“Any company doing something I don’t like should be nationalized.”
No. They should be liable for the damage they cause with negligently allowing hacks like this, but the existence of private businesses should be default-allow.
I am not philosophically opposed to nationalization in a case like this, where market forces do not have much influence, but I completely agree that the proposal address neither of the the major issues, which are a) incompetence in security, and b) the widespread use of identity and authentication systems that are predicated on a level of confidentiality that does not exist in practice.
Frankly, I don't know what should be done about b), but nationalization of credit reporting is not going to make any difference. As for a), as has been pointed out many times, one problem is that the people responsible do not have enough skin in the game. So long as the companies are private, something could, in principle, be done to to increase that, but in a nationalized industry, the responsible people would have even less personally at risk.
How do you ensure that a company doesn't become liable for more damage than they can afford to repair, though? Maybe nationalization isn't the answer, but with the current state of things the public essentially subsidizes careless companies by taking on most of their downside risk.
Why should we ensure that a company doesn't become liable for more damage than they can afford to repair? The implication there is that the company has a right to exist. If they're so grossly negligent, why should they have a right to exist?
I don't know anyone outside of high finance who had a good opinion of Equifax before the breach was announced. Their recent hardships has certainly not helped that.
For myself, I definitely think that companies and their officers should absolutely be liable for negligence.
Because they're not going to be able to pay back the damage they did. If they screw over a hundred million people and then go bankrupt, those hundred million people are stuck with the bill.
And if they continue to operate and continue to screw people over, what's the cost of that? It's not like they're benefitting anybody (not 'people' anybody).
The problem isn't that they're allowed to go bankrupt, it's that they're allowed to make bets with huge downside risk knowing that if they lose the bet they don't bare the cost.
What about when an SV darling company offers "lifetime" product and sells itself to another SV darling? I'm of course talking about joyent but it could be me next time. If we get rid of limited liability, do I become liable for BP's oil spills because I have own a few cents worth of petroleum stock through vanguard?
I like your idea that companies should be able to bear the cost of a possible future liability. I don't know how we can implement it besides some form of insurance (like sometime else said a $10 fine per person per breach but I'd up it to (2000 * minimum wage per hour) for every incident per person. At some point though we will need criminal charges for negligence or worse attempts of cover up (Equifax). We need to make it easier to convict CEOs and the board to put them in prison in case of attempted cover up or non disclosure.
The global financial crisis showed that insurance isn't the answer. The problem with "hedging against all futures" is that the hedging is part of the system, and when the hedge grows to the scale of the thing being hedged, you have to start asking how you hedge the hedge (and so forth). That is, if Equifax can't pay out for a sufficiently large mistake, why would you expect their insurer to be able to do so? And, worse, what if the insurer is "too big to fail," so instead you just have the public serve as the backstop?
Hence I think your latter point is right, executives really need to be more criminally liable. It's hardly unheard of, even if Ken Lay died before sentencing.
I would put it the other way: if you can't afford insurance to cover the potential damage you're doing, then you're not allowed to do it. And I don't mean unforseeable events, I mean something obvious about your business, like creating a single giant repository of data about other people and then not securing it.
Of course the hackers are directly responsible for the damage, but Equifax's negligence sure didn't help. Maybe a fractional multiplier for sharing responsibility.
If a company can take actions for which risks accrue to third parties, without any capacity for the company or its beneficiaries (stockholders, creditors, officers, etc.) to bear the consequences of those risks themselves then what you've created is one giant risk-transfer mechanism.
In the case of information disclosure risks, the parties for whom that information concerns often have little or no say in the actions which have direct bearing on them.
That's they "why not". It's not the company, it's everyone else.
how are we so quick to excuse companies that would provide credit without validating who is actually applying? the danger with the Equifax exposure is the lack of safeguards companies using the information apply.
just because someone gets my information by no means any company should accept a credit application, especially those outside of the area where the person has residence. It is this lack of safeguards that we should take issue with. Those issuing credit should always be liable for any loss.
This is not just about "credit". There is a lot more damage caused by the leak of untold amount of information about you. Wait till someone stars social engineering attacks against other sites based on revealed data.
It's not the public's responsibility to ensure that companies don't over-extend themselves. When they do, they go out of business; this is how the market should work, in my opinion.
That is not paulgb's concern, as I understand it. That is, paulgb is not concerned with the company itself, but rather its ability to undo harms to others. Companies going out of business doesn't correct the harm done to society.
I see what your saying, but that also seems like the market at work. If the harm done to society is sufficiently large, perhaps at that point society might decide create a government entity to meet the need... I do think that the company's failure and the infliction of harm on society is an important part of the feedback loop; I'm not sure we should be trying to prevent that (I mean, harm in terms of dollars or time lost, etc.)
Equifax doesn't lack accountability because they're bureaucratic. They just lack accountability, period. The customers aren't being hurt and the people being hurt aren't customers.
Adding accountability to the general public via regulation may make them more bureaucratic. It may make them less. That's up to the invisible hand to decide, once their incentive structure matches their real world impact.
Have you ever worked in a regulated industry? My experience is that regulators add accountability to bureaucracy. Bureaucracies brush off harm to customers pretty well. But when a regulator can fuck their shit up, they listen.
Sure have. The bureaucracy brought on by regulation rewards company employees who are bureaucratic beasts themselves. I've never worked in a more political, wasteful, back-stabbing environment than when I worked for a large company whose business was regulated.
Huh. That hasn't been my experience. I can't talk about the details due to NDA, but I was surprised at the extent to which fear of regulators produced useful behaviors.
Perhaps the difference is the age/size of the product/company. I could see a new company that has no choice but to build new product being driven by regulations, while a company that already has a long standing, regulated product has incentive to not introduce change.
I never consented to have my information in their database, and I have no power to get it out of their database. They have roundly and repeatedly demonstrated that they are not fit to hold and be trusted with maintaining the SSNs and other personal information of the entire country's worth of credit holders.
Is there even a license that the Equifax company needs to have, in order to do this type of work, that can be revoked? It needs to be revoked! But I'm afraid they don't need any license, they just woke up like this.
The right to covertly surveil and maintain dossiers on 50%+ of the citizens of this country should not be default-allow. Strongly disagree. People in power holding that kind of opinion, is exactly how we got here.
> I never consented to have my information in their database,
Don't you think that somewhere in the T&Cs of a loan you took or a credit card that you got or a phone contract you signed up for (or many other things) are lines explaining that your information would be shared with credit reporting agencies? So legally, you would've consented to the sharing of information at those times. If that isn't true, then I'd assume that you should be able to sue the institution that shared your information with all these agencies.
What is a reasonable alternative to credit agencies? Most countries I know use similar (or sometimes the same, like the UK) agencies, though sometimes with a caveat that they only log defaults or other stuff you mess up.
The alternative is the two other credit agencies that haven't (as far as we know) given up all of our personal information to hackers, and who haven't responded to the news of the breach by linking some of their customers to a parody/phishing site that was nearly indistinguishable from their own (very bad) breach response website.
There is no way out of this (the cat is out of the bag) but we can go on about our lives without Equifax. They need to be unplugged.
Ok sure but all of your objections above (https://news.ycombinator.com/item?id=15303289) can be applied to the other two agencies as well. They collect all your info also. I'm personally not super optimistic about their security.
Me either! That's absolutely a valid point. And I am terrified that this breach will ultimately result in the end of the credit system as we know it, but right now taking such a position is still scare-mongering. (Very reasonable scare mongering, mind you, but maybe cart before the horse.)
We can't just unplug all three agencies and shut down the credit industry, but why can't we shut down Equifax? Take the drivers' license and the car keys away from the drunk driver.
They are the ones that let the cat out of the bag, they should no longer be allowed to collect our personal information. There is no reasonable argument that can be made that Equifax in particular, should be allowed to go on making money off of our personal data with the negligent failure that they have created for us and admitted to, after what all has happened.
Edit:
When Sonny Vleisides plead guilty to Felony Mail Fraud in 2007, he was forbidden to engage in loan programs, gambling or gaming activities, telemarketing activities, investment programs or any other business involving the solicitation of funds. He went on to found the company called Butterfly Labs in 2010, a company that took pre-orders for Bitcoin mining equipment (in many cases soliciting funds for hardware that didn't exist, until it did).
Many people argued that this model was a direct violation of the terms of his supervised release. He stood in front of a judge in 2014 that said there was a "strong smell" of fraud with respect to his company.
Equifax it seems gets to skip the whole "plead guilty" thing and just announced their negligent failure directly to the world. When does Equifax get their 14 months in jail followed by a supervised release? Never, apparently, they just go on about their business and no charges are filed. It's absolutely ridiculous in my humble opinion. Maybe I'm the one who is being unreasonable, expecting that the wheels of justice can turn more rapidly than one can reasonably expect.
It's not exactly parallel, I'm stretching to draw parallels obviously, but there should be some parallels in the arena of legal action here. Has anyone argued that Equifax wasn't negligent in the circumstances leading up to the breach? What about in their actions since then? How much further does it have to go before we can get the FTC or US Marshals involved and shut the place down?
"In at least 40 other countries — including Belgium, France, Germany, Italy and Spain — credit reporting can be done by a public credit registry. It is usually operated by a central bank that already oversees the financial institutions that feed information into the reports. These reports tend to be more accurate because the operators have a legal right to demand data from banks as well as a mandate to ensure it’s correct and that errors are fixed. Data on late payments and defaults are erased once a consumer has settled up."
Right but surely a public credit registry would have the same risk of being hacked, no? At least in the US, we have government run data get hacked on a routine basis. That seemed to be G(G?)P's concern.
At the end of the day, whether it's a private or public credit agency, they're still collecting all your data whether you want them to or not (modulo going full Thoreau and removing yourself from the economy), and still could get hacked and have all that stolen.
> Right but surely a public credit registry would have the same risk of being hacked, no?
No, I disagree. A public agency would have the same value as a target. But its incentives would be better aligned (no profit motive), which could result in better practices and less actual risk.
You know the point I'm trying to make, and it's disingenuous to point at some line in some far-away terms and conditions, and say "that authorizes Equifax and two other companies to collect and maintain all information on you, in perpetuity, without any option to revoke this grant."
Are they licensed to do this type of work? Shouldn't they need to be? Should that be revokable? What is the process for revoking that permission, and can we get it started already? It just came out that in their response to the breach, they've been linking their "customers" to a phishing site since September 9. It's time to revoke those grants.
> it's disingenuous to point at some line in some far-away terms and conditions, and say "that authorizes Equifax and two other companies to collect and maintain all information on you, in perpetuity, without any option to revoke this grant."
To be fair, I'm pretty sure they can legally do that if this was actually the case.
It's a finer point, but if I have authorized Chase Bank to share data with a credit reporting agency, does that mean I have also authorized the credit reporting agency to retain that data? I don't think it does.
Absent any law that says exactly how they may and may not collect and retain such data, you're probably right that it is exactly what it means. The owners of the data (the banks) authorized them, so they are authorized to have the data.
It does not change the fact that, if true, the law is an ass. I do not grant power-of-attorney to the credit-holders that I do business with. They are not authorized to sign documents in my name. They should not be able to authorize arbitrary agencies to hold my personal data in an irrevocable fashion.
(And if I understand the difference in law between US and Europe, in Europe they would not be able to permanently retain my personal data without any recourse for me to shut it down. But in the US, they may be allowed to do this.)
> It's a finer point, but if I have authorized Chase Bank to share data with a credit reporting agency, does that mean I have also authorized the credit reporting agency to retain that data? I don't think it does.
I think you're placing too many constraints on a hypothetical contract just to support your initial argument. Most likely the contract is carefully written in such a way that it's legal for them to do whatever they wanted to do with your data to begin with. It's pointless arguing over what ifs.
Only in America. They could not store personal information about us without obtaining permission in Europe, and we would have the right to revoke it for any reason as well.
This is not normal, it is dysfunctional. I'm not arguing that it's not legal, I'm arguing that they need to lose their license. (Never mind that no such licensing requirement exists. Like I said, it's a dysfunctional system, and I don't know why we don't have more than 3 credit reporting agencies. It sounds like a great gig!)
I know the point you're trying to make, and I'd say more to that point: we already recognize that you can't sign a contract that strips you of some basic human rights. You can't sign a contract that enslaves you, etc.
With the amount of power these organizations and this information has over each of us, individually, I'd go so far as to say there is a human rights issue at stake. People's lives get fucked up through credit bureau mistakes, and what consequence is there for those bureaux?
Pointing to a subclause in a contract to say "well, here's where you let them potentially fuck up your life with no recourse, and everything is legal" suggests to me that our thinking around the power these agencies, and around ownership of information about our lives, have needs revisiting.
I hope that we can start having that conversation! Right now it seems unlikely.
It would not be so controversial if I claimed that Amazon grants customers a revokable license to audio and video content hosted on Prime, but my social security number and credit history evidently is not afforded as much protection under the law.
What's really at stake here? Your ability to take on debt, which primarily benefits the banks. The bigger problem I think we have here is the cavalier nature in which people view debt. Debt is bad for you. Rather than bringing going into debt under the umbrella of "basic human rights" how about a cultural shift away from debt altogether?
Now if we could just do something about those housing prices, that might even be possible. (What percent of homeowners do you suppose bought their homes without taking on some debt?)
Getting a home loan is relatively easier, because plenty of banks still do manual underwriting for things the size of mortgages. And if we had a culture that avoided unsecured debt, car debt, etc. then more banks would have to perform manual underwriting because no one would have a credit score. Instead they would have something better: money.
I completely agree that there doesn't seem to be any kind of good oversight on the entities, what they do and how they do it. The entire process and chain of information sharing doesn't seem to be in the best interests of consumers.
Are you claiming that people don't know what credit reporting is when they sign loans? If so, that's a failure of basic financial education on the part of parents and K12. If someone imagines they have the right to delete the records of debts they don't want to pay, that person has been tragically misled about the fundamental nature of adulthood.
Knowing that lenders communicate with each other about your reputation, especially when you'd rather they wouldn't, is right up there with knowing what interest is.
I'm claiming that we should have the right to tell one of the three credit reporting agencies to get bent and delete our file if they're Equifax in October of 2017. That's not the same thing as "delete the record of debts I don't want to pay." That's completely disingenuous of you to suggest that's what I meant.
There are three credit reporting agencies. Can you tell me why there aren't more? Because from everything I can tell, there is nothing short of purely criminal activity that could actually result in Equifax being required to go out of business. It seems that no amount of negligent behavior on their part can give me the right to say "cease and desist your retention of my record," while I've never so much as signed a document that came from Equifax. I have no direct relationship with them, and I have the right to get a restraining order if a malicious stalker is all up in my shit, so how is this situation any different? What makes them the authority? Because credit banks do business with them? That's nice... I want them out of business! In Europe, I would have this right. Nobody could maintain a file on me that I can't get a legal order for them to delete.
I'm not talking about debt holders. I'm talking about this parasitic company that evidently has no security team, or has chronically underfunded it to the point that we get where we are now, or had simply disregarded their advice umpteen times _after_ it became clear that the situation was very dire.
The struts vulnerability was disclosed months before they patched it. Any security researcher worth a dime could have told them it was a mistake to put up that equifaxsecurity2017 site that was literally (so much that their own Twitter account linked to it 9 times) indistinguishable from a phishing website and make the only way to know it was legit, a link from the front page of Equifax.com.
How did they get such a great gift from the law, if such is true then sign me up to be a credit reporting agency! I know how to build crappy websites and persist database records, it seems I meet all of the non-existent licencing requirements to be a CRA.
I’m guessing that, in the contracts you agreed to with credit card companies and others, you did consent to information being shared with the credit bureaus.
Yes. Conceded. That is different than consenting to the credit bureaus storing those data points in perpetuity.
It is an agreement with my bank. That lets my bank off the hook, not the negligent credit reporting agency Equifax. I must still have some kind of rights when any kind of agency is legally allowed to store my SSN and personal information. If this was Europe, with their data privacy protections, I would be sure about that. The reality in this country is, I have no idea if "I must have" is a statement of fact or not.
It should be my right to revoke this privilege that they have gained, however they came about it.
If I can go into Google and click a box to completely expunge my google history, why can't I do the same with a credit-reporting agency?
I get that the thinking is, well, you could just expunge away bad credit choices... but, so what? Your blank credit history is now your red flag, as well as a bad one.
But if you wanted to opt out, you could.
What could possibly go wrong? (Hah, I didn't mean that as a jokey rhetorical question!)
I can't tell Equifax to get bent and delete my record. I'm not asking for my credit history to go away (and shame on you for being the tenth person to suggest that I am), I am asking for the harmful company that appears to have chronically underfunded their security department, or ignored their advice, or whatever else has gone wrong to land us here, where we are now, to go out of business.
If I can't have that, then I'd settle for them being required to delete MY personal record upon my request. Next time I need to pull my credit file, I'll warn the lender not to try to pay Equifax to look me up, because they're going to get back a null reference with a timestamp of some September 2017 date on it. What's so hard about that? If the lender doesn't like it, I'll take my money elsewhere.
Lenders can keep their own records and report them anywhere they want, within the terms of our agreement and the law. I should not be obligated to remain in Equifax's database until fraud, criminal mischief, or negligence on their part is proven in a court of law. I am just asking for some modicum of control over where my records are stored, kept and shared.
But... that's not an option for me, we don't have EU style personal data privacy and protection laws!
> I never consented to have my information in their database
Why yes, you did through your agreement with any vendor (e.g. bank, credit union, credit card company, rental) that you have dealt with. This is a standard clause, although some places don't actually do it (my landlord for instance as I found out when I went for a car loan).
I hate this, but claiming you didn't consent is just not a credible answer without some additional legislation to force contracts to be explicit in whom a vendor may share information.
I disagree, you're citing an agreement between me and my bank. The bank may have authorized Equifax to store the data, but I did not. The bank was authorized to share the data (by me), and Equifax was authorized to store the data (by the bank), it is a fine point but it is a fact. So in all of this, the bank is the one who is not in the wrong.
I can't say whether Equifax's agreement with the bank provides any clauses to allow for revocation of Equifax rights to store the information about me, but if it does not then I need to go out and find me a new bank with some better lawyers.
(I'm saying that a scenario such as this whole series of negligent behavior and events, should trigger one of those clauses.)
You are going with the assumption that your sharing agreement with the bank has limits that don't really exist. I doubt you will be able to file a case based on the idea that the entity you have allowed your bank to share data with cannot actually store that data. I doubt a court would go along with that.
I'm not arguing that they weren't allowed to store the data. It would be less controversial apparently if I argued that Amazon grants a revokable license to consume the content on Prime Video and it is governed by the click-wrapped Terms of Service.
Im not saying they never had a right to store the data, I'm simply saying that it should be revoked. Let's not give them more responsibility and more data, they've already proven repeatedly that they can't handle it.
