By Mackubin Thomas Owens and Matthew Daniels
Yahoo was forced last week to stop concealing the largest data breach in American history. In one sense, the disclosure was no shock since Pew Research reports that 91% of Americans realize they have lost control of critical personal data to corporations. But the Yahoo breach does reveal something more sinister: corporate data addiction is becoming one of the greatest preventable threats to our nation’s security.
Since hacking is a permanent feature of life in the Digital Age, the best way to reduce the damage to the public and our nation is for corporate America to go to data rehab.
We need to replace data binging with moderation. But the personal information of the American public has become a form of corporate cocaine for many companies in the era of big data – a drug that is plentiful, highly addictive and toxic.
As we transition from the advent of the Digital Age to the Internet of Things, the security risks associated with the unprecedented commerce in personal consumer data will increase exponentially. The 8.7 billion devices currently connected to the Internet are expected to increase 10-fold within five years. Each such device not only constitutes a point of individual vulnerability, but collectively, they put our national security at risk.
Beyond their intended purpose, these devices will also collect and transmit vast amounts of private user data to the manufacturers and other third parties – under the aegis of privacy waivers that are effectively “contracts of adhesion” designed to create a legal fiction of meaningful consent to protect the insatiable corporate appetite for personal data mining.
Theoretically, citizens are free to protect their privacy by opting out, but in reality, it is simply not possible to do that and still be full participants in the modern economy or society. While these devices provide convenience, the data they transmit can be used in ways that harm the public.
For example, although companies can use such information to target their marketing better, others can also use it to screen out potential clients or employees unjustly. So, while drug stores want to know when your browsing history indicates you might have an ailment for which they have a remedy, health insurers may also want to know that same information so they can alert client companies’ HR departments to avoid hiring prospective employees who might drive up those companies’ health care premiums.
What’s worse, our data can also be stolen and then used fraudulently, broadcast, held for ransom, used for blackmail or worse. These threats are particularly dangerous because they can come from so many different sources – disgruntled contractors or competitors; cyber vigilante groups like Anonymous or Crackas With Attitude (CWA); crime syndicates, drug cartels, and gangs; terrorist organizations such as Al Qaeda and the Islamic State; or foreign governments such as Russia, China, North Korea and Iran.
Following on the pattern of the 2014 Sony Pictures hack, last week’s Yahoo data breach epitomizes how easily data can turn into a toxic liability for a company. Yahoo is already facing a federal class-action lawsuit for damages. In recent years, stolen data has cost businesses at least $100 billion annually. With the Internet of Things, this figure will skyrocket.
Bear in mind that the companies themselves are not the only victims. So are their insurers, employees, partners and customers – including police, military and intelligence personnel, elected officials and their families. The credit reporting agency Experian admitted last year that hackers accessed its systems and stole personal data on 15 million individuals, to include names, addresses, PIN numbers, passport numbers and military IDs.
CWA hackers recently accessed the personal e-mail accounts of CIA Director John Brennan, Director of National Intelligence James Clapper and FBI Deputy Director Mark Giuliano. Imagine the havoc that could be created with the data of our police, military personnel and senior government officials if hostile regimes or groups were to hack their mortgage, credit, banking, medical data or other records. The homes and families of American business leaders are also prime targets. If these episodes teach anything, it is that the term “cyber security” is one of the enduring oxymorons of the Digital Age.
Given that the exponential growth in the collection of such data is now our biggest preventable vulnerability – economically and militarily – drastic reform is inevitable. Congress and the courts can compel it, but the results will likely be: (1) reactive, driven by political pressures in response to a crisis; (2) technologically outdated, and inflexible; and (3) punitive in nature. So, the time has come for responsible corporate citizenship to advance the public good through voluntary reform that will be a win-win for everyone.
We are already paying far too high a price for the corporate addiction to personal consumer data – a toxic asset that clearly undermines our national security. As with any addiction, the time to stop the toxic habit is before it becomes lethal, whether for addicted companies, the growing number of innocent victims or our nation.
Owens, Ph.D., is the Dean of Academic Affairs, and Daniels, J.D., Ph.D. is the Chair of Law & Human Rights, at the Institute of World Politics in Washington, D.C.