“Here’s a bandaid” – musings on the T-Mobile data breach and what we need to do next

This week, T-Mobile acknowledged a new data breach that has affected 40M+ people, and, as with every breach, the impact of this event will continue to affect them for years to come (Paz, 2021). To those impacted, T-Mobile is offering a bandaid: a free McAfee Identity Protection license. Offering an identity protection monitoring service or a similar bandaid following a breach is an industry-standard practice. The practice, however, provides little salve. What is worse, given that some action is better than nothing, is that most people don’t take advantage of the offer when it is made.¹

Is T-Mobile’s offer a start? Yes. Is it enough? In my opinion, no. We need to do more. People worldwide are concerned for their privacy and data (Auxier et al., 2019; Langer et al., 2021); they have been for a long time (Warren & Brandeis, 1890), and rightfully so, as evidenced by the fact that there have been more than 10,000 data breaches since 2005 (2020 in Review Data Breach Report, 2021; “Data Breaches,” 2021; U.S. Data Breaches and Exposed Records 2020, 2021) and 11.5 billion breached passwords have been recorded out in the wild (Haveibeenpwnd?, 2021). And the problem is only going to get worse as we become more and more connected in the coming years. One estimate predicts that by 2025 people will be interacting with, and leaking their identity and data to, IoT devices 4,800 times a day, i.e. about every 3.3 seconds (Reinsel et al., 2017), and the ITRC predicts that in 2021 we’ll experience the most data breaches ever in a single year; the good news is that the number of people impacted will be lower than in previous years (“Data Breaches Are Up 38 Percent in Q2 2021; The ITRC Predicts a New All-Time High by Year’s End,” 2021).

People lack, and want, control over their physical and digital self (aka data) (DMA & Acxiom, 2015). They want their privacy, but they don’t know where to start, and they lack the tools and education to manage their data (Babun et al., 2019; “Computer Services & The Harris Poll,” 2019).

Identity Protection Services Are Not Enough: The Harms & Costs Caused by a Data Breach

Identity protection services, like those being offered to the affected, can remind us that we have a problem, that the “cows” have gotten out of the barn, but they don’t offer a solution. These services will tell someone that a personal attribute, e.g. an email address or a social security or government ID number, has been found on the dark web. They rarely tell someone much more, e.g. how their data got leaked in the first place, or offer any other meaningful, actionable insight.² Moreover, they don’t address the emotional, time, economic, physical (incl. life), reputational, relationship, chilling effect, discrimination, thwarted expectations, control, data quality, informed choice, vulnerability, disturbance, autonomy, social, civic, and political harms that people may immediately experience following a breach or that may befall them years after a breach has occurred (Calo, 2010; Citron & Solove, 2021), i.e. long after the identity protection monitoring service bandaid has dried up and fallen off.

The total cost of the potential immediate and long-term harm exposure from a breach far exceeds the $39.99/year value of the identity protection service bandaid. For many, it can take days, weeks, or even years to find out their data was compromised, and it can take many hundreds of hours and upwards of thousands of dollars to recover from a severe breach or misuse of their data (“Data Breaches Are Up 38 Percent in Q2 2021; The ITRC Predicts a New All-Time High by Year’s End,” 2021).

And so far we’ve just been talking about “material” past or current harms. What about future harm, i.e. lost opportunity? For example, consider the lost opportunity to buy a car or house because the breach trashed your credit score and you can’t get the inaccuracies removed. The FTC reported that 20% of people have at least one error in their credit report (Fiano, 2019). Or consider the opportunity that can be gained by having control over one’s data (e.g. in the form of a personal data store or personal information management system) and using it to learn about one’s self, to more efficiently navigate life, or even to profit from one’s own records, attributes, labor, or capital data.

It’s time to give people a seat at the table

The elephant in the room, and one not taken nearly seriously enough, is that our personal data has value, and this data and value should be under the control of the data subject, i.e. the person that it relates to or is generated by. As the former EU commissioner Meglena Kuneva noted as far back as 2009,

“Personal data is the new oil of the internet and the new currency of the digital world” (“Meglena Kuneva – European Consumer Commissioner – Keynote Speech – Roundtable on Online Data Collection, Targeting and Profiling,” 2009).

Why is it not addressed? Possibly because the industry says people don’t care about their data? Or because we think regulations will take care of it? More likely, it is because it threatens the efficiency of existing operations and business models, is just not practical at scale today, and is too hard to implement at this time (Pinarbasi & Pavagadhi, 2020). In aggregate, people’s data is worth trillions of dollars. Corporations are taking the lion’s share of the benefits while individuals are left holding unmitigated risks. The Identity Nexus equation, the equilibrium state where benefit and risk are equally shared throughout society, is out of balance.