They don't need permission to store the identifying personal data about me for some reason (they, Equifax, the entity that I have no direct relationship with...) what was that reason exactly? Medical providers would not store your personally identifying information without permission, even if it was shared with them. You can ask a health care provider to furnish you with your records and delete their copy at any time, if I'm not mistaken.
Shouldn't they have some kind of licensing requirement in order to be held accountable for their security practices? Where is the line, that when they cross it, they should lose their accreditation? There isn't one, because there is no such accreditation (not to my knowledge anyway.)
It is not reasonable if there are only 3 credit reporting agencies and they do not have any licensing requirements. If I am mistaken about this, please correct me.
I agree that some boundaries, licensing, and potentially security requirements make a ton of sense. I'm cautiously for them. (Only cautiously because the govt can't get their own act together most of the time.)
But as of now, those requirements don't apply to them. So acting like they do is distracting at best.
Let's figure out ways: a) to know what they have, b) to force them to accept corrections, and c) add major negative consequences if/when they f* up.
If we can't have reasonable licensing requirements, then we need a "right to be erased" like they have across all of the European states.
If 140MM Americans (or even 50MM, let's be reasonable) told Equifax that they wanted to be removed from their database in response to the breach, and Equifax was required to honor those requests, it would be a step in the right direction.
That would be enough to put some "fear of God" into the shareholders at the remaining credit reporting agencies, and it does not sound like an unreasonable request at all. Companies going forward would have a disincentive to do business with Equifax, because 1/3 of people are missing from their database. (Instead, we're all permitted to buy more "Credit Freeze and Monitoring" solutions from Equifax, for the low price of $0, plus a low low payment of $10 every time we need to freeze or unfreeze our credit again to access it in the future. So let's dig the hole even deeper!)
Citizens that want to have credit would not be incentivized to remove their credit history from all three reporting agencies; as you probably already know, having no credit history is worse than having a bad credit history.
Then again, if we allowed that, then what's to stop those hackers from benevolently making the request on behalf of all 140MM people whose information they have appropriated.
There is no negative consequence that will incentivize Equifax to do better next time, if the result of this breach and their subsequent bungling of the response, is that they are allowed to continue operating their business without interruption.
Take the keys to the car away from the drunk driver. That's step one.
You don't have to provide consent to having a CRA host "your" data, because you're not the customer unless you buy a product from one of them.
CRAs are regulated by the government, with things like GLBA, CFPB, FCRA, and other acronyms covering what they can and cannot do, what their responsibilities are, etc. The CRAs have all been fined for improper handling of data, failing to adequately vet data provided to customers, etc.
CRAs get data from two places primarily: public records and CRA members (banks, credit card companies, retailers, etc.) The public records stuff is just that: public. Anyone can get it if they ask and are willing to pay the costs to gather it.
Member data is provided by members to CRAs, and you absolutely grant the right to them to do so when you signed up to use them. When you get a bank account, or credit card, or sign up for a store card, or really agree to do business with any entity on a financial basis, you approved it with your signature.
Your statement about "covert surveillance" is factually incorrect. You have a right under the law to view your entire credit file as held by all CRAs once per year. I also think (not sure) that you can get a copy if you're turned down for credit due to information on a credit report. So how is it "covert", if you not only know about it but can see it?
It's interesting that "your" data is in quotes. I understand what you mean by "your" data and it's a valid point. It's not my data, not in this country anyway, even when it identifies me personally. That's another subject.
You have made a substantive comment and I don't have time to respond substantively to any more comments right now unfortunately. I'm not arguing that they didn't have the right to collect the data.
I'm arguing that we have two other credit reporting agencies that appear to be functioning properly, and one that looks like it is in a continuing state of dysfunction. There appears to be no end to their ongoing dysfunctional behavior, and no possible remediation for affected parties on the horizon at all.
I just want to know what other kind of business in America would still have any customers after the two weeks that Equifax has just had? Do you think that Equifax should now have the right to continue operating, all things considered?
> I'm arguing that we have two other credit reporting agencies that appear to be functioning properly, and one that looks like it is in a continuing state of dysfunction.
I strongly suggest you do some research about that. You'll find that the other two CRAs have been equally "negligent" at different times.
> I just want to know what other kind of business in America would still have any customers after the two weeks that Equifax has just had?
Remember the Target data breach? Or the Home Depot breach? How about when Sony was distributing a rootkit on their music CDs? Or when Lenovo was distributing a malware package preinstalled on their laptops? Or when Best Buy was selling digital picture frames that had a virus? The list, sadly, goes on and on and on...
> Do you think that Equifax should now have the right to continue operating, all things considered?
Of course. Since you're here on Hacker News, I presume you must have some knowledge of computer security...do you really think it was negligence that caused all of this? Do you think that the other CRAs are in any way more secure or less negligent? Or banks? Or any business that uses, say Cisco switches (which have tons of vulnerabilities)? Or businesses that uses Microsoft Windows (too many viruses and worms to count)?
I'm personally more upset about their continued incompetence in their response to the breach, than about the breach itself. I'm sorry I can't write more right now...
First they suppressed valuable information in the form of interviews with their CISO that were public until September 10, when they came down for some reason.
Then they started tweeting out links to a phishing site that looked just like their own "equifaxsecurity2017" site. About this time, the CIO and CISO were removed from the picture entirely.
A few days later, each of these gaffes became known. Meanwhile they had delayed long past the timeline outlined in legal requirements for their reporting of the breach. Where are the Congressional interviews with their executive directorship?
Not on the calendar yet, why don't we schedule it for next February 30th. First of never. I'm just as incensed about the (seeming lack of) response of law enforcement, which admittedly I don't personally have much visibility into, but seems inadequate.
At a minimum I would argue that Equifax needs a "time-out." Ideally they would not be handling the response to this situation at all. They should go on the hook to pay someone competent to handle the response.
> Then they started tweeting out links to a phishing site that looked just like their own "equifaxsecurity2017" site.
Not much to say about that one, for sure. I still don't understand why they wanted to make a completely separate site with that stupid name.
> Meanwhile they had delayed long past the timeline outlined in legal requirements for their reporting of the breach.
I think you'll find that they adhered to the letter of the law on that. Maybe you know when Equifax made the breach public, but you don't know when they first contacted the relevant authorities (law enforcement or regulatory).
> Where are the Congressional interviews with their executive directorship?
Oh, that's coming, for sure. Other companies have been called before congress for far less. But what good has ever come out of such a hearing? That's what you do when you want to save face with the American public and seem like you're going to do something. There might be hope...Al Franken is the ranking member on what I think is the relevant committee, and he usually does a good job in calling out BS when he sees it.
> I'm just as incensed about the response of law enforcement
How so? What would you expect from law enforcement here?
> How so? What would you expect from law enforcement here?
Copied from another sub-thread I posted in...
When Sonny Vleisides plead guilty to Felony Mail Fraud in 2007, he was forbidden to engage in loan programs, gambling or gaming activities, telemarketing activities, investment programs or any other business involving the solicitation of funds.
He went on to co-found the company called Butterfly Labs in 2010, a company that took pre-orders for Bitcoin mining equipment (in many cases soliciting funds for hardware that didn't exist, until it did).
Many people argued that this business model was a direct violation of the terms of his supervised release. He stood in front of a judge in 2014 that said there was a "strong smell" of fraud with respect to his company.
Equifax it seems gets to skip the whole "plead guilty" thing and just announced their negligent failure directly to the world.
When does Equifax get their 14 months in jail followed by a supervised release? Never, apparently, they just go on about their business and no charges are filed. I would expect for them to get a "time-out" after their bungling of the response to this breach, at the bare minimum.
But no, let's give them a participation trophy instead, let them continue handling the response to the breach, they've earned it...
> Equifax it seems gets to skip the whole "plead guilty" thing and just announced their negligent failure directly to the world.
You're presuming that Equifax is guilty of something. Of what? Of being victims of a hack? What about the SEC, who just notified the public now that they were hacked back in 2016?
You seem to think that Equifax is guilty of negligence. Good luck proving that. They're subject to security audits not only from the government, but in relation to the contracts they have with their various customers (standard stuff when companies deal with each other, not least of which when consumer data is involved). Their security wasn't good enough, but they didn't know that until too late. Same as Target. Same as Home Depot. Same as the SEC.
Equifax is going to get fined. They're going to lose business. They're going to eat the cost of providing identity theft protection/monitoring to the entire country. They're going to have to fight their way back to whatever previous stature they had. But any thought that they're going to be found criminally liable for this is simply not credible.
Their behavior during the response has been chock full of negligence, and I don't need to prove it in a court of law. I just need you to concede that point, and I can go on with my day. :-D
They should not have been in charge of the response, but there was no way for us to know that for sure until they had already flubbed it so badly.
They are guilty of handling the response very poorly in a way that has been hashed out and rehashed at least six dozen times on HN until the culmination (so far) yesterday, when we found out that their site was so easy to spoof it fooled even Tim, the Twitter guy from Equifax, who tweeted links to the spoof site out to eight or nine customers over the course of the response.
That was possible because of their initial poor (evidently hasty, and negligently so) response. I'm not asking to make anyone criminally liable, I'm suggesting that next time a company leaks sensitive records on 140MM Americans, we should remember this chain of events and somehow all do better. (And not have another repeat of this shit show, if possible... but who am I kidding, it will repeat.)
The poor response was probably made worse because of their internal culture that resulted in the CIO and CISO being canned (that sounds like all of their top technical leadership put out the door) right as the response was just getting underway. That too, in my opinion, was probably negligence!
I know we don't put companies in "time out" but it seems like we had better think about doing exactly that in this case, lest we soon find out what it will look like when the (next) other shoe drops.
The Equifax story will only continue to get worse! Just wait until their new free credit monitoring systems are breached, and we get to find out exactly what that mandatory class-action arbitration clause we've all heard about is actually intended to do!
> They should not have been in charge of the response
Then who should have?
> we should remember this chain of events and somehow all do better. (And not have another repeat of this shit show, if possible... but who am I kidding, it will repeat.)
> > They should not have been in charge of the response
> Then who should have?
Better question: what would be an appropriate response? Because this one isn't, that much is sure, but I don't have an answer for this question other than "one that is not so hastily and shoddily implemented."
You were lamenting about the "delayed" response before, and now you're unhappy with the "hasty" response.
Further, do you really think this was a hasty response? This is the response dictated by the law, coupled with recommendations from their legal team, and probably with input from regulators as well.
It was delayed, in terms of how long it took them to let us know that we could be affected.
It was hasty, in terms of... just look at equifaxsecurity2017.com
Did they run this plan by even one security researcher before it was put into action? If so, that person's advice was either terrible, or ignored. No time at all had elapsed between the time we were alerted to the breach, and when Equifax revealed the 2-day old site that was protected by Amazon certificate.
I am building an HR web portal for employees to submit their identity when they do not go through our background checking service (some classes of employee who are exempt from the requirement to get a background check, for archaic reasons), and I am holding up Equifax's response to the breach as an example of "What Not To Do."
There is no legal requirement for them to put up a website that looks like a phishing scam, and respond to people who put in their information with a random value of "Yes you were affected/Check back later to find out if you were affected". There would certainly have been questions about "who was affected" but it would be better to answer with a blanket response of "everyone with a credit file" than to do as they did, and say "143 million Americans, now fill out this pointless form attached to a random number generator to find out if you are one of them."
My credit history is still in the hands of Equifax and I have no control over that fact. That is problem number one for me. I want to get off of Mr Bones Wild Ride.
> My credit history is still in the hands of Equifax
Your credit history is in the hands of all the CRAs, just like it has been since the first time you entered into any sort of credit agreement, or opened a bank account, or applied for a car loan, or rented an apartment, got student loans, or did anything where your "credit worthiness" comes into play.
In Europe, if I understand EU data privacy laws, all three of those CRAs would need my permission to retain my personal information. Maybe not explicitly granted by me directly and personally, but absolutely revokable by me, both directly and personally. In the USA, ... it is what it is. I can't revoke those grants, individually or summarily.
> I still don't understand why they wanted to make a completely separate site with that stupid name.
Probably because they still weren't sure that their existing systems were secure. So instead of securing them, or unplugging them, they ... built a new system, both hastily and shoddily!
Then they sent out an e-mail to everyone, telling them to put a little bit more of their SSNs than we're all used to providing at the drop of a hat, ... put them into the bucket. Isn't that about the size of it?
> Remember the Target data breach? Or the Home Depot breach? How about when Sony was distributing a rootkit on their music CDs? Or when Lenovo was distributing a malware package preinstalled on their laptops? Or when Best Buy was selling digital picture frames that had a virus?
I remember all of those things, and NONE of them were on the scale or level of impact of the Equifax breach. People who were affected by the Target breach, got replacement cards and moved on with their lives. Lenovo's malware package could be uninstalled and their hard drives could be reformatted.
People who are affected by Equifax breach... can do what? We are ALL affected by this breach. Every last American Citizen. The credit system itself, as we currently know it, now hangs in the balance.
I know that ALL of the credit reporting agencies have similar poorly designed systems, and THAT is EXACTLY what I am so goddamned mad about. Because THAT is a fact that is NOT going to change as a result of this. You know it and I know it!
We will still have the same 3 credit reporting agencies a year from now, and Equifax will STILL be profitable after whatever fines are imposed. We Need To Seriously Change This Shit Right.Fucking.Now! (NB. I have no specific suggestion, but I am so furious because of your apparent suggestion that there is no line that Equifax or any other CRA can cross that will earn them an honest decapitation. If not now, then when?)
This should NOT have been possible in any reasonable system designed to store sensitive data on every last American with a credit history, and the fact that it happened is all the evidence of negligence that you need. Someone exfiltrated ALL of the information they need to impersonate ANY American citizen with a credit file.
Nobody in particular needs to be held criminally negligent. No redress will make me happy about what has happened. The game is just over. The system is fucked, there's nothing left for them to protect. "Not for Identification Purposes" it's time to read the words on the card, and take them seriously.
> NONE of them were on the scale or level of impact of the Equifax breach.
I concede the possibility.
> We are ALL affected by this breach.
POTENTIALLY affected. There's been no disclosure of exactly how many records were accessed...I don't think they know, but it seems highly unlikely that their entire credit database could have been exfiltrated in that amount of time.
> I know that ALL of the credit reporting agencies have similar poorly designed systems
They don't actually. They tend to have above average security. It's just that it CANNOT be perfect. Just like we can't stop viruses, but Windows is still around.
> I am so furious because of your apparent suggestion that there is no line that Equifax or any other CRA can cross that will earn them an honest decapitation.
How about real criminal activity? You keep glossing over the point that Equifax was victimized here as well. What criminal intent, or even legitimate incompetence, can you claim that even remotely justifies that sort of reaction? Do you think this is Enron-level criminality? That was flat-out fraud, proven in court.
> the fact that it happened is all the evidence of negligence that you need
You're sadly mistaken as to the efficacy of computer security. The fact that it hasn't happened before, for a company that must be a target under constant and unrelenting assault, is actually a testimony to the how well they were maintaining security.
> "Not for Identification Purposes" it's time to read the words on the card, and take them seriously.
This is true. We don't know if they got all of the records. Reports of "143 million Americans impacted" would seem to indicate that it was roughly everyone with a credit file.
But that is just a headline/byline, and we don't know until the hackers dump it and divest of whatever they got, and the data (honestly, I say hopefully) winds up as public information so we can all know exactly how bad it is.
Equifax's primary customers are the banks and other people who want to check out a persons credit worthiness. They did not leak credit reports. Just think if that information was copied and in the wild, available as a torrent. They would have a lot fewer customers. If you were renting out a place, instead of paying Equifax hundreds of dollars to check the credit of a dozen people, you could just check them out for free. That would be pretty cool. Sort of like the Sci-Hub situation.
The existence of private business is default allow. That objection makes it sound like the author is arguing that all business should have to get government permission to exist. (Which, they kinda do if they want to get incorporated, but that's a low bar.) The author is making a different argument: this particular business is working in a market with incentives so perverse that they are more likely to be harmful than not. If we deem these kind of services necessary, then let's make it a government program so that the incentives are correctly aligned.
> the existence of private businesses should be default-allow
Equifax spreads misery across the general population. I have seen no practical proposals which allow us ordinary people to claw back the time and frustration these private companies suck out of us. How endlessly should they be allowed to socialize their losses and force us to subsidize them?
Indeed and to putting a fraud alert on your credit profile is only good for 90 days. This is curious since one's identity - name and social security number don't change after 90 days.
The onus of protection is on the consumer - the very people who never authorized the companies to collect and sell their financial identity. The concerned consumer needs to call back every 3 months to continue a fraud alert.
For those who don't know the value in placing a fraud alert is that it forces anyone extending you credit to first call you and verify that you actually intended to open the line of credit in your name. This is something that should be standard operating procedure and not a special consideration.
There are two ways to freeze your credit. The first is good for 90 days and you have to authorize any requests. The second is permanent, until you revoke it. To revoke it, you need a PIN that they give you when you freeze it.
There are three companies to do it at. The cost is low and it is mandated to be free in some jurisdictions.
Do you seriously believe that credit freezes are an adequate response to the massive harms inflicted upon individuals by identity theft and credit report inaccuracies?
They aren't and they further shift the responsibility of dealing with credit agencies negligence onto the consumer.
You want to rent an apartment, change your cell phone carrier, get home owner's insurance, order cable - all of these things require a credit check and you having to pay 5 dollars to each agency and making 3 separate calls to each of them to do so.
I don't believe there is anything better, at least that I'm aware of. Is it adequate? Probably not. Is there something better? Not that I know of.
To be clear, I only know about the freezing. I got free monitoring but didn't take advantage of it. Instead, I just froze my credit and hope for the best. I don't really need credit for anything, so it has been fairly painless.
This is the sad part about it is there is no way to opt out of having your identity put at risk by these thugs.
>"I got free monitoring but didn't take advantage of it."
This is perhaps the most incensing part of all of this. Is that after one of these breaches the agency offers 1 year of credit monitoring and then after that its $16.95 a month.
They have attempted create another revenue opportunity for themselves by being reckless with your data. It's mind blowing.
Those are actually two separate things - locking your credit and placing a fraud alert on your credit.
Locking your credit means that the only people allowed access to your credit file are your current creditors. The fraud alerts means that the only way someone can grant your a new line of credit is by verifying with you personally that you intended to apply for this new credit.
Locking your credit is permanent and it needs to be done with all 3 agencies separately and each time you want to unlock your credit, example someone needs to run a credit check or you want a new credit card then you need to phone each of the 3 credit agencies separately and they each charge you 5 dollars for that privilege.
The fraud alert doesn't cost anything but can only be done for 90 day increments and then it is automatically revoked.
