If you were looking for better identity protection following a string of massive data breach events in the early 2000s, you might have seen the ads for LifeLock. Lifelock is a company that – while still in business today– was forced to pay 100 million dollars in a class action lawsuit for misleading advertising. Most people will likely remember something else about Lifelock, though. The CEO plastered his SSI on a billboard and then had his identity stolen.
What’s so Dark About the Dark Web?
The Dark Web is called the Dark Web because the pages are ‘dark’ to search engines. There’s no way for someone to Google an online bank and get the user dashboard without signing in – you may be able to use a link to get to it if you’ve already been there (and it will likely take you to a “Not Found” page if you’re not signed in), but Google doesn’t have access to it directly. The same goes for the vast majority of pages that are only accessible with a user account: they would be literally unusable if certain pages were visible and interact-able to the public.What’s the use of a public shopping cart, and a public payment portal? It’s non-functional.
As such, they remain inaccessible to Google’s search engine. These pages are effectively invisible, and any company that’s smart would like to keep it that way. That’s not the only way to stay off the radar, though, as sometimes things are invisible to Google because the webpage wasn’t indexed. What this all boils down to is that the Dark Web is many things, but first it’s a state of being, rather than a place. This doesn’t mean nothing shady ever happens on un-indexed pages, but it’s really not the majority of what is considered ‘dark’ to Google or Bing.
The Data LifeLock’s Scanning
Part of the appeal of un-indexable pages to criminals is that searching through them is a nightmare. LifeLock claimed to scan through a trillion data points a day – which sounds like a lot because it is. It also claims to patrol the dark web for your data. Since the results of the class action suit are what I’m basing this article on, this feature apparently functions at least as well as they advertise it currently, not back then. But the dark web is huge, and disjointed.
Searching through all that info for just LifeLock customers is difficult. After all, if it were easy, Google would have probably jumped at the opportunity to sell something just like LifeLock: “The World’s Number One Search Engine Can Now Find Your Stolen Data Anywhere”. Even back then, Google was a behemoth. You would need to have access to pages that are legally unfindable by Google, one of the most powerful tech companies in existence, to find stolen data before it becomes a problem. They would need to be digging into some obscure places to get to that data.
However, this wasn’t LifeLock’s only method of defense against criminals. They monitored (and continue to monitor) credit and bank withdrawals with user-set alarms – on their website, they also advertise alerting for address changes on certain accounts. However, I’m not sure how old that feature is, given that part of their suit was based around the alert system. These are things that banks themselves have taken over in recent times, and the thrice-annual free credit report acts as a canary for identity theft, so LifeLock’s exclusive features are no longer such a draw.
Former LifeLock CEO Todd Davis: Broken Promises
LifeLock’s methods make a couple of assumptions. One: the fraud is caught immediately as a result of LifeLock’s monitoring, and it doesn’t do significant damage to the customer’s life. Two: the information was used or sold somewhere that LifeLock would recognize it. As said before, the dark web is just un-indexed pages. That’s a huge number of pages. There’s a huge number of businesses that only need an SSN and a name to make an account. This will come back to haunt their marketing team later in the story.
Someone wanted to prove to all the naysayers that LifeLock was effective even if everybody had his full name and SSN. Nobody could ding his credit as long as LifeLock was watching his back. Setting up an account with AT&T, with stolen info? Not today! Former LifeLock CEO Todd Davis was confident in his product.
He slapped his SSN and full name up on a billboard. LifeLock Would Protect Him.
It was brazen. It was a tactic used by bulletproof glass manufacturers proving their faith in their product. So, what could have gone wrong, you may ask? What could have costed LifeLock it’s brand identity?
Thieves stole his identity. Not once. Not twice. Thirteen separate times. The number of times his identity was successfully protected don’t really matter when the CEO of LIFELOCK has had his identity successfully stolen thirteen times.
Davis said, “We were trying to make the point that … all it takes is one data breach. The point of that campaign was to take proactive steps to protect your identity.” Take proactive steps. Right. This is obviously a damage control statement! As you can see in the picture above, he is not saying ‘theft could still ruin your life even with LifeLock’. He is inviting people to try to take the data.
LifeLock later settled that class-action lawsuit from before because of problems with LifeLock’s automated alert system. Civil suits take time – this wasn’t filed as a result of their CEO accidentally proving LifeLock could be overwhelmed or evaded – but it didn’t help their public image.
Well, Former LifeLock CEO Todd Davis, you proved a point. Not even the best of identity-monitoring programs can keep your data out of the hands of thieves… when you tell those thieves that you’re untouchable.
Sources kept as links for convenience:
https://www.wired.com/2010/05/lifelock-identity-theft/
https://www.consumer.ftc.gov/blog/2015/12/lifelock-agrees-pay-100-million-allegedly-violating-ftc-order
https://www.consumerreports.org/money/No-longer-trust-LifeLock/
https://www.doughroller.net/credit/is-lifelock-worth-it/
https://www.forbes.com/sites/quora/2019/09/11/how-do-criminals-use-stolen-data/?sh=21bfa7ca7551