Who has Primary Responsibility for Internet Safety, Security & Privacy?

October 18, 2011

If we could only figure out the answer to this question we could sue the irresponsible company, government entity, person, or standards body and get on with things – or not.

Unfortunately, the ugly truth is that we all share in the responsibility of protecting ourselves and others online – and like any project undertaken by committee things can get messed up.

There are five key stakeholder groups when it comes to protecting the internet: Industry companies & organizations; Governments & regulators; Law enforcement & oversight boards; Individuals & families; and Schools & other educational resources. Here is an overview of who should be responsible for which safety elements:

Government & regulators have primary responsibility for ensuring internet services aren’t built without proper safety, security and privacy impact evaluations. Government is responsible for ensuring clear regulations are in place and for tightly monitoring products that affect consumers’ daily lives. It is the role of government to ensure these products comply with baseline safety features, and this responsibility must extend to internet products and services, particularly since so many internet companies have demonstrated a failure to design, test and implement for safety, security and privacy.

Society has also tasked government with ensuring the dissemination of public service messages, yet much of the current internet safety, security and privacy messaging fails to provide useful, actionable information. The result is that a high percentage of the population remains unaware of the safeguards they need to have in place to be safer online.

Government & regulators also have the primary responsibility of protecting consumer data. For most consumers, information posted and exposed by federal, state, county and local government agencies represents their greatest risk of becoming a victim of identity theft.

There is a world of difference between requiring governments to be transparent in their actions – often called sunshine laws or freedom of information legislation – to guarantee access to data held by the government, and the wholesale exploitation of consumers’ information by posting birth, marriage, death, property, power of attorney, voter records, criminal records, and more online. There, individual criminals, would-be stalkers, freaks or wholesale criminal organizations can leverage the data in a way that threatens the safety, security, privacy and financial stability of every man, woman and child in the country.

While I support “right-to-know” laws, these need to focus on government actions and stop at the door of private individuals.

Companies have primary responsibility when they provide consumers access to products or services that can hurtle them through cyberspace at warp speed, and that collect, trade, and sell consumer data. Unfortunately, feeding the bottom line wins out over protecting consumer interests in most cases: companies simply provide consumers access to services and urge them to go have fun, while making it nearly impossible to really understand the safety, privacy and security tradeoffs they’ve just made.

Companies have the primary responsibility to enforce their codes of conduct and ensure users have a reasonable level of safety and control over their data destiny. We hold amusement parks responsible for negligent conditions that allow injuries to occur; it is reasonable to apply the same standard to ‘virtual’ amusement parks. In their own online environments they must be the first line of consumer defense.

Companies have primary responsibility to post notices when a product is about to be expanded and to inform consumers about changes that affect their safety and privacy. As companies rush to add great new features they too often cut corners. Being first with a feature, or a fast follower, requires tradeoffs, and all too often the first thing cut and the last piece reluctantly added are the safety, security and privacy elements that specifically help users manage their exposure.

Service providers will continue to innovate, and this is good for everyone. However, consumers have the right to be informed about each new feature that affects their exposure to risk, and to be able to determine whether the risk potential is appropriate for themselves and their families. Automatic ‘upgrades’ without notification can bear a strong resemblance to ‘bait and switch’. The Internet industry has for years promoted self-regulation of online tools & services, but it has largely failed to deliver adequate safeguards for consumers.

Here is a standard by which companies should be measured when considering whether they have stepped up to their responsibilities:

Consumer Internet Safety and Privacy Rights – A Standard for Respectful Companies

ALL Internet users have the expectation of a safe Internet experience, and respectful companies strive to provide quality safety and privacy options that are easily discovered and used by consumers. Your safety and privacy, as well as the safety and privacy of your family on the Internet, should be core elements of online product and service design.

