Tuesday, November 26, 2019

The Privacy Project: Your data is in this man's hands

Judgment day for Equifax

By Charlie Warzel

Opinion writer at large

On Dec. 19, District Judge Thomas Thrash of Atlanta will hold a final approval hearing for the Equifax 2017 data breach settlement. There’s a lot at stake. If the settlement is approved, the $31 million pool earmarked for claims will be paid out to some victims. Others will get free credit monitoring (because the cash reward set aside for victims was so small, if all 147 million people affected by the breach filed a claim, everyone would get just 21 cents).

There’s another option. As I wrote in a September column, victims could file a formal, legal objection, which would nullify the settlement. If Judge Thrash finds those objections convincing, Equifax’s class-action counsel wouldn’t receive their $77.5 million fee and Equifax would be liable again to face a substantial penalty for the breach. I’m happy to report quite a few people — maybe even a record number — did just that.

Over the past month Reuben Metcalfe, the founder of Class Action Inc., helped 911 individuals object (another 294 objected but did not provide signatures by the Nov. 19 deadline) by creating a chatbot tool that allowed victims to file objections automatically for the Equifax settlement at no cost (Class Action Inc. waived its 5 percent fee for Equifax). Theodore H. Frank, a lawyer who specializes in class-action suits, has jumped in the ring himself along with another victim, David Watkins. Frank’s objections, which are more formal and detailed than Metcalfe’s many automated ones, argue that the settlement is too broad and doesn’t take into account state-by-state protections for data breaches (in Utah, where Watkins lives, victims could claim damages up to $2,000).


Now it’s up to Judge Thrash to sift through the settlement and its objections and decide. Thanks to Metcalfe and Frank, he’s likely to be feeling some pressure. Back in September a class-action lawyer told me that even if only 1,000 people object, it can send a powerful message. Frank is hopeful the settlement will look weak on its own merits. “If the judge gives an honest look, he’ll realize it doesn’t meet muster,” he told me recently.

I’d argue there’s even more resting on Judge Thrash’s shoulders, including whether companies can get away with abusing our data in the future. Metcalfe, who has steeped himself in the world of class-action suits, suggested that the settlements, initially a method for accountability, have become a mechanism for companies to knowingly skirt liability for not protecting consumers. “It’s becoming cheaper to say sorry after the fact than to obey the law in the first place,” he told me.

This feels especially true in the world of data privacy, where breaches are so frequent that a discovery last week of an open database containing the personal information of 1.2 billion people hardly made news. We seem locked in a vicious cycle: Companies that gather and trade data have few checks or regulations. This allows them to collect more, which means more money. And deeper pockets make it harder to impose meaningful penalties that might deter repeat and future offenders (see: the Federal Trade Commission’s $5 billion slap on the wrist of Facebook). Judge Thrash, then, has a unique opportunity to make a statement by objecting.

And he’d have many good reasons to do so. First, the cash payout to the actual victims is paltry — less than 5 percent of the total amount set aside for the entire settlement. The small set of lawyers, supposedly representing the interests of the class, stand to make double the entire victim payout (this ratio is not uncommon in class-action settlements). Perhaps most galling, the free credit monitoring service that Equifax is doling out as part of the settlement will be provided by fellow data broker Experian, which suffered its own data breach in 2015 (approximately 15 million Social Security numbers and other personal information were exposed).


To recap: Equifax is avoiding accountability by offloading millions of its users’ data to another party with a shoddy history of data security practices, which will then profit from the services.

Should Judge Thrash decide to approve the settlement (and if subsequent appeals are lost), three things are likely to happen. The minimal compensation for the 147 million Americans who had their data exposed would be more evidence that their data has little value, and those who took the time to file claims may not file after the next big breach. For future settlement lawyers, the ruling would set a precedent, namely that there’s a big fee to be had offering consumers very little restitution (also a common critique of class-action settlements). For data brokers, the Equifax lesson would be stark: Failing to invest in information security is not an irresponsible business decision. (The company’s total settlement was $700 million; last year it posted $3.41 billion in revenue; after the settlement, Equifax’s stock was higher than it was at the time of the breach.)

It’s an exaggeration to suggest that the future of data privacy rests on the decision of one district court judge. But as Metcalfe argues, Judge Thrash “has agency where 147 million people have none.”

No pressure.

And you’re not powerless, either. Interested parties can write a letter to this address:

U.S. District Chief Judge Thomas Thrash Jr.

2188 Richard B. Russell Federal Building and United States Court House

75 Ted Turner Drive, SW

Atlanta, GA 30303-3309

Send me your thoughts at privacynewsletter@nytimes.com. Your responses may be shared in an upcoming edition of this newsletter.


Mike Bloomberg’s Troublesome Privacy Views

There’s a new candidate in the 2020 presidential race — former New York Mayor Mike Bloomberg. One piece of the new campaign’s merchandise was pinging around Twitter this week and caught my eye:


The phrase was supposedly coined by a pioneering management consultant, W. Edwards Deming. Apparently, it was also once fellow candidate Cory Booker’s “mantra.” But since it’s on Bloomberg’s swag, I was curious: What does a man who loves data supremacy so much he will put it on a T-shirt think of our current data privacy? I found an answer in a New York Daily News piece from 2013. The quotes are from the mayor’s former Friday morning radio program. According to the remarks, the erosion of privacy is inevitable.

He acknowledged privacy concerns, but said “you can’t keep the tides from coming in.”
“You wait, in five years, the technology is getting better, there will be cameras everyplace … whether you like it or not,” Bloomberg said.

It continues:

“The argument against using automation is just this craziness that ‘Oh, it’s Big Brother,’” Bloomberg said. “Get used to it!”
“It’s scary,” Bloomberg said. “But what’s the difference whether the drone is up in the air or on the building? I mean intellectually I have trouble making a distinction. And you know you’re going to have face recognition software. People are working on that.”
“We’re going to have more visibility and less privacy. I don’t see how you stop that. And it’s not a question of whether I think it’s good or bad. I just don’t see how you could stop that because we’re going to have them.”

Trust no one and bring data, indeed! We’ll be reaching out to the campaign to see whether these views have changed since the radio interview.

I want to hear from you

Send me your pressing questions about tech and privacy. Each week, I’ll select one to answer here. And if you’re enjoying what you’re reading, please consider recommending it to friends. They can sign up here.
