Technology and Society
Data Breaches, Betrayals, and Broken Promises
October 6, 2016
Poor old Yahoo. Three weeks ago, we found out that, oopsie, 500 million of their users had their data hacked, the biggest breach of a single company (that we know of – yet). Yahoo says it was probably the work of a state actor and they only recently realized information stolen in 2014, including passwords, security questions, and personal information like date of birth and addresses, is being sold on the underground info-market. The trouble with this kind of information is that it can be linked with other information that, combined, can cause a lot of havoc. Though Yahoo isn’t the major player it once was, it still has a billion monthly users. Verizon, which was all set to buy it, must be renegotiating the terms. I mean, they want all that personal information, but it’s worth less if it’s not exclusive.
Now, another controversy. On Tuesday Reuters reported Yahoo’s leadership decided to hack their own users by building a tool to scan all users’ communications to comply with a secret government surveillance request which might have been unconstitutional. The story, backed by unnamed sources who provided Reuters with a copy of the secret order, is particularly intriguing because it may have been a way to get around the encryption that, increasingly, users demand to avoid things like having state actors hack their personal information and sell it online. Encryption is not going to protect us from our own state if the key-holders willingly carry out searches for the state. This was the root of the conflict between Apple and the Department of Justice that played out last February. Yahoo, of course, says it did nothing wrong, and every other major corporation holding enormous amounts of data about you says they would not do what Yahoo did, whatever it was. But clearly all of that personal data which we are required to surrender for a chance to find stuff out, share stuff, or talk to each other is vulnerable in countless ways.
One of the proposed solutions for the fecklessness of having massive amounts of personal data collected in places that cannot be kept secure without a great deal of trouble is to make companies that collect this data “information fiduciaries.” Bruce Schneier mentioned this concept briefly in his book, Data and Goliath. Jack Balkin (who Schneier cites) and Jonathan Zittrain have just written about this idea in The Atlantic.
In the law, a fiduciary is a person or business with an obligation to act in a trustworthy manner in the interest of another. Examples are professionals and managers who handle our money or our estates. An information fiduciary is a person or business that deals not in money but in information. . . . the important question is whether these businesses, like older fiduciaries, have legal obligations to be trustworthy. The answer is that they should.
To deal with the new problems that digital businesses create, we need to adapt old legal ideas to create a new kind of law—one that clearly states the kinds of duties that online firms owe their end users and customers. The most basic obligation is a duty to look out for the interests of the people whose data businesses regularly harvest and profit from.
Certainly, one could argue that Yahoo failed to act in a trustworthy manner by allowing state actors (including our own) to gain access to information that we entrusted to the company.
There’s another kind of trust that these giant information companies frequently breach: we voluntarily give them content, which they fail to preserve or protect when they lose interest, drop a product line, or get acquired by another owner. True, they never said they would take care of our stuff in that incredibly long and dense TOS that we agreed to. But our culture is happening in these digital spaces, and the owners of these spaces have no commitment to it.
Yahoo owns the rights to a conversation about books that I’ve been part of that started in 1999 and is still going. Thousands of people have played a part in that Yahoo Groups conversation over the years, and there are thousands of groups like it. Other people have built lovingly-curated albums of photographs on Flickr, which Yahoo bought and is trying to sell. Others have built beautiful Tumblrs that Yahoo is also trying to unload. That’s a lot of culture in the hands of people who don’t care. I have no doubt those conversations and albums and weirdly beautiful collections of connected and commented-on stuff will be lost because the host company doesn’t care about the stuff; they only care about tracking your personal data to sell targeted advertising, the great Tulip Craze or South Sea Bubble of our era.
If you read nothing else today, let me introduce you to Deep-Fried Data, a talk given at the Library of Congress by Maciej Cegłowski, who may be my all-time favorite talker, even though I’ve never heard him speak. He talked about how what we entrust to corporations like Yahoo isn’t just data, it’s the history and the heart of communities, something hackers may not want, but which we shouldn’t lose through carelessness. “A URL is a promise,” he writes. And too many of them are broken.
Our new Librarian of Congress will be thinking about how to preserve our digital culture, a tall order when the companies that hold it let our personal information get hacked and ransacked but have no commitment to the communities that thrive on their platforms or to the cultural artifacts they create there. Cegłowski reminded me today that when these companies lose track of our information, they not only lose our trust and our personally identifying information, they lose our conversations, our family albums, our attics, our hope chests.