In a nutshell, online consumers should demand these rights:

  1. Establishing safety and privacy settings should be part of the registration process, or of the process for activating a specific feature. This includes informing you in easily understood language about the potential consequences of your choices. This allows, and requires, you to make your own choices, rather than being pushed into hidden default settings.
  2. During the registration or activation process, the articles of the terms and conditions and privacy policy that might affect your privacy or safety, or that of a minor in your care, should be presented to you in easy to understand language, not in a long, complicated legal document in small font.
  3. You should expect complete, easily understood information and age appropriate recommendations about every safety and privacy feature in a product or service.
  4. You should expect to easily report abuse of the products or abuse through the products of you or someone in your care.
  5. You should expect a notice or alert if a significant safety or privacy risk is discovered in an online product or service you or someone in your care is using.
  6. The provider needs to publish on a regular basis statistics demonstrating how well the company enforces its policies. Such statistics should include: the number and types of abuse reports, the number of investigations conducted, and the number and type of corrective actions taken by the provider.
  7. When services or products are upgraded, you have the right to be informed of new features or changes to existing features and their impact on your – or your child’s – safety or privacy in advance of the rollout.
  8. When the terms of use or privacy policy of any provider are about to change, you have the right to be informed in advance of the changes and their impact on your – or your child’s – safety and privacy.
  9. When a provider informs you of changes to their features, privacy policy, or terms and conditions, they should provide you with a clearly discoverable way to either opt out of or block the change, or to terminate your account.
  10. When terminating an account, your provider should enable you to remove permanently and completely all of your personal information, posts, photos, and any other personal content you may have provided or uploaded, or that has been collected by the provider about you.

Law enforcement has primary responsibility to monitor society’s safety, prevent crime and bring to justice those who break the law. Yet this is a tall order when the laws & regulations needed to facilitate enforcement are missing, when adequate safety features weren’t built into the products to minimize the potential for exploitation, and when there has been a critical failure to allocate the funding, training and resources law enforcement needs in order to provide the level of safety we expect.

Crime has always enjoyed better funding than law enforcement, but without assurances of basic safety the public will not be able to fully realize the tremendous opportunities the Internet has to offer – and criminals will run rampant.

Schools have primary responsibility for teaching youth and adults the tools and skills they need to be successful members of society. Mastering the Internet, and the safety, security and privacy skills needed to use the internet successfully, are critical life skills. But no one has taught teachers how to teach Internet safety, or provided a solid curriculum for classrooms. While on the one hand we seem flooded with ‘safety information’, there is a shortage of factual, practical, flexible and free information for consumers to act on. To address this issue, the LOOKBOTHWAYS Foundation has created the NetSkills4Life curriculum. The first 4 lessons of the full K-12 interactive online and FREE curriculum are available to the public now; more lessons are being developed as quickly as possible.

Families have the primary responsibility of teaching their children how to become honest, ethical and capable adults. In today’s world that includes teaching our children to be honest, ethical and capable online. While this is a unique challenge that parents of previous generations have not had to master, it’s time to suck it up and learn how to pass these skills on to our children.

Technology advances and a parent’s job is to keep up. Did parents whine when cars were created and they had to teach their kids to drive and understand traffic safety? What about when phones were invented? Did parents throw up their arms and give up? The internet has been a critical part of society for at least 10 years now, so step up and learn; you don’t have to be a techspert (technical expert) to successfully help your children master the tools and responsibilities they need to be successful.

Parents have the responsibility to say YES to their children’s online activities. Far too many parents (and schools) take the kneejerk ‘no’ response route, and this is perhaps the worst possible choice. Failing to allow youth to learn to use the internet sets them up to fail when they finally get out from under their parents’ reach. Or it forces youth to sneak behind their parents’ backs and use the internet without the support and guidance of a parent.

Instead, parents need to teach the skills and social responsibilities needed to use new online tools, and when youth have demonstrated they have mastered both the skills and the responsibilities, they need to be allowed to use the services that are appropriate for them. This also means that parents have the responsibility to respect the age restrictions placed on sites, and to teach their children to respect these age boundaries.

