The reason you can’t buy a car is the same reason that your health insurer let hackers dox you

When monopoly meets infosec, hilarity ensues.

Cory Doctorow
13 min readJun 28, 2024
A Depression-era photo of a used car lot with three cars for sale. It has been hand-tinted. The sky has been replaced with a ‘code waterfall’ effect as seen in the credit sequences of the Wachowskis’ ‘Matrix’ movies. All of the car headlights have been replaced with the hostile red eye of ‘HAL 9000’ in Kubrick’s ‘2001: A Space Odyssey.’ Image: Cryteria (modified) https://commons.wikimedia.org/wiki/File:HAL9000.svg CC BY 3.0 https://creativecommons.org/licenses/by/3.0/deed.en

On July 14, I’m giving the closing keynote for the fifteenth Hackers On Planet Earth, in Queens, NY. On July 20, I’m appearing at Chicago’s Exile in Bookville.

In 2017, Equifax suffered the worst data-breach in world history, leaking the deep, nonconsensual dossiers it had compiled on 148m Americans and 15m Britons, (and 19k Canadians) into the world, to form an immortal, undeletable reservoir of kompromat and premade identity-theft kits:

https://en.wikipedia.org/wiki/2017_Equifax_data_breach

Equifax knew the breach was coming. It wasn’t just that their top execs liquidated their stock in Equifax before the announcement of the breach — it was also that they ignored years of increasingly urgent warnings from IT staff about the problems with their server security.

Things didn’t improve after the breach. Indeed, the 2017 Equifax breach was the starting gun for a string of more breaches, because Equifax’s servers didn’t just have one fubared system — it was composed of pure, refined fubar. After one group of hackers breached the main Equifax system, other groups breached other Equifax systems, over and over, and over:

https://finance.yahoo.com/news/equifax-password-username-admin-lawsuit-201118316.html

Doesn’t this remind you of Boeing? It reminds me of Boeing. The spectacular 737 Max failures in 2018 weren’t the end of the scandal. They weren’t even the scandal’s start — they were the tipping point, the moment in which a long history of lethally defective planes “breached” from the world of aviation wonks and into the wider public consciousness:

https://en.wikipedia.org/wiki/List_of_accidents_and_incidents_involving_the_Boeing_737

Just like with Equifax, the 737 Max disasters tipped Boeing into a string of increasingly grim catastrophes. Each fresh disaster landed with the grim inevitability of your general contractor texting you that he’s just opened up your ceiling and discovered that all your joists had rotted out — and that he won’t be able to deal with that until he deals with the termites he found last week, and that they’ll have to wait until he gets to the cracks in the foundation slab from the week before, and that those will have to wait until he gets to the asbestos he just discovered in the walls.

Drip, drip, drip, as you realize that the most expensive thing you own — which is also the thing you had hoped to shelter for the rest of your life — isn’t even a teardown, it’s just a pure liability. Even if you razed the structure, you couldn’t start over, because the soil is full of PCBs. It’s not a toxic asset, because it’s not an asset. It’s just toxic.

Equifax isn’t just a company: it’s infrastructure. It started out as an engine for racial, political and sexual discrimination, paying snoops to collect gossip from nosy neighbors, which was assembled into vast warehouses full of binders that told bank officers which loan applicants should be denied for being queer, or leftists, or, you know, Black:

https://jacobin.com/2017/09/equifax-retail-credit-company-discrimination-loans

This witch-hunts-as-a-service morphed into an official part of the economy, the backbone of the credit industry, with a license to secretly destroy your life with haphazardly assembled “facts” about your life that you had the most minimal, grudging right to appeal (or even see). Turns out there are a lot of customers for this kind of service, and the capital markets showered Equifax with the cash needed to buy almost all of its rivals, in mergers that were waved through by a generation of Reaganomics-sedated antitrust regulators.

There’s a direct line from that acquisition spree to the Equifax breach(es). First of all, companies like Equifax were early adopters of technology. They’re a database company, so they were the crash-test dummies for ever generation of database. These bug-riddled, heavily patched systems were overlaid with subsequent layers of new tech, with new defects to be patched and then overlaid with the next generation.

These systems are intrinsically fragile, because things fall apart at the seams, and these systems are all seams. They are tech-debt personified. Now, every kind of enterprise will eventually reach this state if it keeps going long enough, but the early digitizers are the bow-wave of that coming infopocalypse, both because they got there first and because the bottom tiers of their systems are composed of layers of punchcards and COBOL, crumbling under the geological stresses of seventy years of subsequent technology.

