With daily reports in the news about crimes on the Internet, there are many ways to be exposed to risk and many types of risks. Understanding these is the first step in protecting yourself and your family when you go online.
But the problems are the end result of an online environment that’s ripe for exploitation. If you looked at this as a mathematical problem, it might look like this:
1 Not knowing how to use the Internet safely
+ 2 Carelessness in online actions and a failure to recognize the consequences
+ 3 Unintentional or deliberate exposure of your information by others
+ 4 Flaws or gaps in technology
+ 5 Holes in consumer protection standards
= An Internet environment favorable to crime
1) Not knowing how to use the Internet safely
Comprehensive information about how to stay safe online is scarce, and sadly, much of what is out there is neither effective nor accurate. Good safety messaging doesn’t use fear tactics to scare people into safer practices. Rather, it explains potential risks, teaches the principles of how to avoid or minimize them, and shows how to evaluate and choose the level of risk that is acceptable to you.
What you can do
Make sure you understand the safety issues of any service or device that accesses the Internet– computers, mobile phones, game consoles, etc. You’ll find some of the practical basics of online safety on the ilookbothways.com website (www.look-both-ways.com). Or feel free to ask a question if there’s something you need help with.
2) Carelessness in online actions and a failure to recognize the consequences
Even when we know better and know how to stay safe, we make mistakes—often when we’re tired, rushed, or don’t have a complete understanding of the risks involved.
This is especially true when there’s no obvious cause and effect to help you correct your behavior. When you get careless with a knife and cut yourself, you get immediate feedback; unfortunately, this kind of feedback about a careless action online is rare:
- When you post information online that someone uses later to rob your home, it’s hard to put the two events together.
- Indiscreet blog entries may not impact college admission or job candidacy for several years.
- Giving credit card information at a disreputable site may not result in immediate identity theft.
- When you respond to spam, there’s no flashing sign warning you that your response will get you even more spam. Shady Web sites don’t tell you when they’re furtively downloading spyware, adware, viruses, etc.
What you can do
Don’t let yourself be rushed or distracted when you’re giving out sensitive personal information (name, address, Social Security number, etc.) online.
- Make sure that your computer, phone, and any other Internet-connected devices have the security software they need to thwart malicious attacks.
- It’s critical to understand how (or even if) a company protects your privacy and where it resells your information. You don’t want to patronize a disreputable or careless company that exploits your information.
- Before you post something to a public site, reread what you’re about to publish through the eyes of a future boss – or through the eyes of a criminal.
- Don’t just forward an e-mail from a friend to others. Take the time to remove or hide e-mail addresses and names before passing on that cute thought and protect your friends’ e-mail from spam.
3) Unintentional or deliberate exposure of your information by others
There’s a lot of information about you on the Web—from companies you’ve done business with, from schools you attend or organizations you’ve joined, on government websites, even from your families and friends. These bits of information can be pulled together by someone—for example, a company looking for business, a criminal, or someone just trying to get to know you— to get a full picture of you.
Businesses expose (and sell) information about you
The way companies expose your information can take many forms. (This doesn’t have to be the case. It is entirely possible for companies to create sites that inform and help protect consumers.) Consider the following:
- Many sites encourage you to reveal information about yourself. Social networking, blogging, chat, and other such sites encourage you to complete a profile, take quizzes, and add your own photos and text. Most online baby and bridal registries require a great deal of personal information just to register. (Read my article about the risks of online baby registries.) But these sites often fail to give you the option of making it private or explain how this information may be used against you, your family, or home.
- Genealogy sites often show birth dates and places, maiden names, detailed contact information, and the like to any visitor. They don’t provide safety messaging nor do they screen who gets access to different levels of sensitive data.
- When businesses resell customer data, many say they strip out identifiable information beforehand, but in actual practice, they may not. Consider what happened with the search data AOL users put on the Web in which many people were easily identified by the searches they had conducted. Of even more concern may be the practice by pharmaceutical companies of mining drug store data to target doctors for advertising, information that could also be used to help identify the prescriptions people are using.
