Culture

August 13, 2021

What the New Infrastructure Bill Means for Tech

On Tuesday, the United States Senate passed a USD $1 trillion infrastructure bill, sending it to the House of Representatives for further debate. While the details and amount of money are subject to change, it is likely that some kind of bill to expand and rebuild the country’s infrastructure will be passed and signed in the coming months. And while most of the bill’s funding will focus on fixing America’s roads, bridges, and other transportation infrastructure, tech is far from being ignored.

Infrastructure spending has long been a goal of many Presidential administrations. And while many bills fall victim to partisan battles, the general idea of infrastructure spending enjoys bipartisan support. Of course, certain provisions of the infrastructure bill will still face fierce debate, particularly the portions that pertain to technology. However, because there is bipartisan agreement that America’s infrastructure needs updates, a bill is likely to pass. And while the numbers may change, the country is still set to spend billions to update, modernize, and regulate technology infrastructure.

Crypto Tax Changes

One of the most important (and controversial) provisions of the bill creates tax-reporting mandates for cryptocurrency brokers. In practice, this would make reporting cryptocurrency income similar to traditional stock income, where brokers already report their clients’ sales to the IRS. Congressional accountants estimate that this update to crypto tax laws would raise USD $28 billion over ten years [1]. And while this money doesn’t cover the entire cost of the bill, it would pay for the USD $25 billion to repair America’s structurally deficient bridges.

The reason for its controversy is cryptocurrency’s unique nature. Opponents say that the language of the bill regarding cryptocurrency is too broad, leading to software developers and crypto miners facing tax requirements. Additionally, some fully oppose taxes on cryptocurrencies, due to their purposefully decentralized nature. However, supporters of this tax claim that cryptocurrencies are like any other property, and therefore should be subject to capital-gains taxes. Supporters want cryptocurrency gains to be taxed the same as other properties, such as gold and stocks. So while cryptocurrency will still be largely decentralized and international, it will likely become subject to national taxes in the future.

Broadband Access

Another large portion of the infrastructure bill is dedicated to broadband affordability. While those living in urban or suburban communities typically have easy access to the Internet, those living in rural communities aren’t afforded that same accessibility. Many rural areas don’t have consistent access to the Internet, and if they do, the costs can be immense. To combat this Internet inequality, the infrastructure bill offers billions in grants to low-income households. The new program offers monthly USD $30 subsidies toward purchasing high-speed Internet [2]. 

As millions of Americans have spent the past year working and studying from home, reliable Internet access has become a necessity, especially for low-income college students. The new bill also provides USD $1 billion for colleges and universities to provide additional direct grants to students in need. Overall, expanding broadband access will help ensure more Americans have affordable access to the Internet. After all, access to online services has proven itself to almost be a necessity in nearly every facet of life.

Electric Vehicle Expansion

One of the largest physical infrastructure plans included in the bill is a USD $7.5 billion investment in electric vehicle (EV) charging stations [3]. While EVs have been available to Americans for years, adoption has been slow, partially due to the lack of EV chargers available across the country. This investment hopes to encourage Americans to switch to more environmentally-friendly EVs, as opposed to traditional gasoline-powered cars. In addition to EV charging stations, the bill also sets aside USD $7.5 billion to help cities adopt zero-emission public transportation vehicles. 

Cybersecurity Updates

The bill also offers USD $1.9 billion for cybersecurity updates. USD $1 billion of that fund is slated to be given as grants to state and local governments [4]. Following increased numbers of cyberattacks and ransomware incidents, this money will be useful for updating aging technology. State and local governments often rely on older tech, making it easier for cybercriminals to stage a successful attack.

In addition, these grants will greatly help local governments, which are particularly susceptible to ransomware attacks [5]. Local governments often oversee critical infrastructure, such as water, sewage, schools, and airports. Because all of these are necessities for the community, cybercriminals often target them, knowing that local governments will be desperate enough to pay the ransom. Thankfully, the infrastructure bill’s investment in modernizing cybersecurity for local governments can help protect these communities from the rising threat of cybercrime.

Why Tech is Infrastructure

While the infrastructure bill receives broad support from Americans, some have objected to the bill’s spending outside of traditional infrastructure. After all, “infrastructure” has always meant roads and bridges, rather than tech. But because technology is becoming so present in our lives, it’s important to ensure our tech consistently works. Think about it: If your employer’s Internet went out on a workday, it would be more than an inconvenience. It would likely cause nearly everyone’s work to pause. Simply put, we are incredibly reliant on technology, so it makes sense to ensure that technology works properly and consistently.