The single best account of this phenomenon is the British Library’s postmortem of their ransomware attack, which is also in the running for “best hard-eyed assessment of how fucked things are”:

https://www.bl.uk/home/british-library-cyber-incident-review-8-march-2024.pdf

There’s a reason libraries, cities, insurance companies, and other giant institutions keep getting breached: they started accumulating tech debt before anyone else, so they’ve got more asbestos in the walls, more sagging joists, more foundation cracks and more termites.

That was the starting point for Equifax — a company with a massive tech debt that it would struggle to pay down under the most ideal circumstances.

Then, Equifax deliberately made this situation infinitely worse through a series of mergers in which it bought dozens of other companies that all had their own version of this problem, and duct-taped their failing, fucked up IT systems to its own. The more seams an IT system has, the more brittle and insecure it is. Equifax deliberately added so many seams that you need to be able to visualized additional spatial dimensions to grasp them — they had fractal seams.

But wait, there’s more! The reason to merge with your competitors is to create a monopoly position, and the value of a monopoly position is that it makes a company too big to fail, which makes it too big to jail, which makes it too big to care. Each Equifax acquisition took a piece off the game board, making it that much harder to replace Equifax if it fucked up. That, in turn, made it harder to punish Equifax if it fucked up. And that meant that Equifax didn’t have to care if it fucked up.

Which is why the increasingly desperate pleas for more resources to shore up Equifax’s crumbling IT and security infrastructure went unheeded. Top management could see that they were steaming directly into an iceberg, but they also knew that they had a guaranteed spot on the lifeboats, and that someone else would be responsible for fishing the dead passengers out of the sea. Why turn the wheel?

That’s what happened to Boeing, too: the company acquired new layers of technical complexity by merging with rivals (principally McDonnell-Douglas), and then starved the departments that would have to deal with that complexity because it was being managed by execs whose driving passion was to run a company that was too big to care. Those execs then added more complexity by chasing lower costs by firing unionized, competent, senior staff and replacing them with untrained scabs in jurisdictions chosen for their lax labor and environmental enforcement regimes.

(The biggest difference was that Boeing once had a useful, high-quality product, whereas Equifax started off as an irredeemably terrible, if efficient, discrimination machine, and grew to become an equally terrible, but also ferociously incompetent, enterprise.)

This is the American story of the past four decades: accumulate tech debt, merge to monopoly, exponentially compound your tech debt by combining barely functional IT systems. Every corporate behemoth is locked in a race between the eventual discovery of its irreparable structural defects and its ability to become so enmeshed in our lives that we have to assume the costs of fixing those defects. It’s a contest between “too rotten to stand” and “too big to care.”

Remember last February, when we all discovered that there was a company called Change Healthcare, and that they were key to processing virtually every prescription filled in America? Remember how we discovered this? Change was hacked, went down, ransomed, and no one could fill a scrip in America for more than a week, until they paid the hackers $22m in Bitcoin?

https://en.wikipedia.org/wiki/2024_Change_Healthcare_ransomware_attack

How did we end up with Change Healthcare as the linchpin of the entire American prescription system? Well, first Unitedhealthcare became the largest health insurer in America by buying all its competitors in a series of mergers that comatose antitrust regulators failed to block. Then it combined all those other companies’ IT systems into a cosmic-scale dog’s breakfast that barely ran. Then it bought Change and used its monopoly power to ensure that every Rx ran through Change’s servers, which were part of that asbestos-filled, termite-infested, crack-foundationed, sag-joisted teardown. Then, it got hacked.

United’s execs are the kind of execs on a relentless quest to be too big to care, and so they don’t care. Which is why their they had to subsequently announce that they had suffered a breach that turned the complete medical histories of one third of Americans into immortal Darknet kompromat that is — even now — being combined with breach data from Equifax and force-fed to the slaves in Cambodia and Laos’s pig-butchering factories:

https://www.cnn.com/2024/05/01/politics/data-stolen-healthcare-hack/index.html

Those slaves are beaten, tortured, and punitively raped in compounds to force them to drain the life’s savings of everyone in Canada, Australia, Singapore, the UK and Europe. Remember that they are downstream of the forseeable, inevitable IT failures of companies that set out to be too big to care that this was going to happen.

