The Role of Accountability in Capitalism
Written: 2025-09-07
Tags: #rant #long-form
I am of the opinion that Capitalism can be summarised as an environment which creates evolutionary pressure among agents towards maximising monetary gain while minimising accountability (note that ethics do not play a direct role in this model). It is hence the job of regulatory bodies to define a minimal viable level of ethical standards and to enforce accountability regarding these standards.
This creates an adversarial environment in which participating agents look for ways of circumventing regulations, in order to maximise their goals.
If there is only one takeaway from this article, I want it to be that we as consumers should remain ever vigilant, as a failure to produce sufficient regulation has a direct, negative impact on our quality of life.
The rest of this article will be a more detailed breakdown of an individual case which is annoying me right now:
The Ebay-ID-Verification Case
Ebay started to require ID verification when using their app. Now this is a bit annoying, but I am not fundamentally opposed to strict KYC (know-your-customer) requirements on a platform that is (used to be?) rife with scams. They already have my bank details, so one may assume that they could trust the bank's KYC process, but I recognise that not all banks are equal, and that banks may not be willing to give hard KYC guarantees to third parties. Alright, I make mental peace with the fact that Ebay will now have a picture of my driver's licence around. I mean, they could delete it after they are done, but I guess they will find a reason to keep it around. Purely for security reasons, of course.
Now, Ebay didn't roll their own solution. They are using Veriff. Veriff's page title boasts "AI-Powered Identity Verification | Drive Growth | Veriff", saying that they provide "Highly automated identity verification for fraud prevention, compliance and safeguarding your customers. Build trust, transparency online and drive more growth". They also offer ID-based account recovery, so it's safe to assume that they hold on to your biometric data for all eternity. They proudly claim to be able to operate in 230 countries, even recognising passports from North Korea! Wowzers!
Veriff isn't just doing this for Ebay, they are also partnered with Monzo, AWS, Trustpilot, and many others. They were founded in 2015, are VC funded, and appear to be quite successful. They even have all the certificates they could dream of. They are CCPA/CPRA, GDPR, SOC2 Type II, ISO 27001, UK Cyber Essentials and ISO 30107-3 Certified. So nothing to worry about, right?
I strongly believe that companies are very similar to dragons in fairy tales. They amass a hoard, protected by their might, until the hoard attracts someone who takes it from them. Similarly, any hoard of personal data will eventually grow big enough that even the mightiest dragon cannot protect it. Nothing is ever 100% hack-proof, and the more enticing the hoard, the more attempts are made on it. In my own personal opinion it is only a matter of time until Veriff gets phished, supply-chained, or otherwise compromised. Biometric data of a good chunk of the (wealthy) world? That sounds too enticing to not at least try, right?
Now, when Veriff gets leaked, what happens to the whole system?
- Ebay can claim that this is all Veriff's fault
- Veriff can go out of business without affecting any other party much
- The consumer foots the bill, as it's their identities that were leaked
If things get tough for Veriff, they go bankrupt, possibly from a regulatory fine. But the damage is contained. Not a single company using Veriff could be blamed, as Veriff had all the necessary certificates, right?
So let's summarise the incentives and blame relationships:
- User:
  - Relies on Ebay's image as a trustworthy company
- Ebay:
  - Relies on its image as a reputable company
  - Does not want to damage its image
  - Can "trust" Veriff based upon their certificates
- Veriff:
  - Does not need to worry about reputation, as end users cannot choose them
  - Spends money on certificates as a stand-in for reputation
There are a few core problems here:
- No company is incentivised to invest in its own security beyond what is demanded of it, as this directly impacts its bottom line
- While Ebay relies on its reputation, it can outsource potentially risky parts to third parties, containing damage in case of "data mishaps"
- Certification can be used as a form of "security theatre", providing a false sense of (literal) security
In the end, the only way to solve this is by regulation:
- Make companies liable for security incidents of their subcontractors
- Replace ISO-standard box-checking exercises with requirements for regular pen-testing with public results
- Limit the size of personal-information hoards by putting pressure on companies proportional to the size of their operation, similar to what GDPR is doing, but stronger