Data Breaches and the Problem of Bigness

On Monday, The Wall Street Journal reported that Google plans to start collecting the health data of millions of Americans as part of a cloud-computing deal with Ascension, one of the largest health systems in the United States. This comes after Google’s recent announcement that it plans to acquire Fitbit, the maker of fitness-tracking devices, which will give Google access to the personal health data of millions of Fitbit users.

Critics are already pointing out the many ways that Google might abuse the knowledge it gains through these deals. Yet, even if Google lives up to its promise not to use health care data for nefarious purposes, a big problem remains, and it should be getting more attention. Google’s growing size alone makes it an ever more tempting target for hackers. Moreover, Google’s scale also means that once a hack occurs, the resulting loss of privacy is on such a scale that it would have consequences throughout society. Finally, Google’s scale also brings with it levels of complexity that can make securing data more difficult.

And the same is true of other giant digital giants. While computer systems always have some risk of getting hacked, size matters.

Microsoft presents a perfect example of how bigness amplifies the risk of an attack. Microsoft Windows is not markedly less secure than Apple’s operating system. But Windows’ enormous market share creates an incentive for hackers to target the operating system. In a 2003 report, the Computer & Communications Industry Association noted that “the presence of this single, dominant operating system in the hands of nearly all end users is inherently dangerous.”

The same point applies to Facebook. Last month, Facebook quietly revealed that 100 developers potentially accessed Facebook Group member information, despite Facebook changing its policies. Could Facebook have been more vigilant? Probably. But as Rep. Cindy Axne, D-Iowa, noted during last month's congressional hearing into Facebook’s proposed Libra cryptocurrency, “size makes Facebook a target for attacks.”

Microsoft, Facebook, and other large corporations often market their breadth of operations and product offerings as giving them the technical and financial wherewithal to provide better data protection. But strong security measures do not require expensive tools. Scott Schober, a cybersecurity expert and CEO of Berkeley Varitronics Systems, says some of the most effective security protocols “have minimal costs or are costless.” In other words, many companies can afford excellent security measures, not only market behemoths.

Schober states that some protocols, such as strong passwords, updating software, and enabling two-factor authentication, can deter a significant number of hacking attempts. In fact, a 2017 data breach report from Verizon detailed that 80 percent of all security breaches involved stolen or weak passwords.

Meanwhile, the most devastating recent data breaches affected millions of people - but only a single, giant corporation. Consider the recent Equifax data breach, in which one of the three major consumer credit reporting agencies was hacked, revealing personal information including first and last names, Social Security numbers, birth dates, addresses, driver's license numbers, or credit card numbers of approximately 145 million Americans.

Another part of the problem, Schober says, is that as corporations grow, the complexity of their operations also increases. Complexity creates security vulnerabilities across the landscape of a company’s operations. As security expert Bruce Schneier has written in his book, Click Here to Kill Everybody, complexity creates risks because it is not possible to “anticipate every configuration, condition, application, [and] use.”

Consider the Cambridge Analytica scandal, when a single decision in 2014 by Facebook to permit the harvesting of data without explicit user consent led to a single developer potentially acquiring group memberships, event histories, liked pages, interests, and more for 50 million users.

The risks of these mammoth stores of data are too great. Google’s deals with Ascension and FitBit create a wide array potential abuses. But even if those abuses do not occur, the increased risk of hacking attacks caused by scale alone provides regulators with a strong reason to oppose further concentration among digital giants.