CNNMoney/Shutterstock
Now playing
03:20
Equifax hack: What you need to know
Apple iPhone Xr models rest on display during a launch event on September 12, 2018, in Cupertino, California. - New iPhones set to be unveiled Wednesday offer Apple a chance for fresh momentum in a sputtering smartphone market as the California tech giant moves into new products and services to diversify.Apple was expected to introduce three new iPhone models at its media event at its Cupertino campus, notably seeking to strengthen its position in the premium smartphone market a year after launching its $1,000 iPhone X. (Photo by NOAH BERGER / AFP)        (Photo credit should read NOAH BERGER/AFP/Getty Images)
NOAH BERGER/AFP/Getty Images
Apple iPhone Xr models rest on display during a launch event on September 12, 2018, in Cupertino, California. - New iPhones set to be unveiled Wednesday offer Apple a chance for fresh momentum in a sputtering smartphone market as the California tech giant moves into new products and services to diversify.Apple was expected to introduce three new iPhone models at its media event at its Cupertino campus, notably seeking to strengthen its position in the premium smartphone market a year after launching its $1,000 iPhone X. (Photo by NOAH BERGER / AFP) (Photo credit should read NOAH BERGER/AFP/Getty Images)
Now playing
02:03
Apple may have most to lose with China tariffs
CNN
Now playing
03:09
First impressions of iPhone XS and XS Max
Photo Illustration: Shutterstock/CNNMoney
Now playing
01:25
Amazon is worth $1 trillion
The small rovers, MINERVA-II1. Rover-1A is on the left and Rover-1B is on the right. Behind the rovers is the cover in which they are stored.
JAXA
The small rovers, MINERVA-II1. Rover-1A is on the left and Rover-1B is on the right. Behind the rovers is the cover in which they are stored.
Now playing
01:49
See the images rover took on asteroid
The Airlander 10 airship is pictured airborne in its hangar during its media launch at Cardington Airfield in Shortstown near Bedford on March 21, 2016.
The Airlander, which was originally developed for the US military, is 300 feet (91 metres) long, according its British maker Hybrid Air Vehicles. The Airlander is essentially three streamlined airship-type bodies merged into one with wings and rotary engines. / AFP / ADRIAN DENNIS        (Photo credit should read ADRIAN DENNIS/AFP/Getty Images)
ADRIAN DENNIS/AFP/AFP/Getty Images
The Airlander 10 airship is pictured airborne in its hangar during its media launch at Cardington Airfield in Shortstown near Bedford on March 21, 2016. The Airlander, which was originally developed for the US military, is 300 feet (91 metres) long, according its British maker Hybrid Air Vehicles. The Airlander is essentially three streamlined airship-type bodies merged into one with wings and rotary engines. / AFP / ADRIAN DENNIS (Photo credit should read ADRIAN DENNIS/AFP/Getty Images)
Now playing
01:59
World's largest aircraft prepares to take off
Gravity
Now playing
02:23
The man behind the world's first jet suit
Disney
Now playing
01:18
Disney's high-flying acrobatic robots will floor you
Courtesy MIT researchers
Now playing
01:10
'Blind' robot can climb stairs, leap on desks
Elon Musk flamethrower
INSTAGRAM/elonmusk
Elon Musk flamethrower
Now playing
00:51
Elon Musk releases new torch devices
Houben/Van Mierlo architecten
Now playing
00:53
Watch these 3D-printed homes being built
CNN
Now playing
04:02
We took to the sky in Kitty Hawk's flying car
CNN; Reviver Auto
Now playing
01:08
California tests pricey digital license plates
Amazon.com/CNNMoney
Now playing
01:18
Amazon under fire over Echo recording error
Boston Dynamics
Now playing
01:21
Humanoid robot runs through the park by itself
blockchain thumb
CNN, Consensys
blockchain thumb
Now playing
03:00
What is blockchain?

Story highlights

Bruce Schneier says we can't rely on the marketplace to regulate the many companies that track our data;

Only government action can protect our privacy, and it's badly needed now, he writes

Editor’s Note: Bruce Schneier is a lecturer at the Harvard Kennedy School and a fellow at the Berkman-Klein Center for Internet and Society. He blogs at www.schneier.com. The views expressed in this commentary are his own.

