>Unfortunately, IMHO, it will take a large-scale "privacy disaster" unlike anything we've ever seen and where people are profoundly impacted, before the public gets wise to what it means to give up privacy.
Those have already happened but no one has explained the gravity of those situations thoroughly enough for people to understand them.
For example, the OPM hack[1] dumped all of the people who applied (note: weren't granted - which is an important distinction) for security clearances in the United States. This is very extensive information about a person's life, going back at least 10 years of their lives, and includes people they knew at addresses that they've lived at, spouses, fingerprint data, etc.
When you couple that with the Marriott/Starwood hack[2], this is information that includes passport numbers, times stayed at hotels, etc.
When coupled together, if I'm a foreign adversary, I now have a larger picture of a group of people who have security clearances, their travel patterns, their passport numbers, and - if coupled with the OPM data - a veritable life's history.
This might seem tin-foil hat but if I have this data, I can then turn to the great advertising machines of the world (e.g.: Facebook, Google, etc.) and attempt to obtain targeting information related to those individuals, specifically.
Going out further on a limb, let's assume I've found an individual of interest, whom I want to "spoof". I have their life's history, I have all of their identification-relevant data, I - quite possibly - could obtain their historical advertising data to see patterns. If this person was living in the United States and is no longer doing so, say they moved away 10 years ago, I now have enough information to impersonate them (including fingerprint data) - in person - and all I require, then, is (possibly) a little cosmetic surgery to insert my foreign intelligence operative to impersonate them.
Now, I understand that all of this is a far stretch and is seemingly implausible but your large-scale "privacy disaster" has already happened (see also: 2016 elections).
What, instead, I think would have to happen (sad as this consideration is) is that the privacy breaches result in some other nefarious event that ties directly back to them.
Otherwise, people still live with this "it's no problem because I have nothing to hide" mentality. To them, so what if China stole their life's history? Unless someone takes that data and then makes them indebted for life (e.g.: to banks or the IRS and that ends up in jail time, etc.), then they're still going to keep trucking along like it isn't that big of a deal because no one has explained the gravity of the potential use of that data. I think that onus is shared between the governments (themselves), businesses that were hacked, and the news agencies reporting these events.
If you told everyone affected by the OPM hack that they could be impersonated (almost perfectly), as long as the actor[s] had other data to correlate specifically to them, I imagine the response[s] would have been drastically different.
Instead, what you get is a couple of years of credit monitoring and that's about the extent of it - which, in my honest opinion - is woefully inadequate for the level of data that the compromise[s] exposed. Monitoring your credit is great and all but it does absolutely nothing for someone impersonating you for employment at other companies - say those who don't require a major background check - to build a recent history in a new city - let's say Philadelphia - to later leverage that background to infiltrate a government sector.
Again, I get that most of what I'm positing is tin-foil hat seeming kind of stuff but the statement inferring that a large-scale privacy disaster hasn't occurred is, to me, a bit flawed (no offense intended or inferred) and discounts that it, indeed, has occurred - it's just that no one has explained it in the right/correct way[s].
> For example, the OPM hack[1] dumped all of the people who applied (note: weren't granted - which is an important distinction) for security clearances in the United States.
Oh, and also people who happened to be living with them at the time (assuming the applicant followed the instructions). :-(
> ...large-scale "privacy disaster" has already happened
> (see also: 2016 elections).
> What, instead, I think would have to happen (sad as
> this consideration is) is that the privacy breaches
> result in some other nefarious event that ties directly
> back to them.
Yes, that's exactly it. By "privacy disaster" I meant to say an actual disaster where people get tangibly hurt and the root cause of it was something that clearly traces back to privacy. THAT kind of disaster hasn't yet happened.
[1] - https://en.wikipedia.org/wiki/Office_of_Personnel_Management...
[2] - https://www.wired.com/story/marriott-hack-protect-yourself/