company like Facebook that could work. Not even a lawsuit could be all that effective.

Instead, these unstoppable organizations are in it to make money off of your data. For this reason, this is why companies like Cambridge Analytica can come to exist on Facebook and steal 87 million (or more) users’ data. This is why there’s nothing Congress can do to Facebook. No laws means nothing to enforce. The only thing Congress (or each state) can do is enact laws to protect each person’s data and force Facebook to become legally compliant with those laws. Of course, Facebook might face other laws they could have run afoul, but because the US has no real data privacy laws, there’s nothing here to enforce… even with companies like Cambridge Analytica.

Protecting Your Privacy

Only you can protect your privacy and your data. You can’t leave it to companies to do this for you… particularly if you live in the United States. If you want to share everything you do with the world, then you can’t easily protect your privacy. Note that even if you never put a single piece of personally identifying information online, you still may have shared enough other minimally identifying information that when put together, someone can eventually identify you.

For example, if you visit Starbucks every day to take a photo of your coffee cup each morning, someone could find that particular Starbucks and stalk your movement there. They could hear you give the cashier your name or other personal information. They might listen for your name to be called. They might bump into you intentionally to make you drop your stuff. They might watch you get into your car and take down your plate number. They might even follow you home. This is why sharing your everything you do online can be dangerous.

Even if you never give your real first name, last name, address, phone number or other information, you (or your friends) may have shared enough photos, locations and friend information to eventually identify you. This information isn’t considered personally identifying information alone, but when pieced together, it is. With enough data pieced together, someone might find out who you are, where you live, your address and possibly even your phone number… maybe even other data such as SS#, CC# or anything else were they to obtain some of your mail.

This is, of course, all made worse by companies like Facebook that don’t take data privacy seriously and only produce half-baked “security theater” mechanisms designed to look like they protect you, but that in reality they don’t. You’re continually putting your data into the hands of folks like Mark Zuckerberg who has, time and time again, shown that his platform cannot be trusted to store personal data.

Security Theater

While email marketing now has a robust set of industry checks and balances, technological measures, industry watchdogs, laws and best practices… social marketing offers very limited controls. The reason for this 1) it’s so young, 2) it doesn’t interact with third parties like email and 3) Systems like Facebook won’t offer such controls. Email must interact with many unrelated parties along the way to get your email to an inbox. Social marketing has a captive audience inside a single platform operated by a single company, whether inside of Twitter’s network or Facebook’s network or whomever.

This means that while email marketers must comply with laws, technical standards, best practices and other data collection and use controls, sites like Facebook face far fewer data handling laws. This means that your data is effectively open to the highest bidder. Yes, Facebook claims to have taken strides to help protect and safeguard your personal data, but you don’t know if that’s true or not. No one audits Facebook to make sure these claims are, in fact, true.

With email marketing, it’s crystal clear when a customer uses an inappropriately collected list. With Facebook, there is no way to know whether your data has been appropriately or inappropriately used because Facebook gets to make the rules. Rules that can change one day to the next.

I’ve worked for enough high tech companies to know that most companies create lot of security and data privacy theater in place of actual mechanisms. Meaning, they state in their policies that they do something, but the technological measures to back up those policies don’t always exist. This facade, otherwise known as “theater”, is what let’s companies get away with policy breaches unaware. It’s usually driven by a case of “Easier said than done”. Implementing technical measures to enforce a policy isn’t always easy, particularly if said data is terabytes in size. Instead, companies perform it on a case-by-case basis. It also might take them weeks to complete the task. The policy is may be written into the legal terms and conditions. However, when a customer actually wants to know if that policy is enforced, the company will then manually enforces that policy on that person’s data, assuming they even give you an honest response to your question.

You’d be surprised to find that this situation happens a lot more often than you might be aware. Even many legal teams are unaware of this situation in their own companies. They think that what’s in the policy is always carried out every time. In fact, that’s not true much of the time. This is simply because legal teams rarely carry out internal audits to ensure that written, published policies are being followed internally. Even then, some legal teams are both aware and complicit in allowing the technical teams to not follow the policies to the letter.