And if there is any glitch in the locking/unlocking or fraud alert, the agencies will resort to snail mail and letter writing to resolve issues. Everything is set up to be maximally inefficient and painful for the consumer to discourage doing so.
Also the 3 credit agencies manage a site that was mandated by congress after another scandal that allows consumers to request their own credit file for free once a year [1].
This site in addition to intentionally looking sketchy is also designed to be maximally painful to use. You will be asked things liked exact dates that you lived a certain address 15 years ago. If you fail any of these(which is quite easy to do) you will be instructed to send a letter, along with ID to the agency to request your personal credit report.
It is actually much much more difficult for a person to obtain their own credit report from these agencies than it is for a complete stranger to request it.
Ah, thanks! I thought they were talking about freezing it. The only fraud alert I know of was what was offered to me after the OPM hack. Instead, I just opted to freeze my accounts and they've been frozen ever since.
I think the whole "credit locking" thing is dubious at best however.
For anyone that had their credit locked or frozen previously the hackers would have also gotten access to the pin numbers that permit the unlocking of one's credit file. What's to stop someone from using the PIN to unlock it and create before opening credit in a victims name?
Not a whole lot can be done to stop it. I'm really not sure what we can do, beyond freezing it. I guess we could add monitoring to it, but I'm not sure that will help.
They should absolutely not allow PIN retrieval online and without a whole lot of serious vetting. That they do is yet another metaphorical kick in the teeth. I am just now learning about the PIN retrieval, so this may result in my needing to change strategies.
Fortunately, I don't rely on credit. If I need credit, I can easily qualify for a secured loan. It also helps that I sat on the board at my credit union for a while. So, credit isn't a problem.
I do feel sorry for those who aren't able to just stop using credit. See, according to what I've heard/read, freezing your credit actually negatively impacts your credit score. If you're freezing it, you must be at risk. Or so they seem to think. So, by defending yourself you are actually potentially harming yourself.
It is already eating up your time, perhaps some money, and adding stress to the lives of many innocent people. Then, when you want to alleviate some of that stress, or reduce your risk of harm, it harms you even more. There isn't even a realistic option to opt out of the game.
It's pretty horrifying and it is difficult to not be angry about it. I'm fairly well insulated but I can certainly empathize. I wish I had the answers. I wish I had a solution. I don't and I'm not sure anyone does.
>"See, according to what I've heard/read, freezing your credit actually negatively impacts your credit score."
Do you have a link or some further explanation for this? I don't think this is true. It's actually the opposite - when someone runs your credit which can happen without your knowledge or approval then your credit will get dinged. By freezing it and not allowing anyone but existing creditors to access your profile you prevent this.
Not having enough credit will keep you from obtaining a higher FICO score however. For instance you can have perfect credit but if you have to few credit cards your FICO score will be lower than someone who has perfect credit and has more credit cards. It's insane but true, its a metric called "balance to limit ratio":
Though, that link is strange in a new and interesting way. The page seems to indicate you can pull your credit score while your account is frozen. Except, if I look at Credit Karma, they say you can't register and access your credit report if your account is frozen.
The problem is that we already have a nationalized version of this - the OPM database for security clearances - and it too has been hacked. It was known vulnerable in 2009 and nothing was done about it until it was known to be hacked 6 years later.
Even worse, while the author criticizes how Equifax got started - private investigators looking for affairs, etc - that is exactly what the OPM database is. They're looking for things that could be used to blackmail an individual so it includes financial history, marital info, drug use/abuse info, and potentially medical records.
And no, there has been zero accountability around it.
Whenever someone says "the govt can protect this info better!" remember that this is the same government that doesn't follow the law with regards to wiretaps, FOIA requests, background check info, and many, many other things. Oh, and the NSA can't even protect their best tools.
All I got from the OPM hack was a form letter and free credit monitoring that I had no use for. Instead, I had to freeze my credit. Fortunately, I'm not really at risk for blackmail and I'm not worried about my information being out there.
I am, however, worried about the information in my file that is about other people. They contacted and interviewed lots of my friends and family. Those notes, and the associations between these groups of people, are all in the data that was exfiltrated.
You know what my friends and family got? Nothing, not even a form letter. Me? I'll be fine. However, some of them are now associated with others and who knows what other connections can be drawn when you cross-check with other information from the hack?
So, yeah, I'm jaded and skeptical about the idea of having it be a government operation. People keep saying this is the worst hack ever. Man, if they only knew what was in the clearance application. I disclosed all sorts of things that I really don't want to be public information.
And I got a form letter that was barely an apology. Hell, I think my notification was actually on a post card. Yeah, I just double checked. They sent my notification on a post card, not even in a secure envelope.
Because we can't prove harm, we have no standing in the eyes of the court. We have no recourse.
I couldn't even transfer my free credit monitoring to someone who could actually use it. It was non-transferable. I had no use for it, as I'd opted to freeze my credit entirely.
I'm not sure which bothers me the most, the hack or the response? I do know that if I'd been responsible for spillage of classified information, I'd have gone to jail. If I'd been responsible for spilling that much classified data, I'd have never felt a ray of sunshine again.
I'm very disappointed by it. What is most disappointing is that there was no good reason for me needing the clearance, FOUO would have been fine. I can't be specific, but there was no reason my work, or the data, should have been classified. On top of that, I'd already sold my business and had retired - years prior. There was no good reason for retaining my records.
I'm currently reading about other countries that offer a government run service for credit reporting. I'm trying really hard to remain objective and unbiased, but it's really difficult.
I feel sorry for the people who are impacted by this. It's not easy to go through. I'm not sure it's quite the same, but I felt violated when I found out about the OPM hack. I felt let down, abandoned, unappreciated, and powerless. The information was some of my most private information and, worse, wasn't just about me. I felt as though it was my fault that my friends and family also had their privacy violated.
I am not that great with words, so that's about the best way I can think of to describe it. Disgusting is a good description. On a positive note, it does help me empathize with the folks impacted by this hack.
I mostly know what others said about me, assuming they only spoke to people I listed. Those other people also disclosed information about themselves, some of it very personal.
Not only did the OPM hack affect my privacy, it made me a cause of others losing some of their privacy. By extension, they made me responsible.
Fortunately, none of my friends and family hold me accountable and understand that I'm not to blame. Still... It's not a good place to be, emotionally. I've since gotten over it, for the most part.
I don't even know what was in their investigation notes. That's need to know and they don't think I need to know. I disclosed everything from drug use to promiscuity, with names, dates, and places. It wasn't just my information in those files. Who knows what can be done with that info by giving it big-data treatment?
Add that database to this one, and the many others, and I'd be surprised if you couldn't draw much larger pictures and associations. The world is not that big and cross-checking on large data sets is almost certain to further erode privacy.
> I mostly know what others said about me, assuming they only spoke to people I listed.
One of the questions most investigators ask is "Is there anyone else I should talk to?"
Sometimes they say it in general, sometimes about specific situations or interests but they say it regularly and often. They know that the people you list will be neutral -> positive about you. They want more.
Yeah, I've been interviewed for other people and that was a question they did ask me. They also asked some odd questions that took me a while to think of why they had asked them. They'd asked them to make sure I really knew them well and was giving honest answers.
Stuff like, "We know you went to school together. Do you remember what sports they played?" Except we'd not gone to school together.
Crafty buggers. Either way, that data is all out there now. I'm not sure what all made it into the reports, I suspect most of it did.
Definitely. I love markets; they can do amazing stuff. But we're talking an invisible hand, not an invisible magic sparkle unicorn.
I look at a market as a machine that we can deploy. It does a specific thing, but only with the right inputs and working conditions. Here, we are not Equifax's customers. Harm to us is a negative externality, which is a classic kind of market failure:
Personally, I'd like to see this problem turned over to an institution something like the Smithsonian: not a regular part of government, but a trust with a specific purpose. I'd be even happier with it if it had directly elected privacy commissioners, so that it was more accountable to the people whose data it safeguards.
We're only going to end up with more data that's about people, even if it's not generated or held by those people. Having a home for that data, one with a public purpose and public accountability, seems way better to me than leaving it for a private, profit-making corporation to exploit.
NB, but the "invisible hand" rhetoric is a gross misrepresentation of Smith's intent.
Economic historian Gavin Kennedy has made something of a career debunking this fallacy. Among his many writings:
The sorry invisible hand myth owes more to imagination and hope than it does to economics from Adam Smith. Its modern form really began its take off with Paul Samuelson’s successful textbook, “Economics: an analytical introduction”, McGraw-Hill 1948, and continued through to edition 20 in 2010. It had an earlier oral presence at Chicago (where Samuelson was an undergraduate) and Cambridge, England (A. C. Pigou). Even Oscar Lange postulated (1938 and 1947) a rival and “better” invisible-hand role by socialist planners. The Soviet planned economy challenged capitalism from the 1930s and in Cold War rivalry, with large communist parties and social-democratic in Western Europe, the myth asserted the innate superiority of capitalism with its “invisible hand”. Since the current recession, increasing questions appeared about its existence. Warren Samuel’s last book, “Erasing the Invisible Hand, essays on a elusive and misused concept in economics”, 2011 (Cambridge) exposes the modern history of the mythical “invisible hand” since its heyday from the 1960s through to the late 1990s
If they are are so liable, then to remain profitable they will find a way to pass on their cost to the customers. Those customers in turn, will pass it on to the consumer. So then you end up footing liability insurance bill for the privilege of being subject to a credit search.
That's better than the situation we have now, where Equifax and the credit agencies are only profitable because they stick the general population with the liability and the losses.
What's the idea; that if a whole network of criminals now has my personal info, there will be an insurance-backed fund that will instantly buy me a whole new identity, so life goes on merrily?
Nope! We must rather completely get rid of this Equifax and make it a criminal offense for anyone to share such info with any emerging Equifax-like agency, or with anyone else.
Your data going to Equifax is the fucking security breach. What happens afterward is just a footnote.
In addition, untrue entries in their database should constitute libel. Most (but not all) of the damage from letting SSN/name/address combinations out into the wild that you're referring to comes from adding false entries to their own databases, so allowing consumer to sue for libel whenever an entry is wrong would force them and their up-stream data providers to clean up their act in a hurry.
That's sorta the point – in this case, I have no ability (as a consumer) to "go elsewhere." Aside from the two times I've placed freezes on my credit history, I have no relationship with Equifax, and have never consented in any way to what they collect and share about me.
This contrasts pretty heavily with, say, Facebook – where even though they collect and share plenty of information about me, I'm at least both consenting and continuing to feed them by using a service I presumably find worth the trade-off.
If you are the type of person who gets upset about this dynamic of Facebook, then Equifax should be completely next-level.
> Dont you consent to credit reporting when you sign up to get credit, though.
No, I consent to allow creditors to do their due diligence to see if I'm a viable candidate for their product. Equifax is not required in this transaction, it's just beneficial for the creditor, their customer, to use them to streamline that information collecting process. Loans and credit existed prior to credit reporting agencies and will exist long after.
> No, I consent to allow creditors to do their due diligence to see if I'm a viable candidate for their product.
you do much more than that though , from my card agreement
"We may obtain and review your credit history from credit reporting agencies and others. We may, from time to time, obtain employment and income data from third parties to
assist us in the ongoing administration of your account. We may also provide information about you and your account to credit reporting agencies and others. We may provide
information to credit reporting agencies about this account in the name of an authorized user. If you think we provided incorrect information, write to us and we will investigate."
> Equifax is not required in this transaction
Thats upto the business to decide, not you. You choose to not get credit from them if you have objections to how they run their business.
>Thats upto the business to decide, not you. You choose to not get credit from them if you have objections to how they run their business.
Regardless of what the business decides, no, Equifax is not required to assess my credit. If the business decides to go to McDonald's to get lunch while they are doing this process, that's not required regardless of what the business decides. It may be nice for them, it may make their process easier, but it's not /required/.
most of the language in those agreements just says "major bureaus" though, not explicitly which. And major transactions will usually pull all three. Trying to pick only lenders which don't use Equifax (or another bureau) may not even be possible for something like a car or home loan.
True, but at least third parties (where they check Equifax, etc.) have a choice. With government, no one has a choice.
I do agree that handling of data could be regulated to some sort, though. Much like how we have agencies, etc. for keeping tabs on companies that handle other things (hazardous materials, food, etc.)
You do, too, have a choice with government: you leave. Unless you live in North Korea or a similarly dictatorial state, you have a choice to leave your country.
Your second premise assumes that citizens are powerless to effect change, which is sadly more true these days, but in a proper functioning republic, government agencies are accountable and fixable.
In a proper functioning free market, companies are replaceable and reasonably transparent, so people can arrive at decisions and 'vote' with their actions in a practical sense.
I think the key point here isn't the system, but 'proper functioning'. In the event that no system is ever properly functioning, what's causing the least damage?
I'm reminded of the many stories I've seen claiming that people given experience of both, preferred 'bread line' communism to free market capitalism.
These people were never the lottery winners of capitalism: they're always just worker bee types, and their observation was that communism sucked but was stable and consistent. Small dreams, small risks, reasonable safety for the worker bees.
When they experienced capitalism, they had no preparation to competitively attack their fellow workers and win, and as a result they didn't win, they became worker bees under capitalism, and dropped below their previous living standard. Granted, this provided an environment where more ambitious worker bees could prevail and get rich, and that's the system working as intended, but for the less motivated ones, their experience told 'em communism took better care of them… in spite of the litany of horror stories we've all heard over and over (I live in the USA, so I've been indoctrinated against communism all my adult life).
I think it's pretty important to examine how these systems work when they're NOT properly functioning. It seems like free market capitalism produces some pretty spectacular damage when it catastrophically fails, but it's more abstracted. When something like communism catastrophically fails, it's in the form of state genocide, with more intentionality.
The authors point is still valid with that argument though -- the people with the greatest risk from participation with credit bureaus aren't their customers and don't have a right to decline participation. It's a lopsided marketplace where the market incentives aren't aligned with the risk.
Sadly, being the commodity and not the customer, even though it directly affects our lives, and in spite of it being a private company, we can't do anything about it. And is the hope then that Equifax will go out of business? Are we under the assumption that either of the other two are better, or are they just the same, and they haven't had their day in the spotlight yet?
> When a private company has a massive failure that impacts someone other than its customers, then the impacted parties have no recourse whatsoever.
IANAL. This is absolutely not true. You don't have to have a direct relationship with the other party in a negligence case. An easy example would be that you can sue the manufacturer of your transmission even though your Civic was sold to you by Honda. Equifax would have to somehow argue that they owe no duty of care to the people with private information in their database which just isn't going to happen.
Yes, technically this can be addressed by a class action suit. Which is better than nothing, I guess.
This has always struck me as an odd anti-regulatory argument, though. "Governments shouldn't use their power to distort the market. Therefore regulations are inherently bad. Instead we should distort the market using a different branch of the government, but in a much more capricious and unpredictable manner."
Did you even read the article ? The whole point is that as a consumer you have no choice to go elsewhere. Equifax has data about you that you never know and never consented to. They also sell their data to all sorts of agencies and their business practices are real shady. If you need to check your credit report multiple times in a year, they will sign you up for some useless monitoring program, and will make life really difficult to cancel it. At the very least, credit bureaus, who have enormous power over individual lives, without their knowledge, need to be made accountable and their profit motives squashed.
A pipe dream. As evidenced by the stock price, nothing will change. People don't care--at least not enough to do something like call their elected official, if they even know who they are.
Which brings me to a question of the "have things always been like this?" sort. Do we have data on the percentage of any population who's active in politics over the past, say, 7 decades?
The interesting thing about this sentiment and reasoning is that it could equally be said of data brokers in general. Changes here could have big impacts on the ads ecosystem. I don't know my opinion here, but between things like GDPR and op eds like this I have to imagine there are ad and data broker executives doing some worst case analysis and spin/ talking point preparation.
> Equifax is the oldest of the Big Three credit reporting bureaus, and it got its start as a private investigator in the late 1800s. A client — a business or a bank — would ask it about a consumer, and it would go about digging up dirt on things like marital problems and convictions. That client would then pay it for its services.
> This questionable business model raised eyebrows in the 1960s, when the companies were still compiling information on people’s “moral character” such as affairs or drinking problems. At the time, the reports weren’t available at all to the subjects themselves. That changed with the Fair Credit Reporting Act, which was signed in 1970. But even that reform put virtually no oversight on the bureaus’ practices.
As if there aren't a bunch of companies trying to do exactly this with a combination of tracking cookies, browser history, purchase history, and ML.
Separately, from the article (emphasis mine):
> The United States government is, of course, not impervious to data breaches, nor does it have a perfect track record of fending them off. In 2015, it announced that hackers had stolen “sensitive information” on 21.5 million people. But the government is at least accountable to public pressure. Equifax never will be, even under the tightest regulation.
Equifax may not have to change anything as there's a very real chance it goes bankrupt because of this. It's not just from the cost of lawsuits from consumers. There's a longer term cost of businesses not wanting to deal with them.
The risk of that happening to one of the other big credit reporting agencies is the biggest driver for them to clean up their act. The threat to their businesses is real and I'd imagine their internal responses will be as well. I also think regardless of what they do it's only a matter of time till they have a breach as well. You only have to screw up once.
> Credit bureaus have proved to be complete failures at safeguarding the public.
Nearly all companies are complete failures at data security. There's not special about credit bureaus here. They just happen to have a lot of sensitive data on a lot of people and thus are a hot target. As an example, we've had plenty of breaches in the health insurance industry as well.
Perhaps the best approach would be a "too big to fail" limit on the bureaus. Put a cap on the total size (in accounts / people covered) of a credit bureau. The libertarian in me is screaming at the thought of something like that but at least it has the advantage of limiting breaches to a max number of people.
"Equifax could easily have patched the hole in its system that hackers exploited, but it simply didn’t."
We don't know why, though. Perhaps they were working with law enforcement to track the attacker. Closing the hole would certainly alert the attackers and end the chance to catch them.
I don't know about this situation but I'm willing to bet one could find many examples of law enforcement doing that very thing in various different cases.
Law enforcement is about enforcing the law, not protecting law-abiding citizens from criminals.
I don't agree with trying to create a public government-run institution to track how "reliable" each citizen is. The solution to all of this is clear. Credit agencies provide a service primarily to lenders. These lenders count on the agencies' ratings to be a reliable predictor of the reliability of its potential customers. If those companies' products are no longer a reliable predictor, they shouldn't use them.
> If those companies' products are no longer a reliable predictor, they shouldn't use them.
I think this is very optimistic. It's hard for me to imagine a situation in which lenders are questioning the reliability of these credit reports and the only scenario I can come up with is one in which the reporting agency are over-estimating people's ability to reliably repay debt to the point where the lenders are losing so much money that they actually notice. Given that most consumers complain that these reports include erroneous /negative/ information, this scenario seems unlikely.
