Monday, September 18, 2017

Looking Under the Rock: Equifax's Credit Breach

On Sept. 8, the credit-rating agency Equifax announced that they had discovered a security breach that compromised the data of over 140 million U. S. consumers.  The company admitted they had found out about the hack on July 29, almost six weeks before their public announcement.  Hackers were able to obtain names, Social Security numbers, addresses, birthdates, and even some driver license numbers.  The hackers gained access to Equifax's data through a flaw in a piece of open-source web software called Apache Struts.  The cybersecurity arm of the U. S. Homeland Security Administration had released a fix for the Apache Struts flaw back in March, but Equifax didn't apply it well enough to prevent the hack that began three months later, in May.  Equifax is currently being sued and is overwhelmed with consumers requesting freezes of their credit reports so as to prevent hackers from applying for credit under false names. 

Most of the time, the three quasi-monopoly credit rating agencies Equifax, TransUnion, and Experian are largely invisible to the public eye.  They don't sell their products directly to consumers—their customers are banks, loan companies, and other extenders of consumer credit.  The only time you as a consumer have any dealings with one of the Big Three may be when you apply for a home loan or car loan.  The rating you receive from a credit agency can mean the difference between buying a home and renting for the rest of your life, or being able to borrow more money on a credit card without paying ruinous interest.  So although there's not much you can do to affect what the agencies say about you, they hold considerable financial power over you.  The least you can expect from them is to act as responsible guardians of the highly personal data they accumulate under your name.  And Equifax's data breach betrayed that trust.

This is an odd situation, but has come about through the nature of our consumer-credit-intensive economy.  Back in the nineteenth century, when consumer credit was most often an informal arrangement between a general-store customer and the owner who knew the customer personally, there was no widespread need for consumer credit information.  However, commercial firms were interested enough in the creditworthiness of other firms that the "Mercantile Agency" of Dun, Barlow & Co. arose.  By 1876, this firm had a network of informants all across America, typically small-town lawyers, who periodically sent reports on local merchants to headquarters in New York City.  The reports were compiled and printed in a quarterly Reference Book to which interested credit-extenders subscribed. 

Dun, Barlow & Co. eventually became Dun & Bradstreet, a firm which still provides financial data on commercial firms today.  But then as now, credit-rating agencies sell information about consumers to companies, and it is in their self-interest to protect that information from compromise.  In this, Equifax has signally failed.

I have previously discussed in this space the qualities that any company caught in a crisis should have.  Among these are prompt action and transparency.  So far, Equifax has stumbled on both counts.  While applying patches to software systems as large as the ones Equifax runs necessarily takes some time, data security is the essence of their business, and the three-month delay between learning about the Apache Struts flaw in March and the time when the data breach began in May was too long.  It took Equifax another two months to discover the breach, and then six more weeks went by before they announced to the public that it had happened.  Such delays might be excusable in a mom-and-pop grocery store, but not for one of the three largest credit-reporting firms in the U. S. 

What can you as a consumer do if you think your data may have been compromised?  Equifax has announced the waiver of the usual ten-dollar fee for a credit freeze, and if you can manage to push your way through their clogged website and phone tree to request one, that is one thing you can do.  And at least one law firm has announced its intention to launch a class-action lawsuit on behalf of all 140 million Americans affected by the breach.  But neither of these things will address the fundamental structural problem:  too much of our personal information is stored in places that are too vulnerable to unscrupulous hackers.

If (as is possible) it turns out that the hackers were not based in the U. S., there is an international twist to this tale.  In that regard, the Homeland Security Agency deserves kudos for doing what it ought to be doing:  finding ways that hackers can attack U. S. interests and helping private firms prevent such attacks.  But if the private firms drop the security ball, the government has wasted its time telling them about the problem.