I would also be remiss by not mentioning that some legal teams write data policies without informing the necessary internal teams of the policy changes or additions. Without buy-in and support from the appropriate technical teams, the written word can’t always be translated into functional technical procedures. This means that the legal team is out of step with what is technically feasible. Legal teams should always propose and write policy in conjunction with the teams that must support those policies. As a lawyer on an in-house legal team, you can’t just write policy because it sounds good and then assume it can be implemented easily. That doesn’t always work. Hence, security theater.

Data Deletion and Right to be Forgotten Laws

Here’s the outcome of security and data privacy theater. If you request a company to delete your data, you won’t know if your data has been irrevocably deleted. Many companies hang onto long term backups for exceedingly long periods of time. This means that while your personal data may no longer exist on a live hard drive and may not longer be visible via a web interface, it could still exist on a long term data backup solution the company uses. It might even exist via an API system. Note that some data backup solutions exist on live disks, such as using the Cassandra or Elastic database system or even such reporting systems like Splunk or Elastic’s ELK. Some of these internal systems may never or rarely get purged. Even basic text log files, which may contain some or all of your personal data, may be retained for years due to Sarbanes Oxley and other data retention requirements.

Early in the life of email marketing, you might not expect to be unsubscribed. Today, laws require email marketers to remove your email address from their list within 10 days. The word remove is subjective. The actual term is unsubscribe. Even after unsubscribing, the company can continue to hold onto your email address in their database so long as they never email you. In fact, an opt-out request is simply to unsubscribe you from their mailings. It doesn’t ensure your email address will be deleted from their list. This is how your email address can accidentally be mailed again in the future despite a previous opt-out request.

Data deletion has no laws in effect in the US. US companies are not obligated to delete your data even if you so request it. They can leave it on systems within their organization. This, unfortunately, leaves your information vulnerable to data breaches by unauthorized persons. This is why you can request a company to delete your data and later find out your data was involved in a data breach years later. Or, you may find identity theft from a data breach where you had asked a company to delete your data. There are no laws that require companies to delete data when requested… at least, not in the United States. In the UK and EU, the right to be forgotten laws have been written and will apply to UK and EU citizens under the GDPR. Whether those laws continue to exist after Brexit in the UK, I’m unsure. Canada appears to be working towards (or has enacted) a similar data purge law for its citizens.

However, no such ‘right to erasure / right to be forgotten’ law has been enacted in the US. Companies in the US are still free to store and keep your personal data for as long as they see fit. Yes, even after your deletion request. This means that your data is still at risk of a data breach, even after you’ve requested Facebook, Snapchat, Whatsapp, Instagram, YouTube, Google or Twitter to delete your data. US companies are just not obligated to irretrievably delete your data. Even in the EU, the laws may not fully protect you from irrevocable deletion of your data. Meaning, it may be enough for a company to actively delete visibility of your data on their web site, but that doesn’t ensure irrevocable erasure from all media in that company’s possession. Worse, as long as that data never surfaces in the future, that company can hold onto it… even if they are considered ‘breaking laws’. The only way to make sure irrevocable deletion occurs is by adding incredibly stiff penalties when the laws are willfully broken.

Social Networks and Marketing

Facebook, Twitter, Instagram, Whatsapp and more bank on their ability to collect your data, store it and use it freely. As long as you digitally agree to their terms and conditions regarding their data collection and use, then you have little recourse against them when a situation like Cambridge Analytica occurs.

In email marketing, selling of lists has been taboo for years and has always been considered an email marketing dubious practice. In fact, list purchasing is considered one of the worst email marketing practices. In Social Marketing, no such rules have been laid down. Facebook has been hitting these walls one-by-one since at least 2008. Each time, they put up yet another road block to stop that particular practice (aka, baby steps). Facebook doesn’t want to stop these practices, they’re just forced to by public outcry, the media and the government each and every time.

They knee-jerk by enacting new policies each time, but only because of duress. Policies, I might add that email marketers have been adhering to for years. Policies that now have laws like the CAN-SPAM Act and individual state laws. Yet, here we are again, reliving this same abuse pattern over again in another form.

Marketing Today

Marketers have always wanted to do the least work possible and gain the most money from their efforts. That’s the whole reason email marketing exists. That’s the reason advertising exists. They want to create the most effective campaign and Facebook allows them to do this with their personalized marketing.