When people hear the word “infrastructure,” many think of physical infrastructure, such as roads, bridges, pipes and buildings. Naturally, most of the infrastructure bill is slated to fund these physical infrastructure projects. However, with the Internet truly becoming a necessity in recent years, technology needs to be included in infrastructure as well. To a certain extent, it’s just as important as water or sewage. When our country’s technology works as intended, it can lead to incredible efficiency and convenience. And even in a pandemic, technology allowed us to continue to get work done, ensuring that businesses and governments could continue to serve their communities. But when technology doesn’t work, it can lead to chaos and frustration. Just a loss of Internet can cause entire businesses to temporarily shut down. So because technology and the Internet are so vital to individuals, businesses, and governments, it simply makes sense to consider technology as infrastructure. After all, the Internet isn’t just a luxury anymore; it’s a vital necessity for all.

[1] Gordon, Marcy. “EXPLAINER: How Cryptocurrency Fits into Infrastructure Bill.” AP NEWS. August 10, 2021. https://apnews.com/article/technology-joe-biden-business-bills-cryptocurrency-92628a41124230448f65fdeb89ffad7d.

[2] Gravely, Alexis. “Infrastructure Bill Expands Broadband Affordability for Students.” Infrastructure Bill Expands Broadband Affordability for Students. August 10, 2021. https://www.insidehighered.com/news/2021/08/10/infrastructure-bill-expands-broadband-affordability-students.

[3] Szymkowski, Sean. “Bipartisan Infrastructure Bill Passes US Senate with Billions for EV Charging Network.” Roadshow. August 10, 2021. https://www.cnet.com/roadshow/news/biden-bipartisan-infrastructure-bill-ev-charging-network-senate/.

[4] Miller, Maggie. “Senate Includes over $1.9 Billion for Cybersecurity in Infrastructure Bill.” TheHill. August 10, 2021. https://thehill.com/policy/cybersecurity/567204-over-1-billion-in-cybersecurity-funds-included-in-senate-passed.

[5] Garcia, Michael. “The Underbelly of Ransomware Attacks: Local Governments.” Council on Foreign Relations. May 10, 2021. https://www.cfr.org/blog/underbelly-ransomware-attacks-local-governments.

Filed Under: Business, Culture Tagged With: cryptocurrency, cybersecurity, government, infrastructure, technology

February 10, 2021

Law Enforcement is Already Breaking into Encrypted Devices

Are we living in the drowsy beginnings of an Orwellian nightmare? The signs don’t look great. In Orwell’s most famous book, 1984, the protagonist Winston exclaims, “Freedom is the freedom to say two plus two make four,” as an appeal to the uncontroversial description of objective reality. You may think our society hasn’t sunk that low yet, but with 2+2=5 receiving some mainstream acceptance[1], sirens should be sounding in your head.

Beyond that can of worms lies less abstract evidence that our world is slipping into dystopia, such as the increasingly shady tactics law enforcement agencies use to pry evidence from people’s phones.

A bit of backstory

The 2014 Supreme Court case Riley v. California scored a rare unanimous decision[2]. In it, the Justices upheld that law enforcement is not allowed to search a suspect’s phone upon arrest without a warrant. Privacy advocacy groups saw this as a significant win in the fight against unconstitutional search procedures.

Since then, the debate has centered on encryption. Police don’t like encryption, as it makes their job more difficult, even when they have a warrant. The frustration is understandable. Going through the trouble of obtaining a warrant against an alleged criminal and still being unable to access their device to get crucial evidence would be upsetting. This is precisely what happened in the high-profile cases of the 2015 San Bernardino[3] shooting and the 2019 Pensacola Naval Air Station[4] shooting.

It boils down to the Department of Justice wanting tech companies like Apple and Google to implement “backdoors” into their operating systems, allowing law enforcement to bypass the encryption when necessary. Of course, the problem is that once you put a backdoor in a piece of software, there is no way to ensure only the “good guys” can use it. As we’ve seen with cyberattacks such as the recent SolarWinds breach, malicious hackers seem to be one step ahead of cybersecurity as-is. Now, imagine if developers had to code in an explicit path that allowed system breaches. It doesn’t seem like a good idea, right?