Lenders will continue to use these reporting companies, no matter how poor their product, because there is no measure against which to judge their product except each other. They'll continue to use them out of inertia, out of erring on the side of caution, and because this is the way they have always done business.
Well, I guess the sticking point is that no one has found a better way to measure loan risk. If they had, lenders would work with the agency that more accurately assesses their risk because otherwise they are leaving money on the table by not lending to creditworthy individuals.
Agreed. As long as credit reporting companies report conservative numbers and lenders err on the side of minimizing risk, all of the potential lost dollars will fall into the "loans I could've made money on but decided not to loan out" category and that is difficult to gauge.
> no one has found a better way to measure loan risk.
Or rather, that the system which measures loan risk is feasible only because the parasitical entities which run it push the massive negative externalities onto the general population. If the loan risk system actually had to pay for all the harm it does, it would be a loser.
I am equally suspicious of creating a government agency for tracking all citizens. However, I worry that your proposed solution has three significant caveats.
Firstly, reliability tends to change slowly. Banks might not be tracking this, so it would take a long time for this problem to surface. The article indicates that they're already unreliable, and banks continue to rely on them.
Secondly, there's too little competition. There's no realistic alternative; especially when all three seem to be roughly equivalent in terms of reliability.
Finally, any single bank dropping a credit agency will cause that credit agency problems, but will likely cause themselves more problems. Individual banks have little incentive to act on their own. Some form of banking cartel would probably be needed to put sufficient pressure on the credit reporting agencies to effect change.
I’d argue that it should be a system where any number of companies can compete in the credit reporting industry. Why should it be only 3 companies competing?
The laws need more fleshing out. The current iteration of laws is insufficient.
Yeah, I was thinking "why don't we just nationalize credit bureaus" until I thought about what we would be handing over to the government, and how close it would resemble China's citizenship score-type thing.
Credit scores and credit reports are separate products. It would be possible to nationalize credit reporting while banning any government involvement in credit scoring. The government could license access to an arbitrary person's full credit report, requiring payment per person per access and compliance with a laundry list of consumer protection clauses, while notifying that person on at least an annual basis about who has been pulling their report. Perhaps more often, if you want to pay for the extra stamps or give permission for e-mail notifications.
The FICA folks could pull your report and reduce you to a number every time some creditor wants to check up on your creditworthiness. AirBnB could pull the same data and produce a houseguest score, so people can feel comfortable that you won't trash their place. A background check agency could pull the same data and try to figure out whether you are likely to hurt an employer's business.
> companies' products are no longer a reliable predictor, they shouldn't use them.
They really don't have a choice. Every aspect of your "credit score" is governed by law.
One particularly egregious example: banks and credit agencies are FORCED to ignore bankruptcy after 10 years when decided whether to grant a loan to someone. Even if a wealthy person default on a 100M loan, even if he has multiple bankruptcies in his past, banks must ignore them if they are >10 years old.
Credit agencies are private companies, but they play by the government's rules.
Lenders are forced to ignore "red flags" like multiple bankruptcies occuring >10 years ago.
Lenders are forced to use the government's criteria to determine when to loan out their money.
Someone could be abusing the system and declaring bankruptcy every 10.5 years, like clockwork, and the bank would have to keep taking them back as a customer.
Is a bankruptcy greater than >10 years ago statistically a red flag? What do you think would be a better term?
The government has several interests, beyond lenders. The government enforces the lenders abilities to claim debts. It is also in the government's interest to allow people to get back on their feet if their finances crater, because taking someone out of the financial system indefinitely is not productive.
Someone, somewhere, could be abusing any system. That, in and of itself, is not a disqualifying feature of a system.
> Is a bankruptcy greater than >10 years ago statistically a red flag? What do you think would be a better term?
I think the banks themselves should be allowed to decide when the risk is worth taking. It will all be determined by actuarial tables like every other similar business decision.
If the risk of someone defaulting 15 years after bankruptcy is 20% higher, then banks may charge that person 20% more interest.
Are you familiar with the output of a typical credit report?
I'm curious as to why you're focusing on bankruptcy, when there are a significant amount of other signals banks use, which do not age off in the same way.
Little people aren't able to recoup their losses when disentangling the tremendous inconveniences of identity theft, mistakes in credit reports, and so on. You're only addressing losses by lenders, which are a tiny fraction of the actual problem. You're not offering any practical way for the general population to seek redress.
This can be fixed by a small change to privacy liability law. Current law requires litigants to show actual economic harm. That is hard to do in cases of identity theft and privacy violations, which is why the OPM case was just dismissed [1]. If this was changed so that a privacy violation could be litigated, companies like Equifax would need to buy insurance against such actions. Alternatively, there could be a new law that any company storing SSN-type data owed some nominal amount (say, $10) to the owner of that data if it is compromised for any reason. Either way, companies that aggregate large amounts of such data would end up buying insurance.
No insurance company would sell such policies without due diligence -- they would establish security requirements and pen testing. Consumers are protected by the existence of an actuarially fair insurance policy. not by the (nominal) compensation. Note that Equifax's customers are (primarily) not consumers. Regulations (in the form of liability law reform or nominal compensation) may not be required in industries where companies only hold the data of their own customers, but such companies could cite their insurance policy to convince their customers that they take security seriously. (Now it's always empty words.)
This sounds like the most efficient solution to me. There is no need (and for many, no desire) for the government to take on the role of tracking citizens.
A minor but strategic change in liability law around privacy would shift incentives in the way you describe and suddenly it becomes in the best financial interests of the companies to protect the data. Indeed this is the only kind of incentive they will respond to.
Nationalizing the credit industry doesn't really solve any real problems as far as I can tell.
Frankly speaking, if we're going to be tracked (and we are, lots and lots), I want the government as involved as possible, whether through strict regulations or through being the central repository for that information.
Maybe do it state-by-state, so long as each state follows some federal guidelines and each state provides a way to interoperate with the rest, and with private businesses that need access to that information, if the feds freak you out.
Why?
Because I can, in theory, have my say in how the government operates. I can vote, I can submit comments, I can go talk to elected officials, whatever. I have zero recourse when private companies schlep my data around and wreck my life. Voting with your vote is best, but I can't even vote with my dollar with Equifax.
You have too much faith in government--voting has not reined in the rogue elements of the US government. Far from it. $2Trillion budget, black programs, black sites, renditions, and then plenty of run of the mill bullcrap going on, too like IRS targeting groups for political purposes, ATF "gun walking" schemes that backfired, PATRIOT Act, mass surveillance programs, do I need to even go on?
Totally agree with you. I know people who refuse to vote, use doctors, etc, to "prevent the government getting data about them" - but are registered on Facebook, Google, carry a smartphone, etc. I don't understand how people can be so paranoid about the government, and simultaneously so trusting of large corporations.
The opposite condition also exists: I don't understand how some people can be so paranoid about large corporations, and so trusting of government. They are both merely human organizations with large powers, and subject to corruption. We should be wary of both of them.
Firstly, examples of governments that have any people voted in at all are cherry-picked. Around the world, there are governments that are not voted in, or are "voted" in by a sham process which only has the external appearances of democracy.
Secondly, in democracies, a fairly common pattern is that the government consists of some seats that are voted in (parliament) plus some that are appointed (senate). The power is divided accordingly. (A minor point is that it is not uncommon for the leader of the elected party to appoint people for the uppermost staff positions: a so-called "cabinet" or whatever.)
Thirdly, government in the broad sense includes not only the parliament and senate political structure but all of the institutions of the government that actually get various things done throughout the governed region, and all the levels of bureaucracy employing large numbers of people. All of that staff is not elected; they are just people hired into positions and they generally keep those positions across government changes. That bureaucracy has considerable power of its own; not every single decision they make which affects you goes through a parliamentarian that you elected!
For one, as kazinator said in the sibling comment, even in the best democracies this is only true of a small percentage of government jobs - there are many powerful agencies and influential staff positions that are not elected and therefore not subject to the oversight of the people over whom that power is exercised.
Two, yes, many of the highest profile, and most powerful, positions are elected. And in practice, over time, this means that these positions have selected for people who are 'electable' - which has itself over time come to mean people who can raise huge amounts of campaign money. This is a deeply corruptible situation, if indeed it is not already deeply corrupted.
I agree with the idea that open public oversight is a powerful corrective, and is a major difference between private organizations and public ones with effective means for perceiving and removing corrupt officials. I think it is highly questionable to what degree the latter describes our current situation in much even of the democratized West.
He's a nasty one - my wife got a big box in the mail from Enfamil last week. "Congratulations on your new baby, here's some stuff to get you started!"
One problem. She didn't know that she had been pregnant and suffered a near fatal (to her) complication and miscarriage 7.5 months ago. Only a few parties were aware of this: My family (not posted on Facebook), two health insurance companies, the hospital, two pharmacies and the Ob/Gyn practice. Last week would have been the due date.
One of more of those entities, who are all supposed to protecting her privacy failed to do so to extract a few more bucks.
You and I have different meanings for the word, efficiency.
My definition: the most efficient has the least wasted effort and the maximum productivity.
I do not think having individuals & classes going off and suing everyone they can, every company buying piles of insurance against these suits (because how could they reasonably guarantee perfect privacy?) and having insurance providers coming to evaluate each institution...
This is only legally efficient, in that it requires the least amount of nuance in law.
There's a reason we have public infrastructure and services, and it is for efficiency.
We already have this in the US for another industry: HIPAA for health records.
And it generally works pretty well. In the law, the government lays out rough things it wants to see (e.g. access restrictions, auditing logs, etc) + penalties (financial and otherwise) and then lets the industry find a way to meet them. Furthermore, there's a legal distinction between willful and accidental non-compliance.
It's absolutely added cost, but generally seems to accomplish its privacy intent.
What specific components do you think are problematic?
I've worked as a developer with health care providers and insurance companies for 5 years, and other than it being annoying as "some regulation exists" no one I've talked to feels it's a bad solution to the problem.
Asking industries to be happy about privacy regulation seems an unreasonable goalpost.
By my quick reading, the majority of that article is spent dismantling the complaints of those at the beginning of the article. In summary, the complainers appear to be either overly cautious, or flat out misinterpret the law.
Besides, I’d be willing to bet that those at Equifax would have similar things to say about a comparable credit reporting law, just like how some medical practitioners don’t like HIPAA.
The US government is already tracking the financials of its citizens. Even foreign financial institutions are required to report financial activities of all US citizens. Otherwise, they will face heavy sanctions and fines. IRS would not become any more invasive if they are also tasked with maintaining credit histories. They are already as invasive as it can get.
So did Equifax, and Target, and Home Depot, and...
I don't see the point you're trying to make. If we're going by "who has made the news for hacks lately", the private sector is by far the worse choice.
OPM can't be sued into oblivion. The federal government gets to decide if you even have standing to sue them. What are the odds that they'll react accordingly?
If "being sued into oblivion" is such an existential threat to these corporations, why does this keep happening? Nobody is getting sued into oblivion, so I don't see why that's part of the argument. It's not "suing to destroy a corporation" vs "trying to sue the government", it's "free credit reporting and a BS 'we are REALLY sorry' letter" on both sides.
Also, OPM does not get to decide if you have standing to sue them. That's up to parts of the government so far removed from OPM they might as well be a different entity entirely.
So I am not one of those people that says that the government is bad and terrible and evil and can't be trusted to ever do anything. But a government agency that has all the info about all my accounts, and is a reputation agency which basically hands down major decision factors that will affect my life (can I get a car loan? a mortgage?) seems ripe for abuse. Think of how well no fly lists currently work: if your name is on that list, you are fucked. If you end up there by mistake, which apparently happens with some frequency, you have to prove that you aren't a terrorist. If your name matches the name of someone on that list, you can be fucked. I just don't have faith in a system like this.
I don't have a good solution for the recommendation system like this. Maybe we wouldn't need it in the first place if we didn't do so much debt financing of stuff. Or maybe it needs to be less centralized: applying for one loan, you need to show payment history on a few other loans, etc. But I just don't see a centralized government run agency as the solution.
> But a government agency that has all the info about all my accounts...
I'm quite happy with the approach that Switzerland has taken. Firstly, there are no credit scores or credit reports. Instead, there is a well-defined and regulated way to collect on overdue bills: The creditor requests debt collection from the state debt collection agency. At this point, collectees may decide to pay, to object to the prosecution or not to react. Objecting leads to a defined legal process where the creditor must prove the debt, and the collectee can defend themselves. In case of no reaction, authorities may proceed to seize assets.
As for the reporting, the debt collection agency will only keep a file on people against whom a collection request has been filed, and only make it available to the person in question and entities with a qualified interest in it. In practice this means that when renting a flat or getting credit, you request your own (empty) record and submit it to the landlord/bank in question. The agency is also responsible to expunge entries from that record after a defined time. And since responsibility for collection lies with a state agency, there's very little risk of the kind of harrassment you hear of in horror stories from the states.
The implementation has room for improvement: records are kept locally, tied to the state you live in and there's no immediate way to get online confirmation. Those are details though, that could be fixed in a clean implementation of the same system.
I used to think that way and then the Office of Personnel Management sent me a letter notifying me about their massive data breach and any scintilla of faith I still had in government's ability to secure data vanished like a fart in the wind.
Aren't we already sort of in a worst of both worlds situation here? The IDs we are using as primary keys are from the SSA. The FHA is involved in most American's mortgage decisions. The Stafford loan program in most of America's student loans.
But we also have giant for-profit companies aggregating giant databases with little to no oversight, and up until recently no ability to access your own data for free, and still today no straightforward, across-the-board, means to appeal bad data, or collect damages from it (or from leaks of it).
Even with the terrible things associated with the no-fly list there is a TSA appeals process and a court system to challenge it. Do you know how you correct mistakes in your Equifax-TransUnion-Experian composite credit score? You mostly don't, and you most likely can't take them to court, because they think you are bound to arbitration.
I don't know if there is a good solution here either, but at least a government-run solution would have to be accountable to the people as citizens/constituents (even if it would still likely be in the pocket of the banks).
> Do you know how you correct mistakes in your Equifax-TransUnion-Experian composite credit score? You mostly don't, and you most likely can't take them to court, because they think you are bound to arbitration.
Sorry, that's not true at all. I went to Experian late last week to set up a fraud alert because of the Equifax breach, they showed me my credit report and had a button to mark things that were factually incorrect. I did so and submitted it. They did some sort of investigation and removed the data because they couldn't verify that it was correct. It was as easy as filling out an online form. (Actually, I think I had to call about 1 particular item, but it was handled over the phone.)
I was being partly hyperbolic about the worst case. Keep in mind that fixing Experian doesn't fix TransUnion or Equifax, and there's no simple way to correct all three at once.
"In at least 40 other countries — including Belgium, France, Germany, Italy and Spain — credit reporting can be done by a public credit registry. It is usually operated by a central bank that already oversees the financial institutions that feed information into the reports. These reports tend to be more accurate because the operators have a legal right to demand data from banks as well as a mandate to ensure it’s correct and that errors are fixed. Data on late payments and defaults are erased once a consumer has settled up."
I confess that I didn't read the article. My bad, and thanks. I am going to hit up Google and see if I can learn about the mechanism and effectiveness.
It does look, from the snippet, like they aren't quite the same. I don't yet have an opinion on that, specifically the bit about data being erased after it has been settled. That's pretty different.
I shall see what I can find. It may change my opinion. Thanks again.
Privacy WRT contracts could also be improved. Why is my payment history shared with any credit company? Perhaps people will slowly choose companies similar to duckduckgo over google.
100% this. Allow consumers to opt-in or out of data sharing with credit bureaus. This at least would make room for alternate models of credit rating / risk that would not centralize this information in a couple of annoying locations.
I don't see why opt-in wouldn't work. You could at least have control over who is amassing all this data on you and change credit agencies in a sort-of marketplace.
It wouldn't work. Suppose Equifax gets hacked and the data gets out. Would TransUnion then be liable because they also had that data? What if TransUnion subsequently got hacked? Would they be able to argue, "Sorry, your data was already in the public domain," and get out of the liability?
The bigger problem I see is it incentivizes them never to come forward, or to massively downplay an attack. I guess if the damage is small enough and the penalties for nondisclosure astronomical enough (or that pierce the corporate veil), it could still work though.
> any company storing SSN-type data owed some nominal amount (say, $10) to the owner of that data if it is compromised for any reason
I think a company should be able to avoid a fine if they disclose breaches immediately and are able to document that they followed best practices. From what I've read about the Equifax breach, they would definitely be found negligent.
Well no, because under jedbrown's scheme the insurance is there to pay the claim.
Simple analogy: a homeowner still has to make a claim if their locked, alarmed house is ransacked while they're away. Insurance may subsequently deny the claim if it's shown that the homeowner failed to follow best practices, such as locking doors and windows. In other words, adherence to best practices is a condition of insurance.
That documentation would already be available because they would have prepared it during the insurance underwriting process.
And suddenly there would be a much more litigious and powerful entity on the side of protecting consumer data, the insurance company that underwrote the policy. They deny the claim and Equifax suddenly has a lot more problems.
No, it needs to be strict liability. If an entity is as responsible as possible and still accidentally causes millions of dollars of damage, they've still caused millions of dollars of damage. Some things cannot be done safely, and if entities want to do them anyway they should be prepared to bear the consequences.
It may be the case that once all the privacy related externalities are pushed back onto credit reporting agencies then their business model is no longer viable. I, for one, am fine with that outcome. If that's the case then credit reporting agencies were never a net good for society in the first place, and all the regulations are doing is exposing that truth.
No, not in that case (your hypothetical responsible bureau): it's the criminals who have caused millions of dollars of damage. The insurance proposal creates the right blend of incentives to promote responsible behavior and punish - significantly - incompetence (i.e. denied coverage).
To extend your thinking, consider air travel. Airlines act responsibly, even to the point of having government provide much of their security, yet occasionally terrorists manage to blow up aircraft. In that scenario, you'd have the airline be fully ('strictly') liable because of an external event they did everything to avoid. The harm is greater too - death is worse than ID theft.
Truth is, nothing can be done safely. Not travel, not business. There is always a tradeoff between risk and benefit.
Credit itself is an enabler for the economy. Credit bureaux facilitate comprehensible risk management, which allows for market forces to operate around interest rate setting reasonably effectively. Absent bureaux that same function needs to be performed, but it'll be done in a decentralized, ad hoc fashion by individual lenders which will impinge on their business models and ultimately drive up rates.
So you don't like the bureaux; well, nobody does really. But what is an alternative which allows lenders to compare applicants on a like-for-like basis with some degree of confidence?
When I fly, I'm aware that there are risks, and I choose to opt in when I buy a ticket. The risks are super obvious, and I'm the "customer". Not to mention airport security is pretty heavy handed and visible.
Data gathering is usually not opt-in and it's also intentionally non-obvious who your information is shared with in most cases. I'm also rarely the customer, which means there's very little chance that my interests are being represented. Security or lack thereof is pretty hidden as well.