Cambridge Analytica took that one step further. They mined Facebook’s data and stored it in their own offsite database. A database that Facebook claims they thought had been deleted. They then combined that data with other data to create an even more comprehensive profile of each person. Yes, even more comprehensive than Facebook alone. If they had first and last name along with at least one piece of identifying information, they could have gone to LexisNexis and gotten even more identifying information. Who knows, they might have?

Marketers today are looking for the easiest way to target ads to the people they need. Hence, the reason Cambridge Analytica can even exist as an organization. There are many, many data brokerage services available to buy list and user data. Data that can be populated into databases and targeted with ads. Most of these outside brokerage services sell with the intent of using email marketing, but there may be more today that are using Facebook to present their ads. Cambridge Analytica is but one in many data brokerage services that exist on the Internet. You can bet many others also exist and may have taken advantage of Facebook’s situation, just the same as Cambridge Analytica.

That Facebook claimed to believed that a data brokerage service, whose sole business is in selling data, would ever delete data they had legitimately collected from Facebook is entirely naïve and disingenuous. Facebook had to have known the business Cambridge Analytica was in at the time they were extracting data from the platform. One only needs to visit Cambridge Analytica’s web site for a few minutes to understand their line of work. Even then, if you weren’t certain, you could certainly pick up the phone, call them and ask what it is they do. Companies are always eager to talk about their line of business, particularly if they think they’re about to make a sale.

Ad targeting is not going away and is only likely to grow as artificial intelligence systems grow. The data privacy issue will continue to be ever more important as time goes on. To protect yourself, you must ask yourself, what should I share and what should I not? For example, publishing a single cute puppy or kitty photo or video is probably fine. However, many cameras today also add EXIF data to store location data and possibly other information about where and when photo or video was created. Data that might be used to link you to that photo. However, taking a photo every day of your cup of coffee might reveal things about the location that you visit (names, people, location identifiers, etc). These are things when you need to be cautious before posting. Even if the photo appears innocuous, you might want to think twice because someone else might see something that you don’t see.

Social platforms, while fun, are big business for their owners. Don’t be fooled into thinking it’s all fun and games. Those games and fun have a price to pay. That price is what they get to do with your user data. As has been said, if the service is free, you are the product… or more specifically, your data.

How to protect yourself from the Equifax breach

Posted in botch, business, security by commorancy on September 11, 2017

Every once in a while, I decide to venture into the personal financial security territory. This time, it’s for good reason. Unfortunately, here’s a topic that is fraught with peril all along the way. It also doesn’t help when financial linchpins in the industry lose incredibly sensitive data, and by extension, credibility. Let’s explore.

Target, Home Depot and Retailer Breaches

In the last few years, we’ve seen a number of data breaches including the likes of Target and Home Depot. While these breaches are severe problems for the companies, they’re less problematic for the consumer in terms of what to do. As a consumer, you have built-in protections against credit card fraud. If a thief absconds with your number, your liability is usually limited to around $50, but that also depends on the card… so read your fine print.

With the $50 you might have to pay, the inconvenience to you is asking your credit card company to issue you a new card number. This request will immediately invalidate your current card number and then you have to play the snail mail waiting game for a new card to arrive. That’s pretty much the extent of the damage with retailer like Target or Home Depot.

No one wants to go through this, but it’s at least manageable in time… and you can get back on with your life. For breaches like Equifax, this is a whole different ball game, let’s even say, a game changer. Breaching Equifax is so much more than a simple credit card inconvenience.

Credit Reporting Agencies and Breaches

With Equifax breached, this is really where the government needs to step in with some oversight and regulations. What your social security number is the the government, your credit reporting file is to your personal financial health. This breach is a dangerous game… and worse, Equifax is basically taking it lightly, like it’s no big deal. This is such a big deal, you will absolutely need to take steps to make sure your data is secure (and even then, that only goes so far).

First, I’ll discuss what this breach means to you and how it might affect you. Second, I’ll discuss what you can do to protect yourself. Let’s start with some basic information.