In general, I regard government regulation as a last resort when other measures fail.  But as firms get larger and affect more and more people in a country, it's probably appropriate for them to come under the regulation of that country's government.  There is always going to be some kind of relationship between large firms and government, but that relationship can be either benign or malign for the consumer.  The pre-breakup Bell System was allowed to monopolize telecommunications in the U. S. until the 1980s, and in turn it accepted close government supervision and regulation of its tariffs and profits.  It may not have been the most innovative telecom service in the world, but it was stable, predictable, and reliable.

It may be time to require the Big Three credit agencies to submit to some kind of data-integrity requirement, or to face penalties for data breaches severe enough to make them clean up their act.  But our track record of penalizing these types of agencies for past mess-ups is poor.  One need only think back to the housing-bubble collapse of 2008, in which commercial rating agencies were gold-plating financial instruments that looked as solid as a rock until the bubble burst and knocked them over, revealing a nest of roaches and scorpions underneath.

Equifax is at best guilty of incompetence.  Perhaps the marketplace will punish it enough to make it mend its ways.  But it may be time to re-examine some of our basic assumptions about the responsibilities of private credit-rating firms in our consumer economy.  And in the meantime, keep an eye on your credit rating.

Sources:  I referred to an article on the CNN website at, a New York Times column by Ron Lieber posted on Sept. 14 at, and the Wikipedia articles on Equifax, Dun & Bradstreet, and credit freezes.  My information on Dun, Barlow & Co. in 1876 comes from p. 41 of a reproduction issue of the Asher & Adams Pictorial Album of American Industry (1876) published in 1976 by Rutledge Books. 

Monday, September 11, 2017

Mr. Damore, Welcome To the Prophet Club

In the Bible, being a prophet was not a sought-after job.  Prophets were chosen by God to deliver messages that more often than not turned out to be unwelcome.  And sooner or later, the same lack of welcome greeted the prophet himself as he stood in the city gate telling the people things they didn't want to hear.  Bad things tended to happen to prophets when they got on the wrong side of the establishment.  The prophet Jeremiah, after telling King Zedekiah to surrender to the attacking Babylonians, was accused of treachery and thrown into a muddy well, where he was left to die.  Only the intervention of a friendly official rescued him from a miserable death.

I don't think former Google engineer James Damore has any special line to the Almighty, but by now he has experienced the same thing that the biblical prophets discovered:  say things that the leadership doesn't want to hear, and sooner or later you're going to pay for it.  In response to a ten-page memo he posted entitled "Google's ideological echo chamber" in which he criticized the atmosphere created by gender-diversity programs at his company, the Internet lit up with a storm of attacks on him, and Google ended up firing him.  But exactly what did he say?  First, some background.

Like many companies these days, Google has initiatives and programs in diversity, including ones that attempt to change the fact that the percentage of women in computing is about 24%, according to an organization called Girls Who Code.  The desired change, naturally, is an increase to something closer to the representation of women in the overall U. S. population, which is 50.8%.  I say "naturally" because there is a widely held assumption that when the percentage of women in a desirable field of endeavor—CEO suites, being rich, holding political office, or working at any job that the culture perceives to be desirable—falls below 50.8%, this proves that there is injustice somewhere that needs to be rooted out so that the percentage will more closely approach the magic 50.8%.

If you look at this assumption on its own in the cold light of logic, you can start to see some holes in it.  Some of the highest-paying jobs in the country are in professional sports.  Where are the protests that there aren't any women playing for the Green Bay Packers?  I don't want to start a trend, you understand.  And professional football itself is losing popularity in view of the revelations of long-term brain damage it can cause.  But the point is that many of the assumptions and assertions surrounding issues of gender diversity are based on something besides mathematically exact logic.  And that's a good thing, because logic and undisputed facts can take you only so far.  Something else is needed in order to discuss these matters intelligently:  an ability to articulate the foundations of one's moral judgments.  But these days, that ability is much rarer than the ability to code.