I suspect we would find a way to fill the economic holes if every credit bureaux was phased out over the next 5 years.
IMO, the entire vertical needs to be more transparent.
You're entirely right on the first two points. But you do implicitly opt in by being a consumer of credit. I recognize that's a bit mealy-mouthed, since it's rather hard to exist in modern America without being on Equifax's radar, but nevertheless there is at least some illusory optionality. I completely agree with your final point about a need for greater transparency. But this is the situation we are in.
I think the much more interesting discussion is about how those economic holes are filled, and it's why I posed that question in my note above. Of all the corners of the internet where you might expect such a solution to be proposed, HN is surely the best. What does post-bureau creditworthiness attestation look like? Presumably it's decentralized, to minimize aggregate harm to people in the event of a hack. Presumably it's de facto (and de jure) verifiable and correctable by each individual. It must also have some sort of graduated 'need to know' disclosure mechanism, with crude aggregate scores available to low-ranked creditors (cellphone companies, for example), and much more detailed information available to senior stuff like mortgage lenders. And why wouldn't it also have a facility, which didn't disclose creditworthiness data, for authenticating users to various services?
But then why not go one step further. Why have this stuff in one place per consumer at all? Why not have lenders jus reach out over an API to every other lender to ask in effect "How good a debtor has scrumper, with SSN 01-234-5678, been for you? How long have you done business with her?" and get various answers back, all of which can be factored into some model which conforms minimally to a regulator-provided specification? The size or risk of the loan dictates the depth of that pan-industry query. Companies don't hold any more than they already hold, and there's no nexus for that data at all. And all the lender is allowed to keep is the model result, some sort of FICO equivalent, for a particular applicant.
With air travel the people bearing the risk are the direct customers. If I'm uncomfortable with the safety record of airlines I can simply not fly. How do I opt out of the risks imposed by a credit rating agency?
The closer analogy, I think, would be if cargo planes were routinely crashing in populated areas. The air freight company and its clients may well be completely comfortable with their loss rate, but the unaffiliated third parties living underneath would have a pretty justifiable reason to complain.
> Truth is, nothing can be done safely. Not travel, not business. There is always a tradeoff between risk and benefit.
This is absolutely true, but as currently constructed credit agencies get to reap the benefits while pushing the risk off onto the general public. If we regulate to internalize that risk and the agencies still think it's a good risk/reward tradeoff then that's fine. If they no longer think it's a good tradeoff that's fine too.
> So you don't like the bureaux; well, nobody does really. But what is an alternative which allows lenders to compare applicants on a like-for-like basis with some degree of confidence?
There's several suggestions elsewhere in the thread, but I'm going to go out on a limb and suggest: nothing.
On a macroeconomic level, easy availability of credit increases average growth but also increases total risk, and therefore volatility. It's not apparent to me that that's a good trade.
On a microeconomic level, the benefits I receive from being able to get credit easily have to be weighed against both the suboptimal personal accounting I have to engage in to keep my credit score up and against the long tail risk that a third party can open a line of credit in my name. It's not apparent to me that that's a good trade either.
Maybe lenders should be much more conservative with who they loan to. Maybe they should price in a much higher default rate. Maybe individuals should seek a single line of credit from their bank of choice instead of expecting expenses to be financed individually. I don't know, I'm just some guy with 2 semesters of college-level economics. What I do know is that the status quo isn't sacred and the arguments explicitly in support of it seem to boil down to "growth is good and change is scary", which seems like really weak rationale for giving someone most of us don't even have a business relationship with essentially unilateral control of millions of people's financial fates.
I thought this was an excellent comment with some very strong arguments, good food for thought.
So yes, the problem is one here the credit bureaux get to externalize their risk. I was arguing with your rejection of the 'insurance model' for bringing some of those externalities back in house. Your proposal of strict liability is really just a banning of the industry in disguise: without the possibility of insuring away those risks it's not viable to stay in business - an agency is going to get breached even if they are as careful as possible. I don't think the lobby (and it'd be bureaux and lenders lobbying on the same side) would permit that outcome, no matter how strong the political will. It's too far reaching.
My response is, insurance doesn't preclude elimination. Those bureaux aren't going anywhere tomorrow. Incremental reform along the lines proposed by whatever grandparent we are both under provides a path to improvement, better risk management for individuals, and it could perhaps ultimately lead to your desired end state of a completely restructured consumer credit market.
For the record, I'm not opposed to credit agencies buying data breach insurance on whatever terms they can negotiate. I'm just opposed to the idea that any amount of caution on their part should dissipate their (or their insurer's) legal liability in the event of a breach.
I do agree that would probably be a de facto ban on the industry, or at least a radical restructuring thereof. My suspicion is that the industry is actually not a profitable enterprise once all the externalities are properly accounted for. But I'd be happy to be proved wrong, and I'm more than willing to give the industry a chance to figure out a model that works.
Edit: Completely off topic, but this is the nicest internet argument I've had in a long time. Thanks, scrumper, for being an excellent debating partner!
> I'm just opposed to the idea that any amount of caution on their part should dissipate their (or their insurer's) legal liability in the event of a breach.
Oh then yes we totally agree. If they're prudent, their insurer pays. Otherwise they do.
You might be right about the credit reference industry being ultimately unprofitable as a standalone business, but I think there's a lot of arguing to be had about the magnitude of those externalities. That's why we need a law to provide some automatic, per-individual-leaked fine - the insurable risk from way up-thread.
> it's the criminals who have caused millions of dollars of damage.
Yes, that's true. But as the poster above already said some things are simply not safe to do. If I wanted to warehouse explosives, I wouldn't be allowed to do it near a populated area, I'd have to put my warehouse far away from populates areas. But absent that prohibition, let's say I found a cheap space in town, and so I loaded it up with tons of explosive material. Then a homeless fellow breaks in one night and manages to start a fire, burns the place. He survives, but the explosives were set off and half the town blew up. You'd think it's okay if I shrugged my shoulders and pointed at the homeless fellow?
Credit reporting bureaus have free reign to screw up here because there's no oversight like the BATFE and no reasonable way for them to be sued into oblivion when they screw up so badly as Equifax has clearly done here.
How anyone can trust Equifax to do anything anymore is beyond me. There is still no corrective force here to cause these companies to become competent with data security. This is a farce.
We're all arguing under a parent post which wants to reform the industry to bring some externalities back onto the agencies' books.
If it's legal to operate an explosives warehouse in town at the time you do it, then unfortunately yes I have to answer that, provided you'd complied with applicable laws in securing your warehouse full of bombs, then you could shrug your shoulders. But you'd then be shrugging in the face of a barrage of lawsuits (as is happening now with Equifax). Soon after your homeless guy blew up the block the laws would be changed. And that's the situation we're in now: rubble everywhere, with a chance to make legislative changes to prevent a recurrence.
> So you don't like the bureaux; well, nobody does really. But what is an alternative which allows lenders to compare applicants on a like-for-like basis with some degree of confidence?
Ironically, even if I liked the bureaux (I don't) I couldn't do it any more. Their negligence self-defeated their mission.
With the leaked information, no credit report from Equifax is believable any more. If somebody slams it in my face I can shrug and say "Nope, that's not me: leaked information". Everybody in the Equifax data can do that. Everybody in the other companies' data which intersect with Equifax's can do it. All of a sudden, these companies are providing zero value.
Except that'd be willfully lying in pursuit of financial gain, so no you can't really do that. The burden is on you to correct the record and defend against ID theft.
If only. That's lying for financial gain though (or a job or whatever). Burden is on the consumer - you - to get Equifax to correct it. Credibility may destroy their business if competitors are better, but in the meantime you can't refute by default on a presumption of inaccuracy.( Not trying to sound lawyerish here, I'm talking generally.)
But I am not the consumer of Equifax. I have not paid them, nor asked them to do anything, nor indirectly getting a service from them [0]. The consumer is the bank or whoever paid for the information. So, on your logic being "the burden is on the consumer", why should the burden be on me?
Second, why would the presumption of inaccuracy trump the presumption of accuracy? Who said Equifax is right? Especially since they have a track record of incompetence. As any debate on facts goes, the burden of the proof is on whomever is making a claim. Equifax is claiming something, i.e. that my credit score is X. I'm saying it is not.
I concede you that what you say is probably how the law and the system works right now. And I concede that mine was more like a desire than a real prediction. I know things won't change. But that doesn't change the fact that, after the hack, Equifax and similar are just selling hot air.
[0] If you want my credit score, you ask me for my statements, nor Equifax. If anything, Equifax is damaging me with their inaccurate information.
You say "this can be fixed", but don't seem to have read the article. Your proposal only speaks to one of a myriad problems a firm like Equifax presents.
>This can be fixed by a small change to privacy liability law.
People in glass houses shouldn't throw rocks.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
This too can be "fixed" with a small change to liability laws.
How is that even remotely similar? If I download a piece of software, then yes, I can expect to take responsibility for verifying it serves my purposes.
I never asked Equifax to keep me in their database and send my information to creditors.
>I never asked Equifax to keep me in their database and send my information to creditors.
It seems you can't be expected to take responsibility for reading the fine print in your loan agreements. Quite an interesting bit of cognitive dissonance you have there.
Agreeing to something is not the same as asking for something. Consumers are not the customers for credit bureaus. We tolerate them, but now maybe not.
Credit reporting is always consensual. In the same way you agree on the interest rate, fees, payment schedule, etc., you agree to a credit pull at the beginning of a loan and reporting on your payments over time.
Maybe you feel entitled to be extended a loan without any credit reporting. I, personally, feel entitled to a loan without any interest. But neither of us are going to get what we want.
Disruption solve a problem better for the customer. There's little evidence that credit bureau customers (lenders, et al) experience this as a problem. So I don't think this is much of an opportunity for disruption.
It's ok to post stories from sites with paywalls that have workarounds.
In comments, it's ok to ask how to read an article and to help other users do so. But please don't post complaints about paywalls. Those are off topic.
Now here is a perfect, legitimate use of libel law. If a company with whom you have no relationship is lying about you to people with whom you're attempting to do business, that sounds like libel to me.
Of course, that's preempted by a federal law that Equifax & friends carefully purchased. Perhaps all we need is for them to lose that protection to give them a reason to care.
Now you're talkin'! Today, an ordinary person can barely even get inaccuracies in a credit report changed after laborious effort -- to say nothing of being denied a house, a car, or a job as a result of that inaccurate info.
Equifax and the credit agencies only exist because they are allowed to perpetrate great harm spread across millions. They are a giant negative externality.
The only proposal for any kind of action I have heard on this is the Warren and Schatz legislation which is appropriately titled" Freedom from Equifax Exploitation (FREE) Act"[1]
Aside from Senator Warren I have heard very little concern from lawmakers in Washington regarding the menace that these credit reporting agencies have become and the threat they pose to people.
I can understand the impulse to want Equifax punished for getting hacked and releasing all of this information. But I think these credit bureaus are small fry compared the size of the companies that are at the root of the problem: banks and other entities that make loans. The reason most people don't like the credit bureaus are the fear of "identity theft" not the spread of truthful information about themselves.
A bank makes a loan to a fraudster who is impersonating you. The fraudster defaults on the loan and the the bank tells a lie about you to the credit bureau, which gets spread around and hurts you in many ways. If we called this situation "bank slander" or "bank libel", the focus would be on who is creating the problem: the bank with its lie. Create high enough penalties for banks reporting false loan defaults and "identity theft" will disappear as the banks become more cautious of fraudsters. This is unlikely to happen as banks are concentrated and powerful institutions. "To big to fail" I believe is the term. I don't think the credit bureaus themselves are that influential in Congress but the banks want them and will lobby on their behalf.
It would be interesting to know how much money the banks get from people illegally each year from people paying off fraudsters debts to clear their credit reports from the false default reports from banks.
I keep seeing calls for the government to revoke Equifax's corporate charter, because we citizens cannot vote with our wallets in this case; we are not Equifax's customers. But I wonder about Equifax's actual customers, the financial institutions that choose to rely on Equifax for credit reporting. What sensible institution would continue to trust Equifax after all of this nonsense? Perhaps banks and the like should all abandon Equifax as a credit reporting source and let the company die of natural causes.
I think the real problem is that we have no definitive way to prove who we are. A SSN is fine and all but it's just a number that anyone can obtain and say they are me. We need key pairs or some way to prove that when we are requesting credit that we are in fact the person that we say we are. Until that happens the systems is exploitable by even the most inept of criminals.
I wrote to my senator about this solution weeks ago and have yet to receive an actual reply.
I think the problem is figuring out the transition from SSN's to something like key pairs/TOTP. How do we securely establish the "new" identity and pair it to the old SSN? Do we even bother and just start from scratch?
Individuals should have the option to tell companies requesting credit checks that they do not consent. Further more, it should be illegal to hold non-consent against the individual.
268 comments
[ 2.8 ms ] story [ 238 ms ] threadNo. They should be liable for the damage they cause with negligently allowing hacks like this, but the existence of private businesses should be default-allow.
Frankly, I don't know what should be done about b), but nationalization of credit reporting is not going to make any difference. As for a), as has been pointed out many times, one problem is that the people responsible do not have enough skin in the game. So long as the companies are private, something could, in principle, be done to to increase that, but in a nationalized industry, the responsible people would have even less personally at risk.
I don't know anyone outside of high finance who had a good opinion of Equifax before the breach was announced. Their recent hardships has certainly not helped that.
For myself, I definitely think that companies and their officers should absolutely be liable for negligence.
I like your idea that companies should be able to bear the cost of a possible future liability. I don't know how we can implement it besides some form of insurance (like sometime else said a $10 fine per person per breach but I'd up it to (2000 * minimum wage per hour) for every incident per person. At some point though we will need criminal charges for negligence or worse attempts of cover up (Equifax). We need to make it easier to convict CEOs and the board to put them in prison in case of attempted cover up or non disclosure.
Hence I think your latter point is right, executives really need to be more criminally liable. It's hardly unheard of, even if Ken Lay died before sentencing.
Of course the hackers are directly responsible for the damage, but Equifax's negligence sure didn't help. Maybe a fractional multiplier for sharing responsibility.
In the case of information disclosure risks, the parties for whom that information concerns often have little or no say in the actions which have direct bearing on them.
That's they "why not". It's not the company, it's everyone else.
just because someone gets my information by no means any company should accept a credit application, especially those outside of the area where the person has residence. It is this lack of safeguards that we should take issue with. Those issuing credit should always be liable for any loss.
Adding accountability to the general public via regulation may make them more bureaucratic. It may make them less. That's up to the invisible hand to decide, once their incentive structure matches their real world impact.
Mind you, I agree about adding accountability. I just doubt that's really a solution; it's part of a solution.
Equifax is definitely the latter.
Is there even a license that the Equifax company needs to have, in order to do this type of work, that can be revoked? It needs to be revoked! But I'm afraid they don't need any license, they just woke up like this.
The right to covertly surveil and maintain dossiers on 50%+ of the citizens of this country should not be default-allow. Strongly disagree. People in power holding that kind of opinion, is exactly how we got here.
Don't you think that somewhere in the T&Cs of a loan you took or a credit card that you got or a phone contract you signed up for (or many other things) are lines explaining that your information would be shared with credit reporting agencies? So legally, you would've consented to the sharing of information at those times. If that isn't true, then I'd assume that you should be able to sue the institution that shared your information with all these agencies.
There is no way out of this (the cat is out of the bag) but we can go on about our lives without Equifax. They need to be unplugged.
We can't just unplug all three agencies and shut down the credit industry, but why can't we shut down Equifax? Take the drivers' license and the car keys away from the drunk driver.
They are the ones that let the cat out of the bag, they should no longer be allowed to collect our personal information. There is no reasonable argument that can be made that Equifax in particular, should be allowed to go on making money off of our personal data with the negligent failure that they have created for us and admitted to, after what all has happened.
Edit: When Sonny Vleisides plead guilty to Felony Mail Fraud in 2007, he was forbidden to engage in loan programs, gambling or gaming activities, telemarketing activities, investment programs or any other business involving the solicitation of funds. He went on to found the company called Butterfly Labs in 2010, a company that took pre-orders for Bitcoin mining equipment (in many cases soliciting funds for hardware that didn't exist, until it did).
Many people argued that this model was a direct violation of the terms of his supervised release. He stood in front of a judge in 2014 that said there was a "strong smell" of fraud with respect to his company.
Equifax it seems gets to skip the whole "plead guilty" thing and just announced their negligent failure directly to the world. When does Equifax get their 14 months in jail followed by a supervised release? Never, apparently, they just go on about their business and no charges are filed. It's absolutely ridiculous in my humble opinion. Maybe I'm the one who is being unreasonable, expecting that the wheels of justice can turn more rapidly than one can reasonably expect.
It's not exactly parallel, I'm stretching to draw parallels obviously, but there should be some parallels in the arena of legal action here. Has anyone argued that Equifax wasn't negligent in the circumstances leading up to the breach? What about in their actions since then? How much further does it have to go before we can get the FTC or US Marshals involved and shut the place down?
From the article.
At the end of the day, whether it's a private or public credit agency, they're still collecting all your data whether you want them to or not (modulo going full Thoreau and removing yourself from the economy), and still could get hacked and have all that stolen.
No, I disagree. A public agency would have the same value as a target. But its incentives would be better aligned (no profit motive), which could result in better practices and less actual risk.
Are they licensed to do this type of work? Shouldn't they need to be? Should that be revokable? What is the process for revoking that permission, and can we get it started already? It just came out that in their response to the breach, they've been linking their "customers" to a phishing site since September 9. It's time to revoke those grants.
To be fair, I'm pretty sure they can legally do that if this was actually the case.
Absent any law that says exactly how they may and may not collect and retain such data, you're probably right that it is exactly what it means. The owners of the data (the banks) authorized them, so they are authorized to have the data.
It does not change the fact that, if true, the law is an ass. I do not grant power-of-attorney to the credit-holders that I do business with. They are not authorized to sign documents in my name. They should not be able to authorize arbitrary agencies to hold my personal data in an irrevocable fashion.
(And if I understand the difference in law between US and Europe, in Europe they would not be able to permanently retain my personal data without any recourse for me to shut it down. But in the US, they may be allowed to do this.)
I think you're placing too many constraints on a hypothetical contract just to support your initial argument. Most likely the contract is carefully written in such a way that it's legal for them to do whatever they wanted to do with your data to begin with. It's pointless arguing over what ifs.
This is not normal, it is dysfunctional. I'm not arguing that it's not legal, I'm arguing that they need to lose their license. (Never mind that no such licensing requirement exists. Like I said, it's a dysfunctional system, and I don't know why we don't have more than 3 credit reporting agencies. It sounds like a great gig!)
