We lost our privacy before we lost our data

In May of 2015, the United States federal government suffered a massive data breach, a hack that exposed the names and Social Security Numbers of over 21 million people.

In a press release, the Office of Personal Management reported that as a result of its “aggressive effort to upgrade the agency’s cybersecurity posture,” the agency discovered the massive theft of background records, reportedly originating in China, including identification details such as Social Security Numbers residency and educational history; employment history; information about immediate family and other personal and business acquaintances; health, criminal and financial history; and other details.

Some records also include findings from interviews conducted by background investigators and fingerprints. Usernames and passwords that background investigation applicants used to fill out their background investigation forms were also stolen.

This was a new breach — not the same looting of 4.2 million of records that the agency discovered in April of this year.

The news didn’t stop OPM Director Katherine Archuleta, appointed to the post in 2013, from congratulating herself for the agency’s great strides in security. It was her “comprehensive IT strategic plan” that led to the knowledge that these incidents had happened.

Sounds like congratulations are in order. But now it’s September, Archuleta is long gone (she lasted about one day after praising herself for noticing the theft), and the latest news is that the fingerprints of 5.6 million people were also grabbed in the mega-hacking of OPM’s “cybersecurity posture.”

OPM assures us that “federal experts believe that, as of now, the ability to misuse fingerprint data is limited.” As of right now… this second… as we hit the press… you probably have nothing to worry about if your fingerprints got stolen from OPM’s data banks. Hurrah.

Even Archuleta would probably concede that discovering a robbery is not quite as good as preventing it. Let’s even go so far as to say that she is less to blame for having failed to fix how her agency functions than is the nature of bureaucracy itself.

Of course, governmental organizations are not the only organizations vulnerable to being cyber-attacked in consequence of lax security. Other victims in recent years have included Target, Chase, and Sony.

But it’s the decades-old privacy-invading policies of the federal government that have routinely converted all such breaches of personal data into potentially limitless disasters for the victims.

The federal government which, decades ago, assured us on the cards stamped with our Social Security Numbers that these digits were “not to be used for purposes of identification” is the same government that now mandates the SSN’s ubiquitous deployment to monitor and tax us.

Today, the Social Security Number is like the number to a combination lock: perhaps not enough by itself to enable a bad guy to rob the safe, but a big, big help. Once your SSN-tagged info is out there in badland, your stolen data can be sold and re-sold and re-re-sold. And your cyber-housed, SSN-tagged stuff can be targeted again and again.

Yet it has become harder and harder to refrain from giving others that number. You can join a club without divulging your SSN. You can open an email account or buy a book, a hamburger, a refrigerator, or a gift card without reporting your SSN. But you cannot put ten dollars in the bank, nor open an investment account, nor apply for a credit card or a job without reporting it. Most often, you cannot rent an apartment or buy a house without reporting it.

Absent unusual efforts to protect your financial and personal privacy (of the kind outlined in J.J. Luna’s book How to Be Invisible), the most you can do by way of preventing cyber-assaults is to take such precautions as using different and non-obvious passwords for different cyber-accounts, and withholding your address, data of birth, and SSN from persons who may ardently request these data but will still do business with you if you refuse.

If your data has been grabbed, you can also — if and when you learn of the theft — arrange to monitor your credit and to block routine access to your credit reports, and perhaps take a few other barn-door-slamming measures. But you cannot, short of engaging in fraud, supply anything other than your actual Social Security Number when a government agency requires that it be supplied.

Our most personal information hasn’t always been thus exposed. Today we are so used to privacy-violating mandates like the Social Security Number tag that we take the necessity of such poisonous violations for granted. But poison does not become nutritious merely because it has become, for now, unavoidable.

This work is licensed under a Creative Commons Attribution 4.0 International License, and was first published by The Foundation for Economic Freedom.