“If you can’t explain it simply, you don’t understand it well enough”.
Here at Future Shredding, we understand your concerns with security and trust.
This is why our mission statement is quite simple. Your materials will be destroyed, securely and quickly, always on-site (if you prefer) and with consistency. All of the materials that can be recycled will be.
Our company is family-owned and run which makes our trustworthiness that much stronger because we actually care. We don’t “owe” this to any third party or shareholder; only you. We don’t cut corners at the expense of the security of your materials. We know our place in this world and we are trying our best to do our part. Together let’s make things happen.
Thief uses someone else’s Social Security Number to file a fraudulent tax return and get a refund. Victim may only learn about it after filing his own return and getting a notice from the IRS that one has already been filed in his name.
Thief, perhaps an illegal immigrant, uses someone else’s Social Security Number to get a job. Victim may only learn about it when she files her tax return and gets a notice from the IRS that she has under-reported her income.
How big is the problem?
IRS initiated 1,492 criminal investigations in FY 2013:
66% more than FY 2012.
440% more than FY 2011.
IRS issued $4 billion in fraudulent refunds in 2012 – sent 655 refunds to a fraudulent address in Lithuania.
Give us examples of tax identity theft:
Rashia Wilson of Tampa, FL obtained over $2 million in fraudulent refunds from 2009 to 2012. IRS calls her the “First Lady” of tax fraud.
Six Memphis women pleaded guilty last year to filing over 800 fraudulent returns totaling $1.3 million. Some victims were local high school students.
Other crooks have stolen identities of deceased persons, residents of nursing homes, and inmates.
Some crooks recruit mail carriers to intercept fraudulent refunds that are mailed to victims’ addresses.
Some thieves are crooked tax preparers – one fellow used information from 51 clients to obtain $200,000 in fraudulent refunds.
What are signs that someone is a victim of tax identity theft?
You receive a notice from the IRS that:
More than one tax return was filed for you.
You have a balance due, a refund offset, or a collection action taken against you for a year you didn’t file a return.
IRS records indicate you received wages from an employer unknown to you.
What should people do if they become a victim of tax identity theft?
Contact the IRS immediately.
Consider filing a police report.
Consider putting a fraud alert on credit reports.
Any other advice to avoid tax identity fraud?
Choose a reputable tax preparer.
Don’t respond to unsolicited emails that appear to come from the IRS asking for information.
Medical identity theft (MIT) has become a major fraud issue over the past several years. However, most consumers may not be aware of the threats it poses. Unlike traditional financial crimes such as credit card or check fraud, which rarely involves anything more than a loss of money, the consequences of MIT can involve physical harm or potential loss of life.
According to the Medical Identity Fraud Alliance (MIFA), MIT is defined as the fraudulent theft of an individual’s protected health information (PHI) and personally identifiable information (PII) — such as a name or Social Security number — to obtain medical goods and services or for financial benefit. Additionally, the MIFA states that synthetic identities have been used to commit MIT in which the PHI of several individuals may be mixed to create separate identities.
CONSEQUENCES OF MEDICAL IDENTITY THEFT
Unlike financial fraud, MIT is potentially a life-or-death situation at its most extreme. When others use a victim’s medical identity to obtain medical services or prescription drugs, that information may be commingled with the victim’s electronic health record (EHR).
The MIFA highlighted an example in which an elderly man visiting his local emergency room for a back injury was nearly administered penicillin, to which he had a life-threatening allergy. The issue was caused after the victim lost his medical ID card and did not immediately report it. In the intervening months, someone else used his medical ID at the same emergency room in which he was treated. The victim’s medical records were corrupted with the addition of the fraudster’s medical conditions.
There are several factors that contribute to the recent increase in MIT, such as a conversion to digital records, the black market value of medical records, friendly fraud and insider threats and Affordable Care Act (ACA) fraud.
CONVERSION TO DIGITAL RECORDS
As health care providers convert to digital records, the personal medical information of millions of people has become vulnerable to external data breaches. In 2009, the federal government began offering hospitals and health care providers a monetary incentive to convert to EHRs.
Although there are security guidelines and certifications in place, online medical data has become a prime target for skilled cybercriminals. According to the Identity Theft Resource Center (ITRC), of the 761 data breaches it reported in 2014, 322 (42 percent) were in the medical/health care category. The Ponemon Institute estimates the annual economic impact from MIT is $11.6 billion.
