Amongst the steady stream of marketing emails for gift cards and other last minute gifts in the days before Christmas, buried in the noise sent when people are least likely to see it, was a notice. It was an all-too-familiar “we take your privacy seriously, but” email. Perfectly timed to make it clear that privacy wasn’t that important.
This wasn’t just my email address being leaked, this was everything. Name, address, income, employer, social security number. Each record stolen was essentially an identity theft kit; everything needed in one place. From a privacy and data security perspective, few things are worse.
Yet the only thing remarkable about my reaction to that notice was that it was entirely unremarkable, more blasé than nonplussed. This was far from the first such notice; it wasn't even among the first dozen. It has in fact become so routine that I've simply lost count of the occurrences thus far; it's in the dozens.
The state of privacy and data security has become so deficient & dysfunctional that my oldest child had his first data breach notification, revealing his social security number to attackers, at less than 6 months old. He never had a chance to protect his information.
While I’ve focused on – and fought for – user privacy for much of my career, this unending series of failures has changed how I see my own privacy.
As an industry, we have solved some of the hardest technical problems, we’ve devised solutions to many of the thorniest issues, and we’ve created tools and techniques to make finding and fixing issues easier than ever. Annual spending on security is now estimated to be an incredible $200,000,000,000¹. That’s a remarkable number of zeros.
Yet, hacks have far from stopped. But for some, myself included, the caring has.
While I still fight for the privacy of users, I’m generally a privacy nihilist when it comes to my own information. I’ve given up. Call it emotional exhaustion or cynical realism, I’ve accepted that my data has been leaked and stolen so many times that there’s no point in making any extraordinary effort to protect it.
That said, that doesn’t mean we should abandon protecting others, forget what we owe each other in a moral sense, or abdicate the responsibility that comes with the skills and abilities we’ve developed.
We can, and should, do better. We can, and should, avoid such absurd situations as babies receiving data breach notifications, yet this is the world that we live in. And I have some thoughts as to why.
In 2018, I drafted an article about a breach that wasn’t published at the time; I’d like to share a portion of it here. It seems to have aged fairly well.
There is much said about the cost of a breach, from stock prices to fines, fees, and lawsuits. However, there is little agreement on these numbers, and there is a common opinion that many of these estimates overstate the cost. One analysis from this year (2018) puts the cost at $141 per record stolen; however, looking at the impact on specific well-known breaches, this number appears to be vastly higher than the actual cost.
When a business makes budget decisions, they look at many things, from regulatory and contractual requirements to estimates of breach costs (legal, public relations, sales, &c). All of these factors feed into the decision on what can be spent on security while maximising profit. This makes the cost of a breach extremely important: the lower the cost, the easier it is to justify spending less to prevent one. This is an unfortunate reality of business; in every decision there is a certain amount of risk accepted, and reducing that risk by too much means a loss of profits that investors expect to see.
There have been efforts in the United States and around the world to fine those companies that fail to properly protect sensitive data; however, at least in the United States, the regulations that have made it into law so far have had fairly limited impact. In the case of credit card data being stolen, the issuing banks absorb much of the cost. In some cases the banks are able to recover some of the losses; however, the amount recovered isn’t substantial.
In the 2013 Target breach, approximately 40 million cards were exposed, and banks sued Target claiming hundreds of millions in losses. Target settled for $106.4M, or roughly $2.66 per card lost. According to the 2016 Target annual report (the most recent available in 2018), the cost of the breach was approximately $300M, though with insurance and tax deductions this was reduced substantially. This is for a company with around $3B in annual profits. While having 40M cards stolen seems like a devastating breach, the long-term cost and impact have been effectively inconsequential.
This leads us to a disturbing realisation if you care about your data: many companies are investing just enough to achieve legal & regulatory compliance, but not enough to keep your data from being stolen.
In the 8 years since I wrote those words, they have weighed on me, and my view of how most companies treat the data they’re entrusted with. Some companies work hard to protect data, limit what they collect, and invest heavily in avoiding the need to send out one of those emails. Others, not so much.
Show me the incentive and I’ll show you the outcome. - Charlie Munger
Incentives are too often aligned towards simple solutions, shifted responsibility, compliance as theatre, and security treated as a means to avoid liability rather than to achieve actual results.
One of the simplest ways to look at business leadership is that it’s a continuous balancing act of risks. Often, investments are focused on bringing these risks down to the point where the probabilities shift in favour of the business. Once that’s done, it can be difficult to justify spending more. This is especially true for costs that are largely externalised to other parties, particularly individuals, who have little opportunity to resist the imposition of these costs.
The challenge for those in the industry has long been finding ways to protect users, with the resources available.
For much of my career I’ve focused on protecting the privacy and security of users, from my work in applied cryptography, to writing and speaking on privacy & data security, and of course, advocating for end-user privacy protections everywhere I go. Not because I’m zealously protecting my own information – that ship has sailed – but because we can and should do a better job of protecting people.
One thing I’ve always loved about the security community is that we will always do everything we can to help others, to protect people, to put in the time, effort, and energy needed to go beyond what should be possible with the resources available. A group of people that still solve problems just because they are hard.
Personally, I’ve little hope for my information, though I will never give up on protecting everyone else. Some who saw the title of this essay likely assumed that this was an abdication of privacy and the need to protect data. I hope you see the point is actually quite different: even if the effort is futile for some of us, the collective effort is more important than ever to achieve results.
We can and should do better.
1. Gartner forecast: $212B in 2025.