The drumbeat of privacy debacles gets louder every week. But how can we fight back? It’s not easy, but the one bit of leverage we do have is our willingness to do business with the violators.
Sony is responsible for the worst recent database incursion, with its PlayStation network severely compromised. The company now admits, after a bizarre delay, that all kinds of sensitive user data, possibly including credit-card numbers and, most likely, even answers to security questions, is in the hands of criminals.
Meanwhile, Apple took its time even acknowledging what security experts had found to be problematic storage of users’ location data on the phones and the desktop computers to which they must be tethered for updates and backups. Steve Jobs’ current statements don’t fully square with what the company has said before, the Wall Street Journal reports, and Apple’s insistence that software “bugs” were responsible for much of the situation fails the smell test. As Gizmodo noted in its typically way, Apple’s PR-driven Q&A says, essentially, “We’re not tracking your location, we’re just tracking your location!”
I’m no longer a customer of either Sony or any Apple iOS products — largely because I disapprove of those companies’ control-freak tendencies — so I have no power to influence them by taking my dollars elsewhere. I hope their customers will consider making this kind of decision, and explain why if they do.
I did have that power with one of the companies caught up in yet another notable data breach in the last few weeks. Chase Bank issued one of my credit cards, and I have a small checking account there. In an April 6 email, Chase wrote:
Chase is letting our customers know that we have been informed by Epsilon, a vendor we use to send e-mails, that an unauthorized person outside Epsilon accessed files that included e-mail addresses of some Chase customers. We have a team at Epsilon investigating and we are confident that the information that was retrieved included some Chase customer e-mail addresses, but did not include any customer account or financial information. Based on everything we know, your accounts and confidential information remain secure. As always, we are advising our customers of everything we know as we know it, and will keep you informed on what impact, if any, this will have on you.
We apologize if this causes you any inconvenience. We want to remind you that Chase will never ask for your personal information or login credentials in an e-mail. As always, be cautious if you receive e-mails
asking for your personal information and be on the lookout for unwanted spam. It is not Chase’s practice to request personal information by e-mail.
Such bland assurances are absurd. This is more than an inconvenience; for many customers it will be a big problem. When the bad guys have your email address and know what companies you do business with, they are eager to go phishing — that is, to pretend to be that company and lure you into a trap.
I’m not Epsilon’s customer. Chase is the customer, and that gave me limited leverage. But I had this much:
Using the messaging system on Chase’s customer-accounts website, I asked the bank’s customer support the following question:
My question is this: Does Chase plan to continue using Epsilon for these services? If so, I will be canceling my Chase accounts and moving them to institutions that take their customers privacy more seriously.
Chase initially responded with boilerplate informing me that it takes privacy “very seriously” — standard language that means nothing. I wrote back, saying that the reply was non-responsive and that I did want an answer.
Some days later, a Chase employee called. I asked again, did the bank intend to keep doing business with Epsilon? The employee said that Chase had “suspended” its use of Epsilon services while it investigated the hacking.
Even the suspension is suspect. I also asked how I would know if Chase was using this email provider again. I’d have to call back, she said. In other words, the onus is on me to find out if Chase resumes business with a vendor that has demonstrated its inability to protect Chase’s customers.
I’ve decided this isn’t good enough.
Chase had a chance to re-earn my trust, to make a statement to the public that this kind of casual treatment of customers’ information by its vendors is not acceptable and would not be tolerated. The only way I can imagine for this to be taken seriously is for Chase to announce that it’s terminating its relationship with Epsilon, period.
Since this isn’t happening, I’m looking for a new bank. If you’re a Chase customer, consider doing the same.