Failures like Ticketmaster’s, which flushed 500 million users’ personal information into the identity-theft mills just last month. Ticketmaster, you’ll recall, grew to its current scale through (you guessed it), a series of mergers en route to “too big to care” status, that resulted in its IT systems being combined with those of Ticketron, Live Nation, and dozens of others:

https://www.nytimes.com/2024/05/31/business/ticketmaster-hack-data-breach.html

But enough about that. Let’s go car-shopping!

Good luck with that. There’s a company you’ve never heard. It’s called CDK Global. They provide “dealer management software.” They are a monopolist. They got that way after being bought by a private equity fund called Brookfield. You can’t complete a car purchase without their systems, and their systems have been hacked. No one can buy a car:

https://www.cnn.com/2024/06/27/business/cdk-global-cyber-attack-update/index.html

Writing for his BIG newsletter, Matt Stoller tells the all-too-familiar story of how CDK Global filled the walls of the nation’s auto-dealers with the IT equivalent of termites and asbestos, and lays the blame where it belongs: with a legal and economics establishment that wanted it this way:

https://www.thebignewsletter.com/p/a-supreme-court-justice-is-why-you

The CDK story follows the Equifax/Boeing/Change Healthcare/Ticketmaster pattern, but with an important difference. As CDK was amassing its monopoly power, one of its execs, Dan McCray, told a competitor, Authenticom founder Steve Cottrell that if he didn’t sell to CDK that he would “fucking destroy” Authenticom by illegally colluding with the number two dealer management company Reynolds.

Rather than selling out, Cottrell blew the whistle, using Cottrell’s own words to convince a district court that CDK had violated antitrust law. The court agreed, and ordered CDK and Reynolds — who controlled 90% of the market — to continue to allow Authenticom to participate in the DMS market.

Dealers cheered this on: CDK/Reynolds had been steadily hiking prices, while ingesting dealer data and using it to gouge the dealers on additional services, while denying dealers access to their own data. The services that Authenticom provided for $35/month cost $735/month from CDK/Reynolds (they justified this price hike by saying they needed the additional funds to cover the costs of increased information security!).

CDK/Reynolds appealed the judgment to the 7th Circuit, where a panel of economists weighed in. As Stoller writes, this panel included monopoly’s most notorious (and well-compensated) cheerleader, Frank Easterbrook, and the “legendary” Democrat Diane Wood. They argued for CDK/Reynolds, demanding that the court release them from their obligations to share the market with Authenticom:

https://caselaw.findlaw.com/court/us-7th-circuit/1879150.html

The 7th Circuit bought the argument, overturning the lower court and paving the way for the CDK/Reynolds monopoly, which is how we ended up with one company’s objectively shitty IT systems interwoven into the sale of every car, which meant that when Russian hackers looked at that crosseyed, it split wide open, allowing them to halt auto sales nationwide. What happens next is a near-certainty: CDK will pay a multimillion dollar ransom, and the hackers will reward them by breaching the personal details of everyone who’s ever bought a car, and the slaves in Cambodian pig-butchering compounds will get a fresh supply of kompromat.

But on the plus side, the need to pay these huge ransoms is key to ensuring liquidity in the cryptocurrency markets, because ransoms are now the only nondiscretionary liability that can only be settled in crypto:

https://locusmag.com/2022/09/cory-doctorow-moneylike/

When the 7th Circuit set up every American car owner to be pig-butchered, they cited one of the most important cases in antitrust history: the 2004 unanimous Supreme Court decision in Verizon v Trinko:

https://www.oyez.org/cases/2003/02-682

Trinko was a case about whether antitrust law could force Verizon, a telcoms monopolist, to share its lines with competitors, something it had been ordered to do and then cheated on. The decision was written by Antonin Scalia, and without it, Big Tech would never have been able to form. Scalia and Trinko gave us the modern, too-big-to-care versions of Google, Meta, Apple, Microsoft and the other tech baronies.

In his Trinko opinion, Scalia said that “possessing monopoly power” and “charging monopoly prices” was “not unlawful” — rather, it was “an important element of the free-market system.” Scalia — writing on behalf of a unanimous court! — said that fighting monopolists “may lessen the incentive for the monopolist…to invest in those economically beneficial facilities.”

