The Burden of Understanding

Sept. 21, 2018

Prologue

I started this blog because of my cousins. Every family holiday, I get a chance to sit down with my brilliant, successful cousins and their equally impressive significant others. We talk about important news stories, politics, global affairs; the list goes on mostly how you'd expect. Perhaps inevitably, given that I work at one of the largest Internet companies in the world, the conversation often steers to the Internet. "So, Shane," they'll ask, "no more Gmail, huh?" And so we dive into a deep conversation about data, privacy, security, social networking and social engineering. The conversation usually lasts the full train ride back to the city, only to be paused and continued at the next holiday.

After each of these conversations I have the same thought: Internet users are considered responsible for the burden of understanding the intricacies of how to protect themselves, and that burden is simply far too large. So here we are, and here is this blog. The title is only partly tongue-in-cheek; my goal is to convince that even though you shouldn't be responsible for the burden you hold, you are, and how you deal with it is important.

Some Context

I'm a Frontend Software Engineer. I build stuff on the Internet. I am not an expert on security, privacy, or even web technologies. My self-assigned role in this blog is to convey my understanding of these topics, gathered from experts, to you. That is, to reduce your burden of understanding, and hopefully allow you to make more thoughtful, intentional decisions.

Breaches Are Bad

Some time between May and July of 2017, criminals exploited a vulnerability in Equifax's website and retrieved credit card numbers, social security numbers, and driver's license information on up to 143 million Americans. 143 million is over two thirds of the total population of Americans over the age of 25. This is a truly staggering number, and the amount and nature of data stolen forced me to look at my online presence in a new light. The first question I had was: "How many companies have databases like this?" The answer, it turns out, is 60. The Consumer Financial Protection Bureau has a big list of all consumer reporting companies. It's worth taking a look through.

Equifax didn't report the data breach publicly until September of 2017. For almost 4 months, the majority of Americans were at huge risk for identity fraud, and Equifax said nothing. When they finally did come clean, consumer response was massive; more than 90 percent of consumers have taken some action to protect themselves from identity theft in the aftermath. Some of them had the same question that I did: "When did I give Equifax permission to store that personal information about me anyway?" Turns out, any time you sign up for a credit card, a loan, a mortgage, the fine print gives that lender permission to report your information to one or all of the credit reporting companies. To participate in the American economy is to have your financial activity perpetually tracked and recorded.

This, to put it lightly, was a disappointing discovery for me. There is a bit of good news; partly as a result of investigations and hearings that resulted from the breach, Congress amended the Fair Credit Reporting Act to require reporting agencies to freeze reports for no charge. You should use this. It won't stop the credit bureaus from collecting your data, but freezing your report is easy, free, and generally considered one of the strongest ways to protect yourself against identity theft.

Bears, Beets, Cambridge Analytica

The data stolen in the Equifax breach was private data. Worse, it was identifying data; with only the information obtained from that breach, a criminal could quite easily perform identity theft. This is the kind of data that most consumers know they should keep safe. The boogeyman of identity theft is one we've been taught to fear for decades. In response to the breach, consumers largely changed their behavior to avoid negative outcomes, and that's a good thing. But there's another category of data that was stolen in a large scale recently, and the response was... Different.

In the summer of 2014, an app was created that presented users with a variety of surveys. It was called This Is Your Digital Life, and connected to your Facebook account, asking for permission to read your profile information and information about your friends. The app had about 300,000 users, and the network of friends whose profiles the app had access to totaled over 87 million. Its owner, Soviet-born American researcher, Aleksandr Kogan, had been hired to make the app by a U.K. affiliate of the U.S. political consulting firm, Cambridge Analytica.

Cambridge Analytica uses "psychographic" modeling to target voters with specific political appeals. That is, instead of using models based on rough categories of people (demographics), they use models based on psychological profiling. It's important to understand the power of this modeling: Cambridge University researchers Michal Kosinski and David Stillwell were able to evaluate a participant's basic personality traits better than the participant's coworkers, using the exact same system as were used by Cambridge Analytica. These profiles are a propagandist's wet dream, and all of the data needed to construct them is just sitting on Facebook's servers.

If the discovery about the nature of information held by Equifax was disappointing, this revelation is downright frightening. The moment I learned about Cambridge Analytica was the moment I started constructing my tinfoil hat. But unlike after Equifax, there were no regulations passed after Cambridge Analytica to force Facebook to make it easier for users to lock down their data. There was some public outcry on Twitter (I hope I'm not the only one that sees the irony there), but Facebook claims to have seen no significant changes in usage since the reveal. This event was different. This wasn't important data, related to financial wellbeing, or even private information. By most measures, Facebook likes can reasonably be considered publicly visible. This wasn't the identity theft boogeyman that we've been warned about our whole lives. It was a new boogeyman, one that's almost invisible. And so, nothing has changed. In all likelihood, Cambridge Analytica still has all of the data it gathered from Facebook.

If your next question is "So what do I do?", then good. With any luck, this blog will help answer that question. The road forward is full of compromises and careful consideration, but I think it's one worth taking. I hope you do too.