There are 3 primary credit reporting agencies (aka credit bureaus):

  1. TransUnion
  2. Experian
  3. Equifax

Unless you’ve never had a credit card, you probably understand what these businesses do. I’ll explain for the uninitiated. These agencies collect and report on any outstanding credit card or revolving lines of credit you currently have. If you have a mortgage, these entities know about it. If you have a credit card (or many), they know. They also know lots of other data (i.e., previous and current address), what loans you’ve had in the past, what bank accounts you have, what balances are on your outstanding lines of credit, any collections activities and the list goes on and on. It also lists your birth date, social security number and full credit card numbers and account numbers.

Based on all of your credit lines, how well you pay and so on, these companies create a FICO credit score. This score determines how low of interest rates you’ll receive on new loans. These companies are not only a bane to actually exist, but they are your lifeline if you need new credit. Even just one blemish on your record can prevent you from getting that loan you need to buy your new house or new car. Without these linchpin companies, lenders wouldn’t be able to determine if you are a good or bad credit risk. Unfortunately, with these companies, consumers are at the mercy of these companies to produce accurate data to lenders (and to protect that data from theft)… a task that Equifax failed to do.

What did Equifax lose?

Equifax lost data for 143 million record holders. While that number may seem small, the damage done to each of those 143 million record holders will eclipse the damage produced by Target and Home Depot combined. Why? Because of how these credit reporting agencies actually work.

Equifax (and pretty much all of these credit reporting agencies) have flown under the radar in what they do. If you go to a car dealer, find a car you want and fill out loan paperwork, that dealership will pull a credit report from one or more of these agencies. Your credit report will contain a score and all loans currently outstanding. It also shows how well you pay your loans, any delinquencies in the past and other financial standing metrics. This credit report will be the basis of whether you get a loan from the car dealership and what what interest rate.

Hackers had access to this data between May and July of 2017. The hack was found on July 29th, but not reported to the public until September 8th. That’s over a month that Equifax sat on this news. It’s possible that they were requested by law enforcement to hold the announcement, we just don’t really know.

What was lost?

According to the Washington Post:

Hackers had access to Social Security numbers, birth dates, addresses, driver’s license numbers, credit card numbers and other information.

According to the New York Times:

In addition to the other material, hackers were also able to retrieve names, birth dates and addresses. Credit card numbers for 209,000 consumers were stolen, while documents with personal information used in disputes for 182,000 people were also taken.

Those dispute documents being PDFs of bills, receipts and other personally identifying information. I’ve also read, but have been unable to find the corresponding article, that the hackers may not have had access directly to the credit report database itself, but only to loose documents in a specific location. However, even with that said, do you really trust Equifax at this point? I certainly don’t.

Why is this such a big deal?

Because the credit reporting agencies have played it fast and loose for far too long. They make boat loads of money off of each credit report that’s pulled. If you pay $50 as part of the loan process to pull your credit report, the dealership will keep part of that money and the rest goes to Equifax. Because many loans applications are processed every day, some credit reporting agency is making money. Making money isn’t the problem, though.

These agencies will pull a report for anyone willing to spend money. This includes people with stolen credit cards. However, that only gets thieves so far before being caught. Instead, breaking into computers at the agency allows them to not only pull credit reports for anyone who has a record, they can get access to lots of sensitive information like:

  • Social Security Numbers
  • Birth Dates
  • Addresses
  • Places of employment
  • Home Addresses
  • Credit card numbers
  • Dispute Documents
  • Etc..

Basically, the thieves may now have access to everything that makes up your identity and could steal your identity and then attempt to divert bills away from your house, create new cards, and do other things that you may not be able to see. If they managed to get access to your credit report, they can open cards out the wazoo. They can charge crap up on those cards. And, they can perform all of this without your knowledge.

Credit Monitoring

You might be thinking, I’ll set up a credit monitoring service and have the credit reporting service report when activity happens. Even that, while only somewhat effective is still subject to being breached. If the thieves have access to all of your identity information, they can request the credit reporting service to do things like, reissue passwords to a new email address and send sensitive reports to a bogus address. These thieves can even undo security setups like a credit freeze and reassign all of that information to their own address. You won’t see or even know about this unless you regularly check your credit reports.

