Tuesday, Feb. 8th, was Safer Internet Day 2011. It’s an annual event celebrated in 60 countries that comes with fanfare, special events, and a burst of safety tips for consumers.
Yet while these events bring important awareness to online safety, security and privacy, the larger question is, have consumers become safer or more vulnerable in the past year?
The answer is sobering. Along with celebrating the day we must acknowledge the failures or we are merely pretending there isn’t an elephant under the carpet.
As Commerce Secretary Gary Locke candidly put it last month, “The Internet will not reach its full potential until users and consumers feel more secure and confident than they do today when they go online.”
The year has seen some gains. Global spam volumes have dropped, and data privacy is now being discussed broadly. But we’ve also seen a dramatic increase in criminal exploits and threats; reduced budgets for law enforcement organizations; legislation that has no follow-through; little change in consumer behavior in key areas like securing personal computing environments; the deployment of new consumer features with potentially high risks, without an adequate counterbalance of safety functionality and broad user education, — and generally, far too little innovation within the industry on ‘best practices’.
A full review of the state of consumer safety, privacy and security does not fit in a blog, but here are some highs and lows, plus a general sense of the current state of affairs.
- Data mining: While it’s true that ad tracking, as well as data privacy, ownership and control, have become the subject of mainstream discussions, these discussions are a result of the steep increase in data encroachment.The good news is that data privacy has become a hot topic, within the federal government and among consumers. As a result, responsible companies are giving consumers greater choice in allowing or disallowing the collection of their information. Unfortunately, not all companies are responsible, and transparency, choice and control are still not inherent consumer rights.
Consumers need to know: Who is collecting the data, how are they using the data, and with whom are they selling, sharing, or trading it? At stake is who owns the right to your information, what kind of transparency, and choice consumers should have into data mining practices, and how websites turn a profit.
The Bottom line – More information is being collected about individual consumers than at any other time, and our ability to control this is still weak to nonexistent. We see the potential for the tide to turn in consumer’s favor, but we are at a crucial point. The decisions made in the next few months regarding consumer’s rights to personal privacy and control of personal information are likely to echo through history. We all have a very high stake in the outcome.
- Privacy Settings: Companies and consumers still struggle with establishing privacy settings. In some cases it’s because of the frequency with which privacy settings change, and the rollback of privacy settings to ‘public’ when changes are made. In other cases, the settings are simply too complicated for users to set, or the settings options do not give users the level of control they need. Whatever the case, individuals are trying to protect their information, but it has certainly not gotten easier for them in the last twelve months.The Bottom line – Privacy settings are still too cumbersome for users, and there’s been little improvement over the past year. Creating easy to use, consistent privacy settings should be a best practices requirement. Even more innovative would be to make these consistent across online services within a category, so that if a user has learned how to do this on one site they can be successful on other sites.
- Safer software: There are many things online services can do to significantly improve the privacy of their consumers, and while some real milestones have been reached – like innovation in family safety/parental control tools – many old holes have yet to be plugged. Here are a few pet peeves:
- Passwords struggles continue to be a major privacy risk for users. While some sites help consumers create strong passwords, others do nothing to educate users, and they place stumbling blocks in consumers’ paths by limiting the length of passwords, failing to allow symbols, etc.
- Insecure ‘security questions’ that ask for publicly available information actually make users less secure. There is no excuse for questions like ‘mother’s maiden name’ ‘city you were born in’ etc.
- Lack of image editing tools reduces user safety. Simple edits can make virtually any photo safer – and basic photo editing tools have been around for 40 years. Why aren’t services enabling crop, blur and stamp functionality wherever they allow user generated content to be uploaded?
The bottom line – As an industry, we continue to fall short in developing tools inside products that inherently improve the privacy of users. This is another area in which the industry can strengthen their best practices and drive companies to adopt better standards.
- Education: Internet safety and social responsibility education is still optional for K-12 schools in most states. Even in the states with laws, it’s pretty much up to each teacher to figure out what to teach. This means kids generally get the same few topics covered multiple times – with varying degrees of quality – and miss much of what they should learn. Compounding this lack of holistic material is the rapidly expanding set of online functionality that youth (and adults) are using, and for which users have had no safety education – like location tracking, mobile banking, etc. At a time when users need more education, they are getting fewer of their key risks covered.We have also largely failed to make progress in creating quality educational materials for the body of seniors who are going online for the first time, and in localizing educational materials for those for who English is a second language.