I have read Mr. Damore's memo, and at one point he refers to "moral biases."  Judging from his words, he is neither a political scientist nor a philosopher, but he recognizes that more than logic is required to deal with human-relations issues such as diversity and gender roles.  In his memo, he wrote some things that are undoubtedly unpopular in the Silicon Valley setting of Mountain View:  "On average, men and women biologically differ in many ways."  He cites personality differences that women show compared to men, many of which are positive:  agreeableness, ability to work in teams, and so on.  And he admits that males tend to rank higher on aggressiveness and the willingness to put in long unpleasant hours to get ahead in an organization.  He winds up his memo with a recommendation to "[h]ave an open and honest discussion about the costs and benefits of our diversity programs." 

It is a matter of public record that Mr. Damore was let go by Google shortly before Aug. 7.  Legally speaking, Google is probably not breaking any law to fire him, as California has what is called "employment at will," which means an employer can fire you at any time for any reason, or no reason at all.  Nevertheless, firing him doesn't contribute to an atmosphere at the company that would encourage an open and honest discussion about the costs and benefits of diversity programs. 

Along with Mr. Damore's memo, the website Gizmodo posted a statement from Google's diversity officer, in which she said of the memo, "I found that it advanced incorrect assumptions about gender."  But she didn't say what those incorrect assumptions were.

Engineers are trained to be logical, using known facts about the world to create useful products.  But human life is about more than logic and reasoning.  What Mr. Damore calls "moral biases" are really each person's conclusions, drawn from his or her world view, about what constitutes right and wrong.  And while "Googlers" (as they call themselves) may be mental giants when it comes to logic, programming, and the skillful exploitation of the Internet to generate revenue, neither Mr. Damore nor his opponents in the company are able to articulate the bases of their moral principles any better than they could when they were in high school, or perhaps earlier. 

Instead of a reasoned debate based upon clearly expressed moral principles, what happened when Mr. Damore posted his memo was the Internet equivalent of a riot, at which point Google called in their human-resources cops to quell the riot by arresting (firing) the riot's instigator—the cyberspace equivalent of dumping Mr. Damore down a muddy well.  He won't die from it, but he's certainly been soiled in the sight of many.  And it's far from clear that the conservative media outlets which have started to lionize Mr. Damore as a martyr to their causes will encourage meaningful debates about gender diversity either.  Mr. Damore may have left one echo chamber only to walk into another one of a more conservative bent. 

It's possible to have a reasonable, logical debate about gender diversity, but only if everyone can lay their moral cards on the table first.  And these days, we lack the vocabulary and often the courage to do so.

Sources:  I referred to reports about James Damore's firing carried by the San Jose Mercury-News at and Bloomberg News at  The percentage of women who code is from, and Gizmodo carried Mr. Damore's original memo and the response by Google's diversity officer at  The story of what happened to Jeremiah after he said unpopular things is in the 38th chapter of the Old Testament book of the same name.

Monday, September 04, 2017

Arkema's Crosby Nightmare: The Price of Ignorance

If you lived within three miles of a chemical plant where dangerous substances were being made or handled, maybe you wouldn't want to know all the details.  But I bet you'd like first responders in the area to know what was there so they could take appropriate actions if anything went wrong. 

Well, Texas is a good place to live in many ways, but about 3,800 people living within a 3-mile radius of the Arkema chemical plant in Crosby, Texas probably wish they lived somewhere else right now, that is, if they haven't already evacuated because of the record-breaking floods from Hurricane Harvey.  Because several refrigerated trailers parked at the plant are full of chemicals that must be refrigerated to keep them from exploding.  And as the plant flooded shortly after Harvey hit, the power went out, the trailers started warming up, and one of them has gone up in flames already, sending noxious smoke into the neighborhood and forcing 18 first responders to seek medical attention.  And beyond a few general statements from the plant owners about organic peroxides, the public still doesn't know what is in those trailers.

Here's what apparently happened, as I have gathered from news reports. 

Arkema is a multinational chemical-manufacturing conglomerate based in France.  Its Crosby plant is a few miles northeast of the center of town on U. S. 90, and Crosby is northeast of Houston.  The setting is suburban, not really rural, as the 3,800 people within a 3-mile radius can attest. 

