We have a massive personal data problem, but ‘value’ is the real sticking point.
Updated: Mar 3
Any list of data misuses that have had a tangible effect on our lives would include the Cambridge Analytica scandal and the UK’s ISO authorities’ findings that Facebook was largely complacent in allowing one million user accounts to be harvested for information.
The penalty for this was £500,000, or roughly 1p per ‘hacked’ account. A tiny sum for a company which generates more than $70bn. To put this into perspective, the company generates this kind of cash every 4 minutes or so – it would have taken Zuckerberg longer to read the summary judgement than to earn the cash to pay the fine.
Other industries have long faced fines which are proportional to the size of their business. In April 2017, VW was found to have misled consumers and ‘cheated’ on emissions tests. Most governments imposed fines which varied in size, but a fine of around $30,000 per car became roughly standard, and VW eventually ended up shelling out around $33bn in compensation. Putting this in perspective, Facebook was fined the emissions test cheating equivalent of 20 family-sized hatchbacks. Your personal data about everything that you do, your habits, your friends and your behaviours, is valued 3 million times less by our legislation than a gassy car is.
Now, emissions have serious repercussions which can result in premature death, and cheating on these should have consequences. But the difference in the magnitude of fines betrays a lack of respect for, and understanding of, the impact that digital crimes can have. In the case of the misuse of personal data and the all-too-common data breaches, consequences can include anything from credit card phishing and loss of personal savings to the derailing of democracy.
But how prevalent is this problem?
To underline how commonplace these are, and how few repercussions there can be, I urge you, right now, to go to the website https://haveibeenpwned.com and enter one of your email addresses.
Using my personal email, I have been subject to no fewer than 10 data breaches in the last two years, which include Canva in May 2019, Covve in Feb 2020, DataCamp in December 2018, MyFitness in February 2019 and Zynga in September 2019. Through no fault of my own, my username and various passwords, my location data (scary), and authentication for my Google account have been harvested, packaged and shared through various dark corners of the web – or traded for hash on Silk Road. When Canva failed to protect my data, they did so alongside 139 million other users. The data was stolen by the powerful hacker group Gnosticplayers, who have listed (and most likely sold) around 1bn compromised records this year.
Disney was forced to issue a statement earlier this year, in response to accusations that Disney+ accounts had been hijacked. In this case Disney claimed that they had not suffered from a data breach, but that instead so many username and password combinations had been stolen that when users created a new account using old usernames, they were immediately stolen. We are constantly being told to use unique combinations for every site, and to never share our details, but if these sites were half as responsible as we are supposed to be, we would not have to.
My own username/passwords are now stolen an average of five times a year, from companies that supposedly have a duty to protect my data. Most likely yours are too, and yet very few consequences exist for companies that were not prepared to pay the expense to fulfil the legal obligation to protect you, their customer.
The misuse of personal data has serious repercussions and the protection of it is woefully lacking. While misusing this data is criminal, it’s also far too late to catch and punish the individuals who have stolen the data, years after a user or country has had their life disrupted by the data loss.
Financial Vectors Needed
Companies in general may like to pursue ethical avenues, but economic studies indicate that the only real way to enact broad change is to create a financial vector. Companies may conceal the truth against the law, but this is always in the name of profit – not just because they feel like it. Therefore, altering the behaviour of companies must also lead from a profit standpoint.
Again, cars are a great example, having grown much more efficient over the last 15 years, using technology invented in the 1930s (high pressure intakes). This came about through simple legislation, which placed a cost on inefficient engines. Consumers immediately looked for the cheaper stuff, and companies created better and better products to fill their needs.
Data needs to be treated the same way. We can pass whatever moral judgements we like, but until we create financial vectors that force the companies that use our data along the route that society needs, a few companies will change, but the majority will not. In the case of data breaches – this needs to take emissions as an example and impose fines big enough to hurt when companies do not comply.
A sunny lining
While companies that do not protect data have been punished for years, the severity was laughable. But the new raft of legislation being passed now serves to correct this and, importantly, is scalable for the future.
In the UK, new legislation aims to deal with online harm, which includes data protection, but also protection from harmful content. The fines will not be limited to £500,000 but will be up to 10% of global turnover for companies like Facebook, meaning a current cap of £5bn, which is 10,000 times greater, or 36 days of revenue rather than 4 minutes. Ofcom, which is experienced in the investigation and enforcement of duty of care type legislation, will be taking charge, which is generally seen as a progressive move as the organisation has both the experience and the manpower to take on high-profile cases with international mega-corps.
The European Commission is also upgrading its powers to deal with big tech with the Digital Services and Digital Markets Acts. These laws again increase the level of fines that can be imposed on tech companies and again include duty of care requirements. In addition, they also start to regulate competition between the larger groups and independent bodies. Mainly this takes aim at ringfenced ecosystems, while it also has a smaller role in dealing with unintended consequences of GDPR, which disproportionately affected smaller companies.
The next battleground
Data breaches are very definable, but there are more issues which need to be tackled, which recent events have brought into the foreground.
Facebook is once again in the spotlight in the US, and this time legislators seem to have done their homework, not only understanding that ad-funded companies “sell ads” but beginning to question whether having three of the six major social and messaging services owned by one company is potentially bad from a competitive standpoint.
A serious decision against Facebook could lead to the company being split up, with Facebook main being separated from WhatsApp and Instagram. Facebook, for its role, will need to prove that the functionality of these three divisions is suitably different so as not to represent a stranglehold on the industry when combined.
Social media demanded legislation when asked about their responsibility to protect the public. They were right to do so, as a company censoring its users without any true public mandate is troublesome at best. But the extent of the laws now being passed reaches far above what they wanted. Expect a number of high-profile lawsuits and arguments at the top level of government over the next few years as legislators and tech clash over the exact meanings of the new far-reaching policies.