BLACK MARKET VALUE OF MEDICAL RECORDS
Since December 2013, there have been many high-profile retail data breaches in which millions of consumers’ PII was compromised and put up for sale on underground websites such as Rescator. However, credit card and Social Security numbers for sale on underground sites only fetch a few dollars. Stolen medical identities, by comparison, sell for as much as $50.
In general, consumers do not understand how valuable their medical insurance information has become.
FRIENDLY FRAUD AND INSIDER THREATS
The Ponemon Institute’s survey found that 35 percent of MIT was the result of family members using the victim’s insurance information. These crimes often go unreported to law enforcement because the victim knows or is related to the perpetrator.
Twenty-nine percent of cases stem from health care providers billing for unrendered services and from malicious insiders employed by health providers who steal and sell medical identities.
ACA FRAUD
After the ACA was implemented, millions of Americans were exposed to identity theft and fraud. The HealthCare.gov enrollment website had issues, according to cybersecurity expert and SecureMySocial CEO Joseph Steinberg. He said it was unstable and would sometimes deny access, cut off communications in the middle of a session or crash completely. Buggy systems often let criminals exploit glitches to gain unauthorized access, read data or even modify the code executed during subsequent user sessions. Reports show organized crime groups and fraudsters began to bombard potential victims with emails and phone calls in an attempt to trick them into surrendering their Social Security number, bank number or other types of PII.
For instance, when a 69-year-old Ohio man signed up for health care through the site, he became a prime target for fraudsters. He started receiving dozens of spam emails and even received a phone call from a “convincing” man who claimed to be from the national Medicare office. The man said Medicare was ready to send a new Medicare card, but it first needed to confirm his identity through his bank account number.
LIMITING MIT
Consumer awareness of medical identity theft is an important step that must be taken to limit the growth and expansion of MIT. Consumers must understand there are potentially severe consequences if their medical identity is compromised. The following are some actions consumers can take to prevent and detect fraud early on:
Guard medical identification and insurance information as closely as your Social Security number and banking information.
Carefully review the explanation of benefit statements you receive in the mail to ensure listed services pertain to your own care.
Monitor your credit report for unusual activity related to delinquent medical bills.
If you suspect you have been victimized, request all medical records from your health care providers to perform a review.
Read this IRTC fact sheet for more consumer protection information.
A LOOK INTO THE NEAR FUTURE
As more devices enter the Internet of Things ecosystem, the health care industry will benefit from innovation. Wearables such as Fitbit and Apple iWatch will capture real-time data on patients. The natural progression is for this data to be transmitted to a patient’s health care provider and become part of a holistic health care approach.
Ultimately, there will be an increased number of access points into health care systems and, consequently, an increased attack surface for cybercriminals.
The top-of-mind issue for information security professionals in the health care industry is protecting against network infiltration and large-scale data breaches. However, what about the risk posed by the multiple devices patients will use to access their records? Mobile malware continues to increase at an alarming rate as cybercriminals look to capitalize on the proliferation of mobile device usage. According to Websense, 2015 will see cybercriminals looking to take advantage of auto-login capabilities of mobile apps to steal credentials. Malcovery predicts password reuse attacks from the countless data breaches will increase since cybercriminals will automate the attacks.
These are not groundbreaking predictions, but the preparedness of the health care industry must be considered. More mature industries in the digital world have made investments to address the challenges created by customers using multiple devices to access accounts and records. Device fingerprinting, malware detection, device reputation analysis and IP address monitoring are all techniques used to identify suspicious logins using a current customer’s credentials.
Are health care systems preparing to help protect their patients from login credential theft on the increasing number of devices patients will use to access and contribute to their health care records? Banks and other financial institutions have long witnessed their customers lose login credentials through phishing and malware attacks. With the digitalization of health care records and the subsequent surge in value, cybercriminals will employ the same techniques used to gain access to individuals’ online bank accounts to access their EHR.
The theft of health care login credentials can have widespread implications. Medical identity theft is still an immediate concern. However, this is shortsighted. Criminals can use the information from an EHR to conduct cross-industry identity theft, including establishing a line of credit using the victim’s identity or taking out an auto insurance policy in the victim’s name. What’s even more challenging is identifying the root cause of the identity theft. Victims are often unaware of lost credentials; therefore, they may never make the connection between the compromised medical records and the fraudulently opened credit card.