This problem just barely peeks into the can of worms and doesn’t even open it fully. There are so many things the thieves can do with your identity, that by the time you figure it out, it could be far, far too late. So, don’t think that signing up for credit monitoring is enough.

Sloppy Security Seconds

In fact, it wasn’t seconds, it was almost 2 months before the breach was known to the public. A move that not only shows complete disregard for 143 million people’s financial security from a company who should be known for it, Equifax doubled down by creating a lead generation tool in their (ahem) free TrustID tool. Keep in mind that that TrustID tool is only (ahem) free for one year, after that you pay. Though, protecting against new account creation is only half the problem. The other half to which TrustID can’t help is protecting your existing accounts. Because credit reports contain every account and every account number you own, if your data was compromised (and with 143 million accounts worth of data lost, it’s very possible), you need to do so much more.

Even the Security Checking Tool (which was questionably put up on a brand new created domain???) seems to have been a sham and had its own share of SSL certificate problems leading to some browsers showing the site as a scam. Some Twitter users have entered bogus data… and, this checking tool seems to have stated this bogus data was included in the breach. The question is, does that tool even work or is it merely security theater? Yet another black eye in among many for Equifax’s handling of this data breach. To wit…

and then this tweet…

To sign up for Equifax’s TrustID premium service, you have to enter even more personally identifying data into a form of a company that has clearly demonstrated they cannot be trusted with your data. Why would anyone do this? Seriously, signing up for a service with a company who just lost a bunch of information? No, I think not. Instead, Equifax should be required to pay victims for a monitoring service with either TransUnion or Experian (where breaches have not occurred.. yet).

On top of entering even more personal information, the service requires you waive your right to lawsuits against Equifax and, instead, requires binding arbitration. Yet another reason not to sign up.

It’s not as if their credit monitoring service is really going to do you a whole lot of good here. If you really do want a credit monitoring service, I’d suggest setting it up with Experian or TransUnion instead. Then, figure out a way to get Equifax to pay you back for that service.

Can’t I reissue credit card numbers?

While you can do this, it won’t protect you fully. The level of what the thieves can potentially do with your data from Equifax goes much deeper than that. Yes, changing the numbers will help protect your existing cards from access. However, it won’t stop thieves from opening up new accounts in your name (and this is one of the biggest problems). This is why you also need to set up a credit freeze.

Because the thieves can now officially pretend to be you, they can do such things as:

  • Pretend to be you on the phone
  • Call in and request new pin codes based on key identifying information (address, SS#, phone number, etc)
  • With your old address, they can then transfer your bills to a new address
  • They can reissue credit card numbers to that new address

You’re probably thinking, “What about the security measure my bank uses? Won’t that protect me?” That depends entirely upon how convincing the thief can be over the phone. If they can answer all of your identity information and find a representative who can bypass some of the banks security steps, they can get a foot into the door. That’s all it takes for them to basically take over your credit accounts… which is one step away from potentially hijacking your bank accounts. A foot in the door is enough in many institutions to get the ball rolling towards full hijacking.

How do I protect myself?

If your data was involved in the breach (unfortunately, the tool that Equifax provides is sketchy at best), the three bare minimum things you should do are

  1. Contact one of the three credit bureaus and ask for a free 90 day fraud watch
  2. Contact all three and ask for a credit freeze on your records at each credit reporting agency
  3. Set up credit monitoring at TransUnion or Experian

The 90 day fraud watch means they will need to let you know when someone tries to do anything with your credit report. However, this watch is only good for 90 days and then expires. The good thing about requesting this watch is that you only have to do it at one bureau. All three will receive this watch request from your contact with one of them. The bad thing is, 90 days is not nearly long enough to monitor your credit. In fact, the thieves will expect the 90 day fraud watches, wait them out, then go after it hard and heavy after these begin expiring.

A freeze, on the other hand, lasts until you unfreeze. A freeze puts a pin code on your credit record and that pin is require each time a company needs to pull a copy of your credit report. This will last far, far longer than a 90 day watch and serves to stop the thieves in their tracks. To freeze your records, you will need to contact all three separately and perhaps pay a fee of $5-10 depending on where you live.