Texans are used to chemical plants.  They provide jobs and tax revenues, and while the smells and other hazards associated with chemical plants are drawbacks, the extreme safety precautions taken by most plant operators mean that millions of dollars' worth of chemicals are produced every day in the state without incident, under normal circumstances.  But Hurricane Harvey was anything but normal.

Organic peroxides are extremely reactive chemicals that are used in the polymerization of plastics, among other processes.  While I am no chemist and don't know any more about them than any other random resident of Crosby, I can well believe that some of them are so reactive that you have to keep them cooler than room temperature or else they will decompose violently, leading to an explosion.  Handling such stuff is a challenge, naturally, sort of like shipping frozen fish around, except instead of spoiling if it warms up, it blows up in your face.  So the plant no doubt has a lot of refrigeration machinery to keep its processes cold enough to preserve the nasty stuff, and refrigerated semi-trailers to take it where it needs to go—namely, other chemical plants that are equipped to keep the chemicals cold until they are used. 

All this has gone on up to now without any major incidents, although Arkema has reportedly been cited by regulators several times in the past for safety infractions.  Then last week came forecasts that Harvey, which was only a tropical depression as late as the Tuesday before it struck, was heading toward the Houston area.

The Arkema operators apparently decided that they ought to shut down the plant and move the existing stock of explosive chemicals off site in trailers.  So at some point before the hurricane hit, they loaded nine refrigerated semi-trailers with volatile chemicals that needed to be kept cool, and connected the refrigeration machinery to the local power utility, which was backed up by emergency power onsite. 

A skeleton crew of 11 stayed through the storm, making sure the power was still on to the trailers and switching to emergency power generators when the local utility power failed.  Then the water started to rise, and on Tuesday Aug. 29, the crew was ordered to evacuate, leaving the trailers behind.  As of today (Sunday, Sept. 3) one trailer has exploded, and the others are expected to go at any time.

At that point, one can question why they didn't take the trailers with them.  A number of reasons come to mind:  (1) they didn't have enough tractors (trucks) to haul them out, (2) the flood waters were so high that it might not have been possible to drive away from the plant in such heavy vehicles, (3) the prospect of dragging potentially explosive stuff all over flooded Houston was worse than leaving it there.  For whatever reason, the crew left the chemicals behind, and shortly thereafter Arkema officials announced that within a few days, the chemicals would of a certainty explode and make quite a mess.

An article in the Austin American-Statesman raises the question of why the contents of the plant have not been made public.  Every such plant has to file with the U. S. Environmental Protection Agency what's called a Tier II report detailing the chemicals made or used there.  But under current law, it's not easy to gain access to that report.  You have to go to special reading rooms in Federal buildings and you can't photocopy them.  After the 2013 ammonium-nitrate explosion in West, Texas that killed more than a dozen people, the Obama administration proposed requiring the Tier II reports to be in a user-friendly format more widely available to the public.  But manufacturers and Texas regulators opposed this proposal, saying that such information could be used by potential terrorists.  And the new EPA administrator under the Trump administration, Scott Pruitt, has agreed to delay the change by at least two years.

I said it after West and I'll say it again.  It is stupid that a Tier II report, or something like it, is not made available to first responders near any plant which they might reasonably be expected to respond to.  If you can't trust your local firemen to keep a secret, who can you trust?  And to me, the terrorist excuse sounds phony.  The more likely reason companies don't want Tier II reports released to the public is either out of concerns that competitors will use it, or that environmental protest groups will use the presence of certain chemicals to bring pressure to bear to shut the plant down. 

These concerns are legitimate, but they do not outweigh the need of those sworn to protect the public from harm to know what they are up against.

So far, nobody has died as a result of the Arkema plant explosions.  But there are more trailers waiting to go off, and we still don't know what's in them.

Sources:  I referred to reports on the Arkema explosions and hazards that were carried by Houston TV stations at and  The Sept. 2 print edition of the Austin American-Statesman carried an article by Jeffrey Schwartz entitled "Information scarce on chemical plant blasts," on p. A11.