In July 2020, BuzzFeed News reporter Jane Lytvynenko was working from her attic in Toronto when she got a tip: someone might be stealing Instacart customer information. So Lytvynenko fired up the Tor browser and started trawling the dark web for signs of the data. It didn’t take long to find.
Someone or some group stole the names, order histories, and the last four digits of credit card numbers from 278,531 Instacart accounts. And now they were selling them on the dark web. All that information could be yours for just $2 per account.
Lytvynenko started reaching out to Instacart customers to verify the data. From what was there, she was able to find people through Facebook or by phone number. When she reached them, they were surprised and exasperated: why was a BuzzFeed reporter telling them about this, and not Instacart itself?
Instacart eventually spoke up about it, the day after BuzzFeed News published its story. They released their statement July 23; the information from compromised accounts had been on the dark web since June.
Instacart says there wasn’t any security breach on their end. Hackers must have used email and password combinations from other hacked accounts to login into Instacart. It was the victims’ fault for re-using their passwords.
But two people Lytvynenko spoke to said they didn’t re-use a password. One even sent her a screenshot of her password manager program, which auto-generates a random password for each of your accounts.
Lytvynenko says data breaches like this are so common that journalists don’t typically cover them. But this one was different. Instacart, to people isolated at home, “was what many viewed as an essential service,” she says. “And it, at that moment, failed to protect the data of its customers. So for me, that made the story important.”
The mass collection of personal data is now a fact of life. This means journalists need to pay attention to what happens to our personal information.
How big a problem?
Data breaches are all too common. So many people have had their information compromised that an FBI agent in 2018 told the Wall Street Journal “every American should assume that their data is out there.”
It’s a Canadian problem, too. In 2019, an employee at the credit union Desjardins stole the social insurance numbers and other personal information of its entire 4.2 million customers. Because of this one breach, over half of all Quebecers need to worry about identity theft.
But privacy issues go beyond data breaches. Andrew Clement, professor emeritus at the University of Toronto’s Faculty of Information, says we need to see privacy as the right to control information about us. And right now, “your personal information is completely out of your control.
“You have no idea who’s got it, what they’re doing with it, under what basis they collected it. And it’s totally opaque as to how your information will be used and why,” says Clement. “And there’s virtually no accountability.”
Between corporate surveillance and government surveillance, a lot happens to our information. But news stories often simplify this too much, Clement says.
“You often hear that ‘privacy has been lost’ when information travels beyond the individual,” he says. This ignores the issue of who has control over your information in the first place.
While data breaches are significant, Clement says, the information a Windows 10 laptop collects about you every day “is a data breach of much more massive and ultimately consequential scale.”
Reporting on privacy
Bryan Carney is a journalist who focuses on government surveillance. “I do a lot of coverage of police,” he says, “partly because they’re a body you can actually get information about.”
He’s filed a lot of freedom of information requests. That’s how the Tyee reporter (and web director) got his first privacy story for the Vancouver magazine. He saw a story in the Toronto Star that said Metrolinx transit gave police forces the transit records of 12 people during the first half of 2017, without any warrants. Carney wanted know if that was happening in Vancouver, too. So he filed a freedom of information request to see what data the Vancouver transit system shares with police.
When his request came back, it revealed TransLink in Vancouver gave law enforcement agencies the transit records of 111 people in 2016, also without any warrants.
At the time, Carney wasn’t sure how interested people would be in that type of story. But, “it was just a hit.” It even made it onto the evening TV news.
His readers weren’t surprised, but they were happy someone uncovered it. And then they started sending him tips. It was enough encouragement for Carney to make privacy one of his main focuses. Since then, it’s “kind of become my beat over the years.”
His beat reporting is one of the reasons the BC Freedom of Information and Privacy Association decided to present his magazine with an award recognizing “the Tyee for outstanding reporting related to surveillance and privacy.” In its press release, the BC FIPA specifically mentioned stories written by Carney and his colleague Andrew MacLeod.
Mike Larsen, president of the BC FIPA, says the Tyee’s dedication to these stories made it stand out. “They actually have a fairly stable privacy beat and cover this as a consistent issue, which we thought was impressive and worthy of recognition.”
Larsen says journalism is important to BC FIPA’s work: about one in five of the privacy issues they devote research and campaigning to they hear about from journalism. And good journalism gives them concrete examples to show people. “I think it’s crucial.”
When it comes to reporting on corporate data breaches, BuzzFeed’s Lytvynenko says holding corporations accountable is hard, but “it’s like holding any other institution accountable” – you put their words against what you found. Then the challenge becomes showing how it affects people.
“One of the traps that reporters can fall into is only looking at the technical aspects and not speaking to real people about what happened,” says Lytvynenko. For the Instacart story, “some of the strongest voices in the story are people who had no idea that their data was breached and expressed outrage that they are hearing this from a reporter and not from the company.”
Journalists haven’t always done the best job including ordinary people in stories about digital privacy and cybersecurity. A study analyzing how U.S. news outlets covered stories relating to cyber issues from 2014 to 2017 found that reporters rarely quoted ordinary people. The dominants voices in these stories were tech experts, corporate spokespeople and government officials.
Journalists also mostly covered these stories as one-time events. If it was a story about a data breach, it told people what happened, but not what it meant or what they could do about it. By 2017, newspapers were better at including context, but the best stories were from tech news outlets, like the Verge.
That context is important. According to Nora Draper, an associate professor of communication at the University of New Hampshire, it matters how we frame privacy issues. Draper has studied people’s attitudes towards digital privacy and found a lot of people know what the risks are, but don’t take much action to protect themselves. They care about their privacy, but feel like they have no control over their own information. It doesn’t help when journalists and companies treat privacy as being about making good choices, and ignore the constant surveillance that exists on the Internet.
But, Draper says, news coverage continues to improve. More journalists are treating this as a policy issue. “So not how Facebook can give us more options to protect our privacy individually, but like, do we need to rethink the ways in which Facebook is allowed to use personal information?”
People want answers
After publishing the Instacart story, Jane Lytvynenko received a flood of emails. People wanted to know if they were part of the Instacart data breach. That’s not an easy question to answer.
“There are not a lot of mechanisms that exist for regular people to understand whether they’ve been part of a fresh breach or not,” says Lytvynenko. She suggests people check out haveibeenpwned.com, where you can type in your email and see if it’s listed in any of the data breaches in its catalogue. But even that service has its limits.
People also wanted to know what they can do if their information was part of the breach. Lytvynenko thinks it’s sad that it’s up to reporters to share that information, but she was ready for that question and passed on the best advice she had.
“It’s just another thing we can do to help our readers feel a little bit less powerless.”
Alexander Johnson is a fourth-year Journalism Honours student at the University of King’s College in Halifax. This story first appeared in the King’s online news portal the Signal.