Medical identity theft is a growing fraud problem, and its consequences can be dire. The industry adoption of EHR, black market value of medical identity information and the lack of consumer awareness of the problem have all contributed to the growth of this issue. The expanded use of connected medical devices will provide increased opportunities for cybercriminals to access and compromise consumers’ medical records. Health care providers will have to invest in and adopt technologies to be on par with the financial sector.
The average person can take several basic steps to guard against identity theft both inside and outside the health care world. Here’s a sample of what experts advise:
1—Protect your Social Security Number: Ask if it is absolutely necessary to give out before you put it on a form at the doctor’s office. See if a health care provider might just accept the last four digits instead. These numbers can help fraudsters create fraudulent credit lines or tax returns, among other things.
2—Don’t ignore insurance statements: Read or at least glance at the “Explanation of Benefits” your insurer sends you to explain recent claims. If someone is making fraudulent health claims using your account, you may spot them there first.
3—Limit public Wi-Fi use: Don’t enter passwords online if you are using an open or public Wi-Fi network. Avoid looking at sensitive information like bank accounts too. Save that for networks that require a passcode.
4—Strengthen passwords: The longer, the better because hackers can use software to crack a password that is less than eight characters in a few seconds. Avoid words or phrases that can be found in the dictionary or easy identifiers like the name of your child. Don’t use the same password for multiple accounts.
Sources: Los Angeles Police Department, Cynthia Larose, chair of the privacy and security practice at the law firm Mintz Levin in Boston
The other day a reporter asked me who’s to blame for the growing epidemic of identity-related tax fraud. I almost replied, “the government and the bad guys,” but I caught myself before committing to that inaccuracy. “We’re all to blame,” I said.
I believe that breaches, and the identity theft that flows from them, have become the third certainty in life, right behind death and taxes. While it may seem like hyperbole, more than 1 billion consumer records containing some form of personally identifying information (PII) have been exposed to hackers, identity thieves and spies (forget, for the moment, the NSA) over the past 10 years.
Anthem, the second largest healthcare insurer in the nation, recently joined the burgeoning list of mega corporations that have suffered massive data breaches. In a revelation that beggars the imagination, the hackers accessed unencrypted databases containing the sensitive personal information of some 80 million current and former Anthem policyholders and employees, potentially putting millions of people in harm’s way. When Anthem’s CEO pointed to the cyber intruders’ failure to get health records, credit cards or financial data, one can only assume he was trying to spin a nightmare scenario, because they did manage to get their grubby little fingers on names, physical and email addresses, birth dates, medical IDs, phone numbers and employment information.
Last time I checked, that’s pretty much all that someone needs to commit identity-related fraud, or at the very least, to expose their targets to the panoply of “ishings” (phishing, spear phishing, smishing and vishing). If that doesn’t bother you, perhaps this will: the information stolen included the skeleton key to everyone’s life – Social Security numbers.
Unlocking Your Identity
Often what’s lacking in the aftermath is perspective. Anthem did a very good job of getting out in front of the breach. They were forthcoming, and notified customers quickly. But they did not do a great job spelling out to customers the predicament they are now in as a result. So, here it is. Everything a criminal might need to obtain medical treatment, devices or medications in your name, tainting your medical files in the process is now “out there.” In other words, you are one act of fraud away from having a medical file become a murder weapon. When your healthcare is used by a fraudster, their information gets mingled with yours—a cocktail for life-threatening decisions. And, while we’re on the subject, anyone with access to the information stolen can also file fraudulent tax returns and divert your refunds (we’ll get to the recent Turbo Tax ulcer-inducing event in a moment); anyone can obtain personal loans, credit cards and mortgages using your credit profile accessed with your information; the same data could be used to empower undocumented workers to get jobs – the income from which will be reported to federal and state tax authorities under your SSN and costing you even more. Your child’s identity can now be stolen if their SSN was taken in the breach; crimes can be committed leaving a trail of breadcrumbs back to you.
