Herbert Lin is a senior research scholar and the Hank J. Holland fellow for cyber policy and security at Stanford University. He served on President Barack Obama’s Commission on Enhancing National Cybersecurity.
In the wake of the hack of credit reporting agency Equifax, many people have suggested that affected consumers implement credit freezes to prevent the misuse of their sensitive personal data. Equifax, which originally tried to charge consumers for this protection, backed down and agreed to provide the service free of charge.
But the credit-freeze approach, while smart in the short term, is inadequate. In fact, it underscores the degree to which the current system puts the interests of credit reporting agencies above the imperative of protecting consumers’ financial privacy. The existing arrangement, under which consumers must generally pay a fee to prevent others from accessing their credit reports and an additional fee for thawing that freeze, has things exactly backward. The presumption should be that consumers’ financial information is protected unless and until they expressly request that a party be given access to it.
Under current law, consumers have essentially no rights regarding this stored personal data. Consumers are not customers of the credit reporting agencies; their data is the product being sold by those agencies to parties that have some reason to want to know individuals’ histories of managing money and their financial trajectories from birth until death. And these parties — banks, credit card companies and so on — pay the credit reporting agencies dearly for those histories. In 2016, Equifax’s revenue was $3.1 billion.
It’s reasonable for a bank to know how you have managed money in the past if it is going to loan you money. By providing information on financial histories, the credit reporting agencies — Equifax, Experian and TransUnion — play a vital role in enabling those of us without sufficient cash on hand to buy cars and houses. They also help financial institutions make decisions about who should get what kinds of credit cards. But they provide all of this data at your request; by applying for a loan to buy a house or to get a credit card, you agree to the release of your credit record to the party offering the loan or credit card. That’s fair — you give up some privacy in return for the possibility of getting the loan or the credit card.
But many parties obtain your credit report without your explicit consent. Most of the unsolicited credit card offers you receive in the mail are from firms that accessed your credit report as part of a marketing campaign to determine who they could sign up for one credit card or another. You never asked for the credit card offer, but the soliciting party saw your credit report anyway. In such cases, you gave up your financial privacy and received nothing of value (unless you really wanted the credit card offered). What’s fair about that?
In the wake of the Equifax breach, Congress should require stronger cybersecurity measures at credit reporting agencies, as well as for any company that stores large quantities of sensitive data about individuals, even if those individuals are not the company’s customers. But it is also important to go beyond proposed legislation on free freezing of credit reports to require that individual reports be frozen by default, “thaw-able” only with the individual’s consent.
Such a requirement would usually be implemented procedurally — a company would be legally subject to penalties or damages if it released a credit report without the express consent of the relevant individual. But such a requirement could also be enforced technically: A credit report could be stored in an encrypted form so that it could be thawed only with a key held or managed by the consumer. Technical enforcement of the thaw-only-on-request requirement would provide a high degree of security against a large-scale compromise, because hackers would have to obtain individual decryption keys for each record.
In addition, consumers would never have to give away their privacy for no received benefit. The credit reporting agencies will argue that many consumers benefit from unsolicited credit card offers because they would not otherwise learn of their availability. That problem is easily solved by enabling consumers to choose explicitly to make their credit reports available to all parties without requiring individual permissions.
But the real issue for credit reporting agencies is that freeze-by-default eliminates the fees they now collect when they make credit reports available to various parties without our explicit permission. For that complaint, we should all have relatively little sympathy — they earn billions of dollars annually from the selling of our data without our permission or consent.