Individuals have the primary responsibility for their own safety and ethical use – certainly from the time they reach adulthood. Childhood is a transitional phase in which children gain more responsibility as they show they can master situations. For example, while a 16-year-old may not be ready to take full responsibility for their online security or privacy, they are ready to be held fully responsible for their online behavior towards others.

In spite of being able to identify the responsibilities of all these stakeholder groups, the internet has not become a safer place.

What’s missing? Commitment. Each stakeholder group must become more committed and invest more in Internet safety, security, privacy, and in creating a positive online environment. Beyond that commitment, each stakeholder group must deliver on three key action areas: providing education; creating safer products, services and online environment infrastructure; and enforcing the safety, security, privacy, and respect of everyone online. This must happen in a far more coordinated manner than is being employed today.

Integration of initiatives is complicated, but the level of collaboration required is not new. We’ve done it in other areas like road safety, drug safety, health issues, etc. It is past time that we put the same level of collaboration in place online.

Without synchronized efforts by all stakeholder groups the web of safety will continue to have gaps that far too many consumers of all ages will fall through.

Seen as a table, responsibilities look like this:
October is National Cyber Security Awareness Month – But Are We Safer than Last Year?

September 29, 2011

October is National Cyber Security Awareness Month. It’s an annual event celebrated across the country, used to host special safety and security events and deliver a burst of tips for consumers.

Yet while these events bring important awareness to online safety, security and privacy, the larger question is, have consumers become safer or more vulnerable in the past year?

The answer is sobering. Along with celebrating the day we must acknowledge the failures or we are merely pretending there isn’t an elephant under the carpet.

As Commerce Secretary Gary Locke candidly put it in January, “The Internet will not reach its full potential until users and consumers feel more secure and confident than they do today when they go online.”

The year has seen some gains. Global spam volumes have dropped, and data privacy is now being discussed broadly – though nothing yet has come of it.

At the same time we’ve seen a dramatic increase in criminal exploits and threats, particularly on mobile platforms; reduced budgets for law enforcement organizations; legislation that has no follow-through; little change in consumer behavior in key areas like securing personal computing environments; the deployment of new consumer features with potentially high risks yet without an adequate counterbalance of safety functionality and broad user education; and, generally, far too little innovation within the industry on ‘best practices’.

A full review of the state of consumer safety, privacy and security does not fit in a blog, but here are some highs and lows, plus a general sense of the current state of affairs.

  • Data mining: While it’s true that ad tracking, as well as data privacy, ownership and control, have become the subject of mainstream discussions, these discussions are a result of the steep increase in data encroachment.

The good news is that data privacy has become a hot topic, within the federal government and among consumers. As a result, responsible companies are giving consumers greater choice in allowing or disallowing the collection of their information. Unfortunately, not all companies are responsible, and transparency, choice and control are still not inherent consumer rights.

Consumers need to know: Who is collecting the data, how are they using the data, and with whom are they selling, sharing, or trading it? At stake is who owns the right to your information, what kind of transparency and choice consumers should have regarding data mining practices, and how websites turn a profit.

The Bottom line – More information is being collected about individual consumers than at any other time, and our ability to control this is still weak to nonexistent. We see the potential for the tide to turn in consumers’ favor, but we are at a crucial point. The decisions made in the next several months regarding consumers’ rights to personal privacy and control of personal information are likely to echo through history. We all have a very high stake in the outcome.

  • Privacy Settings: Companies and consumers still struggle with establishing privacy settings. In some cases it’s because of the frequency with which privacy settings change, and the rollback of privacy settings to ‘public’ when changes are made. In other cases, the settings are simply too complicated for users to set, or the settings options do not give users the level of control they need.