With the amount of power these organizations and this information has over each of us, individually, I'd go so far as to say there is a human rights issue at stake. People's lives get fucked up through credit bureau mistakes, and what consequence is there for those bureaux?
Pointing to a subclause in a contract to say "well, here's where you let them potentially fuck up your life with no recourse, and everything is legal" suggests to me that our thinking around the power these agencies, and around ownership of information about our lives, have needs revisiting.
It would not be so controversial if I claimed that Amazon grants customers a revokable license to audio and video content hosted on Prime, but my social security number and credit history evidently is not afforded as much protection under the law.
Paying rent is also bad for you.
Are you claiming that people don't know what credit reporting is when they sign loans? If so, that's a failure of basic financial education on the part of parents and K12. If someone imagines they have the right to delete the records of debts they don't want to pay, that person has been tragically misled about the fundamental nature of adulthood.
Knowing that lenders communicate with each other about your reputation, especially when you'd rather they wouldn't, is right up there with knowing what interest is.
There are three credit reporting agencies. Can you tell me why there aren't more? Because from everything I can tell, there is nothing short of purely criminal activity that could actually result in Equifax being required to go out of business. It seems that no amount of negligent behavior on their part can give me the right to say "cease and desist your retention of my record," while I've never so much as signed a document that came from Equifax. I have no direct relationship with them, and I have the right to get a restraining order if a malicious stalker is all up in my shit, so how is this situation any different? What makes them the authority? Because credit banks do business with them? That's nice... I want them out of business! In Europe, I would have this right. Nobody could maintain a file on me that I can't get a legal order for them to delete.
I'm not talking about debt holders. I'm talking about this parasitic company that evidently has no security team, or has chronically underfunded it to the point that we get where we are now, or had simply disregarded their advice umpteen times _after_ it became clear that the situation was very dire.
The struts vulnerability was disclosed months before they patched it. Any security researcher worth a dime could have told them it was a mistake to put up that equifaxsecurity2017 site that was literally (so much that their own Twitter account linked to it 9 times) indistinguishable from a phishing website and make the only way to know it was legit, a link from the front page of Equifax.com.
How did they get such a great gift from the law, if such is true then sign me up to be a credit reporting agency! I know how to build crappy websites and persist database records, it seems I meet all of the non-existent licencing requirements to be a CRA.
It is an agreement with my bank. That lets my bank off the hook, not the negligent credit reporting agency Equifax. I must still have some kind of rights when any kind of agency is legally allowed to store my SSN and personal information. If this was Europe, with their data privacy protections, I would be sure about that. The reality in this country is, I have no idea if "I must have" is a statement of fact or not.
It should be my right to revoke this privilege that they have gained, however they came about it.
If I can go into Google and click a box to completely expunge my google history, why can't I do the same with a credit-reporting agency?
I get that the thinking is, well, you could just expunge away bad credit choices... but, so what? Your blank credit history is now your red flag, as well as a bad one.
But if you wanted to opt out, you could.
What could possibly go wrong? (Hah, I didn't mean that as a jokey rhetorical question!)
And it's the bank's right not to write loans to people who think this, and they're exercising it.
The whole point of credit reporting is that you can't make your record go away.
I can't tell Equifax to get bent and delete my record. I'm not asking for my credit history to go away (and shame on you for being the tenth person to suggest that I am), I am asking for the harmful company that appears to have chronically underfunded their security department, or ignored their advice, or whatever else has gone wrong to land us here, where we are now, to go out of business.
If I can't have that, then I'd settle for them being required to delete MY personal record upon my request. Next time I need to pull my credit file, I'll warn the lender not to try to pay Equifax to look me up, because they're going to get back a null reference with a timestamp of some September 2017 date on it. What's so hard about that? If the lender doesn't like it, I'll take my money elsewhere.
Lenders can keep their own records and report them anywhere they want, within the terms of our agreement and the law. I should not be obligated to remain in Equifax's database until fraud, criminal mischief, or negligence on their part is proven in a court of law. I am just asking for some modicum of control over where my records are stored, kept and shared.
But... that's not an option for me, we don't have EU style personal data privacy and protection laws!
Why yes, you did through your agreement with any vendor (e.g. bank, credit union, credit card company, rental) that you have dealt with. This is a standard clause, although some places don't actually do it (my landlord for instance as I found out when I went for a car loan).
I hate this, but claiming you didn't consent is just not a credible answer without some additional legislation to force contracts to be explicit in whom a vendor may share information.
I can't say whether Equifax's agreement with the bank provides any clauses to allow for revocation of Equifax rights to store the information about me, but if it does not then I need to go out and find me a new bank with some better lawyers.
(I'm saying that a scenario such as this whole series of negligent behavior and events, should trigger one of those clauses.)
Im not saying they never had a right to store the data, I'm simply saying that it should be revoked. Let's not give them more responsibility and more data, they've already proven repeatedly that they can't handle it.
You are trying to draw boundaries that don't exist.
Shouldn't they have some kind of licensing requirement in order to be held accountable for their security practices? Where is the line, that when they cross it, they should lose their accreditation? There isn't one, because there is no such accreditation (not to my knowledge anyway.)
It is not reasonable if there are only 3 credit reporting agencies and they do not have any licensing requirements. If I am mistaken about this, please correct me.
But as of now, those requirements don't apply to them. So acting like they do is distracting at best.
Let's figure out ways: a) to know what they have, b) to force them to accept corrections, and c) add major negative consequences if/when they f* up.
If 140MM Americans (or even 50MM, let's be reasonable) told Equifax that they wanted to be removed from their database in response to the breach, and Equifax was required to honor those requests, it would be a step in the right direction.
That would be enough to put some "fear of God" into the shareholders at the remaining credit reporting agencies, and it does not sound like an unreasonable request at all. Companies going forward would have a disincentive to do business with Equifax, because 1/3 of people are missing from their database. (Instead, we're all permitted to buy more "Credit Freeze and Monitoring" solutions from Equifax, for the low price of $0, plus a low low payment of $10 every time we need to freeze or unfreeze our credit again to access it in the future. So let's dig the hole even deeper!)
Citizens that want to have credit would not be incentivized to remove their credit history from all three reporting agencies; as you probably already know, having no credit history is worse than having a bad credit history.
Then again, if we allowed that, then what's to stop those hackers from benevolently making the request on behalf of all 140MM people whose information they have appropriated.
There is no negative consequence that will incentivize Equifax to do better next time, if the result of this breach and their subsequent bungling of the response, is that they are allowed to continue operating their business without interruption.
Take the keys to the car away from the drunk driver. That's step one.
CRAs are regulated by the government, with things like GLBA, CFPB, FCRA, and other acronyms covering what they can and cannot do, what their responsibilities are, etc. The CRAs have all been fined for improper handling of data, failing to adequately vet data provided to customers, etc.
CRAs get data from two places primarily: public records and CRA members (banks, credit card companies, retailers, etc.) The public records stuff is just that: public. Anyone can get it if they ask and are willing to pay the costs to gather it.
Member data is provided by members to CRAs, and you absolutely grant the right to them to do so when you signed up to use them. When you get a bank account, or credit card, or sign up for a store card, or really agree to do business with any entity on a financial basis, you approved it with your signature.
Your statement about "covert surveillance" is factually incorrect. You have a right under the law to view your entire credit file as held by all CRAs once per year. I also think (not sure) that you can get a copy if you're turned down for credit due to information on a credit report. So how is it "covert", if you not only know about it but can see it?
You have made a substantive comment and I don't have time to respond substantively to any more comments right now unfortunately. I'm not arguing that they didn't have the right to collect the data.
I'm arguing that we have two other credit reporting agencies that appear to be functioning properly, and one that looks like it is in a continuing state of dysfunction. There appears to be no end to their ongoing dysfunctional behavior, and no possible remediation for affected parties on the horizon at all.
I just want to know what other kind of business in America would still have any customers after the two weeks that Equifax has just had? Do you think that Equifax should now have the right to continue operating, all things considered?
I strongly suggest you do some research about that. You'll find that the other two CRAs have been equally "negligent" at different times.
> I just want to know what other kind of business in America would still have any customers after the two weeks that Equifax has just had?
Remember the Target data breach? Or the Home Depot breach? How about when Sony was distributing a rootkit on their music CDs? Or when Lenovo was distributing a malware package preinstalled on their laptops? Or when Best Buy was selling digital picture frames that had a virus? The list, sadly, goes on and on and on...
> Do you think that Equifax should now have the right to continue operating, all things considered?
Of course. Since you're here on Hacker News, I presume you must have some knowledge of computer security...do you really think it was negligence that caused all of this? Do you think that the other CRAs are in any way more secure or less negligent? Or banks? Or any business that uses, say Cisco switches (which have tons of vulnerabilities)? Or businesses that uses Microsoft Windows (too many viruses and worms to count)?
First they suppressed valuable information in the form of interviews with their CISO that were public until September 10, when they came down for some reason.
Then they started tweeting out links to a phishing site that looked just like their own "equifaxsecurity2017" site. About this time, the CIO and CISO were removed from the picture entirely.
A few days later, each of these gaffes became known. Meanwhile they had delayed long past the timeline outlined in legal requirements for their reporting of the breach. Where are the Congressional interviews with their executive directorship?
Not on the calendar yet, why don't we schedule it for next February 30th. First of never. I'm just as incensed about the (seeming lack of) response of law enforcement, which admittedly I don't personally have much visibility into, but seems inadequate.
At a minimum I would argue that Equifax needs a "time-out." Ideally they would not be handling the response to this situation at all. They should go on the hook to pay someone competent to handle the response.
Not much to say about that one, for sure. I still don't understand why they wanted to make a completely separate site with that stupid name.
> Meanwhile they had delayed long past the timeline outlined in legal requirements for their reporting of the breach.
I think you'll find that they adhered to the letter of the law on that. Maybe you know when Equifax made the breach public, but you don't know when they first contacted the relevant authorities (law enforcement or regulatory).
> Where are the Congressional interviews with their executive directorship?
Oh, that's coming, for sure. Other companies have been called before congress for far less. But what good has ever come out of such a hearing? That's what you do when you want to save face with the American public and seem like you're going to do something. There might be hope...Al Franken is the ranking member on what I think is the relevant committee, and he usually does a good job in calling out BS when he sees it.
> I'm just as incensed about the response of law enforcement
How so? What would you expect from law enforcement here?
Copied from another sub-thread I posted in...
When Sonny Vleisides plead guilty to Felony Mail Fraud in 2007, he was forbidden to engage in loan programs, gambling or gaming activities, telemarketing activities, investment programs or any other business involving the solicitation of funds.
He went on to co-found the company called Butterfly Labs in 2010, a company that took pre-orders for Bitcoin mining equipment (in many cases soliciting funds for hardware that didn't exist, until it did).
Many people argued that this business model was a direct violation of the terms of his supervised release. He stood in front of a judge in 2014 that said there was a "strong smell" of fraud with respect to his company.
Equifax it seems gets to skip the whole "plead guilty" thing and just announced their negligent failure directly to the world.
When does Equifax get their 14 months in jail followed by a supervised release? Never, apparently, they just go on about their business and no charges are filed. I would expect for them to get a "time-out" after their bungling of the response to this breach, at the bare minimum.
But no, let's give them a participation trophy instead, let them continue handling the response to the breach, they've earned it...
You're presuming that Equifax is guilty of something. Of what? Of being victims of a hack? What about the SEC, who just notified the public now that they were hacked back in 2016?
You seem to think that Equifax is guilty of negligence. Good luck proving that. They're subject to security audits not only from the government, but in relation to the contracts they have with their various customers (standard stuff when companies deal with each other, not least of which when consumer data is involved). Their security wasn't good enough, but they didn't know that until too late. Same as Target. Same as Home Depot. Same as the SEC.
Equifax is going to get fined. They're going to lose business. They're going to eat the cost of providing identity theft protection/monitoring to the entire country. They're going to have to fight their way back to whatever previous stature they had. But any thought that they're going to be found criminally liable for this is simply not credible.
They should not have been in charge of the response, but there was no way for us to know that for sure until they had already flubbed it so badly.
They are guilty of handling the response very poorly in a way that has been hashed out and rehashed at least six dozen times on HN until the culmination (so far) yesterday, when we found out that their site was so easy to spoof it fooled even Tim, the Twitter guy from Equifax, who tweeted links to the spoof site out to eight or nine customers over the course of the response.
That was possible because of their initial poor (evidently hasty, and negligently so) response. I'm not asking to make anyone criminally liable, I'm suggesting that next time a company leaks sensitive records on 140MM Americans, we should remember this chain of events and somehow all do better. (And not have another repeat of this shit show, if possible... but who am I kidding, it will repeat.)
The poor response was probably made worse because of their internal culture that resulted in the CIO and CISO being canned (that sounds like all of their top technical leadership put out the door) right as the response was just getting underway. That too, in my opinion, was probably negligence!
I know we don't put companies in "time out" but it seems like we had better think about doing exactly that in this case, lest we soon find out what it will look like when the (next) other shoe drops.
The Equifax story will only continue to get worse! Just wait until their new free credit monitoring systems are breached, and we get to find out exactly what that mandatory class-action arbitration clause we've all heard about is actually intended to do!
Then who should have?
> we should remember this chain of events and somehow all do better. (And not have another repeat of this shit show, if possible... but who am I kidding, it will repeat.)
100% agreement here.
> Then who should have?
Better question: what would be an appropriate response? Because this one isn't, that much is sure, but I don't have an answer for this question other than "one that is not so hastily and shoddily implemented."
Further, do you really think this was a hasty response? This is the response dictated by the law, coupled with recommendations from their legal team, and probably with input from regulators as well.
It was hasty, in terms of... just look at equifaxsecurity2017.com
Did they run this plan by even one security researcher before it was put into action? If so, that person's advice was either terrible, or ignored. No time at all had elapsed between the time we were alerted to the breach, and when Equifax revealed the 2-day old site that was protected by Amazon certificate.
I am building an HR web portal for employees to submit their identity when they do not go through our background checking service (some classes of employee who are exempt from the requirement to get a background check, for archaic reasons), and I am holding up Equifax's response to the breach as an example of "What Not To Do."
There is no legal requirement for them to put up a website that looks like a phishing scam, and respond to people who put in their information with a random value of "Yes you were affected/Check back later to find out if you were affected". There would certainly have been questions about "who was affected" but it would be better to answer with a blanket response of "everyone with a credit file" than to do as they did, and say "143 million Americans, now fill out this pointless form attached to a random number generator to find out if you are one of them."
Seriously, what were they thinking? Even the most charitable light isn't enough for this to make sense.
Butterymales! What about Hillary!
My credit history is still in the hands of Equifax and I have no control over that fact. That is problem number one for me. I want to get off of Mr Bones Wild Ride.
Your credit history is in the hands of all the CRAs, just like it has been since the first time you entered into any sort of credit agreement, or opened a bank account, or applied for a car loan, or rented an apartment, got student loans, or did anything where your "credit worthiness" comes into play.
Probably because they still weren't sure that their existing systems were secure. So instead of securing them, or unplugging them, they ... built a new system, both hastily and shoddily!
Then they sent out an e-mail to everyone, telling them to put a little bit more of their SSNs than we're all used to providing at the drop of a hat, ... put them into the bucket. Isn't that about the size of it?
I remember all of those things, and NONE of them were on the scale or level of impact of the Equifax breach. People who were affected by the Target breach, got replacement cards and moved on with their lives. Lenovo's malware package could be uninstalled and their hard drives could be reformatted.
People who are affected by Equifax breach... can do what? We are ALL affected by this breach. Every last American Citizen. The credit system itself, as we currently know it, now hangs in the balance.
I know that ALL of the credit reporting agencies have similar poorly designed systems, and THAT is EXACTLY what I am so goddamned mad about. Because THAT is a fact that is NOT going to change as a result of this. You know it and I know it!
We will still have the same 3 credit reporting agencies a year from now, and Equifax will STILL be profitable after whatever fines are imposed. We Need To Seriously Change This Shit Right.Fucking.Now! (NB. I have no specific suggestion, but I am so furious because of your apparent suggestion that there is no line that Equifax or any other CRA can cross that will earn them an honest decapitation. If not now, then when?)
This should NOT have been possible in any reasonable system designed to store sensitive data on every last American with a credit history, and the fact that it happened is all the evidence of negligence that you need. Someone exfiltrated ALL of the information they need to impersonate ANY American citizen with a credit file.
Nobody in particular needs to be held criminally negligent. No redress will make me happy about what has happened. The game is just over. The system is fucked, there's nothing left for them to protect. "Not for Identification Purposes" it's time to read the words on the card, and take them seriously.
I concede the possibility.
> We are ALL affected by this breach.
POTENTIALLY affected. There's been no disclosure of exactly how many records were accessed...I don't think they know, but it seems highly unlikely that their entire credit database could have been exfiltrated in that amount of time.
> I know that ALL of the credit reporting agencies have similar poorly designed systems
They don't actually. They tend to have above average security. It's just that it CANNOT be perfect. Just like we can't stop viruses, but Windows is still around.
> I am so furious because of your apparent suggestion that there is no line that Equifax or any other CRA can cross that will earn them an honest decapitation.
How about real criminal activity? You keep glossing over the point that Equifax was victimized here as well. What criminal intent, or even legitimate incompetence, can you claim that even remotely justifies that sort of reaction? Do you think this is Enron-level criminality? That was flat-out fraud, proven in court.
> the fact that it happened is all the evidence of negligence that you need
You're sadly mistaken as to the efficacy of computer security. The fact that it hasn't happened before, for a company that must be a target under constant and unrelenting assault, is actually a testimony to the how well they were maintaining security.
> "Not for Identification Purposes" it's time to read the words on the card, and take them seriously.
100% agreement on this.
> POTENTIALLY affected.
This is true. We don't know if they got all of the records. Reports of "143 million Americans impacted" would seem to indicate that it was roughly everyone with a credit file.
But that is just a headline/byline, and we don't know until the hackers dump it and divest of whatever they got, and the data (honestly, I say hopefully) winds up as public information so we can all know exactly how bad it is.
No reputable news source has said anything other than "potentially affected" as far as I know.
> the data (honestly, I say hopefully) winds up as public information so we can all know exactly how bad it is.
I agree.
Equifax spreads misery across the general population. I have seen no practical proposals which allow us ordinary people to claw back the time and frustration these private companies suck out of us. How endlessly should they be allowed to socialize their losses and force us to subsidize them?
The onus of protection is on the consumer - the very people who never authorized the companies to collect and sell their financial identity. The concerned consumer needs to call back every 3 months to continue a fraud alert.
For those who don't know the value in placing a fraud alert is that it forces anyone extending you credit to first call you and verify that you actually intended to open the line of credit in your name. This is something that should be standard operating procedure and not a special consideration.
There are three companies to do it at. The cost is low and it is mandated to be free in some jurisdictions.
