Legislators and the public are complacent about the status quo: that giving up our security is necessary for online involvement.
Week after week, thieves break into corporate computer systems to steal customer lists, email addresses and credit card numbers. Large data breaches are overshadowed by even larger ones.
Yet people are turning over personal information to online retailers, social networks and other services in growing numbers. The point at which people lose trust in the websites they deal with appears further away than ever before – if it exists at all – as shopping, socialising and gaming online become deeply embedded in modern life.
People have come to accept that sharing information is the price of a meaningful, connected life online – even if they don’t like it.
“We are clearly schizophrenic about this technology,” says Jim Dempsey, an expert on internet privacy at the Center for Democracy & Technology.
“We love it, we use it, we expect it to work, and we’ve woven it into our daily lives, professionally, socially and personally. But we really don’t trust it, and we do get upset when our data is lost or stolen.”
Companies collecting personal details have little incentive to offer the best privacy protections because people have yet to demand companies do better.
People are simply not walking away from their gadgets, online retailers or social networks in the wake of breaches.
“I know I take the risk,” says 44-year-old Lance Locurto. “It’s more convenient.”
The banker says he buys almost everything online, despite hackers having broken into both his iTunes and Amazon accounts in the past few months.
Many people are simply resigned to the reality that breaches happen.
“I’ve accepted the fact that all my information is out there and someone has it, and that’s just the way it is,” says 47-year-old Jim Pachetti.
James McCartney, an identity theft expert, says his smartphone has become an integral part of his life and business, despite security concerns.
“The velocity of business precludes me from going without it,” he says. “It’s the rules of the game. It’s not something I can change.”
It may take government regulation to force companies to do better.
The US’s Federal Trade Commission is urging web browser makers to build “do not track” tools to let consumers stop advertisers from studying their online activity in order to target pitches. The US Commerce Department has called on Congress to adopt ground rules for companies that collect consumer data online for marketing. Several lawmakers have introduced privacy bills.
“For many companies, it’s easier and cheaper to deal with the repercussions of a data breach that’s already occurred, rather than taking steps to prevent it,” says Ioana Rusu, regulatory counsel for the Consumers Union.
“Companies need to be held accountable so they protect your data upfront.”
The information that distinguishes one faceless internet user from another is so valuable that companies have been hurt when they limit what they collect.
Yahoo will soon keep logs on people’s searches for 18 months, the same amount of time as Google does. That’s a reversal of its vow in late 2008 to remove such details after 90 days. In making an industry-leading privacy pledge, Yahoo says it has become less competitive in offering personalised services enabled by long-term tracking.
Companies do, however, face lawsuits and penalties for promising more than they can deliver. If they are vague, their biggest risk is bad publicity when a hacking attack or a technical error exposes customers’ information.
“The lack of meaningful liability for breaches reduces the incentive for making sure that they don’t happen,” says Susan Grant, director of consumer protection for the Consumer Federation of America.
Businesses have to be only as good as their competitors. They know customers have nowhere else to go as long as everyone sets the bar low. And as in the case of Yahoo, one company setting the bar higher is likely to cause its business more harm than good.
“Choice becomes meaningless in this context,” says Ashkan Soltani, a security researcher.
The number of records exposed in data breaches is staggering – more than half a billion in the past six years, according to Privacy Rights Clearinghouse.
Even with this backdrop of insecurity, people continue to share more online. More than half a billion people are on Facebook, and billions of people search Google and Yahoo each month and accept tracking data files called cookies.
The Pew Internet & American Life Project found that 61 per cent of adult internet users in the US have used social networks, up from less than a third in 2008.
When they aren’t sharing on social networks, they are leaving their marks with online gaming services, shopping sites and retail loyalty programmes.
The dependence on technology explains why the reputations of technology companies are remarkably resilient, even after embarrassing breaches.
Smartphones have added a new dimension to the online privacy debate because they also record their owners’ location.
Apple CEO Steve Jobs emerged from medical leave recently to try to quash a controversy over secret recordings of location information by iPhones.
Apple denies directly tracking people, but says it is building a database of known Wi-Fi hot spots and cell towers to improve location-based services. Google’s Android phones do something similar.
To quiet privacy critics, Apple is changing the iPhone’s software to keep data for a week instead of indefinitely. Google says its phones store data for only a “short time”.
Apple’s disclosure came a day after Sony said a hacker might have stolen credit card numbers and other valuable information about the 77 million players using its PlayStation online gaming network. That would make it one of the biggest known credit card breaches.
A few weeks ago, a little-known company, Epsilon, which is behind the email campaigns of American companies Chase, Best Buy, Hilton and Walgreens, revealed that millions of names and email addresses of consumers were potentially stolen. Epsilon sends more than 40 billion emails a year on behalf of other companies for services such as customer loyalty programmes.
Many smaller breaches of personal information go unpublicised.
Consumers are at a disadvantage because companies often leave their privacy policies intentionally vague, yet lengthy and full of legalese. In any case, few people bother to read them at all.
Carnegie Mellon University researchers found it would take the average person 40 minutes a day to read all the privacy policies they encounter online.
“Sadly, the consumer can do absolutely nothing to protect themselves,” says Bruce Schneier, a prominent security blogger and chief security technology officer at the British telecommunications operator BT.
“When you give your data to someone else, you are forced to trust them.”
If you say no, he says, “that’ll mean living in a cave in the woods”.