In a twist of fate that would make a person think February is privacy and data-security awareness month, we learned that Intuit was forced to shut down the state tax filing on TurboTax for almost a day after detecting a large number of fraudulent filings. Minnesota refused to accept TurboTax e-filings, Alabama and Utah issued taxpayer warnings and Vermont halted refunds. To be clear, the TurboTax platform hadn’t suffered a data breach. Rather, identity thieves were e-filing and attempting to divert millions of dollars in refunds using precisely the kind of information that was leaked in the Anthem breach, and countless others over the past decade. How could this happen? A staggering amount of purloined data from breaches, scams, social network over-sharing and individual compromise has been aggregated—and the fraudulent e-filings on TurboTax are a manifestation of that reality.
Now, it’s easy to blame public and private sector organizations for their continuing failure to accord our sensitive personal information the privacy and security it deserves. Judging from the seemingly endless parade of reported breaches, our contempt and enmity has been well earned. Organizations’ inability or lack of desire to encrypt the PII they gather and store is inexcusable. We have a serious problem when a sitting governor explains the failure to encrypt a breached database containing the tax information of every citizen in her state by saying, “Encryption is hard.” A recent Government Accountability Office report confirms that a significant percentage of federal agencies are not secure. Sadly, many businesses and institutions have yet to harden their defenses or encrypt their data even after they have suffered at least one breach. After the near extinction-level breach of Sony Pictures, I am hopeful that many political leaders and corporate board members are finally coming to the realization that the threat is real, the odds are not in their favor and that there must be a paradigm shift in the way they approach privacy, data security, breach preparedness and incident response.
But the fault lies elsewhere. We live in a very connected world where convenience continues to trump security – often in the name of innovation. We’ve also learned the hard way that no system is more secure than its weakest link and that humans are the weakest link. Bad practices and lousy data-hygiene is the enemy. A few months ago, the Ponemon Institute conducted a survey of nearly 100 medical providers. Eighty-eight percent reported that doctors and other medical professionals were allowed to connect personal devices to their systems (BYOD – bring your own device). More than 50 percemt said that this practice raised serious security concerns, yet only 38 percent said they were doing anything about it.
Lest we forget Washington (and I acknowledge that many would like to permanently forget Washington), at least three administrations and scores of federal legislators have talked about doing something meaningful in the areas of privacy, cyber-security and identity theft, yet we have little to show for it. This year, at least, through executive order and his State of the Union Address, President Obama has put those issues squarely into the spotlight. “We are seeing momentum” is the two-party line, at least for now.
Everyday Security Failures
But while we’re pointing fingers, I would be remiss were I not to suggest that each of us stand in front of a mirror. No one is blameless here. We expose our most sensitive personal information any time we:
pick up a phone, respond to a text, click on a link or carelessly provide personal information to someone we don’t know;
fail to properly secure our computer or mobile device (smartphone, tablet or laptop);
discard, not shred, a document that contains PII;
respond to an email that requests we call a number we can’t independently confirm, or complete an attachment that asks for our PII in an insecure environment;
save our User ID or password on an app as a shortcut for future logins;
use the same User ID or password throughout our financial, social networking and email universes;
answer quizzes that subtly ask for information we’ve provided as the answers to security questions on various websites;
take pictures with our smartphone or digital camera without disabling the geo-tagging function;
fail to replace a manufacturer’s default password with a long and strong one of our own on any “connected” appliance or electronic device that we put in our homes;
permit our email address to be our User ID, if we have the option to change it;
use easily decipherable PINs or passwords;
fail to annually obtain, review and correct our credit reports;
choose not to do a daily review of our bank and credit card accounts to make absolutely sure that every transaction we see is familiar;
put off enrolling in free transactional monitoring programs offered by banks, credit unions and credit card providers that notify us every time there is any activity in our accounts;
use a free WiFi network, without confirming it is correctly identified and secure, to check email, or financial services websites that contain our sensitive data.
In each of these instances, we leave ourselves vulnerable to those who consider the theft of our identity as their day job. We are also contributing our personal data to folks who are hoping to someday launch the equivalent of a denial of service attack on our economy to take us down.
The bottom line is that we’re all in this together. In the ever-evolving connected world, it’s impossible to duck, bob or weave your way past the bad guys. Even a proactive measure to protect your identity like monitoring your credit regularly is no guarantee your identity won’t be stolen or used in a way that won’t show up on your credit report, like medical identity theft. (You can get your credit reports for free once a year under federal law.)