Schools and organizations often expose information about students, teachers, and members
- When school newsletters were printed and sent home with students, exposure to the information was limited. But now that school information—such as student schedules or club photos with full names—is posted on the Web, it puts students, teachers, and their families at considerable risk. It may be great information to share to create a sense of community, but if it’s being shared with 2.3 billion Internet users around the world, it needs rethinking. The same cautions apply to clubs, churches, and other such organizations. (Read my guidelines for safer school Web sites.)
People disclose information about each other
Most often this is completely innocent. Grandma proudly posts photos of her grandchild; friends list the names of everyone in a photo; a child mentions that a friend’s family will be out of town; girlfriends show photos and talk about their boyfriends and vice versa; a comment on a friend’s site refers to them by their last name; someone exposes emotional vulnerability —”Katie’s really depressed lately.”
Then there are the very deliberate, often vicious, exposures of information. In a modern version of the phone number scratched on the bathroom wall, bullies, stalkers, and harassers deliberately put information online about someone hoping to cause them harm. Though most of these attacks fall within the boundaries of just plain mean, some can be extreme—like the Craigslist posting inviting everyone to take what they wanted from a relative’s home or deliberately exposing a young person to a known child predator.
What you can do
- Review any information you may have posted about yourself and remove or change it if you feel too exposed.
- Be skeptical when interacting online with people you don’t already know in real life.
- Look at the information your employer, clubs, church groups, or schools may have posted about you. If you aren’t happy with what you find, ask that it be removed.
- Look at what your others have posted about you and discuss what information you do not want to share. Ask them to respect those boundaries; listen to and respect their desires as well. (Note: Just because a friend’s Web site is private today doesn’t mean that it will be tomorrow, they can change the privacy setting at any time so use caution.)
- If you’re the target of harassment, notify the service provider immediately. If you are a minor, tell a trusted adult. (Read my article on bullying.) If it’s serious enough, contact your local law enforcement and follow their instructions.
4) Flaws or gaps in technology
Online products and services can expose consumers in two ways: either when a company fails to secure its customer data and is hacked, or when a company fails to build adequate safeguards and safety messaging into its product or service.
The press has widely reported hacking into customer data. (Read my blog on 100 Million Data Leaks.) But failing to build even rudimentary consumer safety protections, though less discussed, is potentially a far more serious threat. Securing back end systems hardly helps if criminals can collect critical consumer information and interact with them through the interface. Being first with an upgrade requires tradeoffs; all too often the first features cut and the last features added are safety related, such as filters for images and text, the ability to track abuse, safety information within products, the ability to turn off or restrict access to high risk areas, etc. (Read my blog, Who has primary responsibility for Internet safety?)
- Too many tech companies give minors (and adults) access to products that hurtle them through cyberspace at warp speed but fail to provide the equivalent of drivers’ education or user’s manual; they don’t build in safety measures equivalent to brakes, locks, or airbags. The public outrage over MySpace offers one example: the problem was not that MySpace databases were compromised; it was that the company failed to protect or even adequately warn consumers of the potential dangers inherent in providing information that MySpace encouraged consumers to post. Facebook is now under similar scrutiny, but virtually every social networking sited have significant flaws in their consumer safety.
- Too few companies adequately test their products for safety. (In fact, few test them for safety at all.)
- Companies don’t seek parental consent for products and services with a potential for high risk that kids use—or even inform parents that their child is using it.
- Companies require consumers to adhere to their Codes of Conduct, but fail to take the corresponding responsibility to enforce them.
- Companies expand functionality without informing consumers. For example: Many adult instant messaging (IM) users are surprised to discover that IM has steadily added new functionality that far surpasses the real-time e-mail service they initially signed up for or approved for their children. In so doing, IM services have significantly increased the risks to users.
What you can do
- Act defensively online.