(CNN) —  

Last Thursday, Equifax reported a data breach that affects 143 million US customers, about 44% of the population. It’s an extremely serious breach; hackers got access to full names, Social Security numbers, birth dates, addresses, driver’s license numbers – exactly the sort of information criminals can use to impersonate victims to banks, credit card companies, insurance companies, and other businesses vulnerable to fraud.

Bruce Schneier
Ann De Wulf
Bruce Schneier

Many sites posted guides to protecting yourself now that it’s happened. But if you want to prevent this kind of thing from happening again, your only solution is government regulation (as unlikely as that may be at the moment).

The market can’t fix this. Markets work because buyers choose between sellers, and sellers compete for buyers. In case you didn’t notice, you’re not Equifax’s customer. You’re its product.

This happened because your personal information is valuable, and Equifax is in the business of selling it. The company is much more than a credit reporting agency. It’s a data broker. It collects information about all of us, analyzes it all, and then sells those insights.

Its customers are people and organizations who want to buy information: banks looking to lend you money, landlords deciding whether to rent you an apartment, employers deciding whether to hire you, companies trying to figure out whether you’d be a profitable customer – everyone who wants to sell you something, even governments.

It’s not just Equifax. It might be one of the biggest, but there are 2,500 to 4,000 other data brokers that are collecting, storing, and selling information about you – almost all of them companies you’ve never heard of and have no business relationship with.

Surveillance capitalism fuels the Internet, and sometimes it seems that everyone is spying on you. You’re secretly tracked on pretty much every commercial website you visit. Facebook is the largest surveillance organization mankind has created; collecting data on you is its business model. I don’t have a Facebook account, but Facebook still keeps a surprisingly complete dossier on me and my associations – just in case I ever decide to join.

I also don’t have a Gmail account, because I don’t want Google storing my email. But my guess is that it has about half of my email anyway, because so many people I correspond with have accounts. I can’t even avoid it by choosing not to write to gmail.com addresses, because I have no way of knowing if newperson@company.com is hosted at Gmail.

And again, many companies that track us do so in secret, without our knowledge and consent. And most of the time we can’t opt out. Sometimes it’s a company like Equifax that doesn’t answer to us in any way. Sometimes it’s a company like Facebook, which is effectively a monopoly because of its sheer size. And sometimes it’s our cell phone provider. All of them have decided to track us and not compete by offering consumers privacy. Sure, you can tell people not to have an email account or cell phone, but that’s not a realistic option for most people living in 21st-century America.

The companies that collect and sell our data don’t need to keep it secure in order to maintain their market share. They don’t have to answer to us, their products. They know it’s more profitable to save money on security and weather the occasional bout of bad press after a data loss. Yes, we are the ones who suffer when criminals get our data, or when our private information is exposed to the public, but ultimately why should Equifax care?

Yes, it’s a huge black eye for the company – this week. Soon, another company will have suffered a massive data breach and few will remember Equifax’s problem. Does anyone remember last year when Yahoo admitted that it exposed personal information of a billion users in 2013 and another half billion in 2014?

This market failure isn’t unique to data security. There is little improvement in safety and security in any industry until government steps in. Think of food, pharmaceuticals, cars, airplanes, restaurants, workplace conditions, and flame-retardant pajamas.

Market failures like this can only be solved through government intervention. By regulating the security practices of companies that store our data, and fining companies that fail to comply, governments can raise the cost of insecurity high enough that security becomes a cheaper alternative. They can do the same thing by giving individuals affected by these breaches the ability to sue successfully, citing the exposure of personal data itself as a harm.

Get our free weekly newsletter

By all means, take the recommended steps to protect yourself from identity theft in the wake of Equifax’s data breach, but recognize that these steps are only effective on the margins, and that most data security is out of your hands. Perhaps the Federal Trade Commission will get involved, but without evidence of “unfair and deceptive trade practices,” there’s nothing it can do. Perhaps there will be a class-action lawsuit, but because it’s hard to draw a line between any of the many data breaches you’re subjected to and a specific harm, courts are not likely to side with you.

If you don’t like how careless Equifax was with your data, don’t waste your breath complaining to Equifax. Complain to your government.