
Get Rid of Equifax - hvo
https://www.nytimes.com/2017/09/21/opinion/get-rid-of-equifax.html?action=click&pgtype=Homepage&clickSource=story-heading&module=opinion-c-col-right-region&region=opinion-c-col-right-region&WT.nav=opinion-c-col-right-region
======
jedbrown
This can be fixed by a small change to privacy liability law. Current law
requires litigants to show actual economic harm. That is hard to do in cases
of identity theft and privacy violations, which is why the OPM case was just
dismissed [1]. If this was changed so that a privacy violation could be
litigated, companies like Equifax would need to buy insurance against such
actions. Alternatively, there could be a new law that any company storing SSN-
type data owed some nominal amount (say, $10) to the owner of that data if it
is compromised for any reason. Either way, companies that aggregate large
amounts of such data would end up buying insurance.

No insurance company would sell such policies without due diligence -- they
would establish security requirements and pen testing. Consumers are protected
by the existence of an actuarially fair insurance policy, not by the (nominal)
compensation. Note that Equifax's customers are (primarily) not consumers.
Regulations (in the form of liability law reform or nominal compensation) may
not be required in industries where companies only hold the data of their own
customers, but such companies could cite their insurance policy to convince
their customers that they take security seriously. (Now it's always empty
words.)

[1]
[https://www.washingtonpost.com/news/powerpost/wp/2017/09/20/...](https://www.washingtonpost.com/news/powerpost/wp/2017/09/20/federal-court-denies-cash-awards-to-22-million-opm-data-theft-victims/)

~~~
justherefortart
Or you could just do what other countries do, regulate it and make it a
government function.

~~~
IgorPartola
So I am _not_ one of those people that says that the government is bad and
terrible and evil and can't be trusted to ever do anything. But a government
agency that has all the info about all my accounts, and is a reputation agency
which basically hands down major decision factors that will affect my life
(can I get a car loan? a mortgage?) seems ripe for abuse. Think of how well no
fly lists currently work: if your name is on that list, you are fucked. If you
end up there by mistake, which apparently happens with some frequency, you
have to prove that you aren't a terrorist. If your name matches the name of
someone on that list, you can be fucked. I just don't have faith in a system
like this.

I don't have a good solution for the recommendation system like this. Maybe we
wouldn't need it in the first place if we didn't do so much debt financing of
stuff. Or maybe it needs to be less centralized: applying for one loan, you
need to show payment history on a few other loans, etc. But I just don't see a
centralized government run agency as the solution.

~~~
WorldMaker
Aren't we already sort of in a worst of both worlds situation here? The IDs we
are using as primary keys are from the SSA. The FHA is involved in most
Americans' mortgage decisions. The Stafford loan program in most of America's
student loans.

But we also have giant for-profit companies aggregating giant databases with
little to no oversight, and up until recently no ability to access your own
data for free, and still today no straightforward, across-the-board, means to
appeal bad data, or collect damages from it (or from leaks of it).

Even with the terrible things associated with the no-fly list there is a TSA
appeals process and a court system to challenge it. Do you know how you
correct mistakes in your Equifax-TransUnion-Experian composite credit score?
You mostly don't, and you most likely can't take them to court, because they
think you are bound to arbitration.

I don't know if there is a good solution here either, but at least a
government-run solution would have to be accountable to the people as
citizens/constituents (even if it would still likely be in the pocket of the
banks).

~~~
aonsjeeu7ntao
> Do you know how you correct mistakes in your Equifax-TransUnion-Experian
> composite credit score? You mostly don't, and you most likely can't take
> them to court, because they think you are bound to arbitration.

Sorry, that's not true at all. I went to Experian late last week to set up a
fraud alert because of the Equifax breach, they showed me my credit report and
had a button to mark things that were factually incorrect. I did so and
submitted it. They did some sort of investigation and removed the data because
they couldn't verify that it was correct. It was as easy as filling out an
online form. (Actually, I think I had to call about 1 particular item, but it
was handled over the phone.)

~~~
WorldMaker
I was being partly hyperbolic about the worst case. Keep in mind that fixing
Experian doesn't fix TransUnion or Equifax, and there's no simple way to
correct all three at once.

------
monochromatic
“Any company doing something I don’t like should be nationalized.”

No. They should be liable for the damage they cause with negligently allowing
hacks like this, but the existence of private businesses should be default-
allow.

~~~
yebyen
I never consented to have my information in their database, and I have no
power to get it out of their database. They have roundly and repeatedly
demonstrated that they are not fit to hold and be trusted with maintaining the
SSNs and other personal information of the entire country's worth of credit
holders.

Is there even a license that the Equifax company needs to have, in order to do
this type of work, that can be revoked? It needs to be revoked! But I'm afraid
they don't need any license, they just woke up like this.

The right to covertly surveil and maintain dossiers on 50%+ of the citizens of
this country should not be default-allow. Strongly disagree. People in power
holding that kind of opinion, is exactly how we got here.

~~~
newscracker
> I never consented to have my information in their database,

Don't you think that somewhere in the T&Cs of a loan you took or a credit card
that you got or a phone contract you signed up for (or many other things) are
lines explaining that your information would be shared with credit reporting
agencies? So legally, you would've consented to the sharing of information at
those times. If that isn't true, then I'd assume that you should be able to
sue the institution that shared your information with all these agencies.

~~~
yebyen
You know the point I'm trying to make, and it's disingenuous to point at some
line in some far-away terms and conditions, and say "that authorizes Equifax
and two other companies to collect and maintain all information on you, in
perpetuity, without any option to revoke this grant."

Are they licensed to do this type of work? Shouldn't they need to be? Should
that be revocable? What is the process for revoking that permission, and can
we get it started already? It just came out that in their response to the
breach, they've been linking their "customers" to a phishing site since
September 9. It's time to revoke those grants.

~~~
Frondo
I know the point you're trying to make, and I'd say more to that point: we
already recognize that you can't sign a contract that strips you of some basic
human rights. You can't sign a contract that enslaves you, etc.

With the amount of power these organizations and this information has over
each of us, individually, I'd go so far as to say there is a human rights
issue at stake. People's lives get _fucked up_ through credit bureau mistakes,
and what consequence is there for those bureaux?

Pointing to a subclause in a contract to say "well, here's where you let them
potentially fuck up your life with no recourse, and everything is legal"
suggests to me that our thinking around the power these agencies have, and
around ownership of information about our lives, needs revisiting.

~~~
Consultant32452
What's really at stake here? Your ability to take on debt, which primarily
benefits the banks. The bigger problem I think we have here is the cavalier
nature in which people view debt. Debt is bad for you. Rather than bringing
going into debt under the umbrella of "basic human rights" how about a
cultural shift away from debt altogether?

~~~
yebyen
Now if we could just do something about those housing prices, that might even
be possible. (What percent of homeowners do you suppose bought their homes
without taking on some debt?)

Paying rent is also bad for you.

~~~
Consultant32452
Getting a home loan is relatively easier, because plenty of banks still do
manual underwriting for things the size of mortgages. And if we had a culture
that avoided unsecured debt, car debt, etc. then more banks would have to
perform manual underwriting because no one would have a credit score. Instead
they would have something better: money.

------
_jal
Now here is a perfect, legitimate use of libel law. If a company with whom you
have no relationship is lying about you to people with whom you're attempting
to do business, that sounds like libel to me.

Of course, that's preempted by a federal law that Equifax & friends carefully
purchased. Perhaps all we need is for them to lose that protection to give
them a reason to care.

~~~
rectang
Now you're talkin'! Today, an ordinary person can barely even get inaccuracies
in a credit report changed after laborious effort -- to say nothing of being
denied a house, a car, or a job as a result of that inaccurate info.

Equifax and the credit agencies only exist because they are allowed to
perpetrate great harm spread across millions. They are a giant negative
externality.

------
JoeCoder_
When a private company has a massive failure, customers have the freedom to go
elsewhere and the company may go out of business.

When a government agency has a massive failure, we're of stuck with it, short
of hoping politicians _might_ do something about it.

~~~
whafro
That's sorta the point – in this case, I have no ability (as a consumer) to
"go elsewhere." Aside from the two times I've placed freezes on my credit
history, I have no relationship with Equifax, and have never consented in any
way to what they collect and share about me.

This contrasts pretty heavily with, say, Facebook – where even though they
collect and share plenty of information about me, I'm at least both consenting
and continuing to feed them by using a service I presumably find worth the
trade-off.

If you are the type of person who gets upset about this dynamic of Facebook,
then Equifax should be completely next-level.

~~~
dominotw
> and have never consented in any way to what they collect and share about me.

Don't you consent to credit reporting when you sign up to get credit, though?

You can "choose" to not use Equifax by not getting credit from people who
report to Equifax.

~~~
lghh
> Don't you consent to credit reporting when you sign up to get credit, though?

No, I consent to allow creditors to do their due diligence to see if I'm a
viable candidate for their product. Equifax is not required in this
transaction, it's just beneficial for the creditor, their customer, to use
them to streamline that information collecting process. Loans and credit
existed prior to credit reporting agencies and will exist long after.

~~~
dominotw
> No, I consent to allow creditors to do their due diligence to see if I'm a
> viable candidate for their product.

You do much more than that though, from my card agreement:

"We may obtain and review your credit history from credit reporting agencies
and others. We may, from time to time, obtain employment and income data from
third parties to assist us in the ongoing administration of your account. We
may also provide information about you and your account to credit reporting
agencies and others. We may provide information to credit reporting agencies
about this account in the name of an authorized user. If you think we provided
incorrect information, write to us and we will investigate."

> Equifax is not required in this transaction

That's up to the business to decide, not you. You choose to not get credit from
them if you have objections to how they run their business.

~~~
lghh
> That's up to the business to decide, not you. You choose to not get credit from
> them if you have objections to how they run their business.

Regardless of what the business decides, no, Equifax is not required to assess
my credit. If the business decides to go to McDonald's to get lunch while they
are doing this process, that's not required regardless of what the business
decides. It may be nice for them, it may make their process easier, but it's
not /required/.

~~~
dominotw
I agree that it's not required.

------
matt-attack
I don't agree with trying to create a public government-run institution to
track how "reliable" each citizen is. The solution to all of this is clear.
Credit agencies provide a service primarily to lenders. These lenders count on
the agencies' ratings to be a reliable predictor of the reliability of its
potential customers. If those companies' products are no longer a reliable
predictor, they shouldn't use them.

~~~
cmiles74
> If those companies' products are no longer a reliable predictor, they
> shouldn't use them.

I think this is very optimistic. It's hard for me to imagine a situation in
which lenders are questioning the reliability of these credit reports and the
only scenario I can come up with is one in which the reporting agencies are
over-estimating people's ability to reliably repay debt to the point where the
lenders are losing so much money that they actually notice. Given that most
consumers complain that these reports include erroneous /negative/
information, this scenario seems unlikely.

Lenders will continue to use these reporting companies, no matter how poor
their product, because there is no measure against which to judge their
product except each other. They'll continue to use them out of inertia, out of
erring on the side of caution, and because this is the way they have always
done business.

~~~
stult
Well, I guess the sticking point is that no one has found a better way to
measure loan risk. If they had, lenders would work with the agency that more
accurately assesses their risk because otherwise they are leaving money on the
table by not lending to creditworthy individuals.

~~~
rectang
> no one has found a better way to measure loan risk.

Or rather, that the system which measures loan risk is feasible only because
the parasitical entities which run it push the massive negative externalities
onto the general population. If the loan risk system actually had to pay for
all the harm it does, it would be a loser.

------
lukejduncan
The interesting thing about this sentiment and reasoning is that it could
equally be said of data brokers in general. Changes here could have big
impacts on the ads ecosystem. I don't know my opinion here, but between things
like GDPR and op eds like this I have to imagine there are ad and data broker
executives doing some worst case analysis and spin/talking point preparation.

------
njarboe
I can understand the impulse to want Equifax punished for getting hacked and
releasing all of this information. But I think these credit bureaus are small
fry compared to the size of the companies that are at the root of the problem:
banks and other entities that make loans. The reason most people don't like
the credit bureaus is the fear of "identity theft" not the spread of truthful
information about themselves.

A bank makes a loan to a fraudster who is impersonating you. The fraudster
defaults on the loan and the bank tells a lie about you to the credit
bureau, which gets spread around and hurts you in many ways. If we called this
situation "bank slander" or "bank libel", the focus would be on who is
creating the problem: the bank with its lie. Create high enough penalties for
banks reporting false loan defaults and "identity theft" will disappear as the
banks become more cautious of fraudsters. This is unlikely to happen as banks
are concentrated and powerful institutions. "Too big to fail" I believe is the
term. I don't think the credit bureaus themselves are that influential in
Congress but the banks want them and will lobby on their behalf.

It would be interesting to know how much money the banks get from people
illegally each year from people paying off fraudsters' debts to clear their
credit reports from the false default reports from banks.

------
dmh2000
So the government is better at security?

[https://www.nytimes.com/2017/09/20/business/sec-hacking-atta...](https://www.nytimes.com/2017/09/20/business/sec-hacking-attack.html)

~~~
rmdundon
Not to mention the OPM hack

------
DamnInteresting
I keep seeing calls for the government to revoke Equifax's corporate charter,
because we citizens cannot vote with our wallets in this case; we are not
Equifax's customers. But I wonder about Equifax's _actual_ customers, the
financial institutions that choose to rely on Equifax for credit reporting.
What sensible institution would continue to trust Equifax after all of this
nonsense? Perhaps banks and the like should all abandon Equifax as a credit
reporting source and let the company die of natural causes.

~~~
dredmorbius
Equifax's actual customers face no risk, on the outbound reports side.

Data sources might be another case.

------
bogomipz
The only proposal for any kind of action I have heard on this is the Warren
and Schatz legislation which is appropriately titled "Freedom from Equifax
Exploitation (FREE) Act" [1]

Aside from Senator Warren I have heard very little concern from lawmakers in
Washington regarding the menace that these credit reporting agencies have
become and the threat they pose to people.

[1]
[https://www.warren.senate.gov/?p=press_release&id=1837](https://www.warren.senate.gov/?p=press_release&id=1837)

------
optimuspaul
I think the real problem is that we have no definitive way to prove who we
are. A SSN is fine and all but it's just a number that anyone can obtain and
say they are me. We need key pairs or some way to prove that when we are
requesting credit that we are in fact the person that we say we are. Until
that happens the system is exploitable by even the most inept of criminals.

~~~
24gttghh
I wrote to my senator about this solution weeks ago and have yet to receive an
actual reply.

I think the problem is figuring out the transition from SSNs to something
like key pairs/TOTP. How do we securely establish the "new" identity and pair
it to the old SSN? Do we even bother and just start from scratch?

------
ma2rten
_In at least 40 other countries — including Belgium, France, Germany, Italy
and Spain — credit reporting can be done by a public credit registry._

This is not true for Germany.

[https://en.wikipedia.org/wiki/Schufa](https://en.wikipedia.org/wiki/Schufa)

------
0xfeba
A pipe dream. As evidenced by the stock price, nothing will change. People
don't care--at least not enough to _do_ something like call their elected
official, if they even know who they are.

Which brings me to a question of the "have things always been like this?"
sort. Do we have data on the percentage of any population who's active in
politics over the past, say, 7 decades?

------
eternalban
This is a perfect opportunity for "disrupting" this sector.

Why is no one stepping up and flipping the business model on credit reporting?

~~~
wpietri
Disruption solves a problem better for the _customer_. There's little evidence
that credit bureau customers (lenders, et al) experience this as a problem. So
I don't think this is much of an opportunity for disruption.

------
kazinator
> _Although they call themselves bureaus, there is nothing governmental about
> what these private companies do._

That is a naive statement, perhaps based on an idealized version of a few
cherry-picked governments.

------
mywittyname
Individuals should have the option to tell companies requesting credit checks
that they do not consent. Furthermore, it should be illegal to hold
non-consent against the individual.

------
eevilspock
> _That’s because we are not the customers... but the product._

An increasingly familiar pattern.

The free market is flipping against the people.

------
koolba
> Equifax is the oldest of the Big Three credit reporting bureaus, and it got
> its start as a private investigator in the late 1800s. A client — a business
> or a bank — would ask it about a consumer, and it would go about digging up
> dirt on things like marital problems and convictions. That client would then
> pay it for its services.

> This questionable business model raised eyebrows in the 1960s, when the
> companies were still compiling information on people’s “moral character”
> such as affairs or drinking problems. At the time, the reports weren’t
> available at all to the subjects themselves. That changed with the Fair
> Credit Reporting Act, which was signed in 1970. But even that reform put
> virtually no oversight on the bureaus’ practices.

As if there aren't a bunch of companies trying to do exactly this with a
combination of tracking cookies, browser history, purchase history, and ML.

Separately, from the article (emphasis mine):

> The United States government is, of course, not impervious to data breaches,
> nor does it have a perfect track record of fending them off. In 2015, it
> announced that hackers had stolen “sensitive information” on 21.5 million
> people. But the government is at least accountable to public pressure.
> _Equifax never will be, even under the tightest regulation._

Equifax may not have to change anything as there's a very real chance it goes
bankrupt because of this. It's not just from the cost of lawsuits from
consumers. There's a longer term cost of businesses not wanting to deal with
them.

The risk of that happening to one of the other big credit reporting agencies
is the biggest driver for them to clean up their act. The threat to their
businesses is real and I'd imagine their internal responses will be as well. I
also think regardless of what they do it's only a matter of time till they
have a breach as well. You only have to screw up once.

> Credit bureaus have proved to be complete failures at safeguarding the
> public.

Nearly all companies are complete failures at data security. There's nothing
special about credit bureaus here. They just happen to have _a lot_ of
sensitive data on a lot of people and thus are a hot target. As an example,
we've had plenty of breaches in the health insurance industry as well.

Perhaps the best approach would be a "too big to fail" limit on the bureaus.
Put a cap on the total size (in accounts / people covered) of a credit bureau.
The libertarian in me is screaming at the thought of something like that but
at least it has the advantage of limiting breaches to a max number of people.

> Let’s demand we get our data back.

It was never your data.

------
SamuelAdams
"Equifax could easily have patched the hole in its system that hackers
exploited, but it simply didn’t."

We don't know why, though. Perhaps they were working with law enforcement to
track the attacker. Closing the hole would certainly alert the attackers and
end the chance to catch them.

This reads just like the Cuckoo's Egg.

~~~
inetknght
Your argument is that law enforcement wanted to risk the identities of
millions of Americans they're supposed to protect?

That logic is simply broken. Either the argument is a strawman or law
enforcement is just as guilty of negligence as Equifax is.

~~~
talmand
I don't know about this situation but I'm willing to bet one could find many
examples of law enforcement doing that very thing in various different cases.

Law enforcement is about enforcing the law, not protecting law-abiding
citizens from criminals.