You want to rent an apartment, change your cell phone carrier, get home owner's insurance, order cable - all of these things require a credit check and you having to pay 5 dollars to each agency and making 3 separate calls to each of them to do so.
To be clear, I only know about the freezing. I got free monitoring but didn't take advantage of it. Instead, I just froze my credit and hope for the best. I don't really need credit for anything, so it has been fairly painless.
This is the sad part about it is there is no way to opt out of having your identity put at risk by these thugs.
>"I got free monitoring but didn't take advantage of it."
This is perhaps the most incensing part of all of this. Is that after one of these breaches the agency offers 1 year of credit monitoring and then after that its $16.95 a month.
They have attempted create another revenue opportunity for themselves by being reckless with your data. It's mind blowing.
Locking your credit means that the only people allowed access to your credit file are your current creditors. The fraud alerts means that the only way someone can grant your a new line of credit is by verifying with you personally that you intended to apply for this new credit.
Locking your credit is permanent and it needs to be done with all 3 agencies separately and each time you want to unlock your credit, example someone needs to run a credit check or you want a new credit card then you need to phone each of the 3 credit agencies separately and they each charge you 5 dollars for that privilege.
The fraud alert doesn't cost anything but can only be done for 90 day increments and then it is automatically revoked.
And if there is any glitch in the locking/unlocking or fraud alert, the agencies will resort to snail mail and letter writing to resolve issues. Everything is set up to be maximally inefficient and painful for the consumer to discourage doing so.
Also the 3 credit agencies manage a site that was mandated by congress after another scandal that allows consumers to request their own credit file for free once a year [1].
This site in addition to intentionally looking sketchy is also designed to be maximally painful to use. You will be asked things liked exact dates that you lived a certain address 15 years ago. If you fail any of these(which is quite easy to do) you will be instructed to send a letter, along with ID to the agency to request your personal credit report.
It is actually much much more difficult for a person to obtain their own credit report from these agencies than it is for a complete stranger to request it.
[1] https://www.annualcreditreport.com/index.action
For anyone that had their credit locked or frozen previously the hackers would have also gotten access to the pin numbers that permit the unlocking of one's credit file. What's to stop someone from using the PIN to unlock it and create before opening credit in a victims name?
They should absolutely not allow PIN retrieval online and without a whole lot of serious vetting. That they do is yet another metaphorical kick in the teeth. I am just now learning about the PIN retrieval, so this may result in my needing to change strategies.
Fortunately, I don't rely on credit. If I need credit, I can easily qualify for a secured loan. It also helps that I sat on the board at my credit union for a while. So, credit isn't a problem.
I do feel sorry for those who aren't able to just stop using credit. See, according to what I've heard/read, freezing your credit actually negatively impacts your credit score. If you're freezing it, you must be at risk. Or so they seem to think. So, by defending yourself you are actually potentially harming yourself.
It is already eating up your time, perhaps some money, and adding stress to the lives of many innocent people. Then, when you want to alleviate some of that stress, or reduce your risk of harm, it harms you even more. There isn't even a realistic option to opt out of the game.
It's pretty horrifying and it is difficult to not be angry about it. I'm fairly well insulated but I can certainly empathize. I wish I had the answers. I wish I had a solution. I don't and I'm not sure anyone does.
Do you have a link or some further explanation for this? I don't think this is true. It's actually the opposite - when someone runs your credit which can happen without your knowledge or approval then your credit will get dinged. By freezing it and not allowing anyone but existing creditors to access your profile you prevent this.
Not having enough credit will keep you from obtaining a higher FICO score however. For instance you can have perfect credit but if you have to few credit cards your FICO score will be lower than someone who has perfect credit and has more credit cards. It's insane but true, its a metric called "balance to limit ratio":
http://www.experian.com/blogs/ask-experian/getting-more-cred...
Citation of my error:
https://www.consumer.ftc.gov/articles/0497-credit-freeze-faq...
Though, that link is strange in a new and interesting way. The page seems to indicate you can pull your credit score while your account is frozen. Except, if I look at Credit Karma, they say you can't register and access your credit report if your account is frozen.
https://help.creditkarma.com/hc/en-us/articles/202041774-I-h...
It's surprisingly hard to find consistent information. I think this highlights another problem with the system.
Even worse, while the author criticizes how Equifax got started - private investigators looking for affairs, etc - that is exactly what the OPM database is. They're looking for things that could be used to blackmail an individual so it includes financial history, marital info, drug use/abuse info, and potentially medical records.
My coverage of it at the time: https://caseysoftware.com/blog/why-this-security-breach-is-w...
And no, there has been zero accountability around it.
Whenever someone says "the govt can protect this info better!" remember that this is the same government that doesn't follow the law with regards to wiretaps, FOIA requests, background check info, and many, many other things. Oh, and the NSA can't even protect their best tools.
I am, however, worried about the information in my file that is about other people. They contacted and interviewed lots of my friends and family. Those notes, and the associations between these groups of people, are all in the data that was exfiltrated.
You know what my friends and family got? Nothing, not even a form letter. Me? I'll be fine. However, some of them are now associated with others and who knows what other connections can be drawn when you cross-check with other information from the hack?
So, yeah, I'm jaded and skeptical about the idea of having it be a government operation. People keep saying this is the worst hack ever. Man, if they only knew what was in the clearance application. I disclosed all sorts of things that I really don't want to be public information.
And I got a form letter that was barely an apology. Hell, I think my notification was actually on a post card. Yeah, I just double checked. They sent my notification on a post card, not even in a secure envelope.
I may be a bit biased.
I couldn't even transfer my free credit monitoring to someone who could actually use it. It was non-transferable. I had no use for it, as I'd opted to freeze my credit entirely.
I'm not sure which bothers me the most, the hack or the response? I do know that if I'd been responsible for spillage of classified information, I'd have gone to jail. If I'd been responsible for spilling that much classified data, I'd have never felt a ray of sunshine again.
I'm very disappointed by it. What is most disappointing is that there was no good reason for me needing the clearance, FOUO would have been fine. I can't be specific, but there was no reason my work, or the data, should have been classified. On top of that, I'd already sold my business and had retired - years prior. There was no good reason for retaining my records.
I'm currently reading about other countries that offer a government run service for credit reporting. I'm trying really hard to remain objective and unbiased, but it's really difficult.
I feel sorry for the people who are impacted by this. It's not easy to go through. I'm not sure it's quite the same, but I felt violated when I found out about the OPM hack. I felt let down, abandoned, unappreciated, and powerless. The information was some of my most private information and, worse, wasn't just about me. I felt as though it was my fault that my friends and family also had their privacy violated.
I am not that great with words, so that's about the best way I can think of to describe it. Disgusting is a good description. On a positive note, it does help me empathize with the folks impacted by this hack.
Not only did the OPM hack affect my privacy, it made me a cause of others losing some of their privacy. By extension, they made me responsible.
Fortunately, none of my friends and family hold me accountable and understand that I'm not to blame. Still... It's not a good place to be, emotionally. I've since gotten over it, for the most part.
I don't even know what was in their investigation notes. That's need to know and they don't think I need to know. I disclosed everything from drug use to promiscuity, with names, dates, and places. It wasn't just my information in those files. Who knows what can be done with that info by giving it big-data treatment?
Add that database to this one, and the many others, and I'd be surprised if you couldn't draw much larger pictures and associations. The world is not that big and cross-checking on large data sets is almost certain to further erode privacy.
One of the questions most investigators ask is "Is there anyone else I should talk to?"
Sometimes they say it in general, sometimes about specific situations or interests but they say it regularly and often. They know that the people you list will be neutral -> positive about you. They want more.
Stuff like, "We know you went to school together. Do you remember what sports they played?" Except we'd not gone to school together.
Crafty buggers. Either way, that data is all out there now. I'm not sure what all made it into the reports, I suspect most of it did.
I look at a market as a machine that we can deploy. It does a specific thing, but only with the right inputs and working conditions. Here, we are not Equifax's customers. Harm to us is a negative externality, which is a classic kind of market failure:
http://www.economicsonline.co.uk/Market_failures/Types_of_ma...
So markets don't fix this even in theory.
Personally, I'd like to see this problem turned over to an institution something like the Smithsonian: not a regular part of government, but a trust with a specific purpose. I'd be even happier with it if it had directly elected privacy commissioners, so that it was more accountable to the people whose data it safeguards.
We're only going to end up with more data that's about people, even if it's not generated or held by those people. Having a home for that data, one with a public purpose and public accountability, seems way better to me than leaving it for a private, profit-making corporation to exploit.
Economic historian Gavin Kennedy has made something of a career debunking this fallacy. Among his many writings:
The sorry invisible hand myth owes more to imagination and hope than it does to economics from Adam Smith. Its modern form really began its take off with Paul Samuelson’s successful textbook, “Economics: an analytical introduction”, McGraw-Hill 1948, and continued through to edition 20 in 2010. It had an earlier oral presence at Chicago (where Samuelson was an undergraduate) and Cambridge, England (A. C. Pigou). Even Oscar Lange postulated (1938 and 1947) a rival and “better” invisible-hand role by socialist planners. The Soviet planned economy challenged capitalism from the 1930s and in Cold War rivalry, with large communist parties and social-democratic in Western Europe, the myth asserted the innate superiority of capitalism with its “invisible hand”. Since the current recession, increasing questions appeared about its existence. Warren Samuel’s last book, “Erasing the Invisible Hand, essays on a elusive and misused concept in economics”, 2011 (Cambridge) exposes the modern history of the mythical “invisible hand” since its heyday from the 1960s through to the late 1990s
http://adamsmithslostlegacy.blogspot.com/2012/04/political-s...
If they are are so liable, then to remain profitable they will find a way to pass on their cost to the customers. Those customers in turn, will pass it on to the consumer. So then you end up footing liability insurance bill for the privilege of being subject to a credit search.
What's the idea; that if a whole network of criminals now has my personal info, there will be an insurance-backed fund that will instantly buy me a whole new identity, so life goes on merrily?
Nope! We must rather completely get rid of this Equifax and make it a criminal offense for anyone to share such info with any emerging Equifax-like agency, or with anyone else.
Your data going to Equifax is the fucking security breach. What happens afterward is just a footnote.
Why is that commonly accepted, but it's horrible to contemplate regulation of Equifax for the same essential reasons?
When a government agency has a massive failure, we're of stuck with it, short of hoping politicians might do something about it.
This contrasts pretty heavily with, say, Facebook – where even though they collect and share plenty of information about me, I'm at least both consenting and continuing to feed them by using a service I presumably find worth the trade-off.
If you are the type of person who gets upset about this dynamic of Facebook, then Equifax should be completely next-level.
Dont you consent to credit reporting when you sign up to get credit, though.
You can "choose" to not use Equifax by not getting credit from people who report to equifax.
No, I consent to allow creditors to do their due diligence to see if I'm a viable candidate for their product. Equifax is not required in this transaction, it's just beneficial for the creditor, their customer, to use them to streamline that information collecting process. Loans and credit existed prior to credit reporting agencies and will exist long after.
you do much more than that though , from my card agreement
"We may obtain and review your credit history from credit reporting agencies and others. We may, from time to time, obtain employment and income data from third parties to assist us in the ongoing administration of your account. We may also provide information about you and your account to credit reporting agencies and others. We may provide information to credit reporting agencies about this account in the name of an authorized user. If you think we provided incorrect information, write to us and we will investigate."
> Equifax is not required in this transaction
Thats upto the business to decide, not you. You choose to not get credit from them if you have objections to how they run their business.
Regardless of what the business decides, no, Equifax is not required to assess my credit. If the business decides to go to McDonald's to get lunch while they are doing this process, that's not required regardless of what the business decides. It may be nice for them, it may make their process easier, but it's not /required/.
I do agree that handling of data could be regulated to some sort, though. Much like how we have agencies, etc. for keeping tabs on companies that handle other things (hazardous materials, food, etc.)
I think the key point here isn't the system, but 'proper functioning'. In the event that no system is ever properly functioning, what's causing the least damage?
I'm reminded of the many stories I've seen claiming that people given experience of both, preferred 'bread line' communism to free market capitalism.
These people were never the lottery winners of capitalism: they're always just worker bee types, and their observation was that communism sucked but was stable and consistent. Small dreams, small risks, reasonable safety for the worker bees.
When they experienced capitalism, they had no preparation to competitively attack their fellow workers and win, and as a result they didn't win, they became worker bees under capitalism, and dropped below their previous living standard. Granted, this provided an environment where more ambitious worker bees could prevail and get rich, and that's the system working as intended, but for the less motivated ones, their experience told 'em communism took better care of them… in spite of the litany of horror stories we've all heard over and over (I live in the USA, so I've been indoctrinated against communism all my adult life).
I think it's pretty important to examine how these systems work when they're NOT properly functioning. It seems like free market capitalism produces some pretty spectacular damage when it catastrophically fails, but it's more abstracted. When something like communism catastrophically fails, it's in the form of state genocide, with more intentionality.
When a private company has a massive failure that impacts someone other than its customers, then the impacted parties have no recourse whatsoever.
You're not an Equifax customer. Banks and big businesses are, and they don't really have a strong incentive to punish this sort of behavior.
IANAL. This is absolutely not true. You don't have to have a direct relationship with the other party in a negligence case. An easy example would be that you can sue the manufacturer of your transmission even though your Civic was sold to you by Honda. Equifax would have to somehow argue that they owe no duty of care to the people with private information in their database which just isn't going to happen.
This has always struck me as an odd anti-regulatory argument, though. "Governments shouldn't use their power to distort the market. Therefore regulations are inherently bad. Instead we should distort the market using a different branch of the government, but in a much more capricious and unpredictable manner."
Which brings me to a question of the "have things always been like this?" sort. Do we have data on the percentage of any population who's active in politics over the past, say, 7 decades?
> This questionable business model raised eyebrows in the 1960s, when the companies were still compiling information on people’s “moral character” such as affairs or drinking problems. At the time, the reports weren’t available at all to the subjects themselves. That changed with the Fair Credit Reporting Act, which was signed in 1970. But even that reform put virtually no oversight on the bureaus’ practices.
As if there aren't a bunch of companies trying to do exactly this with a combination of tracking cookies, browser history, purchase history, and ML.
Separately, from the article (emphasis mine):
> The United States government is, of course, not impervious to data breaches, nor does it have a perfect track record of fending them off. In 2015, it announced that hackers had stolen “sensitive information” on 21.5 million people. But the government is at least accountable to public pressure. Equifax never will be, even under the tightest regulation.
Equifax may not have to change anything as there's a very real chance it goes bankrupt because of this. It's not just from the cost of lawsuits from consumers. There's a longer term cost of businesses not wanting to deal with them.
The risk of that happening to one of the other big credit reporting agencies is the biggest driver for them to clean up their act. The threat to their businesses is real and I'd imagine their internal responses will be as well. I also think regardless of what they do it's only a matter of time till they have a breach as well. You only have to screw up once.
> Credit bureaus have proved to be complete failures at safeguarding the public.
Nearly all companies are complete failures at data security. There's not special about credit bureaus here. They just happen to have a lot of sensitive data on a lot of people and thus are a hot target. As an example, we've had plenty of breaches in the health insurance industry as well.
Perhaps the best approach would be a "too big to fail" limit on the bureaus. Put a cap on the total size (in accounts / people covered) of a credit bureau. The libertarian in me is screaming at the thought of something like that but at least it has the advantage of limiting breaches to a max number of people.
> Let’s demand we get our data back.
It was never your data.
https://www.nytimes.com/2017/09/20/business/sec-hacking-atta...
We don't know why, though. Perhaps they were working with law enforcement to track the attacker. Closing the hole would certainly alert the attackers and end the chance to catch them.
This reads just like the Cuckoo's Egg.
That logic is simply broken. Either the argument is strawman or law enforcement is just as guilty of negligence as Equifax is.
Law enforcement is about enforcing the law, not protecting law-abiding citizens from criminals.
I think this is very optimistic. It's hard for me to imagine a situation in which lenders are questioning the reliability of these credit reports and the only scenario I can come up with is one in which the reporting agency are over-estimating people's ability to reliably repay debt to the point where the lenders are losing so much money that they actually notice. Given that most consumers complain that these reports include erroneous /negative/ information, this scenario seems unlikely.
Lenders will continue to use these reporting companies, no matter how poor their product, because there is no measure against which to judge their product except each other. They'll continue to use them out of inertia, out of erring on the side of caution, and because this is the way they have always done business.
Or rather, that the system which measures loan risk is feasible only because the parasitical entities which run it push the massive negative externalities onto the general population. If the loan risk system actually had to pay for all the harm it does, it would be a loser.
Firstly, reliability tends to change slowly. Banks might not be tracking this, so it would take a long time for this problem to surface. The article indicates that they're already unreliable, and banks continue to rely on them.
Secondly, there's too little competition. There's no realistic alternative; especially when all three seem to be roughly equivalent in terms of reliability.
Finally, any single bank dropping a credit agency will cause that credit agency problems, but will likely cause themselves more problems. Individual banks have little incentive to act on their own. Some form of banking cartel would probably be needed to put sufficient pressure on the credit reporting agencies to effect change.
The laws need more fleshing out. The current iteration of laws is insufficient.
The FICA folks could pull your report and reduce you to a number every time some creditor wants to check up on your creditworthiness. AirBnB could pull the same data and produce a houseguest score, so people can feel comfortable that you won't trash their place. A background check agency could pull the same data and try to figure out whether you are likely to hurt an employer's business.
They really don't have a choice. Every aspect of your "credit score" is governed by law.
One particularly egregious example: banks and credit agencies are FORCED to ignore bankruptcy after 10 years when decided whether to grant a loan to someone. Even if a wealthy person default on a 100M loan, even if he has multiple bankruptcies in his past, banks must ignore them if they are >10 years old.
Credit agencies are private companies, but they play by the government's rules.
Lenders are forced to use the government's criteria to determine when to loan out their money.
Someone could be abusing the system and declaring bankruptcy every 10.5 years, like clockwork, and the bank would have to keep taking them back as a customer.
The government has several interests, beyond lenders. The government enforces the lenders abilities to claim debts. It is also in the government's interest to allow people to get back on their feet if their finances crater, because taking someone out of the financial system indefinitely is not productive.
Someone, somewhere, could be abusing any system. That, in and of itself, is not a disqualifying feature of a system.
I think the banks themselves should be allowed to decide when the risk is worth taking. It will all be determined by actuarial tables like every other similar business decision.
If the risk of someone defaulting 15 years after bankruptcy is 20% higher, then banks may charge that person 20% more interest.
I'm curious as to why you're focusing on bankruptcy, when there are a significant amount of other signals banks use, which do not age off in the same way.