It should go without saying that government and businesses should have to protect our PII by law, and if they fail to do their duty, they should be held accountable. That said, each of us has a responsibility to minimize our risk of exposure, to be as alert as possible to signs of an identity-related problem and to have a damage control program to put ourselves back together in the event we are compromised.
Any opinions expressed in this column are solely those of the author.
Adam Levin is chairman and co-founder of Credit.com and Identity Theft 911. His experience as former director of the New Jersey Division of Consumer Affairs gives him unique insight into consumer privacy, legislation and financial advocacy. He is a nationally recognized expert on identity theft and credit
You surely know about the dangers of identity theft, where someone who has obtained some of your personal information, such as your Social Security number, uses that to get money (often yours) or credit. It can cause massive headaches, at the very least. There’s not just a single kind of identity theft, though. There’s one kind in particular that has been happening more often lately. You probably don’t know about it and you definitely should. It’s medical identity theft.
The Federal Trade Commission has warned consumers about this growing danger, explaining medical identity theft thusly: “A thief may use your name or health insurance numbers to see a doctor, get prescription drugs, file claims with your insurance provider, or get other care. If the thief’s health information is mixed with yours, your treatment, insurance and payment records, and credit report may be affected.”
A growing problem
Here’s how much of a growing problem medical identity theft is: There’s a Medical Identity Fraud Alliance, or MIFA. And it has studied the matter, estimating that 2.3 million Americans were victimized by it in 2014, up almost 22% over 2013. That’s a lot of people — and a fast growth rate. Worse, along with the Ponemon Institute, MIFA has surveyed Americans, finding that among victims of medical identity theft, 65%, about two-thirds, ended up spending an average of $13,500 to straighten matters out. Victims also lost a lot of time — an average of about 200 hours spent trying to resolve their cases. Can it get any worse than that? Yup, it can: the folks at MIFA found that only 10% of those surveyed reached a “completely satisfactory conclusion of the incident.” And while about a fifth of victims suffered a decrease in their credit score, almost a third lost their health insurance.
Part of the problem likely stems from cyberattacks and security breaches at major corporations, when thousands or millions of people’s data is stolen in one fell swoop. That happened recently at America’s second-largest health insurer, Anthem, for example, and even more recently at Premera Blue Cross, based in Washington State. Premera Blue Cross’ breach is believed to affect 11 million members, and a Reuters report has explained that “the attackers may have gained access to claims data, including clinical information, along with banking account numbers, Social Security numbers, birth dates and other personal data in an attack that began in May 2014 and was uncovered on Jan. 29 of this year.” See some potential problems? Right. (Anthem believes that medical information was not stolen in its breach that affected close to 80 million people.)
What to do
Fortunately, if you’re now quivering in fear, worrying about being victimized, know that you’re not completely powerless. There are some steps you can take to reduce your chances of falling prey:
Check your credit reports regularly for any strange unpaid bills that an identity thief might have generated. You’re entitled to one free copy of your credit report each year from each of the three main reporting bureaus, and you can access those at AnnualCreditReport.com. To be strategic about it, you might space out your three annual copies, requesting one every four months, so that you’re getting information more regularly than once a year.
It also helps to know your Health Insurance Portability and Accountability Act rights and to ask your healthcare providers if you can see your electronic health records, to check for errors — especially if you know or suspect that you’ve been victimized. Read your explanation-of-benefits statements from providers, too, to check for any fraudulent charges. Know that you can ask health plans and medical providers for an “accounting of disclosures,” too, which is a listing of who has received your records and what information they received. You should, by law, be able to get one copy per year from each provider.
Don’t give out your personal information to friends or family members so that they can access some medical care. The data from MIFA shows that about a quarter of victims had given identifying information to a friend or family member.
Be on the lookout for scams, such as if someone claims to work for a healthcare company and offers you some services for free or for a too-good-to-be-true price, requiring your Social Security number or other personal data.
If you find that you’ve been victimized — and it can take several months for someone to notice, perhaps after receiving an unexpected bill or a collections notice — report it. Many people don’t report medical identity theft. Reasons include being embarrassed (such as if they gave their information to a trusted person) or not knowing where to report it. You can report problems to your health care provider, your insurer, and federal and state authorities. You can also contact your local police department, your state Attorney General’s office, and the Department of Health and Human Services.
