One thing about data breaches always blows me away, no matter how many times it happens or how commonplace it becomes: late disclosures. I mean WAY late disclosures. I’m talking about the ones that get disclosed YEARS later. Like the Uber data breach, where 57 million rider and driver accounts had information like email addresses, phone numbers, and in some cases driver’s license numbers stolen in late 2016, but which wasn’t publicly disclosed until November 2017. Or the iPhone hack from September of 2015 that affected 128 million users and only went public last month as part of the court documents in the ongoing Apple v Epic lawsuit. These are the stories that drive me crazy as a privacy educator, because to me they illustrate a critical point that is often overlooked. Data breaches have become a fact of life. I no longer sound crazy when I cite them as a credible threat that applies to every human being who has so much as visited a developed nation, because even if you have somehow never used the internet (first off, how are you reading this?), your sensitive information is still in some database somewhere. We all know and accept that data breaches are a thing, and it’s becoming harder every day to meet anyone who hasn’t been caught up in one. But these late disclosures illustrate a scary scenario: for years those people were exposed and didn’t know it. Imagine finding out that five years ago a criminal made a copy of your house key and has been selling copies to anyone with $5 ever since.
One of the biggest reasons I think privacy matters for everyone is the irreversible nature of exposure, and this is also one of the hardest things for me to communicate to others. My identity was one of those stolen in the 2017 Equifax data breach, and thus it will never be safe again. I can never be certain that it has been completely erased from every corner of the internet, and even if I could, I have no way of knowing that somebody didn’t already download it. It’s now out there forever. Of course, not all data breaches are like this. A password, for example, can be changed. An email address or a home address is a bit less fluid, but still technically impermanent. But even in the password example, that assumes you get a notification in a timely manner. I regularly remind podcast listeners that many companies are under no legal obligation to inform you of a data breach at all, let alone in a timely manner. You may get lucky and get a company ethical enough to email you and suggest you change your password, or you may find out five years later in a news article. That’s why being proactive is such an important concept in privacy and security. There’s a saying that the best time to plant a tree was 20 years ago, but the second best time is today. In other words: better late than never. But at the same time, why put off until tomorrow what you can do today? Privacy doesn’t happen overnight, and being proactive can save you a lot of headache, especially in cyberspace, where you may not always get a chance to be reactive.
A common pushback I get from people when I talk to them about privacy is “how can this data collection be used against me anyway?” There are lots of answers to this question, but perhaps one of the most important is “we don’t always know.” We know some ways right now: phishing attacks, social engineering (depending on your threat model), rogue employees, stalkers. But there may be more down the road that we can’t conceive of right now. Who would’ve believed twenty years ago that someday Facebook would know so much about you that it could actually sway elections and be blamed for enabling terrorism? Or that Google would eventually create an interactive map of the entire world? Or that people would be able to run successful stores out of their bedrooms? You would’ve been laughed off as a madman. Yet, here we are. The preposterously absurd has become common sense. And in that sense, it’s already too late to be reactive. We can’t tell Google to erase its images and shut down Google Earth. We can’t get Facebook to dump all the data it has collected on us. The only reactive move we have left is to try to prevent them from getting more data, in order to prevent the unforeseen abuses that unarguably lie ahead.
In a blog post late last year, I wrote about the top ways to fail at privacy. One of those was “not making time to implement.” Humans are, for lack of a better word, lazy. Our evolutionary instinct is to put things off until the last minute, to save energy in case of emergency. But in privacy and security, it’s best to be proactive now. Once you have a stalker, it’s too late to start planting disinformation. Once the media is at your doorstep, it’s too late to get an anonymous home. This is your call. If there’s a part of your defense that’s lacking, now is your chance to fix it. I strongly encourage you to examine yourself for those flaws now and act on them. Don’t find out in five years that you’ve been exposed this entire time. Be proactive now.