Setting up credit monitoring means you can be alerted to whenever anything changes on your credit report. But, credit monitoring won’t stop the changes from occurring. Meaning, you’ll be alerted if a new card is opened, but the monitoring service isn’t a preventative measure.

You can contact each bureau as follows to set up any of the above services, including a credit freeze (links below):

  1. Equifax or call 1-800-349-9960
  2. TransUnion or call 1-888-909-8872
  3. Experian or call 1‑888‑397‑3742

Neither a fraud watch nor a credit freeze will impact your credit score. A freeze simply prevents any business from pulling your credit report without having your pin code. Companies for which you already do financial business or have loans established can still pull reports as needed. However, any new loans will be required to have your security pin code.  You can learn all about the details of a credit freeze at this FTC.gov web site.

Unfortunately, because the breach may have been more extensive than it appears, a thief can now contact the credit bureaus over the phone, pretend to be you and have any pin codes removed and/or reissued. Then, gain control over your credit records. This is why this breach is so treacherous for consumers. You need to be on your guard, vigilant and manually monitor your credit report for at least the next 12 months regularly. This is the part no big box media site is reporting. Yes, this is a very treacherous landslide indeed that is at work. Even if you do all of the protections I mention above, thieves can still subvert your financial records for personal gain by knowing your key personally identifying information.

How do I stop the thieves?

This is the fundamental problem. You can’t, at least not easily. To truly protect yourself, the scope of changes would include all of the following:

  1. Get a new social security number
  2. Reissue all of your credit card and debit card numbers
  3. Open new bank accounts, transfer your money into the new accounts
  4. Close the old bank accounts
  5. Reissue new checks
  6. Change your telephone number
  7. Move into a new address (or obtain a P.O. Box and send your bills there)
  8. Legally change your name
  9. Change all of your passwords
  10. Change all of your email addresses
  11. Set up multifactor authentication to every financial app / site you log into that supports this feature.

Unfortunately, even doing all of the above would still mean the credit bureaus will update your credit report with all of this new data, but your prior history would remain on the report… possibly up to and including all of the old account, name and address information. It is very, very difficult to expunge anything from a credit report.

In addition to the above, I’d also suggest closing any credit lines you don’t regularly use. If it’s not there, it can’t be exploited. None of this is a magic bullet. You just have to wait it and shut the thieves down as things materialize. Being diligent in watching your credit report is the only way to ensure you nip things in the bud early.

Tidal Waves and Repercussions

It is yet unknown the extent of their breach or the extent to which each consumer may have to go to protect themselves from this deep gash in the financial industry. Not only does this gash now undermine each account holder’s personal financial well being, it undermines the credibility of the very industry holding up the world’s economy. This is some serious shit here.

If half of the US’s residents are now available to identity thieves, those organizations who help protect the small amounts of identity theft throughout a normal year cannot possibly withstand a financial tidal wave of identity theft paybacks which could seriously bankrupt many credit organizations. In fact, if this tidal wave is as big as I suspect it could become, we’re in for some seriously rough financial waters over the next 6-12 months. By the time the holidays roll around, it could be so bad, consumers cannot even buy the goods needed to support the holiday season. Meaning, this could become such a disruptive event in the US’s financial history, many businesses could tank as a side outcome of consumers not being able to properly spend money during the most critical season of the year.

This has the potential to become one of the most catastrophic financial events in US history. It could potentially become even more disruptive than the 1939 stock market crash. Yes, it has that much potential.

Since I have no reason to believe that Equifax has been totally honest about how much data has actually been lost, this is the reason for this level of alarm. I’d be totally happy if the amount of data lost was limited to what they have stated, but the reality is, nothing is ever as it seems. There’s always something deeper going on and we won’t find that out for months… possibly at the point where the economy is hit hard.

Equifax Aftermath

Because the US is so pro-business, Equifax will likely get a slap on the wrist and a warning. Instead, this company should be required to close its doors. If it is not providing adequate data security measures to protect its systems, then it needs to shut its doors and let other more capable folks handle this business. This sector is far too critical of a service and that data too risky if lost to allow flippant companies like Equifax to continue to exist in that market.