In still other cases, users aren’t informed when new features are released – the most current example of this is Facebook’s Tag Suggestions, a facial recognition feature that allows users to identify an individual across multiple photos. Facebook spokesman Andrew Noyes, responding to criticism about the deployment of the company’s new feature, said “We should have been more clear with people during the roll-out process when this became available to them.”

Whatever the case, individuals are trying to protect their information, but it has certainly not gotten easier for them in the last twelve months.

The Bottom line – Privacy settings are still too cumbersome for users, and there’s been little improvement over the past year. Creating easy to use, consistent privacy settings should be a best practices requirement. Even more innovative would be to make these consistent across online services within a category, so that a user who has learned how to do this on one site can be successful on other sites.

  • Safer software: There are many things online services can do to significantly improve the privacy of their consumers, and while some real milestones have been reached – like innovation in family safety/parental control tools – many old holes have yet to be plugged. Here are a few pet peeves:
    • Password struggles continue to be a major privacy risk for users. While some sites help consumers create strong passwords, others do nothing to educate users, and they place stumbling blocks in consumers’ paths by limiting the length of passwords, failing to allow symbols, etc.
    • Insecure ‘security questions’ that ask for publicly available information actually make users less secure. There is no excuse for questions like ‘mother’s maiden name’, ‘city you were born in’, etc.
    • Lack of image editing tools reduces user safety. Simple edits can make virtually any photo safer – and basic photo editing tools have been around for 40 years. Why aren’t services enabling crop, blur and stamp functionality wherever they allow user generated content to be uploaded?

The bottom line – As an industry, we continue to fall short in developing tools inside products that inherently improve the privacy of users. This is another area in which the industry can strengthen its best practices and drive companies to adopt better standards.

  • Education: Internet safety and social responsibility education is still optional for K-12 schools in most states. Even in the states with laws, it’s pretty much up to each teacher to figure out what to teach. This means kids generally get the same few topics covered multiple times – with varying degrees of quality – and miss much of what they should learn. Compounding this lack of holistic material is the rapidly expanding set of online functionality that youth (and adults) are using, and for which users have had no safety education – like location tracking, mobile banking, etc. At a time when users need more education, they are getting fewer of their key risks covered.

We have also largely failed to make progress in creating quality educational materials for the body of seniors who are going online for the first time, and in localizing educational materials for those for whom English is a second language.

The bottom line – Given the dramatic cuts to education budgets and charitable organizations, technology investments and safety education suffered heavily over the past year; we are at best at status quo. To help change the tide, the LOOKBOTHWAYS Foundation has created the first lessons in a full K-12 curriculum titled NetSkills4Life. These are free; check them out.

  • Safety, security & privacy legislation: It has been a contentious year for internet related legislation, with many proposals, and more fights. What’s notable is the lack of follow-through on legislation that has been passed. Some laws passed without funding – which means they were just for show and never intended to be implemented. Some passed, and received funding, only to see a breakdown at some other link in the chain.

The bottom line – It isn’t enough to pass quality legislation; it actually has to be implemented at every stage if it is to be effective and measured for success. Instead we’ve seen a series of publicity stunts, and well-intended stops and starts that are largely disjointed and certainly not providing the best returns. Year over year, we are at best at status quo.

  • Law enforcement: I have nothing but the highest praise for the law enforcement officers dedicated to protecting our online safety, but they’re trying to work miracles with both hands tied behind their backs. We do not have enough trained officers, and those we have don’t have the resources they need. There is an appalling shortage of cyber-crime labs, officers are often struggling against antiquated state and federal laws (and all the international differences in laws), and most do not have the latest in digital technologies to work with – though the criminals they are fighting do.

The bottom line – cyber criminals have law enforcement officials outnumbered and outgunned. We are in worse shape than we were a year ago.