It is time we empower people and give them a share of the riches they are generating, which is worth far more than the free account, recommendation, or article they are getting today. It is time we get The Identity Nexus equation back into balance. Our privacy should not be a luxury good, as it is today. Today people are the entrée being served up to industry, primarily in the form of marketing, risk mitigation, and people search (Dixon & Gellman, 2014; “FTC to Study Data Broker Industry’s Collection and Use of Consumer Data,” 2012). It is time we move them off the table, and give them a seat at the table. If we enable them to be active participants in the collection, management, and exchange of their data, the personal, civic, social, and commercial bounties will be plentiful. This is not an idea problem, nor a technology problem; it is an imagination and will problem. The ideas have been with us for decades (Bush, 1945; Laudon, 1996; Personal Data, 2011), and the technology is maturing at a breakneck pace. There are pockets of innovation happening today where people are working on putting people in control of their data, like MyData (see the Langford et al. (2020) MyData operators report), the Mobile Ecosystem Forum PD&I working group, the Internet Identity Workshops, and the many self-sovereign identity working groups at the W3C, Decentralized Identity Foundation, or Trust over IP Foundation, and The Good Health Pass Collaborative (a group working on a self-sovereign COVID testing credential), to name just a few. The problem is that we’ve simply gotten too comfortable with the status quo, and the collective we simply can’t imagine a different world.

We need systemic change.

“We’re entering an age of personal big data, and its impact on our lives will surpass that of the Internet” (Maney, 2014).

Being reminded that there is a problem is not enough to address the problem. We need to prevent harm, or at least mitigate it, before it occurs, as well as address other harms, i.e. the illicit and legal misuses or non-permitted use of our data, and the lost opportunity that people may realize from having cross-sector access and control of their data. In the end, the individual can be the only one that has a complete view of themselves (Brohman et al., 2003). We need to create opportunities for personal fulfillment. Identity protection is a start. But, what people need is control. Contracts, terms of service, and privacy policies are not enough. Regulation is not enough. Trust in commercial and non-commercial institutions to do “the right thing” is not enough. People need to be in a position where they can “trust but verify.”

Five pillars of digital sovereignty for the phygital human

To control their digital self, people need a systematic framework to embrace the five pillars of digital sovereignty–awareness, intention & behavior, insurance, rights, and technology–all of which rest on education. People need education to understand the problem, to know how and when to use the utilities and services, and to know how and when to take specific actions that suit their personal circumstances, their context. Moreover, regarding rights, they need regulation that recognizes privacy harm, not just privacy law (Gilliland, 2019).

As an industry, we should not just be offering bandaids; we should be providing a suite of convenient, unobtrusive, passive and active, value-generating utilities, services and education (aka privacy-enhancing technologies and personal identity management capabilities) that help people take back control of their data, their digital self. We need to put in the time to build exceptional customer experience, user experience, and contextually relevant content.

“Content is King, but Context is God” (Vaynerchuk, 2017)

We live in a connected digital age. We have become phygital beings (physical + digital). Today, for many, the digital part of us has more personal, social, and economic value than the physical self. It is time for people to have control of what matters most–their digital self, alongside their physical self. We need to be whole again.

ENDNOTES

  1. Bernard (2020) reported that only 1 in 10 Americans took advantage of the settlement offered following the 2017 Equifax data breach that impacted 147 million Americans.
  2. The reality is that, due to the prevalence of data sharing and exchange and the sheer number of data breaches tracked since 2005, it is nearly impossible to track the original source of breached data. It is estimated that there have been well over 10,000 data breaches since 2005 (2020 in Review Data Breach Report, 2021; “Data Breaches,” 2021; U.S. Data Breaches and Exposed Records 2020, 2021). And, according to the ITRC, 2021 is on track to be a record year for data breaches. The number of breaches in Q2 2021 was up 38 percent over Q1 2021. For the year, the H1 2021 breaches account for 76 percent of the 2020 totals. The good news, however, is that the total number of people impacted in 2021 is going down (“Data Breaches Are Up 38 Percent in Q2 2021; The ITRC Predicts a New All-Time High by Year’s End,” 2021).

REFERENCES

2020 in Review Data Breach Report (pp. 1–29). (2021). Identity Theft Resource Center. https://notified.idtheftcenter.org/s/

Auxier, B., Rainie, L., Anderson, M., Perrin, A., Kumar, M., & Turner, E. (2019). Americans and Privacy: Concerned, Confused and Feeling Lack of Control Over Their Personal Information. In Pew Research Center: Internet, Science & Tech. https://www.pewresearch.org/internet/2019/11/15/americans-and-privacy-concerned-confused-and-feeling-lack-of-control-over-their-personal-information/

Babun, L., Celik, Z. B., McDaniel, P., & Uluagac, S. (2019). Real-time Analysis of Privacy-(un)aware IoT Applications.

