That ain’t workin’ that’s the way you do it
Money for nothin’ and chicks for free… ~ Dire Straits (“Money for Nothing”)
We’ve all heard Dire Straits’ old song “Money for Nothing,” and that’s what monetizing web traffic is like for website owners. Publishers like NYTimes do it to stay alive, as do behemoths like Amazon to generate additional revenue. So can we blame Equifax for wanting to make some do-re-mi off the tens of millions of new website visitors coming to their site? (cue the crickets…)
Equifax visitors who wanted to determine if they were affected by the breach were led to the page above. Clicking on Free or Discounted Credit Report is how Equifax visitors would get served 3rd party malware. Not Equifax’s system, sure – but it’s definitely because they wanted to monetize that traffic. For those reporting Equifax’s line about “not our system that was hacked”: that is similar to casting blame on Apache Struts for its issue. Let’s put on our thinking caps, shall we?
The Equifax hack news of the day seems unbelievable. After all the beating that the company and its ex-CEO have taken, you’d expect that it would have its act together by now. Right? Not so fast… On closer inspection, today’s news is predictable, once you understand that problems will continue for Equifax as long as it has the same corporate mindset that led to the mammoth breaches of May-July 2017.
A closer look at the latest hack…
The problem starts with the fact that Equifax apparently uses a 3rd party, FireClick, as its provider of hosted application services. FireClick’s purpose is to collect and store Web analytics on usage and data for its clients, like Equifax.
BTW: If you try to visit FireClick’s site right now, don’t bother. It’s apparently a defunct company still listed as a wholly owned subsidiary of Digital River:
The issue stems from how Digital River/FireClick integrated its ad network, including bad adware (i.e., Adware.Eorezo) in tracking, collecting and reporting Equifax’s site activity. To boil this down to the most basic terms:
- The unsuspecting consumers visit Equifax’s site
- When wanting to get details on Equifax’s Credit Report Assistance,
- The visitors are prompted to complete a form on a separate page—NOT on the original Equifax website. This is where the third party ad network comes into play. This is why Equifax is crying, “Not our system!”
- Of course, most unsuspecting visitors will proceed to fill this out and then get a prompt to download Adobe Flash Player.
- Once this malware is downloaded, voila! The website visitor’s machine is the happy new home of the newly acquired malicious program(s) (e.g., spyware, ransomware, etc.)
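What a site owner can check before a vendor tag ever reaches visitors, as an added example (not part of the original post): a Python audit that lists the scripts and iframes a page loads from other hosts and flags any whose host was never reviewed or whose script is not pinned with Subresource Integrity. The sample HTML, the hostnames and the `audit` helper are constructed placeholders, not the real Equifax or FireClick resources.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page; every hostname here is a placeholder.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.partner.example/lib.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="//analytics.vendor.example/tag.js"></script>
<iframe src="https://ads.network.example/slot?id=1"></iframe>
</head><body><a href="https://other.example/">link</a></body></html>
"""


class ThirdPartyAudit(HTMLParser):
    """Record <script>/<iframe> sources served from a host other than the page's."""

    def __init__(self, page_url, allowed_hosts=()):
        super().__init__()
        self.page_url = page_url
        self.first_party = urlparse(page_url).hostname
        self.allowed = set(allowed_hosts)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        attr = dict(attrs)
        src = attr.get("src")
        if not src:
            return  # inline script or empty frame: nothing fetched by URL
        # urljoin resolves relative and protocol-relative ("//host/x") URLs.
        host = urlparse(urljoin(self.page_url, src)).hostname
        if host is None or host == self.first_party:
            return
        issues = []
        if host not in self.allowed:
            issues.append("host-not-reviewed")
        if tag == "script" and not attr.get("integrity"):
            issues.append("no-sri")
        if issues:
            self.findings.append((tag, host, issues))


def audit(html, page_url, allowed_hosts=()):
    """Return (tag, host, issues) for each risky third-party include."""
    parser = ThirdPartyAudit(page_url, allowed_hosts)
    parser.feed(html)
    return parser.findings
```

An integrity hash only pins the file it is attached to; whatever that script later pulls in from other hosts is what a Content-Security-Policy has to restrict.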
As with the Equifax breaches, one can always point to a third party (Apache Struts for the May – July 2017 breaches). But the brutal fact is that the buck needs to stop with Equifax. For those naysayers who want to say that class actions don’t help, I will direct them to the Anthem Data Breach settlement terms, which require Anthem to spend tens of millions of dollars and subject itself to security audits for years. As a class action attorney, you can bet that one of my major goals is to have Equifax (and hopefully all credit reporting agencies) subjected to external, rigorous security standards. And, as with my other data breach cases, I will fight for my clients tooth and nail (they’ll speak to you, if you are still incredulous).
A key takeaway for consumers (and especially for my many Equifax clients): for now, you are wise to steer clear of websites that Equifax and its competitors direct you to.
P.S. Check out Digital River’s site below. Yep – they claim that they are the “Industry Leading (sic) Fraud Prevention.” #Irony
A Seattle law firm is announcing a class action lawsuit against Equifax after a data breach exposed information of 143 million customers.
Posted by KING 5 on Tuesday, September 12, 2017
The Equifax data breach has sent shock waves like we’ve never seen before. Some consumers are only now starting to realize the lasting damage and harm that this breach will have on their lives. Thank you for all of your calls and emails. Please continue to send concerned family, friends, co-workers to us at Equifax@Stritmatter.com. Yes – we have heard from folks from New York, Florida, Virginia, Arizona, California, etc.– a former employee of Equifax, data privacy experts, and reporters who are trying to separate fact from fiction.
I promise to write more soon, as I continue to try to respond personally to as many emails/calls as I can. But please let me address one pesky fiction that occasionally rears its head on corporate-leaning media outlets and individuals’ social media posts: A class action against Equifax will address a deep-rooted systemic problem that puts all of us at risk. I cannot speak for all lawyers. But please think twice before rushing to judgement against those of us who are committed to advancing consumer rights. I will point to our work in the massive Anthem data breach litigation: Significantly, as a result of the Anthem settlement, a team of us have helped all affected by the breach by holding Anthem accountable. The agreement includes a court-enforced term that will hold Anthem to a more rigorous standard in its safeguarding of Personally Identifiable Information (PII). Anthem will have to spend at least $90 million annually on beefing up its cybersecurity practices for the coming years. At minimum, my clients will get awarded between $5K-$15K each. Then, there are dozens of attorneys like myself who have invested countless hours and dollars (yes – pursuing class actions costs money) and we will not want to retire anytime soon because we love fighting for consumers. BTW: note that federal law has a strict limit on attorneys’ fees.
Thanks to all of you who have contacted us with your stories, questions and concerns. As with our many other clients, we want to help give you a voice and make sure that you recover from this historic data breach.
Why do people not care about Privacy? Some will offhandedly claim, “I have nothing to hide.” Others will say that big data and government surveillance should not concern those who are law abiding and innocent of wrongdoing. But the problem with this response is that it reveals a lack of understanding regarding the value of privacy. Privacy is not a mere shield or wall to hide certain details about us from others. The concept is not reducible to single acts of intrusion or violation of one’s personal sphere. To think about Privacy in terms of someone peering into your window to watch you with your family is to focus on only one tiny strand of tapestry or one grain of sand in a beach.
Think of the value of Privacy this way: If you drank one glass of lead-laden water from Flint, would you see a quick path to cancer or any other potentially deadly disease? Probably not. But the problem for those in Flint was that they drank water contaminated with lead for years. The cumulative effect, the acts taken in the aggregate were what caused so many in Flint to suffer irreversible health problems.
This is the same way that Privacy violations harm each of us and our society as a whole: through information collection, aggregation, insecurity, increased accessibility and decisional inferences/interference (“decisional interference” was coined by Prof. Daniel Solove).
While nebulous, Privacy is important because it affords individuals a basic amount of autonomy and control over facts and details that make each unique. In the aggregate, “big data” seems harmless. But as we have seen, there are many ways to hack and identify personally identifiable information (PII). When the PII and/or valuable data sets of individuals get in the wrong hands, one loses control over their finances and their digital existence. One of my data breach clients suffered and continues to see fraudsters obtain lines of credit, obtain a Washington State driver’s license, and so on. Folks: This is NOT Privacy Paranoia. It is a well informed fact that we need to care about how our PII is disclosed and safeguarded.
Most people do not realize how their data is getting sold in myriad forms either legally or illegally. I will talk about this more in future posts. That private data has value in virtually every imaginable industry. If it matters to others, it certainly should matter to you. At the very least, to value your Privacy is to value control over the information that is accessible about you. If you don’t care about having that minimal amount of control, then feel free to broadcast your SSN along with all of your family’s SSNs and dates of birth.
Tomorrow, January 28, 2016, is Data Privacy Day. Big deal? It actually is: The first Data Privacy Day that occurred in the United States and Canada was in 2008, which was observed as an extension of the Data Protection Day celebration in Europe. Data Protection Day commemorates the Jan. 28, 1981 signing of Convention 108, which was the first legally binding international treaty dealing with privacy and data protection.
Now led by the National Cyber Security Alliance (NCSA), Data Privacy Day has become the signature event promoting privacy awareness. Without committed defenders of privacy, like the Electronic Frontier Foundation, we would not have seen a complaint filed with the FTC against Google for unauthorized collection of school-aged children’s information, when they are using Google Apps and Chromebooks in their schools. Google’s unauthorized collection of personal information from school children via Chromebooks and Google Apps for Education (GAFE) caught the attention of Senator Al Franken, a ranking member of the Senate Judiciary Subcommittee on Privacy, Technology and the Law. Franken responded by writing a letter to Google CEO Sundar Pichai asking for information about GAFE’s privacy practices.
The first step to ensure that our student privacy campaign succeeds is to educate ourselves as parents. This way, we can direct our energy and knowledge effectively. On this Data Privacy Day, take the time to check out the resources that the Electronic Frontier Foundation compiled to regain control of your children’s privacy. Please spread the word about student privacy by sharing these and similar resources with other parents!
I can’t emphasize enough how important it is that parents understand their and their children’s rights. We live in a world where parents may be asked by schools to waive those rights before their youngsters are permitted to use technology in the classroom. Third parties will too often encourage parents to give schools consent to release their children’s information to those very third parties.
Interested in becoming part of the “privacy defender team?” There are many ways in which you can get involved.
- Create a culture of privacy at your organization.
- Own your personal online presence.
- Share your privacy knowledge with your local communities.
- Attend a Data Privacy Day event.
- Become a Data Privacy Day Champion.
Can you imagine a world without Google? I can’t.
I have a Droid phone as well as an iPhone. But everything tethers to my Google world — contacts, maps, videos, etc.
It wasn’t always this way, but internet marketers (including Google) have figured out that the key to making money off of content is via online profiling and highly targeted advertising. If you Google something or shop on Amazon, do you notice how your latest online shopping follows you to online news sites, your Gmail, Yahoo Mail, etc.? That’s how sophisticated online marketing has grown. (As I mentioned elsewhere, I too used to work in the online marketing/high tech world. We would hear concerns about privacy, but needed to tune them out to figure out how to get the most bang for our clients’ marketing/advertising dollars.)
Finnish security researcher and chief research officer Mikko Hypponen tried to vow a life of unGoogleness. After all, he understood his privacy was threatened every time he broke his vow. But, try as he might, he couldn’t.
Hypponen, speaking at a WSJ technology conference, WSJDLive, openly confessed that the Internet has evolved into a privacy nightmare because of the users’ reliance on “free” services. (I will talk more about “free” and sex in an upcoming blog post.)
“I really tried getting rid of Google,” he said. “You can’t avoid Google. We are way beyond that.” True that.
Let me know if you’ve succeeded in upholding the vow of nonGoogleness. I’d love to know how you did it!