
Cybersecurity is a Social Justice Issue

November 3, 2017

You might not think of cybersecurity as a social justice issue, but it is. From your cell phone to your shopping habits to your employer, you are inheriting a set of practices that the businesses you interact with have invested in their products and services. Each of us inherits cybersecurity as a function of our relative wealth, and there are important ways that it is reverberating through every aspect of our daily interactions. I think it is time for a national conversation about this reality.

Firms like Apple and Microsoft invest heavily in cybersecurity. They do so at considerable expense. Part of their strategy is to vertically integrate their supply chain. In layman’s terms, this means they control which technologies can be used along with theirs. Limiting interoperability (the ability to use another company’s technology or platform) comes at a dollar cost, and also at an interoperability efficiency cost. This is why iTunes only syncs with the Apple store and why iPhone’s charger doesn’t work on other devices. It is both a corporate strategy and a security strategy.

Apple and Microsoft also invest in security design architectures within their products, such as biometric identification security. When you use biometric identification, whether fingerprint, facial recognition, iris scan, etc., the phone converts that to code and generates a unique “hash.” That hash can be used to authenticate any application within the same platform.

Apple has a secure enclave in which it stores your unique “hash” identifier, but competitors like Android do not have the secure enclave or the vertically integrated supply chain. Moreover, Apple and Microsoft use something called “formal methods” as their programming standard, a rigorous, mathematically based coding technique. These two companies offer uniquely strong cybersecurity as a result, but their consumers pay a premium for such secure service, which thus becomes a white shoe commodity.

The reality is that the cybersecurity differential reverberates beyond Apple and Microsoft and into every aspect of American life because today, any institutional interaction involves multiple companies’ security strategies.

To illustrate this, envision two American women, Emma and Trudy.

Emma is a senior lawyer at a firm and makes $450,000 per year. She has AmEx fraud protection, loan/title company insurance on the condo she owns in a doorman building, and a few subscription security services like LifeLock. She shops at Neiman Marcus and owns an iPhone.

Trudy has a few young children and serves as caretaker for other family members like nephews or grandmothers. Her husband was killed in action, and she’s receiving military spouse survivor benefits and working as a nurse in the local hospital. She makes $43,000, rents from a weak title company, and shops at Target and TJ Maxx. She has a phone that came with the Cricket Wireless pay-as-you-go plan. Not only does she not have a premium AmEx with fraud prevention, but she uses a prepaid Green Dot debit card that can be stolen like cash and doesn’t have monitoring or support. She isn’t a lawyer, doesn’t have a lawyer, and doesn’t know what her rights are as a consumer.

Let’s compare how the lives of these women prepare them to handle cybersecurity issues.

| Facts about Emma | Security Implications |
| --- | --- |
| Emma is a senior lawyer at a firm and makes $450,000 per year. | Emma is generally conscious of her legal rights. She can also walk down the hallway to access specialized attorneys for off-the-cuff advice on a daily basis. |
| Emma has an American Express card. | American Express provides fraud protection. They also hire strong cybersecurity teams to prevent having to cover the costs of fraud. |
| Emma owns a condo and has loan and title insurance. | A reputable title company will have stronger cybersecurity practices and is less likely to leak or sell customer information. |
| Emma has a doorman. | Even if a hacker were to access her front door using her smartphone, Emma has a physical layer of defense. |
| Emma has a security subscription service, LifeLock or a competitor. | Even if Emma’s identity were to be stolen, she could out-source the problem to her identity fraud insurance company. |
| Emma shops at Neiman Marcus. | High end stores are less likely to be breached and more likely to help customers mitigate damages if necessary. They pay greater attention to vendor relationships, prioritize regulatory compliance, have fewer transactions than low-end stores, and are likely to buy more insurance. High end stores may be perceived as a more difficult target for cyber criminals and are likely to receive a thorough response from law enforcement. |
| Emma owns an iPhone and a Macbook. | Apple has state of the art security because they have a vertically integrated supply chain and little interoperability. Biometric identity information is stored as a unique hash in the phone’s secure enclave. |

| Facts About Trudy | Security Implications |
| --- | --- |
| Trudy is a nurse at a local hospital and has survivor’s benefits because her husband was killed in a war. | Trudy isn’t a lawyer, doesn’t have access to a lawyer, and is not aware of her rights. |
| She makes $43,000 a year and is the caretaker for extended family members like nephews and grandmothers. | She has significant family members to take care of, which strains her resources. Family members like children might also download insecure games or apps to her phone and other devices, sign into her credentials on insecure platforms, or otherwise allow for a larger and more insecure footprint. |
| Trudy rents from a cheap title company. | A weak title company is unlikely to invest in security of customer information. They also may require more of Trudy’s time to make sure that her rent goes through every month. She probably pays cash or debit, rather than automated deposit from an American Express with fraud protection. This cycles back to her debit card security. |
| Trudy shops at TJ Maxx and Target. | Retailers Target and TJ Maxx have each been hit by significant breaches. In fact, the entire family of companies was subject to the Heartland payment systems breaches in 2008 and again in 2015. Their significant volume of transactions and lower attention to customer data have resulted in insecurity. |
| Trudy has a cell phone that came with the Cricket Wireless pay-as-you-go plan. | Trudy’s smart phone might look like it has many of the same features as an iPhone, but it has significantly less security. For example, any biometric identification (fingerprint, facial recognition) will be stored as a unique hash, but Androids don’t have Apple’s secure enclave. It is more likely that a hacker could fake his way into any application and, with the proliferation of Internet of Things, could gain entry not only to her bank account, but her front door. |
| Trudy uses a Green Dot debit card. | Debit card companies generally provide no fraud protection and invest less heavily in their security because they don’t bear the liability burden like credit cards do. The less fancy the debit card, the less you can assume the company invests in security. Meanwhile, the funds can be stolen like cash. |

The insecurities not only mount, but compound: an insecurity in one dimension of life (let’s say payment systems at a retailer) reverberates through other aspects (like cell phone and bank account security). This means that, as with many other aspects of daily life, the most vulnerable Americans are hit the hardest.

Recent breaches like the Equifax hack might seem to affect people indiscriminately. In practice, these too hit vulnerable people the hardest. Wealthier people are likely to have barriers to their identity being stolen in the first place (such as AmEx with fraud protection and LifeLock or other personal identity protection). Wealthier people are more likely to have access to a lawyer. They are more likely to know their rights and know how to approach the situation with formal letters and documentation. They are less likely to be suspicious of law enforcement and more likely to have the time and attention to pursue the necessary credit score corrections. In sum, wealthier people are more likely to be shielded by other institutions from identity theft and, if exposed, are more likely to recover from identity theft - in the short and the long term.

Practically speaking, cybersecurity provides a new access point for wealth discrimination in America, and it is a pervasive one.

We have had national conversations about wealth inequality in other contexts. For example, we have concluded as a nation that every individual should have a right to a lawyer with a bare minimum of competence. We know that wealthier people can buy lawyers that are likely more effective, but we’ve had the conversation over time and set boundaries on the extent to which wealth (or lack thereof) can dictate your representation in the legal system.

We have yet to hold the national conversation about cybersecurity as an artifact of wealth, and the fact is that this issue doesn’t select for those who can afford to be informed and prepared. We are already living in a stratified cyber world, and the threat is worse for already-vulnerable populations. The daily reality of inequality is not something I’m convinced Americans are willing to accept. We owe ourselves and our fellow citizens the conversation.

The views expressed herein are the personal views of the author and do not necessarily represent the views of the FCC or the U.S. Government, for whom she works.
