Today concludes the Equifax hack podcast. But the story of the Equifax hack is much bigger than a tale of lost Social Security numbers. It’s about corporate greed. Exploitation of a natural resource (us) for gross profit margins. It’s about control. Epidsode 6 zooms out and returns to the key question: Is privacy dead? As frequent readers of this site, I hope you know what my answer is: It’s very sick, perhaps even on life support, but it’s not dead. I think falling for the notion that privacy is dead is a trap: If it’s dead, then who cares about exploitation of personal information? Who cares about the sanctity of private relationships, of our deepest feelings, or our ability to make decisions, or of our political process.
We have a lively discussion, brought home by Gartner’s Avivah Litan, a name most of you know. She’s probably the most-quoted security analyst in English-speaking media. We also talk to Catherine Fleming, a Seattle-based consumer attorney who is spearheading one of the class-action lawsuits against Equifax. She is a crusader, but she’s also abundantly wise.
Below is a partial transcript, but I hope you’ll listen to our discussion.
You can listen to episode one by clicking play below, if that embedded link works for you. If not, click :
AVIVAH: Not really. I mean I wish I had some parting words of wisdom. I guess my
parting words of cynicism is I don’t think anything’s gonna change in the future either.
The only thing that could potentially change the situation is a consumer backlash and
consumers are not organized to, to rebel and that’s the problem because businesses
have no incentive to change the status quo.
BOB: So is privacy dead?
AVIVAH: Privacy’s been dead for years and consumers need to worry about that. And
ALIA: So, I mean, if privacy is dead, who killed it?
AVIVAH: Businesses killed it by not taking good care of our data and the criminals killed
it by stealing the data. They stole it for years it’s been dead.
BOB: Is there a date in your mind?
AVIVAH: I remember thinking it was dead like back in 2004 or five and my colleagues
saying, no, it’s not dead. You can’t say that. But yeah, it’s dead. Don’t you think it’s
BOB: Life support, life support.
BOB: One of the things you hear again and again with the Equifax breach is “Oh well you know
nothing bad’s come of it”, some have said there’s been no proof of identity theft from Equifax —
but Catherine has heard from a lot of people with stories to the contrary. Anecdotes like –
CATHERINE: A car was rented across the country – in a state where they never set foot
and was never returned in their name. Um someone got a small business loan in their
name — multiple credit cards, stayed in vegas and ran up a huge bill and now the hotel is
asking me to pay. That type of thing.
ALIA: Of all those examples of “harm” from the Equifax breach, one of Catherine’s clients stood
out to me. At the time of the breach, she was in the state equivalent of the witness protection
CATHERINE: And so when you seek that type of protection, there’s very, very important
safety reasons, life and safety reasons why you want that protected, that information
ALIA: So this woman alleges that because her private information was breached, and in the
wrong hands, she had to move.
CATHERINE: She was very concerned about her young son. I want to say he was
around 9 or 10 at that time. His life was also gravely at risk. And so that was probably
one that really caught my attention because it was such an interesting set of facts and,
and so devastating to her and she was frantic.
BOB: How awful. You’re in witness protection program and suddenly Equifax loses your data.
BOB: This is the unique challenge for data privacy cases like this – proving harm. You don’t
show up to court in a neck brace to prove your injury.
CATHERINE: That’s the question that would come up in those meetings, at the tables
with a partner saying, look, and they would say, well, what’s, how are you going to argue
damages? How are you, what’s the harm and how are you going to get paid? How are
we going to get paid?
BOB: And if you’re Catherine, you have to show harm to a variety of different judges with
different viewpoints in different regions.
CATHERINE: The decisions vary across the country in different Jurisdictions.
BOB: Harm can be seen as one thing in Washington DC and another thing entirely in California
which has far more progressive data protection laws.
CATHERINE: Harm is in the eye of the beholder. And in the court’s eye it just, it varies.
CATHERINE: Data privacy is a basic right, it is our life.
BOB: See, this is why it’s so dangerous to think that our privacy is dead. There are a lot of
forces in the world that want us to think that. If our privacy is dead, there’s nothing we can do.
There’s nothing to worry about. It’s also this fatalistic notion like all our rivers are polluted so why
should we bother regulating companies anyway? Let’s just make a bunch of money. All our
data’s already out there, so why should we bother worrying about this? We can’t do anything,
your privacy is dead, get over it. It’s not true. That’s what they want us to think, but it’s such a
dangerous thought because privacy, privacy is intensely human. Privacy is what protects our
humanity. If you think about the most intimate moments that you have in your life, and this is
true in every culture and every time, you have them privately. You go off by yourselves. But
even among friends–you think about these circles that you live in, these concentric circles–your
closest friends are in a tiny circle, and then your acquaintances, and outside of them are your
coworkers, and then maybe people you only see a couple of times a week or people you see
once in your lifetime. If we can’t control the size of those circles and who gets in them and who
gets blocked out of them, we lose something absolutely essential to our humanity. So: privacy
might be really ill, we might have to give it some kind of extreme treatment, it needs CPR it
needs chemotherapy it needs something, but if we give up on the idea, I think we give up on a
very sense of humanity.
AVIVAH: But how can you say it’s not dead if all your data’s out there? I guess if we. We
have a different, um, interpretation of what data privacy means. To me, what it means is
that No one has my data except people that really protect it and they consent with me.
They, they consult with me before they share it. That’s not been the case for many
years. That’s what data privacy means to me.
BOB: Was that ever the case?
AVIVAH: Well, it wasn’t as noticeable until everything became so automated and
BOB: I’m sitting here thinking from the invention of data itself
BOB: Companies have taken it and done things with it that you didn’t know about.
AVIVAH: That’s true. Data, there has never been data privacy in that sense
So to me, what’s your definition of. Why do you say it’s on life support?
BOB: Because I imagine a situation where I, I get to decide who has it, when they have
it and what they do with it.
ALIA: You get to get, it’s like consent.
AVIVAH: But you don’t. You have no say over your Equifax data.
BOB: Well today, no, today I don’t, but I can imagine a world where I do.
BOB: Like, you’re describing it, actually.
AVIVAH: Oh it’s dead temporarily.
AVIVAH: I don’t think it’s dead permanently. Oh.
BOB: I like to think of something being- can we agree it’s in a coma, then?
ALIA: Is it a vampire?
AVIVAH: I think data. No, to me data privacy is dead but. All right. I’m sorry. Data
privacy died but it can be reborn. You’re saying it could never be reborn. I think it died
and it can be reborn.