Trevor Stone's Journal
Those who can, do. The rest hyperlink.
Letter to My Senators: Allow Americans to Opt Out of Data Collection by Insecure Credit Bureaus 
2nd-Oct-2017 10:34 pm
Senator Bennet,

Thank you for introducing the Energy Storage Tax Incentive and Deployment Act. Distributed electricity storage helps make our power system more robust and can help lessen the impact when our normally-reliable electrical grid suffers an outage.

Senator Gardner,

Thank you for your letter last week in support of assistance to Puerto Rico to reestablish electric power in the aftermath of Hurricane Maria. As someone affected by the 2013 Colorado floods, I know how challenging it is to deal with a disruption to infrastructure that we take for granted. I hope the people of Puerto Rico can soon experience the same ecstatic relief I felt when power was restored after the flood.

I am writing you today about another sort of infrastructure that Americans rarely think about until there’s a problem. As you know, the credit bureau Equifax’s computer systems were compromised in May, allowing the intruders to exfiltrate data about tens of millions of Americans for more than two months. The response to the incident from Equifax has been, frankly, awful. They waited to inform the American people about the breach for five weeks. And once the incident was announced, Equifax was unable to handle the public taking action to secure their data: among other problems, the company did not properly deploy the web encryption standard SSL and the site allowing users to freeze their credit file was unable to handle the demand, leaving many Americans frustrated and frightened about what might be done with their data. The cybercriminals who have purloined this data are now able to commit identity and financial fraud in the name of these people, none of whom personally entrusted their data to Equifax.

Credit bureaus like Equifax are not subject to the same market pressures as other companies who collect data from consumers. I am a software engineer working in the cloud storage industry. I am proud that our customers trust us with some of their most private data, and it is crucial for efficient market function that they can delete their data and cancel their account when they choose, whether due to distrust of our security practices or because the data are no longer needed. Likewise, a bank which does not prioritize cybersecurity can expect to lose customers. Unfortunately, credit bureaus which collect and data on nearly every American are not subject to significant financial repercussions when they mishandle that data. The people whose data was stolen did not choose to give that data to the credit bureau, nor are they permitted to remove their data from the company which cannot protect it. The bureaus’ main paying customers—companies seeking data about Americans—are likewise not incentivized to prefer companies with the best security practices, since these paying customers do not suffer the consequences when an American’s identity is stolen.

I urge you to work with the Senate to bring clarity to the American people on what data credit bureaus collect on Americans, how it is stored, and how we can better protect it. I further urge you to work to refine the laws under which credit bureaus operate and ensure that Americans can opt out of having their data collected, and require companies to delete non-public data about Americans upon request. Individual Americans stand to lose the most when their identity is stolen, so they must have the tools to safeguard that identity data, including the ability to revoke it from a company whose security process they do not trust.

Thank you for your service and for your consideration on this matter,
Trevor Stone

Ironically, I had to try several times to submit this through Senator Cory Gardner's website, since senate.gov kept returning an error that said

Request not Accepted - Security Risk Detected

Request not Accepted

Your submitted request contained a potential security risk.

Please try your submission again using natively composed plain text (not copied and pasted from another document), with few or no hyperlinks, or other syntax that may be interpreted as computer code (examples: '--', '&').

*As stated in the privacy policy, unauthorized attempts to upload or change information are strictly prohibited.

So yeah, Equifax aren't the only ones who are bad at cybersecurity. My first guess was that the site was choking on smart quotes. Then on the em-dash above. Nope: you're not allowed to email a colon (:) to your Republican Senator. Senator Michael Bennet's submission form accepted the text without finding any threatening punctuation.

This entry was originally posted at https://flwyd.dreamwidth.org/378839.html – comment over there.