Bernard, T. S. (2020). Equifax Breach Affected 147 Million, but Most Sit Out Settlement. In New York Times (Online). New York Times Company. https://www.nytimes.com/2020/01/22/business/equifax-breach-settlement.html

Brohman, M. K., Watson, R. T., Piccoli, G., & Parasuraman, A. (2003). Data completeness: A key to effective net-based customer service systems. Communications of the ACM, 46(6), 47–51. https://doi.org/10.1145/777313.777339

Bush, V. (1945). As We May Think – Vannevar Bush – The Atlantic. In The Atlantic. http://www.theatlantic.com/magazine/archive/1945/07/as-we-may-think/303881/?single_page=true

Calo, R. (2010). The Boundaries of Privacy Harm. Indiana Law Journal, 86(3). https://papers.ssrn.com/abstract=1641487

Citron, D. K., & Solove, D. J. (2021). Privacy Harms (Public Law Research Paper ID 3782222). GWU Law School. https://doi.org/10.2139/ssrn.3782222

Consumers have concerns about cybersecurity, value education on best practices. (2019). In HelpNetSecurity. https://www.helpnetsecurity.com/2019/10/07/consumers-cybersecurity-awareness/

Data Breaches. (2021). In Privacy Rights Clearinghouse. https://privacyrights.org/data-breaches

Data Breaches Are Up 38 Percent in Q2 2021; The ITRC Predicts a New All-Time High by Year’s End. (2021). In Identity Theft Resource Center. https://www.idtheftcenter.org/data-breaches-are-up-38-percent-in-q2-2021-the-identity-theft-resource-center-predicts-a-new-all-time-high-by-years-end/

Dixon, P., & Gellman, R. (2014). The Scoring of America: How Secret Consumer Scores Threaten Your Privacy and Your Future (pp. 1–89). World Privacy Forum. https://www.ftc.gov/system/files/documents/public_comments/2014/08/00014-92369.pdf

DMA, & Acxiom. (2015). Data privacy: What the consumer really thinks (pp. 1–29). The Future Foundation. https://dma.org.uk/uploads/misc/5a857c4fdf846-data-privacy—what-the-consumer-really-thinks-final_5a857c4fdf799.pdf

Fiano, L. (2019). Common errors people find on their credit report – and how to get them fixed. In Consumer Financial Protection Bureau. https://www.consumerfinance.gov/about-us/blog/common-errors-credit-report-and-how-get-them-fixed/

Forum, T. W. E. (2011). Personal Data: The Emergence of a New Asset Class (p. 40). The World Economic Forum. http://www.weforum.org/reports/personal-data-emergence-new-asset-class

FTC to Study Data Broker Industry’s Collection and Use of Consumer Data. (2012). In Federal Trade Commission. http://www.ftc.gov/news-events/press-releases/2012/12/ftc-study-data-broker-industrys-collection-use-consumer-data

Gilliland, D. (2019). Privacy law needs privacy harm. In TheHill. https://thehill.com/opinion/cybersecurity/459427-privacy-law-needs-privacy-harm

Haveibeenpwnd? (2021). Have I Been Pwned: Check if your email has been compromised in a data breach. https://haveibeenpwned.com/

Langer, B., Becker, M., Lacey, J., Betti, D., Craig, T., Berg, S., Imperi, V., & Ibrahim, D. (2021). MEF 7th Global Consumer Trust Report. Mobile Ecosystem Forum.

Langford, J., Poikola, A. ’Jogi’., Janssen, W., Lähteenoja, V., & Rikken, M. (2020). Understanding MyData Operators (pp. 1–40). MyData. https://mydata.org/wp-content/uploads/sites/5/2020/04/Understanding-Mydata-Operators-pages.pdf

Laudon, K. C. (1996). Markets and privacy. Communications of the ACM, 39(9), 92–104. https://doi.org/10.1145/234215.234476

Maney, K. (2014). ’Big Data’ Will Change How You Play, See the Doctor, Even Eat. In Newsweek. https://www.newsweek.com/2014/08/01/big-data-big-data-companies-260864.html

Meglena Kuneva – European Consumer Commissioner – Keynote Speech – Roundtable on Online Data Collection, Targeting and Profiling. (2009). European Commission. https://ec.europa.eu/commission/presscorner/detail/en/SPEECH_09_156

Paz, I. G. (2021). T-Mobile Says Hack Exposed Personal Data of 40 Million People. The New York Times. https://www.nytimes.com/2021/08/18/business/tmobile-data-breach.html

Pinarbasi, A. T., & Pavagadhi, J. (2020). 3 benefits for businesses to adopt PDS. https://iapp.org/news/a/3-benefits-for-businesses-to-adopt-pds/

Reinsel, D., Gantz, J., & Rydning, J. (2017). Data Age 2025: The Evolution of Data to Life-Critical Don’t Focus on Big Data; Focus on the Data That’s Big (pp. 1–25). IDC. https://www.seagate.com/www-content/our-story/trends/files/Seagate-WP-DataAge2025-March-2017.pdf

U.S. Data breaches and exposed records 2020 (p. 1). (2021). Statista. https://www.statista.com/statistics/273550/data-breaches-recorded-in-the-united-states-by-number-of-breaches-and-records-exposed/

Vaynerchuk, G. (2017). Content is King, But Context is God. In GaryVaynerchuk.com. https://www.garyvaynerchuk.com/content-is-king-but-context-is-god/

Warren, S., & Brandeis, L. (1890). The Right to Privacy. Harvard Law Review, 4(5), 193–220.
