Letter to My Senators: Allow Americans to Opt Out of Data Collection by Insecure Credit Bureaus

Senator Bennet, Thank you for introducing the Energy Storage Tax Incentive and Deployment Act. Distributed electricity storage helps make our power system more robust and can help lessen the impact when our normally-reliable electrical grid suffers an outage.

Senator Gardner, Thank you for your letter last week in support of assistance to Puerto Rico to reestablish electric power in the aftermath of Hurricane Maria. As someone affected by the 2013 Colorado floods, I know how challenging it is to deal with a disruption to infrastructure that we take for granted. I hope the people of Puerto Rico can soon experience the same ecstatic relief I felt when power was restored after the flood.

I am writing you today about another sort of infrastructure that Americans rarely think about until there’s a problem. As you know, the credit bureau Equifax’s computer systems were compromised in May, allowing the intruders to exfiltrate data about tens of millions of Americans for more than two months. The response to the incident from Equifax has been, frankly, awful. They waited to inform the American people about the breach for five weeks. And once the incident was announced, Equifax was unable to handle the public taking action to secure their data: among other problems, the company did not properly deploy the web encryption standard SSL and the site allowing users to freeze their credit file was unable to handle the demand, leaving many Americans frustrated and frightened about what might done with their data. The cybercriminals who have purloined this data are now able to commit identity and financial fraud in the name of these people, none of whom personally entrusted their data to Equifax.

Credit bureaus like Equifax are not subject to the same market pressures as other companies who collect data from consumers. I am a software engineer working in the cloud storage industry. I am proud that our customers trust us with some of their most private data, and it is crucial for efficient market function that they can delete their data and cancel their account when they choose, whether due to distrust of our security practices or because the data are no longer needed. Likewise, a bank which does not prioritize cybersecurity can expect to lose customers. Unfortunately, credit bureaus which collect and data on nearly every American are not subject to significant financial repercussions when they mishandle that data. The people whose data was stolen did not choose to give that data to the credit bureau, nor are they permitted to remove their data from the company which cannot protect it. The bureaus’ main paying customers—companies seeking data about Americans—are likewise not incentivized to prefer companies with the best security practices, since these paying customers do not suffer the consequences when an American’s identity is stolen.

I urge you to work with the Senate to bring clarity to the American people on what data credit bureaus collect on Americans, how it is stored, and how we can better protect it. I further urge you to work to refine the laws under which credit bureaus operate and ensure that Americans can opt out of having their data collected, and require companies to delete non-public data about Americans upon request. Individual Americans stand to lose the most when their identity is stolen, so they must have the tools to safeguard that identity data, including the ability to revoke it from a company whose security process they do not trust.

Thank you for your service and for your consideration on this matter,
Trevor Stone

---

Ironically, I had to try several times to submit this through Senator Cory Gardner's website, sine senate.gov kept returning an error that said

Request not Accepted - Security Risk Detected

Request not Accepted

Your submitted request contained a potential security risk.

Please try your submission again using natively composed plain text (not copied and pasted from another document), with few or no hyperlinks, or other syntax that may be interpreted as computer code (examples: '--', '&').

*As stated in the privacy policy, unauthorized attempts to upload or change information are strictly prohibited.

So yeah, Equifax aren't the only ones who are bad at cybersecurity. My first guess was that the site was choking on smart quotes. Then on the em-dash above. Nope: you're not allowed to email a colon (:) to your Republican Senator. Senator Michael Bennet's submission form accepted the text without finding any threatening punctuation.

Well-Armed Futility

Trigger warning: guns, violence, murder, game theory.

Last night, a 64-year-old Nevadan killed at least 59 people and wounded more than 500 by shooting several (semi-?) automatic rifles into a large crowd at an outdoor country music festival across the Las Vegas strip. This terrible act was the deadliest mass shooting so far in modern America.

When I hear gun rights advocates talk about how guns can make us safer and that a well-armed populace is the best defense against tyranny, it often sounds like they have specific scenarios in mind. Maybe it's an attacker in a dark alley, or a home intruder, or someone opens fire in a crowded restaurant. And I often get the sense that they've mentally played through this scenario, and have a plan for how they would use a firearm in response. (The use might not involve shooting: the mere presence of a firearm can change the dynamics of a situation and get an attacker to change their course of action.)

I'm having trouble imagining how citizens bearing arms would have made this situation any safer or less deadly.

The shooter was 300 feet above ground and more than 1000 feet away from the victims. Response from someone in the concert area would be difficult under the best of circumstances. A handgun would be a completely ineffective. A high-powered rifle could return fire, but it would require a very good marksman, who would also need to locate the attacker's position. The shooter didn't seem to care who he hit, but a defender would need to make sure they got the right room; otherwise they're just shooting already scared people in the Mandalay Bay hotel. Plus, bringing an assault rifle to a concert (even if it were allowed) doesn't seem like a recipe for enjoying the show, not to mention putting the crowd at grater risk of accidental discharge.

Armed citizens inside the hotel perhaps could have taken action. But that would have required a lot of bravery and/or recklessness: if someone busts through a guy's door who's been shooting rapid-fire across the street, it seems just as likely that he'll whirl and unload into the would-be hero as the hero is to stop the shooter. For anyone concerned primarily with their own safety, getting away from the hallway that a shooter might emerge into seems the only rational move.

In the end, it sounds like the police responded within minutes and confronted the gunman… who then committed suicide. This highlights another incongruity between the scenario I hear from gun rights advocates and the experience America has had with mass shooters. In the scenario, the shooter is often concerned with his own life and will back down when confronted by an armed opponent. Yet game theory assumes a rational and self-interested actor. When the attacker intends to kill himself, or if his mind is willing to die, bodily harm is little deterrent and all bets on rationality are off. Shooting the attacker may disable his body, preventing the number of dead from rising further. But "I might get shot" is kind of the point for someone who wants to go out in a blaze of glory, so the presence of more firearms nearby isn't likely to stop him from starting the scene.

The situation was, of course, resolved by trained people with guns. It sounds like the police responded to the shooter's room in remarkable time—I think it would take me more than two minutes to get from the lobby to a particular room on the 32nd floor of a building even if I knew exactly where I was going. The police have some significant advantages that an armed citizen response would lack. First, they've received extensive crisis response training for situations like this. In theory, militia members would have similar training; in practice, when someone in plain clothes pulls out a gun in an active situation, it's hard to judge how well trained he his, whereas a certain level can be assumed of an officer in uniform. Second, the police are acting as a team, both with folks on scene and folks on the other end of the radio who can coordinate more resources. Third, the police have a social dispensation to use force in an emergent situation. The social contract entrusts official emergency responders to make decisions that the society doesn't trust ordinary citizens to make.

When someone's goal is to kill a lot of people and they're willing to become the final tally in the body count, it's very difficult to prevent a mass shooting on the scene; the most we one can usually accomplish is to shorten it. Preventing a gunman massacre requires intervening before the killer is ready to take action. I don't have a novel solution to offer, and I suspect that there are dozens of different things (none of them easy) that need to be done to reach the dozens of potential shooters. I am reminded of President Obama's comment after the Sandy Hook shooting:

We are going to need to work on making access to mental health care at least as easy as access to guns.