Medical identity theft is a scary scam, but by taking certain steps, you may be able to either avoid it or minimize its damage, should it happen to you.
The Motley Fool is a USA TODAY content partner offering financial news, analysis and commentary designed to help people take control of their financial lives. Its content is produced independently of USA TODAY.
The easy answer – anything that has a signature, account number, phone number, social security number, medical or legal information (plus credit offers).
The complete answer – see below.
Address labels from junk mail and magazines
ATM receipts
Bank statements
Birth certificate copies
Canceled and voided checks
Credit and charge card bills, carbon copies, summaries and receipts
Credit reports and histories
Documents containing maiden name (used by credit card companies for security reasons)
Documents containing names, addresses, phone numbers or e-mail addresses
Documents relating to investments
Documents containing passwords or PIN numbers
Driver’s licenses or items with a driver’s license number
Employee pay stubs
Employment records
Expired passports and visas
Unlaminated identification cards (college IDs, state IDs, employee ID badges, military IDs)
Legal documents
Investment, stock and property transactions
Items with a signature (leases, contracts, letters)
Consumers have long wondered just what Google and Facebook know about them, and who else can access their personal data. But internet giants have little incentive to give straight answers — even to simple questions like, “Why am I being shown this ad?”
On May 25, however, the power balance will shift towards consumers, thanks to a European privacy law that restricts how personal data is collected and handled. The rule, called General Data Protection Regulation or GDPR, focuses on ensuring that users know, understand, and consent to the data collected about them. Under GDPR, pages of fine print won’t suffice. Neither will forcing users to click yes in order to sign up.
Instead, companies must be clear and concise about their collection and use of personal data like full name, home address, location data, IP address, or the identifier that tracks web and app use on smartphones. Companies have to spell out why the data is being collected and whether it will be used to create profiles of people’s actions and habits. Moreover, consumers will gain the right to access data companies store about them, the right to correct inaccurate information, and the right to limit the use of decisions made by algorithms, among others.
The law protects individuals in the 28 member countries of the European Union, even if the data is processed elsewhere. That means GDPR will apply to publishers like WIRED; banks; universities; much of the Fortune 500; the alphabet soup of ad-tech companies that track you across the web, devices, and apps; and Silicon Valley tech giants.
As an example of the law’s reach, the European Commission, the EU’s legislative arm, says on its website that a social network will have to comply with a user request to delete photos the user posted as a minor — and inform search engines and other websites that used the photos that the images should be removed. The commission also says a car-sharing service may request a user’s name, address, credit card number, and potentially whether the person has a disability, but can’t require a user to share their race. (Under GDPR, stricter conditions apply to collecting “sensitive data,” such as race, religion, political affiliation, and sexual orientation.)
GDPR has already spurred, or contributed to, changes in data-collection and -handling practices. In June, Google announced that it would stop mining emails in Gmail to personalize ads. (The company says that was unrelated to GDPR and donein order to harmonize the consumer and business versions of Gmail.) In September, Google revamped its privacy dashboard, first launched in 2009, to be more user-friendly. In January, Facebook announced its own privacy dashboard, which has yet to launch. Though the law applies only in Europe, the companies are making changes globally, because it’s simpler than creating different systems.
The law’s impact will extend well past the web giants. In March, Drawbridge, an ad-tech company that tracks users across devices, said it would wind down its advertising business in the EU because it’s unclear how the digital ad industry would ensure consumer consent. Acxiom, a data broker that provides information on more than 700 million people culled from voter records, purchasing behavior, vehicle registration, and other sources, is revising its online portals in the US and Europe where consumers can see what information Acxiom has about them. GDPR “will set the tone for data protection around the world for the next 10 years,” says Sheila Colclasure, Acxiom’s chief data ethics officer.
Beyond such moves, the law’s emphasis on consent, control, and clear explanations could prompt users to better understand and reconsider the ways they are surveilled online. Meanwhile, privacy activists plan to use GDPR as a weapon to force changes in corporate data-handling practices.
In short, the law is a chance to flip the economics of the industry. Since the dawn of the commercial web, companies have been financially incentivized to hoover up data and monetize later. Now, EU consumers will have the freedom to opt in, rather than the burden of opting out. That emphasis on consent creates a financial reward to building consumer trust.