  • Criminal threats: The title of a new McAfee report says it all: it was “A good decade for cybercrime”, and 2010 was the best of the bunch – from a crook’s point of view. Here are just a few of the stats:
    • Malware – In 2010, 20 million new malware strains were created – a 50% increase over 2009 [i]. The year also saw a shift in criminal tactics to focus on exploiting users’ trust by increasing the volume, sophistication and complexity of social networking exploits, ID theft, scams, and phishing attacks [ii]. The prevalence and availability of attack toolkits (malicious software that criminals use to launch their attacks) has significantly increased [iii].
    • Botnets – The number of botnets held fairly steady in 2010, with some downturn. There were an average of 6 million new botnet infections per month in the first 8 months of the year [iv].
    • Phishing – There was a marked increase in phishing sites in 2010, with about 2,000 new phishing sites discovered daily. Even more concerning is that these exploits were generally more targeted – and more successful [v].
    • Identity theft – ID theft continues to escalate and transform so quickly that the Identity Theft Resource Center says it “can only make educated predictions on the course of identity theft for 2011” [vi]. According to Dataprivacyrights.org, over 512 million personal data records have been reported as breached in the United States. Given there are just over 300 million citizens, the likelihood that your personal information has been stolen multiple times is high.
    • Spam – Global spam volumes actually declined in 2010; by September, the global spam volume was down to 3.5 trillion spam messages per month [vii].

The bottom line – Though the malware battlefields have shifted, and some skirmishes have been won, the threat of malware and other criminal exploits continues to rise; we’re in worse shape than we were a year ago.

What does this mean for 2012?

Many good companies are working hard to improve consumer safety, security and privacy. These include security companies, large platform developers, many individual service providers, non-profit groups, and others. We need to applaud the great work they have done, encourage them to continue, work more closely as invested parties to leverage the work that has been done, and push into new areas of safety.

If we continue developing safety, privacy and security solutions at our current rate we will continue to fall further behind the bad guys. We need to redouble efforts in spite of the economic downturn and make larger strides in improving consumer safety.

Next October, when we again mark National Cyber Security Awareness Month 2012, I hope we’ll be able to look at an in-depth status report that will demonstrate that we’ve not only held ground, but strengthened our position. Unfortunately, hope alone won’t get us there.

Additional material from recent blogs; the titles alone are sobering:

  1. A good decade for cybercrime (McAfee)
  2. Identity Theft Statistics 2010
  3. How Much Does Identity Theft Cost? [INFOGRAPHIC]
  4. Cyber crime: a clear and present danger
  5. Internet security threat report (Symantec)
  6. Social Engineering Bigger Risk to Your Online Safety than Malware
  7. Windows Getting Safer, but Study Finds that 1 of Every 14 Programs Downloaded is Later Confirmed as Malware
  8. Symantec Delivers Threat Report and Excellent Tools that Explain Risks to Consumers
  9. Every 3 Seconds an Identity is Stolen – Don’t Be Next
  10. Consumer Internet Safety and Privacy Rights – Standards for Respectful Companies
  11. Global Leaders Debate Regulating the Internet – It’s no Surprise that Industry Players are Concerned
  12. The Commercial Internet Just Turned 16 – And like Teens it Could Use a Little Supervision
  13. FBI Article: Child Predators – The Online Threat Continues to Grow
  14. Are You Sure Your PC is Malware Free??
  15. The Epsilon Threat – How a Company You’ve Never Heard of Increased Your Risk of Personalized Phishing Scams
  16. Are You a Malware Magnet? 4 simple steps can make all the difference
  17. More Mobile Apps Caught Inappropriately Collecting User Info and Installing Malware


Sources cited above:

[i] According to Panda Security Insight
[ii] According to Cisco’s Annual Security Report, released Jan. 20, 2011
[iii] According to Symantec’s Internet Security Threat Report
[iv] According to McAfee Threats Report: 3rd Quarter 2010
[v] According to McAfee Threats Report: 3rd Quarter 2010
[vi] According to Identity Theft Statistics 2010
[vii] According to McAfee Threats Report: 3rd Quarter 2010