Michael Becker discusses the ramifications of the recent T-Mobile data breach and the company’s response and actions to aid those affected by the loss of personal data.
Last week, T-Mobile acknowledged a new data breach that has affected 40M+ people, and, as with every breach, the impact of this event will continue to affect them for years to come. To those impacted, T-Mobile is offering a bandaid: a free McAfee Identity Protection license. Offering an identity protection monitoring service or similar bandaid following a breach is an industry-standard practice. The bandaid, however, provides little salve. What is even worse and unfortunate, since some action is better than nothing, is that most people don’t take advantage of it when it is offered.
Is T-Mobile’s offer a start? Yes. Is it enough? In my opinion, no. We need to do more. People worldwide are concerned for their privacy and data. They have been for a long time, and rightfully so, as evidenced by the fact that there have been more than 10,000 data breaches since 2005 and 11.5 billion breached passwords have been recorded out in the wild.
And the problem is only going to get worse as we become more and more connected in the coming years. One estimate predicts that by 2025 people will be interacting with and leaking their identity and data to IoT devices 4,800 times a day, i.e. about every 3.3 seconds (Reinsel et al., 2017), and the ITRC predicts that in 2021 we’ll experience the most data breaches ever in a single year. The good news is the number of people impacted will be lower than in previous years (“Data Breaches Are Up 38 Percent in Q2 2021; The ITRC Predicts a New All-Time High by Year’s End,” 2021).
People lack and want control over their physical and digital self (aka data). They want their privacy, but they don’t know where to start, and they lack the tools and education to manage their data.
Identity Protection Services Are Not Enough: The Harms & Costs Caused by a Data Breach
Identity protection services, like those being offered to the affected, can remind us that we have a problem, that the “Cows” have gotten out of the barn, but they don’t offer a solution.
These services will tell someone that a personal attribute, e.g. an email address or social security or government ID number, has been found on the dark web. They rarely tell someone much more, e.g. how their data got leaked in the first place or any other meaningful, actionable insight.
Moreover, they don’t address the emotional, time, economic, physical (inc. life), reputational, relationship, chilling effect, discrimination, thwarted expectations, control, data quality, informed choice, vulnerability, disturbance, autonomy, social, civic, and political harms that people may immediately experience following a breach or that may befall them years after a breach has occurred, i.e. long after the identity protection monitoring service bandaid has dried up and fallen off.
The total cost of the potential immediate and long-term harm exposure from a breach far exceeds the $39.99/year value of the identity protection service bandaid. For many, it can take days, weeks, or even years to find out their data was compromised, and it can take many hundreds of hours and upwards of thousands of dollars to recover (“Data Breaches Are Up 38 Percent in Q2 2021; The ITRC Predicts a New All-Time High by Year’s End,” 2021) from a severe breach or misuse of their data.
And so far we’ve just been talking about “material” past or current harms. What about future harm, i.e. lost opportunity? For example, the lost opportunity to buy a car or house because the breach trashed your credit score and you can’t get the inaccuracies removed. The FTC reported that 20% of people have at least one error in their credit report. Or the opportunity that can be gained by having control over one’s data (e.g. in the form of a personal data store or personal information management system) and using it to learn about one’s self, to more efficiently navigate life, or even profit from one’s own records, attributes, labor, or capital data?
It’s time to give people a seat at the table
The elephant in the room, and one not taken nearly seriously enough, is that our personal data has value, and this data and value should be under the control of the data subject, i.e. the person that it relates to or is generated by. As the former EU commissioner Meglena Kuneva noted as far back as 2009,
“Personal data is the new oil of the internet and the new currency of the digital world” Kuneva (2009).
Why is it not addressed? Possibly because the industry says people don’t care about their data? Or because we think regulations will take care of it. More likely, it is because it threatens the efficiency of existing operations and business models, and because it is just not practical at scale today and is too hard to implement at this time. In aggregate, people’s data is worth trillions of dollars. Corporations are taking the lion’s share of the benefits while individuals are left holding unmitigated risks. The Identity Nexus equation, the equilibrium state where benefit and risk are equally shared throughout society, is out of balance.
It is time we empower people and give them a share of the riches they are generating, which is worth far more than a free account, recommendation, or article they are getting today. It is time we get The Identity Nexus equation back into balance. Our privacy should not be a luxury good, as it is today. Today people are the entrée being served up to industry, primarily in the form of marketing, risk mitigation, and people search. It is time we move them off the table, and give them a seat at the table. If we enable them to be active participants in the collection, management, and exchange of their data, the personal, civic, social, and commercial bounties will be plentiful.
This is not an idea problem, nor a technology problem; it is an imagination and will problem. The ideas have been with us for decades, and the technology is maturing at a breakneck pace. There are pockets of innovation happening today where people are working on putting people in control of their data, like MyData (see Langford et al. (2020) MyData operators report), the Mobile Ecosystem Forum PD&I working group meetings, the Internet Identity Workshops, and the many self-sovereign identity working groups at the W3C Decentralized Identity, Decentralized Identity Foundation, Trust over IP Foundation, and The Good Health Pass Collaborative (a group working on a self-sovereign COVID testing credential), to name just a few. The problem is, we’ve simply gotten too comfortable with the status quo, and the collective we simply can’t imagine a different world.
We need systemic change
“We’re entering an age of personal big data, and its impact on our lives will surpass that of the Internet” (Maney, 2014). Being reminded that there is a problem is not enough to address the problem. We need to prevent harm, or at least mitigate it, before it occurs, as well as address other harms, i.e. the illicit and legal misuses or non-permitted use of our data, and the lost opportunity that people may realize from having cross-sector access and control of their data. In the end, only the individual can have a complete view of themselves. We need to create opportunities for personal fulfillment. Identity protection is a start. But what people need is control. Contracts, terms of service, and privacy policies are not enough. Regulation is not enough. Trust in commercial and non-commercial institutions to do “the right thing” is not enough. People need to be in a position where they can “trust but verify.”
Five pillars of digital sovereignty for the phygital human
To control their digital self, people need a systematic framework to embrace the five pillars of digital sovereignty–awareness, intention & behavior, insurance, rights, and technology–all of which rest on education. People need education to understand the problem, to know how and when to use the utilities and services, and how and when to take specific actions that suit their personal circumstances. Moreover, regarding rights, they need regulation that recognizes privacy harm, not just privacy law. As an industry, we should not just be offering bandaids; we should be providing a suite of convenient, unobtrusive, passive and active, value-generating utilities, services and education (aka privacy-enhancing technologies and personal identity management capabilities) that help people take back control of their data, their digital self. We need to put in the time to build exceptional customer experience, user experience, and contextually relevant content.
We live in a connected digital age. We have become phygital beings (physical + digital). Today, for many, the digital part of us has more personal, social, and economic value than the physical self. It is time for people to have control of what matters most–their digital self, alongside their physical self. We need to be whole again.
Join the MEF Personal Data & Identity working group
The MEF Personal Data & Identity working group is undertaking a PD&I market assessment effort.
Please reach out to Michael Becker if you have insights (consumer insight, operational insight, solutions and technical insight, use case, recommended organization and leaders) that you think can help the MEF and its members make an impact.