GDPR presents “a real chance to renegotiate the terms of engagement between people, their data, and the company,” rather than mindlessly clicking away a terms-of-service agreement, says David Carroll, associate professor of media design at The New School. Carroll says data collected by activists “might be the basis for new investigations and ways to keep the companies accountable.”
The need for transparency and accountability is more vital than ever. Clicking to accept an impenetrable terms-of-service document once seemed like a no-brainer. The upside was incredible efficiency and the downside, it seemed, was just some annoying shoe ads stalking you around the web. But the past year has shown how the same personal data has been weaponized to suppress minority voters, radicalize young white men, exploit political beliefs to sow division, and possibly swing elections. In a white paper called “Corporate Surveillance in Everyday Life,” researcher Wolfie Christl diagrams how personal data is used to influence behavior and determine what products you see, what services you have access to, and what prices you pay in areas from shopping to banking. “Every time we click, these companies are trying to figure out, is this a valuable person or this is a worthless person?” Christl says.
Researcher Wolfie Christl shows the sources of information companies tap to assemble profiles of people.PASCALE OSTERWALDER/CRACKED LABS
Most of the data rights enshrined under GDPR were already established in the EU, but went unenforced. GDPR standardizes data rights across all EU countries, empowering regulators with the same big stick and sharper teeth. Violators face fines of up to 4 percent of annual global revenue. For Facebook, that would be $1.6 billion; for Google, $4.4 billion.
Of course, the law has its share of detractors, who dismiss GDPR as more protectionism from the EU, which has challenged American tech platforms on antitrust and privacy grounds with expensive consequences. Then there are concerns about cost. Colclasure from Acxiom calls the data industry the backbone of “free content and free knowledge” online. “It’s either hit a pay wall or these sites are ad-supported for the most part,” she says.
There are potential loopholes in the law. It allows businesses to process personal data without consent for limited reasons, including a business’s “legitimate interests,” which the European Commission says includes “direct marketing,” through mail, email, or online ads.
However, even then companies must take into account a consumer’s expectation of how their data will be used and can’t infringe on the other consumer rights guaranteed under GDPR. In the digital realm, EU consumers also have the added protection of a companion set of rules, called the ePrivacy Directive, that govern electronic communication. Under those rules, which are in the process of being ratified into law, consent is the only legal basis for collecting personal data.
David Martin, senior legal officer at the European Consumer Organisation, an umbrella group of 43 consumer groups, says tech company lobbyists are working to influence the guidelines to interpret GDPR and weaken the ePrivacy language.
Avoidance isn’t an option. In 2017, Facebook’s revenue per user in Europe grew 41 percent from a year earlier, to $8.86. The rate of increase was faster than any other region.
In a statement to WIRED, Rob Sherman, Facebook’s deputy chief privacy officer, said, “Everyone on Facebook will see improvements to their tools and privacy controls this year. In addition to GDPR, we’re looking at things across the board to see how we can give people more control and do more to help them understand how their data is used.” Google directed WIRED to a 2017 blog post where the company said it “is committed to complying with the GDPR across all of the services that we provide in Europe,” including Google search, Gmail, and all of its advertising and measurement services.
Privacy activists believe the law will unlock the data they need to force other changes. It’s worked before. A lawsuit filed against Facebook in 2013 by Austrian lawyer and privacy activist Max Schrems led to a ruling striking down a “Safe Harbor” agreement that companies used to transfer data between the US and Europe. Schrems’ case is pending.
Emboldened by the approach of GDPR, Schrems in November launched a nonprofit called None of Your Business that will use GDPR to “confront tech giants like Facebook, Google & Co. with a team of highly qualified and motivated lawyers and IT experts on equal footing,” the group said in a statement.
Paul-Olivier Dehaye, a mathematician and cofounder of PersonalData.IO, has used UK data protection law to help individuals access personal information processed by Cambridge Analytica, the controversial firm behind the data breach affecting more than 50 million Facebook users. Dehaye believes that GDPR could help pry out more information.
GDPR’s ultimate impact will rest on how aggressively consumers wield their new rights. Recent trends indicate a growing interest in privacy. The use of ad-blockers and VPNs is on the rise in the US and elsewhere. Corporations have responded to the demand. In August, Mozilla introduced Firefox Focus, a private mobile browser. In September, Apple added tracking prevention to its Safari browser.