In other words, in order to prevent monopolists from being too big to care, we have to let them have monopolies. No wonder Trinko is the Zelig of shitty antitrust rulings, from the decision to dismiss the antitrust case against Facebook and Apple’s defense in its own ongoing case:

https://www.ftc.gov/system/files/documents/cases/073_2021.06.28_mtd_order_memo.pdf

Trinko is the origin node of too big to care. It’s the reason that our whole economy is now composed of “infrastructure” that is made of splitting seams, asbestos, termites and dry rot. It’s the reason that the entire automotive sector became dependent on companies like Reynolds, whose billionaire owner intentionally and illegally destroyed evidence of his company’s crimes, before going on to commit the largest tax fraud in American history:

https://www.wsj.com/articles/billionaire-robert-brockman-accused-of-biggest-tax-fraud-in-u-s-history-dies-at-81-11660226505

Trinko begs companies to become too big to care. It ensures that they will exponentially increase their IT debt while becoming structurally important to whole swathes of the US economy. It guarantees that they will underinvest in IT security. It is the soil in which pig butchering grew.

It’s why you can’t buy a car.

Now, I am fond of quoting Stein’s Law at moments like this: “anything that can’t go on forever will eventually stop.” As Stoller writes, after two decades of unchallenged rule, Trinko is looking awfully shaky. It was substantially narrowed in 2023 by the 10th Circuit, which had been briefed by Biden’s antitrust division:

https://law.justia.com/cases/federal/appellate-courts/ca10/22-1164/22-1164-2023-08-21.html

And the cases of 2024 have something going for them that Trinko lacked in 2004: evidence of what a fucking disaster Trinko is. The wrongness of Trinko is so increasingly undeniable that there’s a chance it will be overturned.

But it won’t go down easy. As Stoller writes, Trinko didn’t emerge from a vacuum: the economic theories that underpinned it come from some of the heroes of orthodox economics, like Joseph Schumpeter, who is positively worshipped. Schumpeter was antitrust’s OG hater, who wrote extensively that antitrust law didn’t need to exist because any harmful monopoly would be overturned by an inevitable market process dictated by iron laws of economics.

Schumpeter wrote that monopolies could only be sustained by “alertness and energy” — that there would never be a monopoly so secure that its owner became too big to care. But he went further, insisting that the promise of attaining a monopoly was key to investment in great new things, because monopolists had the economic power that let them plan and execute great feats of innovation.

The idea that monopolies are benevolent dictators has pervaded our economic tale for decades. Even today, critics who deplore Facebook and Google do so on the basis that they do not wield their power wisely (say, to stamp out harassment or disinformation). When confronted with the possibility of breaking up these companies or replacing them with smaller platforms, those critics recoil, insisting that without Big Tech’s scale, no one will ever have the power to accomplish their goals:

https://pluralistic.net/2023/07/18/urban-wildlife-interface/#combustible-walled-gardens

But they misunderstand the relationship between corporate power and corporate conduct. The reason corporations accumulate power is so that they can be insulated from the consequences of the harms they wreak upon the rest of us. They don’t inflict those harms out of sadism: rather, they do so in order to externalize the costs of running a good system, reaping the profits of scale while we pay its costs.

The only reason to accumulate corporate power is to grow too big to care. Any corporation that amasses enough power that it need not care about us will not care about it. You can’t fix Facebook by replacing Zuck with a good unelected social media czar with total power over billions of peoples’ lives. We need to abolish Zuck, not fix Zuck.

Zuck is not exceptional: there were a million sociopaths whom investors would have funded to monopolistic dominance if he had balked. A monopoly like Facebook has a Zuck-shaped hole at the top of its org chart, and only someone Zuck-shaped will ever fit through that hole.

Our whole economy is now composed of companies with sociopath-shaped holes at the tops of their org chart. The reason these companies can only be run by sociopaths is the same reason that they have become infrastructure that is crumbling due to sociopathic neglect. The reckless disregard for the risk of combining companies is the source of the market power these companies accumulated, and the market power let them neglect their systems to the point of collapse.

This is the system that Schumpeter, and Easterbrook, and Wood, and Scalia — and the entire Supreme Court of 2004 — set out to make. The fact that you can’t buy a car is a feature, not a bug. The pig-butcherers, wallowing in an ocean of breach data, are a feature, not a bug. The point of the system was what it did: create unimaginable wealth for a tiny cohort of the worst people on Earth without regard to the collapse this would provoke, or the plight of those of us trapped and suffocating in the rubble.

If you’d like an essay-formatted version of this post to read or share, here’s a link to it on pluralistic.net, my surveillance-free, ad-free, tracker-free blog:

https://pluralistic.net/2024/06/28/dealer-management-software/#antonin-scalia-stole-your-car

--

--