The Equifax Debacle
Not too long ago I was lamenting about all the data Facebook collects and now we have the Equifax debacle. I checked their website and we are part of the group whose data was compromised. So I took some time this weekend to put a freeze on our credit files and found it a very frustrating experience.
Equifax has been criticized a lot already, but they cleaned up placing a freeze and it was really straightforward. Experian was OK too, but TransUnion was ridiculous. They force one to go through two pages until you finally get to the point where you can start creating the freeze. Along the way they try to sell you their identity protection stuff. When you finally are at the point to start the process, one has to create an account, so they can have one’s email address too. Really?
It is almost a given that there will be an investigation and some engineer or line manager will be found negligent for something and then let go (by the time I finally publish this, they got a new CEO). There may be even new, even more stringent regulations for the financial industry. All that is beside the point. Software systems are very complex and built from numerous components. It is certain that more hacks and leaks will happen. It is just a matter of time. Trying to make it safe and secure through regulations and process is futile. Don’t get me wrong, I’m not against continuous improvement, quality management, best practices, recurring security training for developers, penetration tests, static code analysis and all those fine things. To the contrary, but at the same time we have to accept leaks of sensitive data being a reality and protect ourselves against it. So I hope, maybe against better judgment, that at least two things come out of this debacle:
- There must be one easy-to-use site where consumers can monitor their credit, dispute wrong information and manage things like a credit freeze. It is ridiculous that we are forced to deal with each agency individually. There are even small ones I didn’t even know existed until just a few days ago.
- Credit reports must be free, not just once a year. The systems to produce them are automated and creating one costs almost nothing. That we are forced to pay for our own data is outrageous.
The last point brings me to a larger issue. The credit reporting agencies have built their own walled gardens where they collect information about me. There is effort involved and they want to monetize it. I get that. At some point when I opened a bank account or opened a credit line, I even signed a piece of paper that gave them the right to my data. I didn’t like it, but I didn’t have a choice, because otherwise I wouldn’t have a bank account or a house. Regardless of it, it is still my data and information about me and I should be in control of who sees it. The system is backwards, when I can only ask once a year what they have on me. What we need is a ledger for each individual where all transactions are recorded that affect one’s credit, but the individual has control over sharing this information. Every time I pay my mortgage on time there is an entry on that ledger, or every month my bank reports the closing balances of my accounts on that ledger. However, our vendors should be allowed only to see the data they contributed and the only one who can see everything is me. Of course when I do anything that requires a credit check I have to make the whole ledger readable by the creditor, but also only for a period of time. The little I know about blockchain, the technology underlying cryptographic currencies like Bitcoin, indicates that it should be possible in the not too distant future that we become the owner of our data again.
There is hope that something good comes out of Equifax, as long as the government is a “government of the people, by the people, for the people” (A. Lincoln, Gettysburg Address) and not one of Wall Street paid for by lobbyists.