Little people aren't able to recoup their losses when disentangling the tremendous inconveniences of identity theft, mistakes in credit reports, and so on. You're only addressing losses by lenders, which are a tiny fraction of the actual problem. You're not offering any practical way for the general population to seek redress.
No insurance company would sell such policies without due diligence -- they would establish security requirements and pen testing. Consumers are protected by the existence of an actuarially fair insurance policy. not by the (nominal) compensation. Note that Equifax's customers are (primarily) not consumers. Regulations (in the form of liability law reform or nominal compensation) may not be required in industries where companies only hold the data of their own customers, but such companies could cite their insurance policy to convince their customers that they take security seriously. (Now it's always empty words.)
[1] https://www.washingtonpost.com/news/powerpost/wp/2017/09/20/...
A minor but strategic change in liability law around privacy would shift incentives in the way you describe and suddenly it becomes in the best financial interests of the companies to protect the data. Indeed this is the only kind of incentive they will respond to.
Nationalizing the credit industry doesn't really solve any real problems as far as I can tell.
Maybe do it state-by-state, so long as each state follows some federal guidelines and each state provides a way to interoperate with the rest, and with private businesses that need access to that information, if the feds freak you out.
Why?
Because I can, in theory, have my say in how the government operates. I can vote, I can submit comments, I can go talk to elected officials, whatever. I have zero recourse when private companies schlep my data around and wreck my life. Voting with your vote is best, but I can't even vote with my dollar with Equifax.
Firstly, examples of governments that have any people voted in at all are cherry-picked. Around the world, there are governments that are not voted in, or are "voted" in by a sham process which only has the external appearances of democracy.
Secondly, in democracies, a fairly common pattern is that the government consists of some seats that are voted in (parliament) plus some that are appointed (senate). The power is divided accordingly. (A minor point is that it is not uncommon for the leader of the elected party to appoint people for the uppermost staff positions: a so-called "cabinet" or whatever.)
Thirdly, government in the broad sense includes not only the parliament and senate political structure but all of the institutions of the government that actually get various things done throughout the governed region, and all the levels of bureaucracy employing large numbers of people. All of that staff is not elected; they are just people hired into positions and they generally keep those positions across government changes. That bureaucracy has considerable power of its own; not every single decision they make which affects you goes through a parliamentarian that you elected!
Two, yes, many of the highest profile, and most powerful, positions are elected. And in practice, over time, this means that these positions have selected for people who are 'electable' - which has itself over time come to mean people who can raise huge amounts of campaign money. This is a deeply corruptible situation, if indeed it is not already deeply corrupted.
I agree with the idea that open public oversight is a powerful corrective, and is a major difference between private organizations and public ones with effective means for perceiving and removing corrupt officials. I think it is highly questionable to what degree the latter describes our current situation in much even of the democratized West.
One problem. She didn't know that she had been pregnant and suffered a near fatal (to her) complication and miscarriage 7.5 months ago. Only a few parties were aware of this: My family (not posted on Facebook), two health insurance companies, the hospital, two pharmacies and the Ob/Gyn practice. Last week would have been the due date.
One of more of those entities, who are all supposed to protecting her privacy failed to do so to extract a few more bucks.
I would suggest that that is not "failing to protect" private data, but "actively exploiting".
My definition: the most efficient has the least wasted effort and the maximum productivity.
I do not think having individuals & classes going off and suing everyone they can, every company buying piles of insurance against these suits (because how could they reasonably guarantee perfect privacy?) and having insurance providers coming to evaluate each institution...
This is only legally efficient, in that it requires the least amount of nuance in law.
There's a reason we have public infrastructure and services, and it is for efficiency.
And it generally works pretty well. In the law, the government lays out rough things it wants to see (e.g. access restrictions, auditing logs, etc) + penalties (financial and otherwise) and then lets the industry find a way to meet them. Furthermore, there's a legal distinction between willful and accidental non-compliance.
It's absolutely added cost, but generally seems to accomplish its privacy intent.
http://www.medscape.com/viewarticle/810648
I just googled it, and it was the first result
I've worked as a developer with health care providers and insurance companies for 5 years, and other than it being annoying as "some regulation exists" no one I've talked to feels it's a bad solution to the problem.
Asking industries to be happy about privacy regulation seems an unreasonable goalpost.
Besides, I’d be willing to bet that those at Equifax would have similar things to say about a comparable credit reporting law, just like how some medical practitioners don’t like HIPAA.
I don't see the point you're trying to make. If we're going by "who has made the news for hacks lately", the private sector is by far the worse choice.
Also, OPM does not get to decide if you have standing to sue them. That's up to parts of the government so far removed from OPM they might as well be a different entity entirely.
I don't have a good solution for the recommendation system like this. Maybe we wouldn't need it in the first place if we didn't do so much debt financing of stuff. Or maybe it needs to be less centralized: applying for one loan, you need to show payment history on a few other loans, etc. But I just don't see a centralized government run agency as the solution.
I'm quite happy with the approach that Switzerland has taken. Firstly, there are no credit scores or credit reports. Instead, there is a well-defined and regulated way to collect on overdue bills: The creditor requests debt collection from the state debt collection agency. At this point, collectees may decide to pay, to object to the prosecution or not to react. Objecting leads to a defined legal process where the creditor must prove the debt, and the collectee can defend themselves. In case of no reaction, authorities may proceed to seize assets.
As for the reporting, the debt collection agency will only keep a file on people against whom a collection request has been filed, and only make it available to the person in question and entities with a qualified interest in it. In practice this means that when renting a flat or getting credit, you request your own (empty) record and submit it to the landlord/bank in question. The agency is also responsible to expunge entries from that record after a defined time. And since responsibility for collection lies with a state agency, there's very little risk of the kind of harrassment you hear of in horror stories from the states.
The implementation has room for improvement: records are kept locally, tied to the state you live in and there's no immediate way to get online confirmation. Those are details though, that could be fixed in a clean implementation of the same system.
But we also have giant for-profit companies aggregating giant databases with little to no oversight, and up until recently no ability to access your own data for free, and still today no straightforward, across-the-board, means to appeal bad data, or collect damages from it (or from leaks of it).
Even with the terrible things associated with the no-fly list there is a TSA appeals process and a court system to challenge it. Do you know how you correct mistakes in your Equifax-TransUnion-Experian composite credit score? You mostly don't, and you most likely can't take them to court, because they think you are bound to arbitration.
I don't know if there is a good solution here either, but at least a government-run solution would have to be accountable to the people as citizens/constituents (even if it would still likely be in the pocket of the banks).
Sorry, that's not true at all. I went to Experian late last week to set up a fraud alert because of the Equifax breach, they showed me my credit report and had a button to mark things that were factually incorrect. I did so and submitted it. They did some sort of investigation and removed the data because they couldn't verify that it was correct. It was as easy as filling out an online form. (Actually, I think I had to call about 1 particular item, but it was handled over the phone.)
From the article.
It does look, from the snippet, like they aren't quite the same. I don't yet have an opinion on that, specifically the bit about data being erased after it has been settled. That's pretty different.
I shall see what I can find. It may change my opinion. Thanks again.
I think a company should be able to avoid a fine if they disclose breaches immediately and are able to document that they followed best practices. From what I've read about the Equifax breach, they would definitely be found negligent.
Simple analogy: a homeowner still has to make a claim if their locked, alarmed house is ransacked while they're away. Insurance may subsequently deny the claim if it's shown that the homeowner failed to follow best practices, such as locking doors and windows. In other words, adherence to best practices is a condition of insurance.
I think negligence or fraud on the part of the company should multiply the penalty and it probably release the insurer from being responsible.
And suddenly there would be a much more litigious and powerful entity on the side of protecting consumer data, the insurance company that underwrote the policy. They deny the claim and Equifax suddenly has a lot more problems.
It may be the case that once all the privacy related externalities are pushed back onto credit reporting agencies then their business model is no longer viable. I, for one, am fine with that outcome. If that's the case then credit reporting agencies were never a net good for society in the first place, and all the regulations are doing is exposing that truth.
To extend your thinking, consider air travel. Airlines act responsibly, even to the point of having government provide much of their security, yet occasionally terrorists manage to blow up aircraft. In that scenario, you'd have the airline be fully ('strictly') liable because of an external event they did everything to avoid. The harm is greater too - death is worse than ID theft.
Truth is, nothing can be done safely. Not travel, not business. There is always a tradeoff between risk and benefit.
Credit itself is an enabler for the economy. Credit bureaux facilitate comprehensible risk management, which allows for market forces to operate around interest rate setting reasonably effectively. Absent bureaux that same function needs to be performed, but it'll be done in a decentralized, ad hoc fashion by individual lenders which will impinge on their business models and ultimately drive up rates.
So you don't like the bureaux; well, nobody does really. But what is an alternative which allows lenders to compare applicants on a like-for-like basis with some degree of confidence?
Data gathering is usually not opt-in and it's also intentionally non-obvious who your information is shared with in most cases. I'm also rarely the customer, which means there's very little chance that my interests are being represented. Security or lack thereof is pretty hidden as well.
I suspect we would find a way to fill the economic holes if every credit bureaux was phased out over the next 5 years.
IMO, the entire vertical needs to be more transparent.
I think the much more interesting discussion is about how those economic holes are filled, and it's why I posed that question in my note above. Of all the corners of the internet where you might expect such a solution to be proposed, HN is surely the best. What does post-bureau creditworthiness attestation look like? Presumably it's decentralized, to minimize aggregate harm to people in the event of a hack. Presumably it's de facto (and de jure) verifiable and correctable by each individual. It must also have some sort of graduated 'need to know' disclosure mechanism, with crude aggregate scores available to low-ranked creditors (cellphone companies, for example), and much more detailed information available to senior stuff like mortgage lenders. And why wouldn't it also have a facility, which didn't disclose creditworthiness data, for authenticating users to various services?
But then why not go one step further. Why have this stuff in one place per consumer at all? Why not have lenders jus reach out over an API to every other lender to ask in effect "How good a debtor has scrumper, with SSN 01-234-5678, been for you? How long have you done business with her?" and get various answers back, all of which can be factored into some model which conforms minimally to a regulator-provided specification? The size or risk of the loan dictates the depth of that pan-industry query. Companies don't hold any more than they already hold, and there's no nexus for that data at all. And all the lender is allowed to keep is the model result, some sort of FICO equivalent, for a particular applicant.
With air travel the people bearing the risk are the direct customers. If I'm uncomfortable with the safety record of airlines I can simply not fly. How do I opt out of the risks imposed by a credit rating agency?
The closer analogy, I think, would be if cargo planes were routinely crashing in populated areas. The air freight company and its clients may well be completely comfortable with their loss rate, but the unaffiliated third parties living underneath would have a pretty justifiable reason to complain.
> Truth is, nothing can be done safely. Not travel, not business. There is always a tradeoff between risk and benefit.
This is absolutely true, but as currently constructed credit agencies get to reap the benefits while pushing the risk off onto the general public. If we regulate to internalize that risk and the agencies still think it's a good risk/reward tradeoff then that's fine. If they no longer think it's a good tradeoff that's fine too.
> So you don't like the bureaux; well, nobody does really. But what is an alternative which allows lenders to compare applicants on a like-for-like basis with some degree of confidence?
There's several suggestions elsewhere in the thread, but I'm going to go out on a limb and suggest: nothing.
On a macroeconomic level, easy availability of credit increases average growth but also increases total risk, and therefore volatility. It's not apparent to me that that's a good trade.
On a microeconomic level, the benefits I receive from being able to get credit easily have to be weighed against both the suboptimal personal accounting I have to engage in to keep my credit score up and against the long tail risk that a third party can open a line of credit in my name. It's not apparent to me that that's a good trade either.
Maybe lenders should be much more conservative with who they loan to. Maybe they should price in a much higher default rate. Maybe individuals should seek a single line of credit from their bank of choice instead of expecting expenses to be financed individually. I don't know, I'm just some guy with 2 semesters of college-level economics. What I do know is that the status quo isn't sacred and the arguments explicitly in support of it seem to boil down to "growth is good and change is scary", which seems like really weak rationale for giving someone most of us don't even have a business relationship with essentially unilateral control of millions of people's financial fates.
So yes, the problem is one here the credit bureaux get to externalize their risk. I was arguing with your rejection of the 'insurance model' for bringing some of those externalities back in house. Your proposal of strict liability is really just a banning of the industry in disguise: without the possibility of insuring away those risks it's not viable to stay in business - an agency is going to get breached even if they are as careful as possible. I don't think the lobby (and it'd be bureaux and lenders lobbying on the same side) would permit that outcome, no matter how strong the political will. It's too far reaching.
My response is, insurance doesn't preclude elimination. Those bureaux aren't going anywhere tomorrow. Incremental reform along the lines proposed by whatever grandparent we are both under provides a path to improvement, better risk management for individuals, and it could perhaps ultimately lead to your desired end state of a completely restructured consumer credit market.
I do agree that would probably be a de facto ban on the industry, or at least a radical restructuring thereof. My suspicion is that the industry is actually not a profitable enterprise once all the externalities are properly accounted for. But I'd be happy to be proved wrong, and I'm more than willing to give the industry a chance to figure out a model that works.
Edit: Completely off topic, but this is the nicest internet argument I've had in a long time. Thanks, scrumper, for being an excellent debating partner!
Oh then yes we totally agree. If they're prudent, their insurer pays. Otherwise they do.
You might be right about the credit reference industry being ultimately unprofitable as a standalone business, but I think there's a lot of arguing to be had about the magnitude of those externalities. That's why we need a law to provide some automatic, per-individual-leaked fine - the insurable risk from way up-thread.
Yes, that's true. But as the poster above already said some things are simply not safe to do. If I wanted to warehouse explosives, I wouldn't be allowed to do it near a populated area, I'd have to put my warehouse far away from populates areas. But absent that prohibition, let's say I found a cheap space in town, and so I loaded it up with tons of explosive material. Then a homeless fellow breaks in one night and manages to start a fire, burns the place. He survives, but the explosives were set off and half the town blew up. You'd think it's okay if I shrugged my shoulders and pointed at the homeless fellow?
Credit reporting bureaus have free reign to screw up here because there's no oversight like the BATFE and no reasonable way for them to be sued into oblivion when they screw up so badly as Equifax has clearly done here.
>Credit bureaux facilitate comprehensible risk management,
How anyone can trust Equifax to do anything anymore is beyond me. There is still no corrective force here to cause these companies to become competent with data security. This is a farce.
If it's legal to operate an explosives warehouse in town at the time you do it, then unfortunately yes I have to answer that, provided you'd complied with applicable laws in securing your warehouse full of bombs, then you could shrug your shoulders. But you'd then be shrugging in the face of a barrage of lawsuits (as is happening now with Equifax). Soon after your homeless guy blew up the block the laws would be changed. And that's the situation we're in now: rubble everywhere, with a chance to make legislative changes to prevent a recurrence.
Ironically, even if I liked the bureaux (I don't) I couldn't do it any more. Their negligence self-defeated their mission.
With the leaked information, no credit report from Equifax is believable any more. If somebody slams it in my face I can shrug and say "Nope, that's not me: leaked information". Everybody in the Equifax data can do that. Everybody in the other companies' data which intersect with Equifax's can do it. All of a sudden, these companies are providing zero value.
Sucks. I'm not defending it. This is how it is.
Second, why would the presumption of inaccuracy trump the presumption of accuracy? Who said Equifax is right? Especially since they have a track record of incompetence. As any debate on facts goes, the burden of the proof is on whomever is making a claim. Equifax is claiming something, i.e. that my credit score is X. I'm saying it is not.
I concede you that what you say is probably how the law and the system works right now. And I concede that mine was more like a desire than a real prediction. I know things won't change. But that doesn't change the fact that, after the hack, Equifax and similar are just selling hot air.
[0] If you want my credit score, you ask me for my statements, nor Equifax. If anything, Equifax is damaging me with their inaccurate information.
People in glass houses shouldn't throw rocks.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
This too can be "fixed" with a small change to liability laws.
I never asked Equifax to keep me in their database and send my information to creditors.
Under current law.
Since the Equifax break in, journalists have been demanding legislation to change that,
https://www.nytimes.com/2017/09/11/opinion/equifax-accountab...
https://www.emptywheel.net/2017/09/14/software-is-a-long-con...
>I never asked Equifax to keep me in their database and send my information to creditors.
It seems you can't be expected to take responsibility for reading the fine print in your loan agreements. Quite an interesting bit of cognitive dissonance you have there.
In non insane countries, a company doing that would be closed and the perpetrators would go to jail.
Maybe you feel entitled to be extended a loan without any credit reporting. I, personally, feel entitled to a loan without any interest. But neither of us are going to get what we want.
I strongly suspect you are subject to all of this via a state-owned CRA or little to no borrowing activity (also an option in the US).
Why is no one stepping up and flipping the business model on credit reporting?
https://www.prbc.com/ (2002)
http://www.dataxltd.com/ (2004)
https://ws.factortrust.com/ (2005)
See also https://wallethub.com/edu/credit-reporting-agencies/25518/
This is not true for Germany.
https://en.wikipedia.org/wiki/Schufa
It's ok to post stories from sites with paywalls that have workarounds.
In comments, it's ok to ask how to read an article and to help other users do so. But please don't post complaints about paywalls. Those are off topic.
If only NYT knew that HN was popularizing workarounds, they'd be so happy about it, not.
It is because of you that paywalled sites haven't died yet.
Of course, that's preempted by a federal law that Equifax & friends carefully purchased. Perhaps all we need is for them to lose that protection to give them a reason to care.
Equifax and the credit agencies only exist because they are allowed to perpetrate great harm spread across millions. They are a giant negative externality.
That is a naive statement, perhaps based on an idealized version of a few cherry-picked governments.
Aside from Senator Warren I have heard very little concern from lawmakers in Washington regarding the menace that these credit reporting agencies have become and the threat they pose to people.
[1] https://www.warren.senate.gov/?p=press_release&id=1837
A bank makes a loan to a fraudster who is impersonating you. The fraudster defaults on the loan and the the bank tells a lie about you to the credit bureau, which gets spread around and hurts you in many ways. If we called this situation "bank slander" or "bank libel", the focus would be on who is creating the problem: the bank with its lie. Create high enough penalties for banks reporting false loan defaults and "identity theft" will disappear as the banks become more cautious of fraudsters. This is unlikely to happen as banks are concentrated and powerful institutions. "To big to fail" I believe is the term. I don't think the credit bureaus themselves are that influential in Congress but the banks want them and will lobby on their behalf.
It would be interesting to know how much money the banks get from people illegally each year from people paying off fraudsters debts to clear their credit reports from the false default reports from banks.
Data sources might be another case.
I think the problem is figuring out the transition from SSN's to something like key pairs/TOTP. How do we securely establish the "new" identity and pair it to the old SSN? Do we even bother and just start from scratch?
An increasingly familiar pattern.
The free market is flipping against the people.