The guns used by the San Bernardino shooter. San Bernardino County Sheriff’s Department, Public domain, via Wikimedia Commons

In the end, the bluster of the United States Department of Justice wasn’t necessary. In both of the shooting cases mentioned above, the feds cracked the encryption without Apple’s help[5][6]. Although, in the San Bernardino case, authorities shelled out over a million dollars to freelance hackers to do so. Those payment requirements are unsustainable, even for the U.S. government. So, their typical workflow is a bit different.

How they do it

Cellebrite logo. Alon Klomek, GM, International; Chris Armstrong (Toronto), CC BY-SA 4.0, via Wikimedia Commons

Law enforcement agencies use Mobile Device Forensic Tools (MDFTs) to break into locked, encrypted phones. Third-party vendors such as Grayshift and Cellebrite provide these tools[7][8]. Cellebrite is an Israeli company that requires the agency to send in the device they wish to crack. In contrast, the United States-based Grayshift gives the software and hardware packages directly to law enforcement. Both cost tens of thousands of dollars or more. MDFTs bypass locking and encryption mechanisms through system exploits. This is why Cellebrite has law enforcement send the mobile devices directly to them. It prevents the actual mobile companies (Apple and Google) from purchasing the tools, seeing which exploits they use, and patching them.

 

MDFT packages are designed to be easy to use. Clients with little technical knowledge on staff can still use them and acquire all the desired information. They automatically scan the device’s directories for files and then sort them into categories such as “Images, SMS, Audio, etc.”

MDFT abuse

An October 2020 study by Upturn uncovered many startling facts about law enforcement’s use of MDFTs[9] in the United States. Here’s a brief synopsis of their findings:

  • Over 2000 agencies throughout all 50 states, including the 50 largest police departments, purchased MDFTs between 2015 and 2020.
  • Many departments have no set guidelines regarding the use of MDFTs, resulting in little accountability.
  • Police skirt warrant regulations by coercing people involved in minor crimes to consent to a phone search. Then, they use the MDFT to analyze the entirety of the person’s device and collect evidence relating to other, more serious crimes.

The usage of these criminal analysis tools is widespread. Even smaller departments can usually pay the exorbitant fees through indirect avenues such as federal grant programs. Worryingly, those consenting to an electronic search typically assume it will be limited to the particular crime that sparked the investigation. Unfortunately, this isn’t the case.

Other shady tactics

Coercion isn’t the only loophole for law enforcement. In the age of Big Data, many agencies simply purchase information like detailed location data from third-party sellers[10]. It’s a particularly sneaky way to get around the pesky Fourth Amendment.

You never really know which apps will sell your data to law enforcement. Multiple recent stories prove that many seemingly innocuous applications collect a surprising amount of your personal info and are willing to sell to law enforcement or the military[11]. Download a digital level app to make sure your bookshelf isn’t crooked? You might be in a police database. It’s a strange reality most people don’t give a second thought to, but it truly is pushing society toward totalitarianism.

How to protect yourself

It isn’t easy. Firstly, if you’re in a situation where law enforcement wants to search your phone without a warrant, do not consent. Even if you have nothing to hide, we should hold the police to high standards of ethical behavior.

Furthermore, recognize Big Tech doesn’t have your back (although Apple’s new privacy labels for their App Store[12] are a reasonable first step). We recommend only installing apps from reputable companies committed to keeping your data safe. It’s also a good idea to move away from free Big Tech services as much as you can. Free services sound great, but these companies are some of the most profitable in the world and are making money somehow. Usually, this means selling your data.

AXEL Go

You can move away from cloud storage and file-sharing apps such as Google Drive, OneDrive, or Dropbox by using AXEL Go. AXEL is dedicated to providing users with full data custody and never selling personal information. AXEL Go delivers one of the most secure and private ways to share and store data on the internet. It utilizes technologies such as blockchain, IPFS servers, and AES 256-bit encryption for industry-leading security. Try it out today and sign up for a free, full-featured Basic account with 2GB of storage and complimentary fuel for hundreds of typical shares.

 

[1] Caroline Delbert, “Why Some People Think 2+2=5…and why they’re right”, Popular Mechanics, Aug. 7, 2020, https://www.popularmechanics.com/science/math/a33547137/why-some-people-think-2-plus-2-equals-5/

[2] Marc Rotenberg, Alan Butler, “Symposium: In Riley v. California, a unanimous Supreme Court sets out Fourth Amendment for digital age”, SCOTUSblog, June 26, 2014, https://www.scotusblog.com/2014/06/symposium-in-riley-v-california-a-unanimous-supreme-court-sets-out-fourth-amendment-for-digital-age/

[3] Arjun Kharpal, “Apple vs. FBI: All you need to know”, CNBC, March 29, 2016, https://www.cnbc.com/2016/03/29/apple-vs-fbi-all-you-need-to-know.html

[4] Joseph Marks, “The Cybersecurity 202: Barr ramps up encryption war with Apple over Pensacola shooter’s phone”, The Washington Post, May 19, 2020, https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2020/05/19/the-cybersecurity-202-barr-ramps-up-encryption-war-with-apple-over-pensacola-shooter-s-phone/5ec32a4188e0fa6727ffe363/

[5] Thomas Brewster, “FBI Hacks iPhones in Pensacola Terrorist Shooting Case, But The War With Apple Goes On”, Forbes, May 18, 2020, https://www.forbes.com/sites/thomasbrewster/2020/05/18/feds-hack-iphones-in-pensacola-case-apple-not-needed-after-all/?sh=1db6e89675e9

[6] Matt Drange, “FBI Hacks Into San Bernardino Shooter’s iPhone Without Apple’s Help, Drops Case”, Forbes, May 28, 2016, https://www.forbes.com/sites/mattdrange/2016/03/28/fbi-gets-into-san-bernardino-iphone-without-apples-help-court-vacates-order/?sh=492873d93b18

[7] Thomas Brewster, “Mysterious $15,000 ‘GrayKey’ Promises To Unlock iPhone X For The Feds”, Forbes, March 5, 2018, https://www.forbes.com/sites/thomasbrewster/2018/03/05/apple-iphone-x-graykey-hack/?sh=1419c67b2950

[8] Thomas Brewster, “This Powerful iPhone Hacking Tool Can Now Break Into Samsung Androids”, Forbes, Feb. 1, 2021, https://www.forbes.com/sites/thomasbrewster/2021/02/01/the-powerful-graykey-iphone-hacking-tool-can-now-break-into-samsung-androids/?ss=cybersecurity&sh=1cbafece4d61

[9] Logan Koepke, Emma Weil, Urmila Janardan, Tinuola Dada, Harlan Yu, “Mass Extraction: The Widespread Power of U.S. Law Enforcement to Search Mobile Phones”, Upturn, Oct. 2020, https://www.upturn.org/reports/2020/mass-extraction/

[10] Gilad Edelman, “Can the Government Buy Its Way Around the Fourth Amendment?”, Wired, Feb. 11, 2020, https://www.wired.com/story/can-government-buy-way-around-fourth-amendment/

[11] “Mobile App Monetisation – Covert trackers in your pocket”, Privacy International, Jan. 28, 2021, https://privacyinternational.org/case-study/4404/mobile-app-monetisation-covert-trackers-your-pocket

[12] Sarah Perez, “Apple launches its new app privacy labels across all its App Stores”, TechCrunch, Dec. 14, 2020, https://techcrunch.com/2020/12/14/apple-launches-its-new-app-privacy-labels-across-all-its-app-stores/

Filed Under: Culture, Cybersecurity, Legal Tagged With: hacking android, hacking iphone, police cracking phone

January 22, 2021

Sharing user data with Facebook? WhatsApp with that?

Facebook-owned WhatsApp is receiving backlash for recent changes to its privacy policy. The topic has started an international conversation about the expectation of privacy and consumer data rights. We summarize the situation and how the fallout is pushing the discussion forward.

The application

WhatsApp is the most popular messaging application, with over 2 billion active monthly users[1]. After Facebook purchased it in February 2014, privacy advocates became rightfully concerned. At the time, WhatsApp assured users it would not allow data sharing between the two companies. However, two short years later, in 2016, WhatsApp modified its terms and conditions to enable data sharing[2]. There was a grace period for users to opt out of the sharing, but that option has long since expired.

This concerning development was partially offset by WhatsApp’s implementation of end-to-end encryption for messages. End-to-end encryption means that only the intended recipient’s device can decrypt messages from the sender. No third party can read or mine your messages. Conceived in 2014, the feature didn’t receive full integration until 2016. Since then, privacy worries mostly dissipated even though their relationship with Facebook never changed. Until they released a privacy policy update in January 2021…

Breakdown of privacy policy changes

So, what nefarious language did WhatsApp include that triggered a backlash? If anything, it was minor updates to already-existing policies. We believe these policies should have drawn ire long before now, but better late than never. According to the policy, WhatsApp could already share the following information with Facebook[3]:

  • Phone numbers of both users and their contacts
  • Profile names and pictures
  • Metadata, including app logs, status messages (i.e., when a user last logged in), and diagnostics information.

The new policy only expands upon this specifically when communicating with businesses. Facebook now stores user chats with companies. They can also access any data within those chats[4]. Certainly not ideal, but perhaps the reaction wouldn’t be so severe had they not required users to accept the changes by February 2021 or face account deletion. The combination of scary words such as “data collection,” “sharing,” and “Facebook” was exacerbated by an equally-frightening ultimatum. It came across as a power play rather than an update. Needless to say, people were not happy.

Harsh backlash

The backlash to the update was immediate. It became highly publicized, with sensational headlines clogging up all of the internet’s many tubes.

 

Then, celebrities took to Twitter to promote privacy-based alternatives such as Signal.

Use Signal

— Elon Musk (@elonmusk) January 7, 2021

Everybody can get back to uninstalling #Whatsapp now. https://t.co/dclPkSaWjH

— Edward Snowden (@Snowden) January 17, 2021

 

The hysteria around the policy announcement, along with the solicitation of alternatives from people such as Elon Musk, drove people to other encrypted messaging applications in droves. The open-source Signal app received the most significant boost. It is estimated that it had at least 40 million new downloads within a week of the WhatsApp update.

Likewise, another private messaging client, Telegram, saw similar gains. In three days, they signed up 25 million new people for their service.

These substitute solutions are attractive due to their end-to-end encryption capabilities and the fact that Facebook, one of the biggest privacy offenders around, isn’t involved at all. Both companies have more transparent privacy policies and offer compelling products. Time will tell if the poached users migrate back to WhatsApp or if the trend continues.

Signal experiences difficulties

Gaining tens of millions of new users for a bandwidth-intensive service is going to strain servers. While Telegram already had a massive user base and could withstand a short-term spike in usage, Signal had significant problems.

The Signal Foundation is a nonprofit organization that relies on private funding and donations from users. Interestingly enough, former WhatsApp co-founder, Brian Acton, is on Signal’s Board of Directors and remains one of its biggest funders[7]. Given its more “plucky underdog” status, it makes sense that the enormous increase in traffic caused issues. Within a week of its newfound popularity, the app experienced downtime and lost messages[8].

Consumers tend not to be sympathetic to poor user experiences. For the sake of all privacy apps, we hope that Signal can meet demand and deliver a great experience going forward. If people come to regard privacy-based alternative applications as “less than,” they’ll migrate back to the services they know.

WhatsApp combats misinformation

Undoubtedly feeling the heat, WhatsApp responded by clarifying the new policy and reassuring that they don’t share most data with Facebook[9]. To informed privacy advocates, this seems more like damage control than anything else. While this update didn’t have a significant amount of new information aside from the Businesses section, it shed light on an ongoing concern about how they share information with Facebook.

A new path forward

The WhatsApp controversy is encouraging. It shows that privacy issues can move the needle, demand mainstream media coverage, and cause tens of millions of people to switch to better solutions. In a time of corporate surveillance, government intrusion, and censorship, it’s nice to see everyday people begin to wake up. We hope this trend continues and the right to privacy becomes a standard consideration for app developers and service providers.

AXEL believes in the users’ right to privacy and data custody. Our products embody this philosophy. Our blockchain-based, decentralized cloud storage and file-sharing platform, AXEL Go, lets you store or send files confidentially. We don’t sell your information to advertisers or mine your files for data. It offers AES 256-bit encryption to keep your documents away from any would-be spies. Try it out today and receive 2GB of free storage and enough of our AXEL Tokens to fuel thousands of typical shares. The future doesn’t have to be mass surveillance and constant data breaches. We’re providing a different path. Won’t you join us?

 

[1] J. Clement, “Number of monthly active WhatsApp users worldwide from April 2013 to March 2020”, statista, April 30, 2020, https://www.statista.com/statistics/260819/number-of-monthly-active-whatsapp-users/#:~:text=As%20of%20March%202020%2C%20WhatsApp,billion%20MAU%20in%20February%202016

[2] Natasha Lomas, “WhatsApp’s privacy U-turn on sharing data with Facebook draws more heat in Europe”, TechCrunch, Sept. 30, 2016, https://techcrunch.com/2016/09/30/whatsapps-privacy-u-turn-on-sharing-data-with-facebook-draws-more-heat-in-europe/

[3] “WhatsApp Privacy Policy”, WhatsApp.com, July 20, 2020, https://www.whatsapp.com/legal/privacy-policy?eea=0

[4] Andrew Griffin, “WHATSAPP NEW PRIVACY TERMS: WHAT DO NEW RULES REALLY MEAN FOR YOU?”, Independent, Jan. 9, 2021, https://www.independent.co.uk/life-style/gadgets-and-tech/whatsapp-new-privacy-terms-facebook-rules-explained-b1784469.html

[5] Saheli Roy Choudhury, “Indian ministry reportedly asked WhatsApp to drop privacy policy changes that sparked backlash”, CNBC, Jan. 19, 2021, https://www.cnbc.com/2021/01/20/india-has-reportedly-asked-whatsapp-to-withdraw-privacy-policy-update.html

[6] Tugce Ozsoy, Firat Kozok, “WhatsApp Dropped by Erdogan After Facebook Privacy Changes”,

[7] Andy Greenberg, “WhatsApp Co-Founder Puts $50M Into Signal To Supercharge Encrypted Messaging”, Wired, Feb. 2, 2018, https://www.wired.com/story/signal-foundation-whatsapp-brian-acton/

[8] Katie Canales, “Signal appears to be down for some users after the messaging app saw a record spike in downloads”, Business Insider, Jan. 15, 2021, https://www.businessinsider.com/signal-app-down-users-report-messages-sending-problems-outage-2021-1

[9] “Answering your questions about WhatsApp’s Privacy Policy”, WhatsApp, Jan. 2021, https://faq.whatsapp.com/general/security-and-privacy/answering-your-questions-about-whatsapps-privacy-policy

Filed Under: Culture, Industry Related Tagged With: facebook, Privacy, signal, telegram, whatsapp, whatsapp privacy policy

December 12, 2019

The 10 WORST Data Breaches of the Decade

As another decade comes to a close, now is the perfect time to reflect on some of the top 10 worst data breaches and cyber-security blunders from the last ten years. Over the 2010s, we’ve seen the pace of technological growth rapidly advance. From the development of facial recognition software to the growth of artificial intelligence and quantum computing, the digital age has taken a monumental leap forward.

And while this technology has brought innumerable benefits, the vast quantity of personal information now stored digitally has exposed us to catastrophic privacy violations from even the smallest data breach.

While there have been data breaches as long as data has existed, the danger has never been more apparent. Our entire lives are stored digitally, from personal files like family photos to vital business data like employee records and legal documents. The digital world is inescapable, and millions of users across the web are unknowingly putting their privacy at risk.

Data breaches have become so common that society has become desensitized to the effects, which, ironically, makes it all the more dangerous.

So in case you’ve forgotten just how pervasive data breaches have become, we’ve assembled a list of the ten most damaging breaches of the last decade.

10) Facebook

Date: 2017-2019
Impact: 50 Million Users

Starting off our list is the social media powerhouse, Facebook. Although a prominent social platform, Facebook is not 100% bulletproof and has fallen victim to hackers and data breaches in the past. Two years ago, Facebook announced the discovery of a bug in their site that resulted in the exposure of over 50 million accounts. By abusing the flaw, hackers were able to obtain account access tokens, which are security keys that enable users to stay logged into a Facebook account without the need to re-enter passwords when returning to the site. The real significance of this data breach was that the access tokens didn’t just allow hackers to spy on users’ private information; the tokens gave hackers full control over the victims’ accounts. The breach forced Facebook to reset the access tokens of the over 50 million affected accounts, in addition to 40 million more accounts out of precaution. (Source)

9) Uber

Date: 2016
Impact: 57 Million Users

Uber, a multi-national ride-sharing company, suffered a major data breach in 2016, which involved at least 7 million drivers and 50 million passengers. The breach compromised all sorts of personal information: names, email addresses, and phone numbers, to name but a few examples. In addition, the breach exposed over 600,000 drivers’ license numbers. What makes this data breach so much worse is that Uber initially attempted to hide the incident from regulators and users. Instead, Uber tried to pay a $100,000.00 ransom to the hackers, in the hope that they would get rid of the data and keep the breach concealed from the public. Their plan failed, but to Uber’s credit, they did take immediate steps to secure the data and shut down further unauthorized access by the hackers. (Source)

8) JP Morgan Chase

Date: 2014
Impact: 76 Million Users and 7 Million Small Businesses

In 2014, JPMorgan Chase was the victim of a cyber-attack that resulted in the theft of nearly 80 million users’ data. From confidential information like home addresses to business information like corporate banking documents, the breach affected millions of files. Reporters and journalists stated that the hackers likely operated out of Russia or Eastern Europe and that they were able to break into the Chase network by hacking a Chase employee’s personal computer. (Source)

7) Target

Date: 2013
Impact: 110 Million Accounts

The retail giant faced a data breach that resulted in the unauthorized access of almost 110 million accounts. The attackers stole information stored on the magnetic stripe on the back of credit and debit cards swiped in several Target stores. It was incidents like this that contributed to the rise of the EMV chip, now embedded into all new credit and debit cards. Several years later, Target paid out an $18.5 million settlement, which included a $10,000.00 payment to consumers who provided evidence that they suffered losses resulting from the data breach. (Source)

6) eBay

Date: 2014
Impact: 145 Million Users

In 2014, the online commerce company eBay announced that its records had been breached and suggested that almost 145 million users needed to change their passwords. This cyber-attack was carried out by a team of hackers who were able to obtain the credentials of three eBay employees. Names, emails, passwords, and even security questions were all compromised in the hack. Even more concerning was that, due to eBay and PayPal being so interconnected, hackers were able to gain access to people’s PayPal accounts too. In the end, eBay did not provide any reimbursement to the consumers who had their credentials misused or their money stolen. (Source)

5) Equifax

Date: 2017
Impact: 148 Million Users

Equifax, one of the largest consumer credit reporting agencies in the United States, suffered a data breach in September 2017. In addition to the theft of 209,000 credit card numbers, approximately 148 million Americans had their name, phone number, home address, date of birth, driver’s license number, and social security number compromised as well. As more details came to light, a lack of regard for consumer data by many of Equifax’s senior staff became apparent. It was a catastrophe; they even hired a Chief Information Security Officer whose credentials consisted entirely of not one, but two degrees in music. Yes, music.

Fast forward to July 2019: Equifax announced a $675 million consumer settlement. They offered people who were affected by the breach a choice of 4 years of free credit monitoring services or a $125 cash payment. (Source)

4) Adult Friend Finder

Date: 2016
Impact: 400 Million Users

Almost half a billion users had their data compromised from a litany of websites across the FriendFinder network. Over 20 years of data, including names, email addresses, and passwords, was exposed. Even more worrying is that this wasn’t FriendFinder’s first rodeo…

In May 2015, it was revealed that around 4 million FriendFinder accounts were stolen. The good news is that FriendFinder was transparent and updated the public as soon as they became aware of the attack. The breadth of this data breach is still under investigation; however, FriendFinder Networks suggests that all users reset their passwords. (Source)

3) Marriott International

Date: 2018
Impact: 500 Million Customers

In November 2018, Marriott International announced that a data breach had occurred within their system. However, the incident began in 2014. The breach originated in the Starwood Hotel guest reservation database, where hackers lay dormant in the system for several years before Marriott acquired the company. With that time, the attackers were able to steal passport and credit card information from hundreds of millions of people. (Source)

2) First American

Date: 2019
Impact: 885 Million Customers

Not only is First American second on this list because of volume, but they are here due to their carelessness. Data from at least 885 million people was easily accessible on First American’s site by inputting a specific set of URLs. These URLs had a sequential system, meaning you could simply plug and play with different numbers to find confidential information. This sort of reckless behavior regarding data security seems like it would be a story from the 1990s. What makes it so sad, though, is that this is the most recent data breach on this list, occurring in 2019. (Source)

1) Yahoo!

Date: 2013-2014
Impact: Over 3 Billion Users

Yahoo takes the number one spot for the largest data breach of the decade due to the pure volume of records stolen. The internet giant that was once the face of the internet had names, email addresses, passwords, and security questions compromised due to outdated and easy-to-crack encryption. Also, Yahoo failed to correctly pinpoint the number of users affected and released several revisions of the estimate. In 2016, Yahoo announced that 500 million users had their data compromised in a 2014 data breach. That announcement was later amended with information that there was another 2013 data breach that affected approximately 1 billion users. After drastically increasing the estimate with each subsequent announcement, the final estimate was that over 3 billion people were affected. In the spirit of schadenfreude, though, you can find some solace in knowing that Yahoo did pay. When the breach was announced, Yahoo was in the process of selling the company to Verizon. The data breaches ended up chopping approximately $350 million off Yahoo’s sale price, and the two companies agreed to share regulatory and legal liabilities from the incident. (Source)

On the plus side, a class-action lawsuit was filed against Yahoo, and people who’ve had a Yahoo account since 2012 are entitled to up to $358.80 of compensation. You can learn more on YahooDataBreachSettlement.com. Don’t let these Yahoos get off cheap for exposing your data.