Tagged with: , , , ,

Security tip: Don’t sign-up for sites without ‘delete account’ function

Posted in data security, security by commorancy on April 2, 2012

As security of data becomes more and more important and as security breaches become more and more frequent, the ‘delete account’ link becomes very important.  So many sites today allow you to import information such as credit cards, birth dates and other sensitive information, but many times they don’t allow you to delete that information (or your account) easily.  In some cases, you can’t delete your data at all.  It’s important to understand why it’s critical to have the option to delete your account (and all data associated with it). Let’s explore.

Account Security

Few people consider account security when signing up for an internet service like Facebook, Twitter, MySpace or even Yahoo or Google.  As more and more sites become victims of security breaches, without deletion of old dormant accounts, your data is sitting out there ripe for the picking.  In some cases, these accounts may have stored credit card, social security or other potentially sensitive or revealing data.  So, when you begin that sign-up process, it’s a good idea to check the help pages on how to delete your account information before you sign up.

Old Dormant Accounts

We all have them.  We signed up for a site 4 years ago and then either never used it or used it only a few times. Don’t leave old dormant accounts sitting unattended.  Delete them.  You don’t need some random hacker gaining access to the account or, worse, obtaining the password through a break-in to that site.  If they obtain an old password, it’s possible that they may now have access to all of your accounts all over the net (assuming you happen to use a single password at all sites).

If you are using a single password, change them to all be unique.  If you can’t do this, then find the delete button on all these old accounts.  If you can’t remember what you’ve signed up for, then that’s beyond the scope of this article.  Still, deletion is the best option at avoiding unintended intrusion into other important accounts, so delete old accounts.

No Delete Function?

Two ways to handle this one.

  1. Delete all data that you can from the account, then find a random password generator and change the password to a randomly generated password.  Do not keep a copy of the password and never use it again.  Basically, you have locked the account yourself.  If someone does access the account through the web, they won’t get anything.  If they break into the site and gain access to the passwords, they will get a randomly generated password that leads them nowhere.
  2. Contact the site administrator and ask to have the account completely deleted without a trace.  Sometimes they can, sometimes they can’t.  Depends on how the site was designed.  It’s always worth asking.

New Accounts at New Sites

When signing up with new accounts, if you cannot find a way to delete the account, then contact the administrator and explain that you would join the site, but you cannot find a way to delete the account when you no longer wish to have one.  If they state that there isn’t a deletion function, explain to them that until they implement this function, you can’t use the site.. and walk way.  Note that there is nothing more important than your own personal data security and you have to be the champion of that security because no one else will.  If sites refuse to implement deletion functionality, then don’t use the site.  There is no site functionality that is more important than your data security.

No Reason for Lack of Delete Function

In fact, there is absolutely no reason, other than sheer laziness, to not implement a delete function in any internet web site.  If it can be added, it can be deleted.  It’s very simple.  I know, some developers are going to say, “Well, it’s not that easy”.   That’s a total crock.  It is that easy.  If you have developed software that is incapable of deleting user account information, then you are either seriously inept as a programmer or you simply don’t understand what you are doing.  There is no excuse at all for not adding a delete function to any site (including deletion of a user account).  To my knowledge, there is no operating system or database that does not have the ability to delete data.  Not adding this feature is just not acceptable.  Always demand this feature if you cannot find it.

Pre-existing Site Accounts

I know that some of you may have joined sites ages ago when data security breaches were less common than today.  Back then, account delete functions may not have been available.  This may have been carried forward and these sites may still not have delete functions.  Demand that the developers add this functionality.  If you are an avid user, you should always demand this functionality.  You never know when something may change that may require you to delete your account at that site… like a data breach.  Security is important and your personal ability to delete your account is your right and should not be undermined.  Again, always demand this feature from the sites you frequent if it is not present.

I challenge you to visit all of the sites you regularly use and locate the delete account function.  I’ll bet that more than 50% of the time, it’s not there.  Demand that this feature be implemented if, for nothing else, than your own personal peace of mind in case you need it.  It’s like that insurance policy you buy, this is the same.  The delete account feature is your insurance policy to prevent unauthorized access whenever you need to exercise this option.  However, you cannot delete your data if the functionality is not there, so always make sure the delete feature exists before you sign-up.

%d bloggers like this: