
Senator to Ex-CEO: Equifax Can't Be Trusted with Americans' Personal Data - gopalakrishnans
http://www.npr.org/2017/10/04/555651379/senator-to-ex-ceo-equifax-can-t-be-trusted-with-americans-personal-data
======
Top19
This is the choice quote:

> "This simply is not a company that deserves to be trusted with Americans'
> personal data," said Sen. Sherrod Brown, D-Ohio,

Obviously this quote leaves out a lot of nuance, but I like it and I like what
Senator Brown has said in general. What Equifax has let happen is very bad,
and I think moral judgments and perhaps even shame (which is how a society can
enforce morality) should be brought onto its leaders individually.

I hate how businesses and business persons have been making horrible,
destructive decisions for decades (not that humans in all fields weren’t
beforehand) and have been escaping any kind of shame. Indeed they’ve been
praised in many cases.

If you look at the top-level pages on Wikipedia (there are about 11 of them),
one of them is for “Society”. About a third way down you’ll see “Business”
listed under Society. I think this is a good reminder that business is a part
of and functions for society, not the other way around.

[https://en.wikipedia.org/wiki/Portal:Contents/Society_and_so...](https://en.wikipedia.org/wiki/Portal:Contents/Society_and_social_sciences)

~~~
sgustard
Is it a moral failing to be slow to update a Struts vulnerability? As an IT
engineer that makes me nervous because I don't know which of a hundred actions
I take or don't take in a given day will explode on me. Or was the moral
failing to agree to build such a system in the first place?

~~~
josephg
> Is it a moral failing to be slow to update a Struts vulnerability?

Yes.

As a professional engineer you are responsible for the systems you build and
maintain. The security of the modern internet depends on engineers on the
ground understanding and proactively fixing security issues.

There is no one else who can take responsibility for code you deploy to
production. The buck stops with you.

~~~
briandear
Yeah, unless your management has other priorities and their management has
other priorities. The buck actually stops at the CEO.

~~~
Ntrails
As a member of an unrelated professional body, the buck always stops with me
on issues of ethical behaviour. I don't care how much the CEO wants me to do a
thing that is good for the bottom line - if I want to keep letters after my
name I have to behave in a way that is in line with the professional code of
conduct I signed up to.

I'm not saying that such a model is the right one for devs, but it would
certainly be an interesting move away from "not my fault - nobody would let me
do it _right_".

CEOs would, of course, then have the choice to hire non-accredited engineers
to work on their software, and then the buck does stop there because they made
an active decision.

~~~
FussyZeus
> I'm not saying that such a model is the right one for devs, but it would
> certainly be an interesting move away from "not my fault - nobody would let
> me do it right".

I would say I'm in a similar position, but that's because I'm more or less
essential (no ego here, and can't explain obviously, but I am) and if I walk
out, the company has a lot of BFPs to deal with.

Perhaps there should be some sort of guild? Some way that we could make it
harder for ourselves to be replaced in such a way where we can actually stop
bucks without just getting fired while they find some script kiddie to do what
we wouldn't.

------
maxxxxx
I think they have to be careful not to focus on Equifax only. Instead they
should think about systems where such a breach is just not possible. It's only
a matter of time until other companies like credit card companies get
breached. Same for Google and Facebook. We need a system where an individual
can hand over information on a case-by-case basis and revoke that information
anytime.

~~~
AnthonyMouse
> Instead they should think about systems where such a breach is just not
> possible.

The underlying problem is the existence of centralized identity, as opposed to
decentralized identity. It's the practice of identifying people by a single
global identifier (e.g. SSN) instead of having your bank identify you with
your bank card and your employer identify you with your employee ID.

People are focused on identity theft here, but there are two points about
that. The first is that identity theft _doesn't exist_ without centralized
identity, and the second is that identity theft isn't even the main issue.

Centralized databases know very private things about you. They know if you've
paid for services at an abortion clinic or a cancer treatment center or a
mental health facility. They know if you've ever been on the payroll of a
police department, or paid tuition at a police academy, even if you're
currently working undercover. They know whether you patronize gay
establishments, even if you're in the closet. They know your current address,
even if you have a crazy ex who doesn't.

That kind of information is inherently dangerous. In the wrong hands it can
get innocent people fired or blackmailed or killed. Which means any central
database containing all of it for everyone is inherently a huge vulnerability
waiting to be exploited. And none of that goes away even if you replace the
SSN with some kind of public key that doesn't itself need to be kept secret.

But centralized identity is the linchpin of those databases and it isn't
really needed for anything else. So we should get rid of it.

~~~
Joeri
There’s no effective taxation without centralized identity, so unless we move
to a system of anarchy it won’t happen.

~~~
AnthonyMouse
VAT is collected entirely by businesses and doesn't require individuals to be
identified at all.

And it's possible to have de facto progressive taxation without having any
income tax by combining VAT or similar with a universal basic income.

Alternatively, it's possible to have a tax ID which is used _only_ for taxes
and prohibited by law from being used for anything else.

~~~
moomin
I don’t think it is possible. The effective tax rate for billionaires under a
scheme such as you propose would still be pretty much zero. The only way to
make that a progressive tax scheme is to have zero or negative tax revenue.

~~~
AnthonyMouse
If they spend the money they would have to pay VAT. If they invest it in
something then the invested in company spends it and they would have to pay
VAT. The only way to avoid it is to stick the cash in a mattress, which nobody
really does because it's more profitable to make $1 in profit at the cost of
paying $.35 in VAT than to make no profit and pay no taxes.

They could avoid local taxes by investing offshore, but they do that already.

~~~
moomin
I think you're misunderstanding me. I'm not denying you can raise income
through VAT, I'm saying you can't do it in a progressive manner, basic income
or no basic income. The reason for this is that the more you earn, the less
you spend as a proportion of your income. Billionaires spend almost nothing
compared to either their income or their wealth. The poorest in society spend
everything, because some things are essential.

Any progressive system would make it so that the less well off paid _at most_
as much as the 1%.* Income tax may not work very well, but it's one of the
most progressive forms of taxation there is.

*And yeah, as you point out, tax avoidance makes a mockery of this anyway.

~~~
AnthonyMouse
> The reason for this is that the more you earn, the less you spend as a
> proportion of your income. Billionaires spend almost nothing compared to
> either their income or their wealth. The poorest in society spend
> everything, because some things are essential.

That's only true when you crib the definition of spending to mean only
personal consumption.

Donald Trump owns Trump Tower. It generates rental income. He is obviously not
spending _all_ of it on hamburgers and hair products for his own personal
self.

But it still gets spent, just not on himself. He doesn't put the cash in a
mattress, he uses it to go out and build another tower somewhere. For that he
has to buy steel and concrete and elevators and HVAC systems, which are all
taxed in the usual way. Essentially all of the "unspent" income is spent doing
things like this, because it's more profitable than holding cash that
generates no returns.

Most of the time there will be a corporation in the middle. Trump doesn't buy
concrete, he buys shares in a newly formed corporation which uses the money to
buy concrete. But that doesn't change the fact that the money is used to buy
concrete and concrete is subject to VAT.

~~~
moomin
Concrete is subject to VAT, but it's _reclaimable_ when you charge rents for
rooms. The effective rate of VAT for successful businesses is zero. This is by
design and is why it's so efficient: each part of the chain has an interest in
making sure it's collected as opposed to a sales tax like India has.

In short, Donald Trump's net VAT bill is pretty much exactly his VAT on
personal consumption. (It could be lower, depending on how exactly his
personal finances are laid out wrt his business's expenses, but it won't be
higher.)

~~~
AnthonyMouse
> Concrete is subject to VAT, but it's _reclaimable_ when you charge rents for
> rooms.

That just prevents it from being charged _twice_. It's the same thing as
saying that the tenant doesn't have to pay the VAT that the landlord has
already paid.

> The effective rate of VAT for successful businesses is zero.

There is clearly some kind of fallacy happening if a transaction occurs, the
government receives non-zero tax revenue, yet the effective rate is calculated
as zero.

Income taxes and consumption taxes are effectively the same thing. The
seller's income is the buyer's consumption. The taxes always come out of the
surplus between the seller's cost of production and the value to the buyer,
and who really pays depends on who would otherwise have had the market power
to claim that part of the surplus, not whether you call the tax an income tax
or a consumption tax.

In practice VAT is _very_ similar to corporate income tax. The main difference
(and benefit) is that VAT is paid to the jurisdiction where the end product is
sold, rather than whatever arbitrary jurisdiction the company arranges for its
profits to be declared in.

~~~
moomin
> That just prevents it from being charged twice. It's the same thing as
> saying that the tenant doesn't have to pay the VAT that the landlord has
> already paid.

Well, no it's not. If you rent a room from Trump, it matters a lot whether you
pay the VAT for the concrete or Trump does. And you're the one who ultimately
pays. Trump pays and reclaims. You don't get to reclaim.

I get that you might not be concerned with who ultimately pays for this stuff,
but it matters greatly if you're trying to design a progressive tax system.

~~~
AnthonyMouse
> If you rent a room from Trump, it matters a lot whether you pay the VAT for
> the concrete or Trump does. And you're the one who ultimately pays. Trump
> pays and reclaims. You don't get to reclaim.

Who pays the tax has nothing to do with who can reclaim what.

Suppose Trump has a local real estate monopoly. Then rents are high and the
surplus is going to Trump. Any tax paid by anyone is really paid by Trump,
because if it was "paid" by the tenants and Trump didn't lower rents by the
same amount to compensate, the tenants would move out of the city because the
rental cost would exceed the value of the real estate.

Now suppose the local real estate market is highly competitive. The rents are
low and the surplus is going to tenants. Any tax paid by anyone is really paid
by the tenants, because if it was "paid" by the landlords and they didn't
raise rents by the same amount to compensate, the rents wouldn't be enough to
cover costs.

Taxes are always paid out of surplus. Whoever would otherwise be getting the
surplus is the one really paying the tax. If part of the surplus was going to
landlords and part to tenants, they would each be paying part of the tax.

Now notice what happens with VAT. If Trump has a monopoly then he pays $100 in
construction and the tenant pays $500 to rent, and VAT is owed on $500. If
Trump is in a competitive market then he pays $100 in construction and the
tenant pays $120 to rent, and VAT is owed on $120 even though the rental was
worth $500 to the tenant, and the tenant gets to keep the $380 difference
untaxed. So who pays VAT and who doesn't? _It isn't collected on the surplus
going to the buyer._

------
olivermarks
Meanwhile, 'The IRS will pay Equifax $7.25 million to verify taxpayer
identities and help prevent fraud under a no-bid contract issued last week,
even as lawmakers lash the embattled company about a massive security breach
that exposed personal information of as many as 145.5 million Americans.'

[http://www.politico.com/story/2017/10/03/equifax-irs-fraud-p...](http://www.politico.com/story/2017/10/03/equifax-irs-fraud-protection-contract-243419)

~~~
colejohnson66
It’s probably a system written and it’s too late for a replacement

------
partycoder
Meanwhile:

- Former Equifax CEO is walking away with 90 million dollars.

- Equifax's stock price (NYSE:EFX) is recovering.

- Equifax is being awarded contracts and continues to serve as a credit
bureau.

- The leaked information is being traded among fraudsters, and will remain to
be traded for years.

Welcome to the golden age of bullshit.

~~~
MaxBarraclough
> The leaked information is being traded among fraudsters, and will remain to
> be traded for years

Do we know that to be true?

My understanding was that we have no idea what's being done with the leaked
data. Has there even been a spike in fraud?

~~~
spydum
My prediction: tax return fraud is going to spike for 2017 returns. All other
forms of identity theft profiteering are too high touch.

~~~
partycoder
You can set an IRS PIN to prevent that.

------
hpcjoe
While it is always "fun" (for some definition of the word fun) to pile on, and
sometimes watch the otherwise clueless elected officials get soundbites at
the expense of a hapless CEO of a company that did bad things, or allowed bad
things to happen on their watch ... the bigger picture is one of what sequence
of events enabled this to occur. Placing the blame on an OSS component, or a
"sole IT" person is both unfortunate, and generally wrong.

None of this would have come to fruition had the business model not been one
of "let's gather and curate high value information and intelligence about
individuals", without an appropriate "gee, we have high value intelligence and
information on individuals, maybe we should design our systems so that in the
event of a failure of a security system, damage would be minimal." When you
aggregate, curate, sell access to high value information, you damned well
better have a good and fail safe security model. So if your DCs are overrun
with hackers, the data exfiltrated would be unusable.

More specifically, the principle I claim to be implicitly at play here is,
with great power and/or information, comes great responsibility. Pointing
fingers at lower level subordinates for their possible failings ... opening up
and exposing the entire business model's core weaknesses in terms of data
protection, and data access integrity and control ... means that the
organization has simply failed to maintain, audit, test, and verify that its
control systems are adequate to the task. Blaming an OSS component for all the
damage means that the rest of the systems were not designed and built to the
necessary level of safety and security.

This is part of what I find unconscionable. They attempt to absolve themselves
of blame by pointing fingers.

When an organization does crap like this, you know they have many other
problems. And yes, you cannot, and should not trust them going forward. If
data was exfiltrated from them (and it was), is it possible that their data
was altered in situ? Yes, yes it is.

They should not be allowed to have such data in their control again.
Seriously, if you can't control access to the data, you can't have the data.

------
sethgecko
I was thinking, would it be a viable solution for the government to employ pen
testers to test companies like banks/ISPs etc? It would more than pay for
itself from the fines they would impose to those that hold sensitive citizen
data and fail to hold high standards of security.

~~~
gm-conspiracy
This would be in conflict with the NSA's mission.

Hoard those 0-days.

------
allengeorge
Call me cynical, but it's not going to change anything:

* Equifax won't have fines levied against it

* C-level staff won't have to pay fines (because they put in place or rewarded a corporate culture that made security a low priority)

* Banks and other institutional customers won't stop using Equifax

* No additional regulation will be created

It's all theatre; we'll have "thoughts and prayers" directed our way while
nothing of substance changes.

~~~
acdha
That cynicism is often self-fulfilling: the best way to ensure that outcome is
to treat it as a given and not contact your representatives and state
prosecutors asking for more.

------
featherverse
Duh, Senator. We knew this when Experian got hacked.

Experian, Equifax, TransUnion, and any other credit bureaus are going to fail
to protect people's personal data. There is no such thing as "unhackable",
they are the biggest honey pots, and the majority of the Information
Technology hiring pool is incompetent. The majority of competent candidates
are underpaid or underappreciated and so they don't care as much as we need
them to.

Put all these things together and you have inevitable disaster after disaster
after disaster.

Credit Bureaus are old-think. They are unsafe, insecure, and they don't fit
with Future-Era lifestyle.

Something better is required.

------
LyalinDotCom
Is that before or after the same senators awarded Equifax a $7.5M no-bid IRS
contract? <grin>

~~~
acdha
Senators don’t award contracts.

In this case, the IRS is already using that service so when you see “no bid”
that really means they didn’t want to take a production service offline while
they re-bid it and/or hire the staff/contractors who would update the
application to use something else. Remember that the rules government staff
are required to follow are heavily based on up-front planning so putting out a
bid means many months of delay.

All of the anger directed at the IRS for this really should be directed into a
positive direction of reforming the acquisitions process.

------
mrskitch
This whole credit tracking industry is so unconstitutional it's crazy. I hope
that this awakens people to the fact that their identities and personal data
_should_ be theirs, and that they should fight tooth and nail to grant access
to it. Centralizing information such as this is a "single-point-of-failure",
or it is in spirit.

I wish I had suggestions, but feel that something like a blockchain or other
ledger is a step in the right direction. This TED talk on the subject is
interesting:
[https://www.ted.com/talks/don_tapscott_how_the_blockchain_is...](https://www.ted.com/talks/don_tapscott_how_the_blockchain_is_changing_money_and_business)

~~~
SilasX
Where are you getting "unconstitutional"? A private organization remembers
credit related events and reports them to lenders.

I can understand _pragmatic_ reasons to regulate exactly how they can go about
that, but I don't see the connection to the Constitution.

~~~
mrskitch
Probably a little overreacted on my part. Perhaps better said as un-American?
Just seems to fly in the face of a lot of ideologies folks here stand for.

------
LoSboccacc
Total dodge of the SSN-as-authentication issue

------
jasonkostempski
No one can.

