It’s sort of sickening to indulge in yet more creation of copy in regard to the great celebrity nude photo leak. Surely, just about everything that needs to be said about this 100-car-pileup of a story has been said: It’s a heinous invasion of privacy; it’s not J-Law’s or McKayla Maroney’s or anyone else’s fault; two-factor authentication should be the norm; hey, kids, remember what you’re doing when you’ve got your photostream enabled.
However, I think one interesting development worth a bit more exploration is the burgeoning idea of PII as currency.
Not that digital currency is anything new. There’s actually a thing called “dogecoin,” named for a stupid dog meme, and people actually buy and sell things with it. If that doesn’t have you stockpiling food and getting ready for the zombie apocalypse, you’re a better person than I am.
But it’s interesting to think of PII as currency in the same way. When hackers steal credit-card numbers, it’s rarely so they, themselves, can use them to make purchases. Rather, they sell the numbers off in lots for, well, probably bitcoins nowadays. Those card numbers are then probably resold for standard currency in ones and twos to people who actually then try to see how much stuff they can buy before the number goes dead.
At the first step, though, it’s a straight digital exchange—a piece of data for another piece of data.
Just as the cost of a bitcoin fluctuates, so, too, does the cost of a credit card number. Freshly stolen with a high confidence of big limit and low chance it’s already been cancelled? Maybe that costs $50 per number. Then that value degrades as the theft fades into the rearview mirror and people start realizing they should call their credit card company or the credit card company starts issuing new cards as a precautionary measure.
Six months later, that $50 number might be worth $1 or less.
Similarly, now, consider these nude photos and explicit videos. According to various reports, many of these images have been circulating through the deep web for years, traded in exchange for bitcoins and other things of value (maybe user names and passwords) and amassed by so-called collectors. These photos and videos, this PII, are now currency in a very real sense. In fact, there are theories out there that this giant leak was a sort of bad-guy sabotage: By putting all the photos and videos out onto the mainstream web, their value crashes.
Why pay bitcoin when you can just search Reddit? Maybe that J-Law photo was worth half a bitcoin last week. Today? Why would it be worth anything more than a sliver?
Perhaps this sounds a bit like the plot to The Goldfinch? In the Donna Tartt novel (spoiler alert!), a rare painting becomes a trading chip amongst drug dealers and other underground ne’er-do-wells. Want to get fronted a million bucks worth of heroin? You’ll need to leave a rare Renaissance painting as collateral.
Looking for a bank of user names and passwords that you can try to convert into cash? Well, I’ll need some revealing photos of an Olympic gymnast before we can continue.
Further, just as no one is taking my seven-year-old’s scribbles (despite the sentimental value they may have to me) in exchange for a giant haul of cocaine, neither is anyone forking over big bitcoin for photos of random frumpy couch potato men.
Some people’s PII is worth more than others’. Are you factoring that into your risk assessments? Just as a police officer’s home address is worth more than mine, it’s demonstrably true that the photos on Kate Upton’s phone are more valuable than mine (and, yes, I did just call myself a frumpy couch potato). Should verified celebrities get more expensive privacy protection? Should banks be offering the extremely wealthy different privacy protections than the hoi polloi? Or, rather, not even allowing the extremely wealthy to use credit cards without PIN and chip technology, as the risk is so much greater?
Sure, we’re already parceling out risk by the type of PII (health info vs. phone numbers; financial data vs. IP addresses), but are we parceling out risk by whose PII it is?
It may be that we should start.
That PII you’re holding on your servers somewhere may be worth big money. If so, you can be sure some hacker is already mining away to get it. You might want to know how hard they’re likely to be trying and what the eventual payoff is likely to be.