The bottom line - Given the dramatic cuts to education budgets and charitable organizations, technology investments and safety education suffered heavily over the past year — we are at best at status quo.
- Safety, security & privacy legislation: It has been a contentious year for internet related legislation, with many proposals, and more fights. What’s notable is the lack of follow through on legislation that has been passed. Some laws passed without real funding – which means they went nowhere. Some passed, and received funding, only to see a breakdown at some other link in the chain.The bottom line – It isn’t enough to pass quality legislation; it actually has to be implemented at every stage if it is to be effective and measured for success. Instead we’ve seen a series of well-intended stops and starts, largely disjointed and certainly not providing the best returns. Year over year, we are at best at status quo.
- Law enforcement: I have nothing but the highest praise for the law enforcement officers dedicated to protecting our online safety, but they’re trying to work miracles with both hands tied behind their backs. We do not have enough trained officers, and those we have don’t have the resources they need. There is an appalling shortage of cyber-crime labs, officers are often struggling against antiquated state and federal laws (and all the international differences), and most do not have the latest in digital technologies to work with – though the criminals they are fighting do.The bottom line – cyber criminals have law enforcement officials outnumbered and outgunned. We are in worse shape than we were a year ago.
- Criminal threats: The title of a new McAfee report says it all it was A good decade for cybercrime, and 2010 was the best of the bunch – from a crooks point of view. Here are just a few of the stats:
- Malware – In 2010, 20 million new malware strains were created – a 50% increase over 2009 . The year also saw a shift in criminal tactics to focus on exploiting users’ trust by increasing the volume, sophistication and complexity of social networking exploits, ID theft, scams, and phishing attacks. [ii] The prevalence and availability of attack toolkits (malicious software that criminals use to launch their attacks) has significantly increased. [iii]
- Botnets – The number of botnets held fairly steady in 2010, with some downturn. There were an average of 6 million new botnet infections per month in the first 8 months of the year.[iv]
- Phishing – There was a marked increase in phishing sites in 2010 with about 2,000 new phishing sites discovered daily. Even more concerning is that these exploits were generally more targeted – and more successful. [v]
- Identity theft – ID theft continues to escalate and transform so quickly that the Identity Theft Resource Center says it “can only make educated predictions on the course of identity theft for 2011” [vi]. According to Dataprivacyrights.org, over 512 million personal data records have been reported as breached in the United States. Given there are just over 300 million citizens, the likelihood that your personal information has been stolen multiple times is high.
- Spam – Global spam volumes actually declined in 2010, by September, the global spam volume was down to 3.5 trillion spam messages per month.[vii]
The bottom line - though the malware battle fields have shifted, and some skirmishes have been won, the threat of malware and other criminal exploits continues to rise; we’re in worse shape than we were a year ago.
What does this mean for 2011?
Many good companies are working hard to improve consumer safety, security and privacy. These include security companies, large platform developers, many individual service providers, non-profit groups, and others. We need to applaud the great work they have done, encourage them to continue, work more closely as invested parties to leverage the work that has been done, and push into new areas of safety.
If we continue developing safety, privacy and security solutions at our current rate we will continue to fall further behind the bad guys. We need to redouble efforts, in spite of the economic downturn, and make larger strides in improving consumer safety.
If we continue developing safety, privacy and security solutions at just our current rate we will continue to fall further behind the bad guys. We need to redouble efforts, in spite of the economic downturn, and make larger strides in improving consumer safety.
On Safer Internet Day 2012 I hope we’ll be able to look at an in-depth status report that will demonstrate that we’ve not only held ground, but strengthened our position. Unfortunately, hope alone won’t get us there.
A good decade for cybercrime (McAfee)
[i] According to McAfee Threats Report: 3rd Quarter 2010
[ii] According to Panda Security Insight
[iii] According to Cisco’s Annual Security Report, released Jan. 20 2011
[iv] According to Symantec’s Internet security threat report
[v] According to McAfee Threats Report: 3rd Quarter 2010
[vi] According to McAfee Threats Report: 3rd Quarter 2010
[vii] According to Identity Theft Statistics 2010