—

Based on big tech’s terrible track record with data protection, it is safe to say that our data is not safe. Cybersecurity, which should be at the forefront of any company’s mind (especially when it holds the private information of millions of people), is looked at as an expense to be mitigated.

And what may be the most disheartening part is that it’s not a super team of elite hackers cracking into databases. It’s pure and simple negligence in many cases, from not updating security software, to leaving private information exposed on a public database with no password.

But finally, the decade is coming to an end, and hopefully, data breaches are ending with it. But with how little is being done to prevent them… it might be best to start keeping your data to yourself.


August 21, 2019

Why Data Breaches are so Damaging and how the Law has Failed Consumers

Very few times in history has a group of people sat down with the purpose of writing a set of new laws to improve society. Instead, what usually happens is that laws are written to solve specific problems. This leads to a litany of laws piling up over the decades. While it could always be debated how effective a particular law might be at accomplishing its goal, the rapid pace of technological advancement over the past 20 years – especially as compared to the pace of the lawmaking process – has introduced new challenges as laws become quickly outdated, sometimes even by the time they take effect.

The results of this are acutely apparent at the intersection of cybersecurity and consumer protection, namely data breaches.

The majority of consumer protection laws in the United States were written for a society concerned with immediate product safety and compensation for resulting injuries, not for the nebulous and incalculable injuries that may be sustained by potential millions when private records are exposed.

Why are data breaches so damaging?

The unique problem of data breaches stems from the fact that the breach of privacy carries in and of itself no specific harm. Instead, it is the later misuse of information that has been breached that may lead to ensuing harm. However, with data breaches occurring on a near-daily basis, specific financial or reputational damage is nigh impossible to link causally to a single breach. With our laws written around the concept of calculable damages being the source of justified remuneration, we are left constantly and increasingly victimized but unable to seek just compensation.

Some would argue that even more problematic is the irreparable nature of many of the most severe data breaches. Once a name and social security number are leaked, that identity is permanently and irreversibly at risk for being used fraudulently. While one could always apply for a new social security number, the Social Security Administration is extremely reluctant to issue new identities, and while that is a debate for another time, it goes to show just how difficult it can be to recover from a breach. Victims are permanently marred and at increased risk for future injuries resulting from a single breach, no matter how much time has passed.

Because of the damage resulting from a data breach being so far removed temporally and causally from the actual breach itself, adequate compensation is rarely won, if it is even sought. Was it the Equifax breach, the MoviePass breach, or one of the innumerable other breaches this year that resulted in your identity being stolen and used to take out fraudulent loans a decade from now?

Moreover, even if you should find that it was MoviePass’ negligence that led to your identity being stolen, what compensation can you seek from a company that has been defunct for years? Our laws were not written to address these issues adequately. Our legal system often does not ponder questions of uncertainty and possibility, and that’s the perfect summary of what victims face in the aftermath of a breach: uncertainty and possibilities.

For all the uncertainty victims face, the solutions going forward as a country are equally opaque.

It would be easy to write some draconian law to punish companies for exposing private data, but as is often the case, that could have unintended consequences, such as pushing data overseas where even looser security and weaker privacy laws may exacerbate the problem. Instead, it’s going to take a significant shift in our collective consciousness over how data is handled.

Laws written for managing telecommunications and transmissions in that era are being used to handle complex cybersecurity and data privacy cases.

This can’t come from just one party, though; companies need to seriously consider what data they need to collect, and what information needs to be retained on a long-term basis. Consumers have to take ownership of their data and demand a higher quality of service from corporations and governments over how their data is collected and used.

As a whole, we must recognize the value of data, and the dangers we expose ourselves to by collecting it (and why it might even be best to not collect data at all in many circumstances).

Just like holding valuables such as gold and art entails a security risk, so too does data. If people started treating data like the digital gold it really is, maybe then we could all come together to work out a solution.

But until then, I’ll be keeping my data to myself.
