Like many of you, thanks to the Equifax breach, I am currently wondering if I should freeze my credit reports. Like some of you, I am planning to refinance my house in the near future, which makes me quail at the thought of freezing the darn things, and then unfreezing them, and then freezing them again. … Is it really necessary?
Answer: Probably yes. Just let Bloomberg’s own Drew Armstrong tell you what happens when your identity is stolen. You don’t just have trashed credit and a lot of hassle with banks. You also, apparently, have the TSA giving you the microscope treatment when you fly.
Our aversion to this sort of hassle is part of the reason that the breach happened in the first place. Let me explain.
In "Seeing Like a State," James Scott writes about the ways in which governments have striven, over the centuries, to make the world “legible.” Imagine you’re a guy who’s just unified some territory in the ancient world and proclaimed himself king, or emperor. How many subjects do you have? Unless the territory is pretty small, the answer is likely to be “dunno.” What do those subjects do with their days? Er … em … yeah, dunno. Most importantly, how much tax revenue can you squeeze out of them? How many men can you conscript to fill your armies and build giant, unseemly monuments of your face stuck onto the body of someone 20 years younger and in much better shape?
You have no idea.
So you have censuses. And you enact all sorts of rules designed to make various markets operate differently -- often less efficiently, but in ways that are easier for you to see and tax. So too in the modern state. Payroll and accounting departments? They’re in the business of making businesses more legible. And of course, your Social Security number is purely an instrument of legibility.
But it turns out that governments aren’t the only institutions that like legibility. Bosses like workers to be legible, which is one reason we have punch clocks and open-plan workspaces instead of private offices. Banks love legibility. So do utility companies and anyone else who provides a service in the hopes that we will pay them for it after we have consumed it.
Legibility has transformed along with American life: In 1830, your neighbors probably had frighteningly accurate picture of your financial resources and ability to repay a loan, but a banker 1,500 miles away would have to make do with a character impression and perhaps a letter of reference. In 2017, a banker anywhere in the country can find out almost instantly how much money you owe, how often you have missed payments, and what sort of car you drive … but your neighbors probably have no idea what’s going on with your bank account. It's the peculiar paradox of modern life: We have never felt less legible, nor been more so.
Mass legibility has considerable advantages. In the old days, bankers had more leeway to advance loans based on their assessment of the borrower’s character -- but what if there was only one bank in town, and the president didn’t much care for your character? Credit rating has democratized credit, making it cheaper, more broadly available, more convenient, and less subject to the whims of personal relationships. You can refinance your house every time interest rates dip a quarter-point; you can go to Europe without any cash or traveler’s checks; you can obtain goods and services with only your signature on a promise to pay, as if you were J.P. Morgan.
But there is a cost to that legibility. Imagine a man in 1830 trying to impersonate someone to their local banker. How could they? Your banker knows who you are. Unless the impersonator is Obi Wan Kenobi, it’s not going to work. Nor would it do them any good to impersonate you to another banker who doesn’t know you, because why would that banker give money to a stranger?
Now we live in the age of identity theft.
At the dawn of the internet era, the New Yorker published a famous cartoon with the caption: “On the Internet, nobody knows you’re a dog.” By now, it needs to be updated: Given how many groups are interested in our identities, and constantly tracking them as we burrow through the internet, the only people who don’t know whether you’re a dog -- along with exactly who you are, and what you like to buy, and what kind of videos you watch -- are the people who don’t care.
The Equifax breach is a direct consequence of that. Our single identity bristles with information, and that information is extremely valuable. When something is very valuable, someone else is going to eye it longingly, and look for ways to take it.
I don’t intend to excuse Equifax here. Undoubtedly, when the facts are known, we will find that some manner of corporate stupidity exposed data on millions of Americans to thieves. And the company has handled the crisis clean-up with a callousness toward those Americans that verges on the criminally insane.
Having written a book on failure, I am also pretty confident that:
- When the shouting is done, and the investigation is complete, we’ll find what we usually do with these kinds of catastrophic system failures: a series of seemingly innocuous decisions taken by disparate individuals, which collectively added up to a big hole the hackers drove a truck through. None of the individuals understood the risk they were taking, and indeed, each of those risks was probably pretty small; they had to line up just right for everything to go wrong. It’s what James Reason has dubbed the “Swiss Cheese model” of failure, and if you start looking at disasters, you’ll see it time and time again.
- There ain’t no such thing as a foolproof system. Especially when someone outside is trying to break it. The hackers only have to find one entry point into the system. The system administrators have to patch all of them, in advance.
Mass legibility means that the inevitable failures will be catastrophic.
Equifax will undoubtedly be hauled up in front of Congress, investigated by every agency and prosecutor who can find an excuse, and given a rough ride by the stock market. I won’t exactly weep tears of sympathy. But we should not fool ourselves into thinking that if we just bash Equifax hard enough, and maybe make a law, that will somehow fix the problem. Our identities will still be thick, and legible, and valuable. Which means that they will still be eminently stealable, and very probably, they will be stolen en masse again someday.
The real fix is to make our identities harder to read -- which is, essentially, what locking down your credit report does. So why weren't people doing that already? Because we actually like being legible. We like being able to get credit on a moment’s notice. We like having the government know who we are so they can whisk us through the TSA Pre line (and hopefully, whisk folks who are up to no good off to an interrogation room). We like our airline miles and our EZ Pass and our shopper rewards program, and having a cell phone on contract instead of going through the hassle of pre-paying for every call. All of that depends on readily accessible information about our identities and our finances. Accessible to those we want to see it, and those we don't.
If we really want to keep ourselves from being vulnerable to breaches like this, we have to first recognize that we are among the many people whose small decisions created small risks that accumulated to enable the Equifax hack. We chose convenience over tighter security. We trusted Equifax to deal with all the tedious, inconvenient logistics while we whizzed around buying stuff. But why did we put our trust in a company, in a system, that wasn’t particularly legible to us? And having done so, why did we expect them to treat our information as valuable, when we didn't value it ourselves?
This column does not necessarily reflect the opinion of the editorial board or Bloomberg LP and its owners.
Megan McArdle is a Bloomberg View columnist. She wrote for the Daily Beast, Newsweek, the Atlantic and the Economist and founded the blog Asymmetrical Information. She is the author of “The Up Side of Down: Why Failing Well Is the Key to Success.”
© Copyright 2021 Bloomberg L.P. All Rights Reserved.