- It’s critically important that you do not broadcast your vulnerabilities and sensitive personal information publicly. Also, periodically review for risks the information that is available about you online.
- Be cautious when dealing with online companies that you do not have a relationship with or that do not come recommended. They aren’t all legitimate.
- Demand that companies protect your safety.
- If you do not see clear safety messaging outlining the use and potential risks of features, guidelines for how you can reduce or avoid risks, or see how the service itself monitors and prevents abuse, ask for it.
- If you don’t get answers that satisfy your need for safety, let the company know you’ll switch to another service.
5 Holes in consumer protection standards
One of the great strengths of the Internet has been its openness. The downside, however, is that we are all using an infrastructure that simply was not designed to protect consumers or thwart criminal activity. This can’t continue. Criminals will always exploit vulnerabilities and it is imperative that companies build safer products and stronger defenses.
Consumers are picking up on this. A 2006 IBM survey of U.S. adults found that they have a greater fear of falling victim to a cyber attack than to a physical crime and feel the need to protect themselves from this emerging threat. They’re fearful with good reason: The criminal economy on the Internet is booming. “There’s certainly more money [than ever before] in the cybercrime market… We’re talking about hundreds of billions of dollars,” according to David Parry, Global Director of Security Education at Trend Micro.
Internet growth has also outpaced regulatory actions. Car, drug, and environmental safety all came about when risks to consumers from products and criminal activity became so significant that the government had to step in. Internet safety has now reached its own crisis point, and governments are scrambling for solutions.
What needs to change?
Some safety precautions, such as crossing the street safely or locking your house when you go out are the responsibility of consumers. Other safety measures are not. We don’t ask consumers to build public roads, ensure that the roads meet quality standards, or require consumers to enforce speed limits. In the same way, we cannot place the full burden of online safety on consumers.
Three key responsibilities lie firmly in the domain of government:
- Establishing minimum safety standards for companies and their products and services so that consumers can use technology without fear of harm.
- Monitoring companies’ compliance with established safety standards and penalizing companies that fail to meet them.
- Enforcing the law. Fighting criminals isn’t a job for ordinary citizens; it leads to fear and vigilantism (as we have seen in the vigilante efforts of ordinary citizens to trap predators online).
Many Internet insiders are less than enthusiastic about government intervention or regulation. They cite valid concerns that new laws and standards must be carefully considered and crafted to be useful or they will fail or be costly and inconvenient for companies and consumers.
That said, the current approach is clearly not working; we’re losing ground to online criminals every day. Thoughtful, practical regulations must be put into place to fill the gaps in our current laws, standards, and enforcement.
Governments and courts need to set age boundaries, establish the dividing line between legal and illegal content, and between safe and unsafe product quality, and support these laws by:
- Creating and enforcing minimum safety standards to restore the confidence of consumers in online tools and services.
- Passing legislation that enables law enforcement to arrest criminals and get convictions for crimes that aren’t covered by existing laws.
- Making funds available for equipment, training, and additional officers. Mandates without funding aren’t priorities; they’re merely political lip service.
What you can do
Let your elected officials know that you demand regulations that require consumer protection in online services and products and the development of laws that will allow law enforcement to arrest and prosecute online criminals.
= An Internet environment favorable to crime
Putting the word cyber in front of -criminal, -robber, or -predator only changes the tools, not the motivation or goals. Criminals still want to steal your money, dominate or abuse, or simply be destructive. What is new is that the Internet has given criminals broader access to more people and more information than ever before.
Think about it. There are enormous numbers of potential victims who don’t know how to protect themselves; they’re using tools and services on the Web that aren’t actively protecting them in the absence of standards that require their protection. Further, there is a huge financial opportunity and low risk of getting caught, in part because law enforcement doesn’t have the resources and manpower needed to effectively monitor crimes and catch criminals.
To successfully increase the safety of the Web and consumer confidence understanding these risks is the first step; taking action is the second.
For more information about the landscape of Internet risk, read my award winning book, Look Both Ways: Help protect your family on the Internet.