The Equifax disaster points to a much bigger problem (washingtonpost.com)
230 points by petethomas on Sept 22, 2017 | hide | past | favorite | 139 comments



> In the wake of the Equifax breach, Congress should require stronger cybersecurity measures at credit reporting agencies, as well as for any company that stores large quantities of sensitive data about individuals, even if those individuals are not the company’s customers.

Yes, they should, but that's not what they are doing. They are doing the opposite. [1] It doesn't matter what the majority want Congress to do when they don't listen or care and instead do what their special interests tell them. The 'bigger problem' the article mentions is not that the laws are tilted towards the corporations. It's that they will continue to be tilted towards them due to corruption.

[1] http://www.latimes.com/business/lazarus/la-fi-lazarus-republ...


What. the. fuck.

http://www.latimes.com/business/lazarus/la-fi-lazarus-republ...

> The FCRA Liability Harmonization Act is particularly noxious. Authored by Rep. Barry Loudermilk (R-Ga.), the bill would cap actual and statutory damages for class actions involving credit agencies at $500,000, and completely eliminate punitive damages.

Loudermilk said Friday that his bill “is aimed at curbing frivolous class action lawsuits against businesses under the Fair Credit Reporting Act,” which contains many of the rules for credit agencies.


People keep voting for representatives that do this kind of thing. And it's a bipartisan problem, but Republicans seem a lot more shameless about it, especially the "we must prevent the giant monopolistic business from lawsuits by wronged customers or bystanders" language.

Fortunately Wikipedia points us at Loudermilk's legislative history. We can see such gems as HR3441, which opponents say "creates a new definition of “joint employer” that strips workers of their legal recourse for wage theft or unfair labor practices when multiple employers jointly control labor conditions." http://democrats-edworkforce.house.gov/imo/media/doc/2017-09...

Or we can look at his campaign contributions: https://www.fec.gov/data/receipts/?two_year_transaction_peri...

"EXPERIAN NORTH AMERICA, INC POLITICAL ACTION COMMITTEE (EXPERIAN PAC)"

A clickthrough (this is a nice website, btw) shows the total Experian payments: https://www.fec.gov/data/committee/C00379768/

Only $285,000, unless I've missed an "all figures are in thousands" somewhere. That's a pretty cheap way of buying yourself some legislation.


This is just a goldmine of grim hilarity. https://www.congress.gov/member/barry-loudermilk/L000583 You can guarantee that the title of a bill tells you who it's going to screw over.

"H.R.3330 - Ensuring Quality in the Unemployment Insurance Program (EQUIP) Act" = " To amend title III of the Social Security Act to permit States to conduct substance abuse risk assessments and targeted drug testing as a condition for the receipt of unemployment benefits, and for other purposes."

"H.R.3312 - Systemic Risk Designation Improvement Act of 2017" = something to do with Dodd-Frank

"H.R.3257 - Promote Accountability and Government Efficiency Ac" = screw over the civil service. "Notwithstanding any other provision of law, any employee in the civil service hired on or after the date that is 1 year after the date of enactment of this Act shall be hired on an at-will basis. Such an employee may be removed or suspended, without notice or right to appeal, from service by the head of the agency at which such employee is employed for good cause, bad cause, or no cause at all."

"No employee or applicant for employment in the civil service may be awarded by any court a remedy (including damages, costs, or attorney fees) under any of the provisions of law listed in paragraph (3) in a dollar amount that, in the aggregate, exceeds $50,000."

Then a bunch of stuff removing national labour relations law that would otherwise pre-empt state law; allowing concealed carry in DC by holders of other state licenses; something to do with marine mammal protection, probably removing it; and a change to labour law to require a majority of employees not just of union members in certain votes, presumably making strike action much harder.


> People keep voting for representatives that do this kind of thing.

People don't vote (less than 40% in that election). Make voting mandatory, like in Australia (or at least make it a national holiday), and require a certain amount of real political coverage in the media -- politicians would then better reflect the needs of the people.


Other nice ideas:

> Cap political donations

> Reduce allotted time for campaigning to something like 2 months, and maybe have it publicly funded like Australia

> Use open source congressional redistricting algorithms

> Eliminate First Past the Post

> Eliminate straight ticket voting

All pretty nice ideas that mostly everyone that isn't in power can get behind


> Reduce allotted time for campaigning to something like 2 months, and maybe have it publicly funded like Australia

I do want to say that public funding also comes with its issues. It's the way most parties in Argentina fund themselves, and because all of them do, all parties get to put their hands in the State coffers during elections. So much so that they made an electoral reform to have another round of elections, just to be able to spend more money on pork.

There is no solution to funding political parties that won't screw someone. It's yet another example of diminishing the scope of government so they just steal less of it.


Direct political donations (known as hard money) are already capped in the U.S. Beyond that, the U.S. has a tradition of free speech, which means that direct public funding and limits on general political activity (party building, voter education spending) are unconstitutional. So those cannot be capped.


> Beyond that, the U.S. has a tradition of free speech

As well as a tradition of placing limits on free speech when appropriate.

Which is a larger threat to our country? Democratically elected officials not supporting the views of those that elected them? Or capping the amount of influence a single group can financially have?


People do not vote because their vote does not matter; politicians do not care what the majority of voters want, they care about what a select few elite voters want.

Want to get more people voting? There are a few things that need to change:

1. End first past the post... Anything is better: IRV, Alternative Vote, something else.

2. End two-party gerrymandering. Parties should not have any control over districting at all; it should follow some other function like ZIP code, or taxing jurisdiction, or some other government function, not just for voting.

3. Implement the Wyoming Rule for Congress.

4. Pipe dream... Put the federal government back into constitutional limits and reverse Wickard v. Filburn or pass a law that renders it void.

1-3 would do a lot; #4 would do the most good.

Election reform (not election finance) is needed, but too many people focus on the money. The money is just a symptom of the problem, not the actual problem. Solve the underlying systemic issue with the voting process and the money becomes pointless and will dry up on its own.


Mandatory voting, what an absurd idea.

If you can't get people to voluntarily participate in democracy then you have a failed implementation of it.

Furthermore, the ability to not vote is a powerful and necessary option, as it's hard for those in power to imply that they have a mandate if <10% of the population actually participated in it.

I don't know what mandatory voting accomplishes except giving those in power the ability to say, "Tut tut! No complaining! You got your vote, after all."


Mandatory voting doesn't actually require a choice, you can just file a blank ballot.

What it does completely deal with is the voter registration question.


You still have the ability to not vote, Australia just fines you for not voting. What's more powerful of a statement: not voting with no obligation to vote, or not voting in spite of the punishment?


> and require a certain amount of real political coverage in the media

"Require" and "free press" don't go together unfortunately.


This is not true. The first amendment says the government can't pass laws to suppress free speech. And in fact the press is required to do all sorts of things for the public good, such as:

https://www.fcc.gov/general/emergency-alert-system-eas


It's a complicated issue, but see also: https://en.wikipedia.org/wiki/Fairness_Doctrine


Here's an idea: use leaked data that has become publicly accessible to find real constituents of every congressperson and then impersonate those people to complain about these bills enabling identity theft. Best done by snail mail, with a CC to the "victim".



IANAL and haven't explored the feasibility of this, but the CRA firms got your data via your banks because in the fine print when you opened an account there's a phrase about "We will share your data with our trusted third parties".

Well, the third parties haven't proven to be all that trustworthy, so suing your bank & credit-card firm(s) for releasing your information might be an interesting approach to take. If the CRAs have the source of their data cut to a trickle, they might start taking this seriously.


Not to defend this congressman, because I've never heard of him and I don't know anything about him, but frivolous lawsuits are a thing, and though you'd expect a judge to recognize them, by the time it gets to that point a lot of time and money has already been wasted.

And not to defend Equifax, because how can you, but a lot of people make their living there and in general corporations deserve reasonable protection under the law just like individuals do. After all most of them are net positives for society: they provide employment, benefits, and many support their local communities in a variety of other ways.


If you're going to defend this congressman and Equifax, at least lose the weasel words prepending your defense. Getting some slimy congressman to introduce legislation to preemptively cap the restitution people can get when Equifax messes up isn't "reasonable protection under the law", it's an attempt at stripping away of the rights of individuals to the great benefit of the corporation. Gross.


Of course frivolous lawsuits are a thing, but this law is a fucking joke. It limits the TOTAL recovery of the CLASS to $500,000, not just for the lawsuit, but also of any following "series of class actions arising out of the same failure to comply".

Meaning that if they lose their court case, they can still continue to behave badly, and not face any additional fines once they hit that measly total.

Oh, and just in case that $500,000 might hit some small "mom-and-pop" credit reporting agency, the total damage that can be awarded (again IN TOTAL TO THE ENTIRE CLASS), is the lesser of $500,000 or 1% of the net worth of the person/corporation the suit is being brought against.

Meaning we are basically saying "you can't actually bring a suit against them that could cause them enough damage to actually change their shitty behavior"


>but frivolous lawsuits are a thing, and though you'd expect a judge to recognize them, by the time it gets to that point a lot of time and money has already been wasted.

Yes, but I would guess, more frivolous lawsuits are filed by corporations looking to silence critics or competition more so than ambulance chasers. They certainly have deeper pockets.


And, I guess we should have some faith in our legal system to ultimately sniff out frivolous lawsuits and dismiss them. I understand that there's a cost to a lawsuit on both sides but it seems this could be (and possibly already is in the form of counter suits for costs) addressed.


> guess we should have some faith in our legal system to ultimately sniff out frivolous lawsuits and dismiss them.

Hah. I'm not sure I would go that far.


> they provide employment, benefits, and many support their local communities in a variety of other ways.

I mean I hear you - corporations are important, as they're a great way for a group of people to accomplish something together - but if the most important thing you do for society is employment, you sound like a pretty shit corporation.

On the other hand, The New Deal did a lot of that. Hmmm.


I don't think he was saying its sole importance was employment. If you had read the sentence in a more critical manner, the purpose of the corporation is to generate value. They can't provide employment to citizens, tax money for the government, or help in charity work without generating monetary value for its products or services.

The New Deal(s) did not really do the above. Although it really provided value in the form of infrastructure as well as employment to citizens it had to take money from people as well as borrow large amounts to do it.

Hating on corporations and trading them for the government as a pseudo-corporation is just as bad. Sounds like a comment dripping with naivety from a college history class, as if it's a final 'gotcha' against someone who is looking at the situation from all avenues.


Where in the sentence is the purpose of corporations mentioned?

There are definitely corporations that provide employment, tax money, and/or charity work without generating monetary value (how long until Facebook actually sold anything?). But your larger point is correct; those companies either don't last, or don't stay in that state.

The entire point of the New Deal was to provide employment first and foremost (then, why not do something possibly useful with those employees? Hence the infrastructure.)

> take money from people as well as borrow large amounts to do it.

How is this different from any other corporation? Every company I interact with - including the ones I don't pay - takes value from me; and most (if not all) have taken loans and/or investment. Usually it is money, and I get back something; but it's not like I gave Equifax my personal info [from which they took monetary value].

While yes, taxes ARE categorically different than prices (and bonds are different than stocks), you can still definitely adopt the perspective that they're how you pay for all the civilization supplied by the society you're a part of. And if you don't want to pay for those things, there's still ways to stop; and you don't even have to give up all the things you're getting for the price you're no longer paying.

I'm not hating on corporations. I'm saying that I would expect a corporation whose primary purpose is employment of people to do a poor overall job of adding value to society; at least compared to corporations with goals of delivering products or services.

It's not a question of "does this not produce value", it's a question of which kind of value is most produced.

...And I'm probably wrong anyway, because that's basically what temp agencies do.

Overall, your reply sounds like a comment arguing with an imaginary person you disagree with as if your imagined reality resembles the real thing. Try starting with a question next time, it'll help you figure out if what you think is going is actually what's going on.


If I could make 1 frivolous lawsuit at 500,000 a year I guess I would be reasonably happy.

And why exactly is it that the size of the lawsuit is a strong indicator of frivolity? I would expect the opposite; as a frivolous lawsuit business, I believe my interests would lie in doing 100 lawsuits at 10,000 a year rather than one at 1,000,000.


The credit system as it is massively contributes to wealth inequality in this country. You can't get credit without money, and you can't (easily) get more money at a reasonable interest rate without credit. Couple that with underreporting agencies like utility companies and landlords, and it really only benefits the middle class (and then only if they are upwardly mobile).

That's not a net positive to society in my eyes.


Removal of the credit system won't help either. Assuming no one was able to borrow or ask others to borrow (since it would probably just bring back the current system eventually), the rich would still be rich and the poor would still be poor except the poor and middle class would have no way to raise capital at all for a venture that could propel them.

Why should someone who is asking for money with no way to pay it back get the same preference as someone asking to borrow money who has a history of solid payments and has enough capital they could liquidate to pay off at least 50% of the amount tomorrow?

I don't think that utility companies or landlords underreport, although I understand that it would be nice if they reported more for beginning creditors. The distinction for why they aren't included is that they aren't lending you money. You are only paying for their services as you use them. Once in default, they are effectively loaning to you at that point, though, with a balance to be paid. Do you think the IT technician who invoiced you for $2500 in work should also report as well? [shrugs] Guess I don't want all balances from whoever provided me a service to be in a credit report for 7 years, but I understand that is just me.


The point I'm really getting at here, when I say underreporting, is that I would make a guess that those who have good rental and utility payment history would also be safer bets for credit than those who do not.


> Loudermilk said Friday that his bill “is aimed at curbing frivolous class action lawsuits against businesses under the Fair Credit Reporting Act,”

Has this ever even happened?


Sure, when you define "frivolous" as "anything aimed at one of my campaign contributors".


While I agree that the proposed legislation is probably terrible, this opinion piece uses weasel words like "republicans" and "democrats" when they only cite I think 2 republicans that are supporting the proposal- out of all of the republicans in Congress! While it may be technically accurate (they are republicans) it is important to remember the spin on political pieces like this.

Not all 'republicans' and not all 'democrats' are the same.


That's not a weasel word, that's literally a party descriptor. The 2 republicans are the sponsors of the bill. While it's possible that it's not widely supported by the party, there's at least four names on it which are mentioned in the text, all of which appear to be R. https://www.congress.gov/bill/115th-congress/house-bill/2359...

Including terrorist supporter Pete King. http://www.washingtonpost.com/wp-dyn/content/article/2011/03...

Incidentally, it was introduced before the Equifax disaster ...


It was introduced in May -- Equifax was breached at least as far back as March. Given that C-level executives made substantially beneficial trades 'without knowledge' of the breach, I wonder how far back this goes. Especially because their original story had the date of breach happening after this bill was introduced. /tinfoilhat


Sure they aren't all the same, but I guess I would ask what's your threshold on whether using the party name is weasel-y?

Because it has 13 Co-sponsors, all republicans and no democrats. https://www.congress.gov/bill/115th-congress/house-bill/2359...


A less weaselly way to say it would have been to say "Rep. Loudermilk, Barry [R-GA], along with 13 Republican co-sponsors, proposed ..." and then link to the list of who they are, like you did.

Further, this was filed long before the breach, yet the piece tries to say that these representatives were doing it "despite" the breach being made public. Some of those listed may still be backing this, and it was (likely, I haven't read it myself) terrible legislation to begin with, but based on the evidence available, it is stretching to make the claims that the opinion piece does about them doing it "even as" the fallout from the breach is settling.

While I am glad they are covering the proposed legislation and bringing it to the public's attention, the piece is worded in a very weaselly way.


I'll give you the point about the way it was worded w.r.t. when the breach was announced. On that though, I did want to point out that if you look at the list of co-sponsors, the last person to sponsor it was Rep Williams of Texas, ON 9/7/17, the day Equifax announced the breach, which is probably just really bad timing that day on his / his staff's part, but also looks LOOKS really terrible, regardless of the actual reason behind it.


Just as a point of reference, in The Netherlands there is a central agency for recording the debt of people who mostly have fallen behind on payments. They only record debts that last longer than 3 months and of those delete all record of them after 5 years after being paid off. It is forbidden for this agency to record that you have a mortgage unless you fall behind on payments. Only negative information is stored on borrowers. If you pay your loan down on time nothing will be stored about you.

Also, it is forbidden for information in this agency to be used for identifying purposes by banks and the like. This means considerably less risk for me as a citizen, and it also means the information is less valuable for hackers. Mortgage interest rates are currently 1-2 points less in The Netherlands than they are in the USA, so there's no correlation I can see between America's vampire capitalism credit model and cheaper loans.


That is interesting. Do banks have any way of telling how much debt someone has? Are credit cards very common there?

Many Americans have so much debt that lenders are very interested in the whole picture when they consider making a new loan.

Old debts do drop off American credit reports, too. For most bad marks, they only stay on for 7 years (10 for bankruptcy). I don't know how long paid-off loans are reported, but they generally have no negative impact (but might impact privacy). See this blog post: http://blog.readyforzero.com/how-long-does-a-bad-mark-stay-o...

EDIT: Even though bad marks are supposed to stay on only for seven years, the industry is very scummy and will often try to keep the bad marks on your report longer, requiring you to take action sometimes to actually get it cleared off. The CRAs and debt collectors don't follow the law, and we certainly need better enforcement of the laws.


>Are credit cards very common there?

Much less prevalent than in the US. There are far fewer cash back/air miles/etc. credit cards... actually, literally the only one I'm sure exists is the one for the department store De Bijenkorf. There may of course be more I haven't seen before.

Debit cards are the dominant payment method. Credit cards are most useful for things like hotels abroad and online shopping abroad (within the Netherlands there is the iDeal payment system for online shopping). It's not uncommon to find shops that will not accept them.


If there is substantially less consumer debt in the Netherlands, that could explain the difference in credit risk. It could be small enough there that banks just don't worry about the total load, and trust consumers to fully disclose things on their loan application.


Yes, the reselling of debt just moves it around and pretends like it's new debts, for new amounts, unless someone fights it tooth and nail.


If they don't record debt in good standing, is there anything that prevents people from taking on far more debt than they can possibly handle, other than unusual things like common sense?


FYI, historically we did away with many of the debt-related laws and centralization, because that could / will likely lead to debtors' prison. That being said, obviously things need to change, but based on your description, it's not really a credit agency. If they can't determine how creditworthy you are (historic payments are the #1 indicator), then they really don't have any information besides current debt.


Your ability to pay is better determined by looking at pay slips, which a bank can (and probably will) demand from you. The fact that you paid X dollars monthly for Y years is not sufficient to determine the upper limit of your paying ability. So, I think a combination of nice pay slips + lack of defaults in the past is quite sufficient.


It's also worth noting that right now, student loan data in the Netherlands is not shared with this agency. Which kinda defeats the purpose of doing a credit check on anyone living in the Netherlands in their 20s and 30s.


> They only record debts that last longer than 3 months and of those delete all record of them after 5 years after being paid off

That's the same as the US, except that here they expire after 7 years instead of five.

> Mortgage interest rates are currently 1-2 points less in The Netherlands than they are in the USA, so there's no correlation I can see between America's vampire capitalism credit model and cheaper loans.

That's a rather meaningless way to look at it, because there are a myriad of factors that affect aggregate mortgage rates, and credit ratings are just a tiny piece of it.

It's like saying "Well, they keep telling me that the world is getting warmer, but it's still pretty cold in my neighborhood".


Yes that sounds like a sane system.

It's worth noting, though, that this breach also affected some non-US citizens; most reports mentioned UK residents and Canadian residents as well.


but how do you gamify borrowing then?


I think the false "identity theft" idea that the banks have promoted has started to really get people confused. The idea that a person can own the facts about their behavior toward others, when you think about it, is very strange. In theory a credit report is just a report from people you have borrowed money from on how well you repaid the loan to them. I don't think anyone would feel that they should legally be able to prevent people from telling other people how they have truthfully interacted with them.

I don't think most people feel it is unfair or immoral to release "unfavorable" information. If one didn't pay back a credit card, most reasonable people think, "OK that's true and on my report. My bad." What people think is deeply wrong is for a fraudster to get a loan from a bank, the fraudster does not pay, and the bank libels them by sending a false report to the credit agency saying they defaulted on the loan. This agency and bank have no penalties for propagating the libel/slander and this libel will hurt the person in many ways. Everyone knows that getting this libel to stop is very difficult and the credit agencies and banks don't care about fixing the errors. The runarounds people go through are legendary. People fear getting libeled by banks and other issuers of credit, so much so that many buy insurance for "peace of mind". The credit reporting agencies are like Ticketmaster, a company set up to take the heat and misdirect the anger when some other entity is screwing you. Ticketmaster plays front man for the concert promoters/venues/bands whereas the credit agencies play front man for the banks.


>I don't think most people feel it is unfair or immoral to release "unfavorable" information

I feel your overall argument, and you should know your idea here is not exactly accurate. For instance, in Europe there are actually laws against unfavorable information.

https://en.wikipedia.org/wiki/Right_to_be_forgotten


I'm in the US where these credit reporting companies are and "identity theft" is a big fear. Is there a similar problem in Europe? For example, do you see ads on TV and the internet for insurance against "identity theft"? Things do drop off your credit report in the US, even bankruptcy after 7 or 10 years, so people do have a general idea that some past mistakes should not haunt you forever. But never get a felony in the US. You will truly be discriminated against for life.


Can you sue them for libel then?


Ok so: a third party (Equifax) has collected sensitive personal data on citizens without their consent and is asking a fee to prevent other third parties from accessing this information. isn't this technically blackmail?


Assuming you're serious, probably not. Intent matters and they aren't threatening to release the data, only monitoring if someone else uses the already released data.

I am not a lawyer, this is not legal advice. Before deciding to blackmail, you should consult a qualified attorney in the appropriate jurisdiction.


No, the fee they require you to pay to lock your credit profile has nothing to do with them monitoring anything. They require you to pay money in order to stop doing something you never authorized or asked them to do - releasing your credit profile to anyone who asks.

While blackmail is a specific case of extortion where unfavorable information is released, what the agencies do by requiring you to pay for protection (the freezing of your credit) seems to qualify as extortion.

"What Is Extortion?

Most states define extortion as the gaining of property or money by almost any kind of force, or threat of 1) violence, 2) property damage, 3) harm to reputation, or 4) unfavorable government action."

I think you could make a case for number 3 - gaining money for threat of harm to reputation. Your credit score is very much your financial reputation.

source: http://criminal.findlaw.com/criminal-charges/extortion.html


Also, it seems like it could fall under RICO:

https://en.wikipedia.org/wiki/Racketeer_Influenced_and_Corru...

One could argue the disclosure timing and executive stock sales (pre-disclosure) could constitute investor/securities fraud, as well.


It's not RICO. https://www.popehat.com/2016/06/14/lawsplainer-its-not-rico-...

Unfortunately, there's no law I'm aware of that's going to help you here - although there /possibly/ should be a law governing ownership of someone else's private data, that's not currently the case, as far as I know (IANAL). It's also not immediately obvious to me how you'd construct such a law without causing problems for many other areas of the financial system.


I meant criminal, not civil.

Whether Jeff Sessions thinks so is another story.


> They require you to pay money in order to stop doing something you never authorized or asked them to do - releasing your credit profile to anyone who asks.

That's incorrect. CRAs can only release information to others if the requester has "permissible purpose". Under ordinary circumstances, that means you've asked the requester for some sort of service that allows them to pull your credit report.

The purpose of a freeze is to prevent someone from trying to impersonate you and use your credit file. If you just want to be paranoid about it (or "proactive" if you prefer) then you can pay to have your file frozen and unlocked on demand. If you're already a victim of identity theft or legitimately expect to be, then you can get the freeze for free, I believe.


> A credit report could be stored in an encrypted form so that it could be thawed only with a key held or managed by the consumer.

This is a nice idea. In practice the keys would have to be accessible via some kind of password to make them usable to ordinary people. And then those passwords would need to be re-settable via email or phone. There are security issues with that I guess, but we'd probably be better-off than we are now.


This isn't true. Almost all "ordinary humans" manage to keep and use a pair of physical keys to their home, among other things. We only need a physical key with one simple piece of software that provides the key when asked for it; the user says yes by physically pressing a button on the key, and the key is "connected" (phy or wireless). This isn't because ordinary humans can't use and manage protecting a key; it's a UX problem, and IMO a simple UX problem that hasn't been solved because it will destroy the major technological incumbents' major source of revenue.


> Almost all "ordinary humans" manage to keep and use a pair of physical keys to their home, among other things

And what happens when someone loses their encryption key? This happens often enough with house keys that there are entire businesses set up for emergency locksmith services.


> And what happens when someone loses their encryption key?

DigitalLocksmith.io (YC S2018)

Jokes aside, this is why combining accessible and strong cryptography is hard. Certainly not impossible but hard. And historically, not at all within the competency of companies like Equifax.


I guess it couldn't be worse than no key, even if most people's passwords are terrible and poorly handled.

But presumably the credit agencies would need the key as well, to enable those resets and so they can add to the records, which probably negates much of the benefit.


There should be (authenticated) differentiations between what the credit agency does, what you do, and what third parties do.


One could have a signed audit log, and that's fine.

But no matter what you do the CRA has to be able to write to the data, and read from it to give it to third parties, and be able to reset passwords. AFAIK that requires that they have the keys to decrypt the data.


And when you fail to pay a debt to me, and I go to add it to your encrypted credit report, you provide the key at that point as well to facilitate this?


Also, with 2FA it's not so bad.


Yeah, human beings en masse are stupid. And they are ruled by thieves, and they never do anything about it.

That is the single _biggest_ problem facing the human species.


As an American currently in the middle of an EU-GDPR implementation I am envious of the level of protection EU citizens will receive. Fortunately, there will be some collateral benefits when companies (such as mine) decide to apply GDPR to all their customers, not just their EU customers.

A 3 minute intro to GDPR for those unfamiliar: https://youtu.be/n5WJOncaHt4


When the article got to mentioning encryption... I do not understand what they are proposing. How would it be possible for the customer to hold the key necessary to decrypt the credit record? Credit records are not read-only. Other parties have to be able to submit additions to your credit record, like if you fail to pay your water utility bill or something. So how exactly are they going to append to your locked credit record? Would creditors have to contact the customer and get them to provide the key in order to encrypt a new addition?


Public-key encryption. The report item could be encrypted with the customer's public key, but to read the report after it's added, the customer would need to provide access to a private key.
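Added example, not code from any commenter or from any credit agency: the idea in this comment (each report item encrypted to the consumer's public key) combined with the signed audit log suggested a few comments up, in Go standard-library code. Creditors write without any consumer secret, the agency stores and signs a hash chain over ciphertext it cannot read, and only the consumer's RSA private key opens an item. Field names, the AES/RSA-OAEP hybrid and the sample records in the usage are constructed for the example; a production design would use a modern hybrid scheme such as HPKE rather than RSA-OAEP, which is used here only because it ships in the standard library.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// SealedItem is one creditor-submitted record: the agency stores and signs it but cannot open it.
type SealedItem struct {
	Creditor   string // public metadata, bound to the ciphertext as AEAD associated data
	WrappedKey []byte // per-item AES-256 key, RSA-OAEP encrypted to the consumer's public key
	Nonce      []byte
	Ciphertext []byte
	PrevHash   []byte // hash of the previous log entry (nil for the first entry)
	Hash       []byte // SHA-256 over PrevHash, Creditor, WrappedKey, Nonce, Ciphertext
	CRASig     []byte // Ed25519 signature by the agency over Hash
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealItem is what a creditor runs when adding an item: a fresh AES key protects the
// payload and is wrapped to the consumer's public key, so writing needs no consumer secret.
func SealItem(consumerPub *rsa.PublicKey, creditor string, plaintext []byte) (SealedItem, error) {
	buf := make([]byte, 32+12) // fresh per item: 32-byte key followed by a 12-byte GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return SealedItem{}, err
	}
	key, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(key)
	if err != nil {
		return SealedItem{}, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, consumerPub, key, nil)
	if err != nil {
		return SealedItem{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(creditor))
	return SealedItem{Creditor: creditor, WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// OpenItem is the consumer-side "thaw": unwrap the item key, then decrypt (GCM also rejects tampering).
func OpenItem(consumerPriv *rsa.PrivateKey, it SealedItem) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, consumerPriv, it.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, it.Nonce, it.Ciphertext, []byte(it.Creditor))
}

func entryHash(it SealedItem) []byte {
	h := sha256.New()
	for _, part := range [][]byte{it.PrevHash, []byte(it.Creditor), it.WrappedKey, it.Nonce, it.Ciphertext} {
		h.Write(part)
	}
	return h.Sum(nil)
}

// AuditLog is the agency's append-only, hash-chained, signed record of who added what.
type AuditLog struct {
	Entries []SealedItem
	SignKey ed25519.PrivateKey // the agency's signing key; it has nothing to do with decryption
}

// Append chains the item to the previous entry and signs ciphertext plus metadata only.
func (l *AuditLog) Append(it SealedItem) {
	if n := len(l.Entries); n > 0 {
		it.PrevHash = l.Entries[n-1].Hash
	}
	it.Hash = entryHash(it)
	it.CRASig = ed25519.Sign(l.SignKey, it.Hash)
	l.Entries = append(l.Entries, it)
}

// Verify recomputes the chain and checks every signature; an auditor needs only the agency's public key.
func (l *AuditLog) Verify(craPub ed25519.PublicKey) bool {
	var prev []byte
	for _, it := range l.Entries {
		if !bytes.Equal(it.PrevHash, prev) || !bytes.Equal(it.Hash, entryHash(it)) || !ed25519.Verify(craPub, it.Hash, it.CRASig) {
			return false
		}
		prev = it.Hash
	}
	return true
}
```

Usage: a creditor calls `SealItem(&consumerPub, "Water Utility Co", record)` and hands the result to the agency, which calls `Append`; the consumer later calls `OpenItem` with their private key. Note what this does and does not solve: the agency can still verify and serve the log without reading it, but a "reset by email" recovery path for the consumer's private key would reintroduce exactly the weakness the thread worries about.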


This article completely fails to address the main issue: conflating identity and authentication. If credit reports required some sort of attestation of secret knowledge in order to apply for things the issue would be dramatically lessened. A social security number should be no more damaging to know than someone's email address.


What you really need is a standardised login portal for government and private services that deal with personal information. Then you can have multiple service providers for the actual login, e.g. your bank's proper 2FA login, YubiKeys etc. We've had this for years in my country (with ~2% of the population of the US) and it's working great. Typically the SS number is used for identification, and you have password + one-time code on top of that.


I disagree. Centralizing the data and the access control would only create more issues. If somebody got into your account they'd have the keys to your life. We need to embrace decentralizing data and access control along with healthy security habits like proper secret generation and frequent rotation.


NemId, as it is called in Denmark, is a paper card with many one time keys, or a dongle that creates a new key every so often. Every time you log in, or perform a transaction in the online banking, you need a new and different key. If they get access to your keys, which would probably be because you did something stupid like taking a picture of the card, you can revoke access, and there is a paper trail of every single time the adversary impersonated you.

How is that worse?


I'm not familiar with the system but centralizing critical data is strictly less ideal than decentralizing it. If your key seed or the central server are compromised everything is compromised.

Revoking keys is great but doesn't help after they've given full access.


No data is centralized. There is a central service that grants access tokens. You can revoke the login name (default is CPR, our equivalent to SSN, but can be changed to anything, mine is for instance), card or dongle seed. It is in essence a public login name, a secret password, and a one time key. It is state of the art security for every single individual's interaction with the government and when applying for financing, banking, etc. Should the central service be compromised, there is a kill switch in the system until the service is secure again.

There are multiple layers of security at play here, including separated logging entities such that there is no traffic that isn't logged, always leaving a paper trail of what services were used by the adversary. If you want to gain access to impersonate someone, there are other, significantly more effective ways utilizing social engineering. Not to say it's easy, because you need to obtain an official card (sygesikringsbevis), then use that to request a new passport with your photo, hope they do not have old photos on record, then use the passport to change address and then order a NemId key card, and hope the person is not reading the mail and text about a new card being sent.
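Added example, not code from NemID or from any commenter: a toy version of the "public login name, secret password, one-time key" scheme described in the two comments above (and the password plus one-time code setup mentioned earlier in the thread), in Go. HOTP (RFC 4226) stands in for the printed card or dongle; the server burns each code once, keeps a trail of every attempt so impersonation is visible afterwards, and has a per-user kill switch and a re-issue path for after in-person verification. Login names, passwords and the window size are constructed; the password hash is plain salted SHA-256 for brevity, where a real service would use a memory-hard KDF.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

// HOTP (RFC 4226, 6 digits) stands in for the codes printed on a card or shown
// by a dongle: each code is valid once, at its position in the sequence.
func HOTP(seed []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, seed)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// Account holds credentials only; no personal data lives on this service.
type Account struct {
	LoginName string // public identifier: a CPR/SSN-like number is fine, it is a username, not a secret
	Salt      []byte
	PassHash  []byte // sha256(salt||password) for brevity; a real service would use a memory-hard KDF
	Seed      []byte // shared only with the issued card/dongle
	Counter   uint64 // next unused code position
	Revoked   bool
}

// Event is one line of the paper trail: every attempt, successful or not, is recorded.
type Event struct{ LoginName, Outcome string }

// AuthServer is the central token-granting service.
type AuthServer struct {
	Accounts map[string]*Account
	Trail    []Event
	Window   uint64 // skipped codes tolerated (a torn or mis-read card entry)
}

func NewAuthServer(window uint64) *AuthServer {
	return &AuthServer{Accounts: map[string]*Account{}, Window: window}
}

func hashPassword(salt []byte, password string) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), password...))
	return h[:]
}

// Issue creates (or, after in-person verification, replaces) the credentials and
// returns the seed to load onto the new card; any old card stops working.
func (s *AuthServer) Issue(login, password string) ([]byte, error) {
	salt, seed := make([]byte, 16), make([]byte, 20)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	if _, err := rand.Read(seed); err != nil {
		return nil, err
	}
	s.Accounts[login] = &Account{LoginName: login, Salt: salt, PassHash: hashPassword(salt, password), Seed: seed}
	return seed, nil
}

func (s *AuthServer) record(login, outcome string) bool {
	s.Trail = append(s.Trail, Event{login, outcome})
	return outcome == "ok" // the caller only learns pass/fail; the detail stays in the trail
}

// Login checks the password, then the one-time code. A matching code is burned
// together with any codes skipped before it, so a captured code cannot be replayed.
func (s *AuthServer) Login(login, password, code string) bool {
	acct, ok := s.Accounts[login]
	if !ok {
		return s.record(login, "unknown login")
	}
	if acct.Revoked {
		return s.record(login, "revoked")
	}
	if subtle.ConstantTimeCompare(acct.PassHash, hashPassword(acct.Salt, password)) != 1 {
		return s.record(login, "bad password")
	}
	for i := uint64(0); i <= s.Window; i++ {
		if subtle.ConstantTimeCompare([]byte(HOTP(acct.Seed, acct.Counter+i)), []byte(code)) == 1 {
			acct.Counter += i + 1
			return s.record(login, "ok")
		}
	}
	return s.record(login, "bad or reused code")
}

// Revoke is the kill switch the owner pulls when the card is lost or photographed.
func (s *AuthServer) Revoke(login string) {
	if acct, ok := s.Accounts[login]; ok {
		acct.Revoked = true
	}
}
```

The trail is the point the comment makes about "a paper trail of every single time the adversary impersonated you": a photographed card does not let anyone replay codes the owner already used, and every use, good or bad, is dated against the login name so the owner can see when to pull `Revoke` and go through `Issue` again in person.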


>Revoking keys is great but doesn't help after they've given full access.

That's true in a lot of infosec, but in identification, you can revoke everything and wait for meat-space verification to start again.


Only once you've noticed it. Automated systems could be used but there's always the potential for large impacts before automated systems recognize the issue.

And if the keys are ID related you can easily revoke it. You can't revoke a SSN, fingerprint, DNA, or a face scan.


>Typically the SS number is used for identification, and you have password + one-time code on top of that.

Isn't that what this was addressing? The attacker has to get both your password and one-time codes before you change either. All the ID related stuff is used like usernames, not keys.

If an attacker does get both, you presumably go in to a government office, have your fingerprints taken, choose a new password, and get given a new set of codes.


> along with healthy security habits like proper secret generation and frequent rotation.

While having the populace in general be security aware would be a great thing, it's barely possible to get them to do even basic shit like not putting credit card numbers and other secret information into an email and sending it to anyone who asks nicely.

Educating people on why 'healthy security habits' and 'key rotation' doesn't mean locking the front door and hanging their housekeys differently is pretty much a non-starter.


As people continue to get their money stolen they'll slowly come around to utilizing good security.


No, they won't. They'll stop using tech as much as they can.

That's basic UX. If you make the experience shitty, people will avoid it. No amount of experts waving their hands wildly will help that.

If you can't wrap up your healthy habits and your key rotation in a simple device/card/whatnot that people can carry around and use just like a key, your security measures have already failed.

"Because I said so" doesn't work on kids, it sure as heck doesn't work on adults.


> No, they won't. They'll stop using tech as much as they can.

That's doubtful, especially as technology becomes increasingly ubiquitous. Systems like SS force users to use them, so opting out isn't currently even an option.

> If you can't wrap up your healthy habits and your key rotation in a simple device/card/whatnot that people can carry around and use just like a key, your security measures have already failed.

Who said we won't?

Seat belts were also avoided for a long time but eventually people have realized they're a good idea.


> Seat belts were also avoided for a long time but eventually people have realized they're a good idea.

I take it, then, you were not around in the 80s :) People did not "realize" seatbelts are a good idea. We made people wear seatbelts, using quite draconian laws and relentless PR.

> Who said we won't? [... wrap security habits into a handy device]

You'll have to explain to me how that jibes with your idea of decentralizing data and access control. A key/security device will need to be manufactured - and there are only a few commercial entities that can and/or will do that. And if you think they won't centralize key management, I admire your optimism.


Firstly, thanks for the discussion. I enjoy it.

I was not around in the 80s, but I know that campaigns to support seat belts and the potential outcomes of not doing so had eventually gotten people to be much more careful.

Regarding devices, things like the Ledger or Trezor Bitcoin wallets could easily be adapted to allow users to control their own data securely and simply. There's no reason end users need to understand what's going on in the background. They just know you have a secure USB device you use to authenticate yourself.


"could easily be adapted to allow users to control their own data securely and simply"

If you can solve the UX problems associated with those, you'll win a lot of praise.

To be clear, even something as simple as contactless payment/transit cards are still too difficult for many people to manage.

I had to physically take a wireless payment terminal out of a taxi driver's hands when he insisted on trying to do a contactless payment by taking the card in one hand, the reader in the other, and then as if he were playing a game of 'slap', slapping the credit card against the terminal and then immediately pulling it back up and away. He repeated this several times, cursing each time the terminal displayed the message 'Read Error'.

I've repeatedly seen people of all ages: try to press contactless cards against screens, wave cards back and forth at varying distances from the reader, and all manner of other behaviors. And we're talking with basic cards that have no option for input here.

Key rotation that requires installing software, using a computer, etc - it's all going to be far too complex for many to understand.


I am neither a UX nor hardware expert so that's all taken with what you called "optimism".

Key rotation doesn't need to be so complex if the aforementioned hardware devices are built correctly.

Overall I hope security-absolutists like me can work with more socially in-touch people like you to build solutions that can become mainstream.


I'm hardly socially in-touch. I just observe people's interaction with technology both at my job (Devops), and in the wider world.

If you want to have some idea of the challenges - read reddit's Tales from Tech Support[1] subreddit. For a non-IT focus, the Just Rolled Into the Shop[2] subreddit has a similar theme - that people refuse to read instructions, educate themselves, or even listen to basic instructions on things.

Better still - do a 'ride along' with someone who does hands-on IT support for a few weeks.

I suspect the only way we will get it if Apple decides to make an ID platform that integrates with the iPhone.

[1] https://www.reddit.com/r/talesfromtechsupport [2] https://www.reddit.com/r/Justrolledintotheshop/


I've done a fair amount of tech support in my career. The divide in our thoughts seems to be that I'm not thinking of a system that will be quickly popular and adopted, but rather one that is secure and eventually wins over users. Users may be reluctant but as they continue to suffer from data loss they'll slowly learn to use proper security regardless of the UX hurdles.


[2] is basically an enthusiast sub and likewise filled with unrealistic expectations of normal people. The mechanical equivalent of "what kind of neanderthal doesn't run no-script?"

[1] is better because it's real stories.


Milton Friedman talks quite a bit about the seatbelt debacle, which he was a contemporary of.

A report-book was written by Ralph Nader called Unsafe at Any Speed, talking about motor accidents which prompted some outcry and political action that ended with the seatbelt legislation and other safety features.

Some time after the book was published, it was shown to have inaccuracies and wrong statistics.

https://www.nytimes.com/2015/11/27/automobiles/50-years-ago-...

MF on it: https://www.youtube.com/watch?v=-M90XvQD8eE


In just the same way that if someone compromises your email they can probably take control of all of your online accounts.

If you have to have many accounts to access government services people are just going to use the same password for all of them and never rotate them. A single authentication service used by all gov't services would be a huge gain for security.


This is essentially a new form of Luddism. The world is moving forward, with systems evolving by consolidating, grouping and analyzing every aspect of us, our world, and the things we do. Centralization is the answer to so many of our world's ills. Everything from crime, to poverty, to inequality, to disaster-relief. You name it, they can all benefit from a centralized store of all of humanity's knowledge. That is the entire point of the web: connected and cross-referenced knowledge.

Fighting that is fighting progress due to fear. And blanketly decrying "centralization" of data because of the fear that it may get lost doesn't address the problems. We should move our society forward, but we should do it while solving the individual security concerns piecemeal and as they happen.


Basically, the US needs a national ID "card" with PKI system... not to rob people of their privacy but to free them from the tyranny of marketplace anarchy which resulted in the absence of a global unique person identifier de facto glomming onto a number meant for pensioner and disabled benefits. Basically, it should be illegal to use SSNs for anything but Social Security. Taxes should have a tax ID for taxes alone. Instead, secure public key systems to authorize or refuse requests with authentication and nonrepudiation, using a public identifier that can be shared widely but isn't also a magic access authorization detail.

As it happens, IIRC, circa 2000, US schools and universities had to change their databases and systems to not use SSN's as student IDs because of identity theft problems extending from this very core problem.

The US through law must deleverage SSNs and make them public-safe, and promote/mandate a real PKI non-profit system for authentication and authorization for the greater good.
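Added example (not from any commenter): the "public identifier, private key" split proposed in this comment and in the earlier "conflating identity and authentication" comment, as a challenge-response exchange in Go's standard library. The SSN-like number is only a lookup key into a registry of Ed25519 public keys registered in person; a relying party issues a fresh nonce bound to the purpose being authorized, the consumer's device signs it, and the verifier rejects unknown identifiers, expired challenges, replays, and signatures from anyone who knows the number but not the key. The registry, the sample identifier and the purpose strings are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"time"
)

// Registry maps a public identifier (an SSN-like number) to the public key the
// person registered in person. Knowing the identifier grants nothing.
type Registry map[string]ed25519.PublicKey

// Challenge is what a relying party sends when someone claims an identity.
type Challenge struct {
	ID      string
	Purpose string    // what is being authorized, e.g. "open card account at Example Bank"
	Nonce   string    // fresh per request; an old signature cannot be replayed
	Expires time.Time // bounds how long a signed approval is usable
}

func NewChallenge(id, purpose string, ttl time.Duration) (Challenge, error) {
	n := make([]byte, 16)
	if _, err := rand.Read(n); err != nil {
		return Challenge{}, err
	}
	return Challenge{ID: id, Purpose: purpose, Nonce: hex.EncodeToString(n), Expires: time.Now().Add(ttl)}, nil
}

// Bytes is the exact message signed and verified; every field is included so a
// signature for one purpose or one nonce cannot be reused for another.
func (c Challenge) Bytes() []byte {
	return []byte(c.ID + "\x00" + c.Purpose + "\x00" + c.Nonce + "\x00" + c.Expires.UTC().Format(time.RFC3339))
}

// Approve is the consumer's side: sign with the private key held on their own device.
func Approve(priv ed25519.PrivateKey, c Challenge) []byte { return ed25519.Sign(priv, c.Bytes()) }

var (
	ErrUnknownID = errors.New("identifier not registered")
	ErrExpired   = errors.New("challenge expired")
	ErrReplay    = errors.New("nonce already used")
	ErrBadSig    = errors.New("signature does not match registered key")
)

// Verifier is the relying party: it checks the key, the clock and the nonce store.
type Verifier struct {
	Reg  Registry
	Seen map[string]bool  // nonces already honoured
	Now  func() time.Time // injectable clock
}

func (v *Verifier) Verify(c Challenge, sig []byte) error {
	pub, ok := v.Reg[c.ID]
	if !ok {
		return ErrUnknownID
	}
	if v.Now().After(c.Expires) {
		return ErrExpired
	}
	if v.Seen[c.Nonce] {
		return ErrReplay
	}
	if !ed25519.Verify(pub, c.Bytes(), sig) {
		return ErrBadSig
	}
	v.Seen[c.Nonce] = true // kept as the non-repudiable record that this key approved this purpose
	return nil
}
```

The design choice worth noticing is that the relying party stores the signed challenge, not the identifier, as its evidence: the identifier can be printed on every form and leaked in every breach without letting anyone pass `Verify`, which is the property the thread keeps asking for from an SSN replacement.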


Good luck. There's a significant part of the US that gets their panties in a bunch whenever you mention something close to a national ID - which this would be.

So, instead we have an extremely crappy national ID in form of SSN cards, but I'm fairly certain that same crowd would also be happy to end social security - so at least they're consistent.


Would there be a point to a national ID outside taxation? Is that the only reason a State would need to have identifiers for its citizens? Credit can be managed without centralized identities so what is the necessity of a State ID?


State IDs manage state administered stuff. E.g. your driver's license. Pretty much every state has a ID that can stand in place of a license for ID but doesn't have anything to do with driving.

With current technology there's no technical or practical (other than inertia) reason federal services couldn't use state IDs. There are only 50 states, not N states. A 50-case switch wouldn't be that bad. ID requirements between states aren't so disparate that you couldn't get a good enough mapping.

The biggest hurdle to ANY effective ID system for individual people is that ID is a composite key. There are many Joe Smiths in the US. There are many Joe Smiths in a state. There are probably a handful of Joe Smiths with the same birth date. There are possibly multiple Joe Smiths born on the same day that look similar and share a zip code.

People don't have unique identifiers other than DNA and even then if you don't do a good job processing it you're not guaranteed accuracy and I don't think we're at a point where we trust any .gov with that level of info about us.

So far we've been able to squeak by with just using really ugly composite keys.


We're in the process of figuring out composite keys don't work :)

And yes, State + State ID is a decent substitute for a national ID. Because it is a national ID. Except that some states will implement it in the shittiest way possible, and so we end up with even more of a lowest common denominator than if the states negotiated a standard.

And one could reasonably make the case that in this day and age, IDs fall under the Commerce Clause.

Here's the ugly truth: People are objecting to a national ID because it's an easy-to-parrot talking point. The rational objections are on thin ground. (Basically, the downsides are already existing anyways, we're just not getting the upsides. Because ideological purity. Yes, I mean you, ACLU)


The air travel system in the US is run by the Feds. They require identification documents from passengers. This creates a de facto need for a national ID, although at present the issue is being fudged by use of state-issued driver's licenses (which the Feds won't accept as usable in the case of several states).


I have used my national ID for:

- Applying for university

- Managing my student loan

- Registering a company

- Delivering taxes

- Changing health provider options

All online (various different services). This is in Norway. Actually the electronic state ID system supports multiple identity providers, I mostly use the one from my bank, which then also covers all my banking needs.


The UK manages well enough without a national id (seen as too Gestapo).

And if the USA had national ID it would be used to harass BME citizens à la Sheriff Joe


The same crowd also appears to be the ones worried about voter fraud, so their consistency has limits.


You should at least present their argument charitably if you're going to call them hypocrites. They have no issues with state IDs which is what would be presented at the polls since you vote in your state's elections.

Look, when the ACLU is against national IDs you have to at least admit that the idea is worth discussing. https://www.aclu.org/other/5-problems-national-id-cards


Uh, no. The ACLU has many merits, but no, their ideas are not implicitly worth discussing. They're also the ones in favor of Illinois Nazis.

They represent both the best (a strong belief in an ideal of humanity, and a fervent desire to make the world a fair and open place) and the worst (ideological purity über alles) of the left.

And I say that as a card-carrying ACLU member :)


Absolutely agree. SSN started life as a unique identifier, that's how it should have remained. It's a pretty terrible super secret password.


It's unfortunate that asymmetric cryptography wasn't around when the SSN system was built.


It is not that someone has access to your credit history that is a problem nor who manages this information. The real issue is that agencies extending credit will lend without verification. It is not even credit agencies that do this, too many companies allow charges against all sorts of accounts; an example is spurious charges that sneak onto phone bills.

Any company extending credit or charging a customer should be required to reach a level of proof required by law, to the point I would think that above a certain level of credit it requires a notary or such.


Looks like Equifax gets a junk bond rating in the personal information handling. This company should be shut down. 3.1B revenue and can't secure data, not even really trying. Greed.


Which company can secure data? Are we just assuming it's viable and reasonable? There are a lot more examples of failure than success: Sony, Apple, AT&T, Snapchat, the US Army, https://en.wikipedia.org/wiki/List_of_data_breaches

I'm not really sure the protocol is up to the job, while theoretically it would appear possible to secure data on the internet, the reality seems to be that the complexity of the systems involved means there is no reliable solution.


Holy crap, that list of data breaches is incredible. And by incredible, I mean really difficult to believe. If anything should be #1 on hacker news for an entire month it should be that page right there.


And that entry is missing a bunch as well. Specifically, it doesn't list the most recent T-Mobile breach. This breach was notable in that it was called a T-Mobile breach but the data was stolen from Experian's servers. T-Mobile pointed the finger at Experian and Experian said they were just storing the data at T-Mobile's request. This breach affected 15 million people. The assholes at T-Mobile as well as Experian offered one year of free credit monitoring from Experian as a resolution. In order to elect to participate in the offer you were required to enter your social security number into a sketchy looking web page.

See: https://krebsonsecurity.com/tag/t-mobile-breach/


What is remarkable, and it pains me to say this, is that Microsoft isn't on that list. With all the telemetry data they collect, they might have some good data stored. I'm sure people are trying to hack it, even right this minute.

They seem pretty capable, so far, of keeping their own collected data secured.


Some of these breaches, for instance the Gmail/Google breach, might not have been a breach of their systems at all. So far for that example (but there are more), one could apply that to Outlook/MS and get identical results. Aka: hack some service that has millions of emails/passwords (accumulated), filter all gmail emails, try to log in to gmail with that combo and if it works, put them into the list of 'hacked gmail accounts'.

Not trying to stick up for Google here, but, like MS, there seems to not be a real breach there.


This reminds me of the famous Scott McNealy quote from 1999 ("You have zero privacy. Get over it.")

A lot of people are making the assumption that digital information can be somehow protected when in fact it seems the opposite assumption is more likely to be correct: any information in digital form accessible on a network will be compromised. It's just a matter of time and not even a very long time in most cases.

What if we take this as a starting assumption for information management? I think this leads you to a different way of thinking of information protection, specifically that we need to come up with ways to extend the time that private information remains protected. For example, what prevents us from having physical "information wallets" that we carry around with us and unlock only on demand and in return for specific services? This sounds a lot like an iPhone. Why don't we put things like medical records in them?

I think the technology to do this is already on the horizon, especially if you assume that the information that people truly need to protect (e.g., financial records) is not that large.


Yep, should be nationalised with no compensation to shareholders - that threat would be enough to make the remaining 2 behave


DNA should be the only fully trusted proof of identity. To apply for a credit of any important amount (or any other important procedure) you should be required to be pinched to extract a drop of blood and determine if you are who you say you are according to the DNA database.


This is a very bad idea. It's easy to get enough DNA, covertly. You're constantly shedding DNA-containing bits.


I think the argument would be that it's easy to get a sample of a person's DNA, but you can't fake it when the person authorizing you takes a fresh sample.


Sure, but someone else could pretend that they were you, with your DNA. They'd need to fake the "fresh sample" part, but that's doable.


Of course, they take a hair from your head; and it was exactly the fake hair they had prepared, and then they take a drop of blood from your finger; and it's the fake finger you prepared; then they check your iris and it's the eye transplantation from the victim just like you prepared.


That's a good point. But I still don't like it.

I mean, there are circumstances where it'd work. But the requirements for verification and chain of custody would limit usefulness, I think.


Yeah, trust companies like Equifax instead.


Yeah; of course this is what I mean; somehow I got down-voted to oblivion, f-uck you too hacker news community.


"real time" PCR and other such techniques could make (will/is) something like this feasible... but you wouldn't need to get pinched or poked.

It could probably extract DNA in real time from your sweat or breath.

But then DNA will become just another identifier, because we'll be able to synthesize it too, and then amplify it again, use it to trick the machine, and so forth.

EDIT: leaving the error, but real time PCR is actually a lab technique. I meant basically super fast sequencing


Synthesize it? You can change your DNA in the future? Like they are looking at the blood going out from your body and they can fake that too? The future is amazing.


Just the application or would you want to get pinched every time you would want to log in? Sounds really painful.


Not to mention changing your DNA if it gets compromised will be difficult.


I think it actually could be a pretty good system. It's a piece of information that uniquely identifies you and even if it's totally public it doesn't help someone impersonate you. Sure someone could easily produce a sample of your DNA but they couldn't fake a fresh blood sample taken by the person authorizing you.


Cheek swabs are a thing, and the most common venue for collecting DNA.


"Perfect for identical twins!"



They are identical for the purposes of a standard test. The fact that a difference exists doesn't mean you can find it.


This would likely reduce the rate of bone marrow donation.