Fatemeh Khatibloo, a principal analyst at Forrester, thinks the end result will be more progressive data-collection practices. Consumers would be shocked to know the number of cookies, trackers, and ad servers firing on the web pages they visit, she says.
In a survey of UK consumers Khatibloo conducted in August, 51 percent of respondents said they were at least somewhat likely to exercise their new rights under GDPR. The most common example cited was data deletion. “People felt they could ‘punish’ the companies that were invasive or aggressive by asking them to delete their information,” she says.
Still, Khatibloo is skeptical that GDPR will spook users of popular internet services. Consumers understand the value of exchanging their data for free services and don’t want their online experience interrupted, she says. GDPR “sheds very bright light on some of the data machination that people aren’t aware of, but I don’t think that there’s going to be a huge Facebook reckoning.”
Much may turn on how companies ask for consent. In September, PageFair, which helps publishers deal with ad blockers, conducted a survey in which it presented users with choices for being tracked, such as “only accept first party tracking” or “reject tracking unless it’s strictly necessary for the services requested.” Of the 300 people surveyed, only about 5 percent consented to all tracking.
Marketing firm Criteo is aiming for something much less intrusive. In January, Digiday published a sample consent interface that Criteo was testing. It featured a tiny banner pop-up at the bottom of a page that told users that by clicking on any link on the page, they consented to Criteo’s “user-friendly, cross-site tracking technology.”
Rewriting the Rules
GDPR is prompting changes in the web’s Whois directory, which may be closed to public view.
Facebook offered advertisers the opportunity to target users as young as 14during moments of psychological vulnerability,
California Governor Jerry Brown last week signed one of the toughest data privacy laws in the nation. The new law, California Consumer Privacy Act of 2018, has been compared to the European Union’s General Data Protection Regulation (GDPR), and goes into effect in 2020.
While the California Consumer Privacy Act of 2018 doesn’t have the exact same provisions as GDPR, it’s close enough in many respects. That includes giving consumers the right to know how their data is used, why it’s being collected, and also to bar companies from selling the data.
According to the California Consumer Privacy Act website, the new law (which was called AB 375) gives residents of California the most comprehensive consumer privacy rights in the entire country. Specifically, the new law gives residents:
The right to know all data collected by a business on you;
The right to say no to the sale of your information;
The right to delete your data;
The right to be informed of what categories of data will be collected about you prior to its collection, and to be informed of any changes to this collection;
.Mandated opt-in before sale of children’s information (under the age of 16);
The right to know the categories of third parties with whom your data is shared;
The right to know the categories of sources of information from whom your data was acquired;
The right to know the business or commercial purpose of collecting your information;
Enforcement by the Attorney General of the State of California;
The private right of action when companies breach your data, to make sure these companies keep your information safe.
The new law spurred strong reaction from executives in the tech industry. Patrick McGrath, Director of Solutions at Commvault, said greater steps should be taken to protect data.
“Organizations should minimize their exposure in handling personal data, keeping only the personal data necessary to service direct business and legal needs,” McGrath tells Datanami via email. “As a best practice, we encourage organizations to use archiving policies that identify instances of personal data, delete, encrypt and/or move data to more secure locations that are fully tracked.”
Mike McCandless, an executive with the encryption company Apricorn, says the new law is “a strong step” in the right direction. “However, properly implemented data encryption has proven to be a safeguard against data breaches….and should be required in order to truly protect consumers’ data.”
Salesforce.com CEO Marc Benioff says California’s new privacy law could help with the “crisis of trust” that exists between the tech industry and consumers. “Our customers’ data belongs to them. It’s their data,” he told Diginomica. “I think in some cases, companies that are start-ups and next generation technologies here in San Francisco, they think that data is theirs….We need a national privacy law here in the United States that probably looks a lot like GDPR.”
California’s new privacy law is similar to a proposition that data rights advocates previously hoped to put on the November ballot. Supporters of that proposition, which companies like AT&T and Amazon invested millions of dollars to defeat, are withdrawing it from the November election as a direct result of the legislative action.
“We are thrilled that AB 375 has become law,” Alaistair MacTaggart, the businessman who backed the proposition, told The Verge. “This is a monumental achievement for consumers, with California leading the way in creating unprecedented consumer protections for the rest of the nation.”
