The Privacy Project: You might not get your $125 from Equifax

View in BrowserAdd nytdirect@nytimes.com to your address book

Monday, July 29, 2019

The Privacy Project »

Justin Lane/EPA-EFE

By Charlie Warzel
@cwarzel

Even during its public shaming, Equifax has found a way to rub it in the face of the tens of millions of people whose privacy it violated.

Last week Equifax settled a lawsuit against the Federal Trade Commission for up to $700 million — in response to a 2017 hack that compromised the information of more than 147 million people.

Not long after the settlement, Equifax set up a claim site for those affected. Media outlets published service articles with instructions detailing how to file claims and get $125 — the bare minimum amount of money to which victims of the episode are entitled — without having to submit receipts or documentation of lost time or wages. "Equifax owes you a lot more," The Verge's headline argued, "but here's how to get $125." Representative Alexandria Ocasio Cortez urged her 4.9 million followers on Twitter to "cash that check!"

Urgency was important: "Equifax is figuring most people won't take the time to submit a claim. You should prove them wrong," L.A. Times columnist David Lazarus argued. At Slate, Josephine Wolff suggested we have a "moral obligation" to take our $125, to "drive up the costs of data breaches for corporations so they have an incentive to invest more heavily in security."

They're right. But when it comes to data brokers, nothing is simple. Rufo Sanchez, a developer for the company GitHub, pointed out a substantial caveat buried in the fine print of the Equifax settlement page: If there are more than $31 million in claims, all payments "will be lowered and distributed on a proportional basis." That means that after 248,000 claim submissions, the payout will go down from the $125 "minimum." As one Twitter user pointed out, "If a million people fill it out, or 0.6 percent of those affected, it goes down to $31."

What's left is a frustrating dilemma: If customers file claims en masse, it sends a powerful signal to Equifax and other data brokers that we're not complacent about our privacy and that we can take four minutes to fill out a form to protect our interests. Similarly, millions of claims would inundate Equifax and force it to pay out the full pool of money set aside for the settlement, a pot that totals $425 million.

But the more claims filed, the less money is paid out to each claimant. One slightly perverse way to look at this is that the myriad articles and tweets and pleas to file claims are self-defeating. And that, in a way, the decision to seek individual retribution against Equifax comes at the expense of other victims. Equifax pays the full $425 million but victims feel their privacy is worth very little (and perhaps not the hassle of filling out a form with yet more personal information). Or, Equifax pays less than the maximum and gets to cite statistics that its victims didn't even care enough about their privacy to file claims.

This Catch-22 is reminiscent of Equifax's entire business, where the data brokers wield all the power and operate with impunity, and customers have very little recourse. As my colleague Farhad Manjoo wrote about the Equifax breach in 2017, "The more data a company has on us, the less likely it is that a breach will put the company in any real danger, because its very size protects it." That very size is the reason that Equifax can negotiate settlements that amount to only 17 percent of one year's revenue and not have to publicly admit wrongdoing.

But let's not forget what made Equifax and others so big as to avoid meaningful punishment in the first place. It's not ingenuity or force of will or, as we've learned, top-notch data security. It's our personal information. The very kind it so brazenly exposed.

A Bit More on Facebook v. F.T.C.

Last week's newsletter highlighted some excellent reporting behind the scenes of the F.T.C.'s investigation into Facebook (which resulted in a $5 billion fine but didn't do much to change the company's data collection practices). A week later, more information is coming out. I was struck by this line from a Sunday MSNBC interview with F.T.C. commissioner Rohit Chopra. When asked if there was more the F.T.C. could have done, Chopra seems to suggest that the Facebook investigation was never even finished:

"I was frustrated that we stopped the investigation before we really knew what was going on. We did not collect the documents in Mark Zuckerberg's hands; we did not hear his testimony under oath; we didn't not come up with why this business model is fundamentally broken."

As Open Markets' Matt Stoller pointed out on Twitter Monday, there seems to be a broad pattern in the Facebook investigation of deferring to the platform to secure a large-sounding fine. Stoller pointed to a December article where an F.T.C. enforcement official, "echoing Facebook's own argument," seemed to think the company was not fully responsible for data breaches and had taken steps to fix the problems.

The same official, Stoller points out in a subsequent tweet, told reporters last week at an F.T.C. news conference that the company used (traded) deposing Facebook C.E.O. Mark Zuckerberg to land the $5 billion fine.

"Part of getting the tremendous result with the tools we had is we didn't need to depose him but we could use that to get more protections for the public."

Now, I'm no regulator, but not finishing an investigation would seem like a textbook example of letting a company that's repeatedly violated orders off the hook!

Come See The Privacy Project: Live!

San Francisco readers! The Privacy Project is coming to your town this week. If you're in the Bay Area, I'll be at the San Francisco Public Library on Wednesday, with my colleagues Sarah Jeong, Farhad Manjoo and Jenée Desmond-Harris. Join us at 6:30 p.m. for a discussion about the most pressing privacy issues and how we approach them in our own personal lives. Oh, and it's free. More details here. See you there!

From the Archives: "The Privacy of Public Men"

NYT archive

This week I decided to find the oldest possible mention of privacy from the archives. Turns out it's a short piece from The New York Daily Times from August 17, 1857. At first glance the piece resembles something like an editorial — and it seems a bit tongue and cheek to me. The closing line seems to suggest that we've been thinking about celebrity and privacy for at least 162 years:

Inquisitive as our people are commonly considered to be, their curiosity after all seems to find its own antidote in the infidelity of the public memory, and the private life of our public men would appear to be practically more sacred than it has usually been reckoned to be.

But I'll be honest, I'm not totally sure what the piece is in reference to. So if any of you astute readers are historians or can decipher the 1850s jargon, send me an email at privacynewsletter@nytimes.com and we'll quote it in an upcoming edition.

I want to hear from you

Send me your pressing questions about tech and privacy. Each week, I'll select one to answer here. And if you're enjoying what you're reading, please consider recommending it to friends. They can sign up here.

What I'm Reading

An unsettling article about how your bosses can spy on you. And there's little you can do about it.

Apple contractors working on Siri admit to The Guardian that they overhear confidential medical information, drug deals and recordings of couples having sex.

Ikea wants to be the data-safe brand for smart home tech 🤔.