Individual action and regulation need to go hand in hand when it comes to privacy

Garry Kasparov 11 Jul 2018

Protecting your data online requires a blend of regulation, standardization, and individual action. With round 1 of GDPR-compliant websites now in our past, consumers should now take the time to implement basic security practices to keep their online data and information safe.

The European Union’s “General Data Protection Regulation,” or GDPR, went into effect at the end of May, to great international fanfare. At long last, a multilateral organization was seriously taking on the challenge of protecting privacy in the digital age. The patchwork quilt of national laws, ranging from aggressive privacy protection to nothing at all, has been predictably ineffective in the multi-jurisdiction online world. While regulation always comes with risks, it has become clear in recent years that cyberspace demands public measures to keep users safe and corporations accountable.

Broadly, the GDPR requires companies that process the personal data of European Union citizens—which can include everything from name and address to biometric data—to update their practices for the collection, storage, and release of this sensitive data. For instance, organizations must now obtain consent from consumers before storing their information in a database. That’s why your inbox was likely inundated by opt-in requests from all of the companies whose products and services you use, since nearly every large company has EU customers. Companies must also notify EU regulators within 72 hours when user data has been compromised; in cases where the breach is severe, customers must be notified promptly. And if users want access to their personal data at any time, or want to delete it under the GDPR’s “right to be forgotten” clause, companies must comply (provided there are no legal grounds for retaining the data).

The penalties for not meeting these standards are steep. Companies can be fined up to four percent of their annual global revenue for the most serious violations. In fact, on the first day of the law’s implementation, Facebook and Google were hit with fines of over four billion dollars each for failing to update their policies substantively enough. Implementing the required protections is a matter of considerable work; depending on the size of the organization, a dedicated Data Protection Officer or even an entire department could be needed. That means major costs for companies, one reason why such regulations are called anti-business by their critics. But for online civilization to flourish, law and order must be established, much as the American frontier couldn’t remain the Wild West forever.

Given its scope and enforcement mechanisms, the GDPR promises to have far-reaching effects on global business. Data protections will now be incentivized in the early stages of product development, transforming the technologies that come to the market. Companies will have to adjust their advertising strategies given the new restrictions on data sharing, potentially leading to an explosion of influencer marketing and other user-to-user advertising.

All of this is certainly a step in the right direction, but it does not mean that the European Union has solved cybersecurity issues within its borders or laid down an infallible blueprint for the rest of the world. The transparency and accountability the GDPR demands from corporations will go a long way, but consumers must still play a role in protecting themselves. Don’t interpret these improvements as permission to forfeit personal responsibility over your information. As I say at every opportunity, education and vigilance are crucial. Ultimately, no government agency, corporate department, or legal body can take the place of a knowledgeable and proactive consumer. Know your rights, understand how the programs and devices you use interact with your data, and take the time to implement basic practices that keep you and your information safe—or at least as safe as reasonably possible.

Perhaps the clearest example of such a practice is two-factor authentication (2FA) on all of your accounts. It takes only a few minutes to enable and provides a big jump in security beyond a single password. It has the dual advantage of making your accounts more difficult to break into and making them less appealing for hackers, who often just move on to accounts without this setting enabled. Of course, turning on 2FA means that, every time you sign on from a new device, you will have to perform the additional step of verifying your identity, whether through an authentication app, a text message (the least secure option), or a physical USB key (the most advanced). For many users, this minimal inconvenience is reason enough to ignore the risks of not using 2FA. Many others are not even aware that the option exists. The result is that over ninety percent of Gmail accounts do not have 2FA turned on.

How do we change this? Is it merely a problem of ignorance and complacency, to be overcome by individuals? While I did just stress the importance of personal responsibility, I also believe in systemic changes that can exploit certain aspects of human psychology to enhance our collective security. The GDPR, for its part, raises the bar for defaults on the company side, but end-user defaults are equally important to consider. What if two-factor authentication were the default setting for Gmail accounts? Going further still, what if it were mandatory? (This would not be feasible for some users, who don’t have access to a convenient way to authenticate, but it is an interesting thought experiment for our conversation.)

Corporate email accounts usually require much higher default security level than personal accounts because companies have a different risk/convenience balance. Formula One drivers employ much stronger safety features in their cars than the average driver even though we would all technically be safer if we wore helmets and five-point seatbelt harnesses in our cars. But we all do wear seatbelts these days—or know we should. (I learned this the hard way myself after a bad bump on the head this year that even if you’re in heavy traffic going a short distance, buckle up!)

At the very least, Google and other service providers could let you know how each setting you turn on or off affects the security of your account. Perhaps it could even issue an overall security score, like how many sites now grade passwords on a scale from red (Weak) to green (Strong). Would such a score oversimplify things, giving us a false sense of security, or would it be a useful step toward security standardization?

These suggestions are meant to serve as a starting point for imagining all the ways we could structure user experience. If regulations of the size and scope of the GDPR targeted end-user defaults, the results could be dramatic. As with data sharing, companies’ interests do not necessarily align with those of their customers. When 2FA is the exception and not the norm, pushing consumers to adopt it too aggressively might lead them to switch to a different platform. The constant reminders might become too bothersome, or even create the impression that the company issuing them is prone to security breaches. Much like how banks moved away from armed guards and fortress architecture in their branches, online companies don’t like visible security because they are afraid it scares users off instead of reassuring them. But if standards for 2FA were uniform and easy to use, there would be far less friction standing in the way of widespread adoption.

The most effective approach, then, is a blend of regulation, standardization, and individual action. Put another way, we must work to restructure the architecture that guides our decisions, while remaining committed to keeping ourselves safe within a forever-imperfect system. Perhaps, then, it’s worth going back into your inbox and reopening some of those emails you received when the GDPR came into force. Did you take time to review the updated terms of service sent to you by the various sites and programs you rely on? Organizations were required to make this information clearer and easier to understand for consumers. But it remains your responsibility to take the time to read it.

The reach of the digital sphere into every aspect of our lives is a relatively new development, and it will take some time for societal norms to catch up. We know that flossing and exercise are important to physical health; in much the same way, practicing good “cyber-hygiene” is essential to online safety. Utopia isn’t just around the corner, of course. Dentists are still doing good business because people don’t follow best practices. We’ve had a century to work out our systems of automobile transportation and we still have countless accidents and fatalities. (Hurry up, self-driving cars!) But although we cannot control every variable, we can make ourselves safer with good habits, and, slowly but surely, that makes us all safer.

I hope that, if you’re reading this post, you will help set an example for those around you by adopting better security practices. Over time, as the average consumer grows more educated and demands more in terms of privacy and security, companies and governments will respond with new and better system architecture and regulations. The result will be a system that works synergistically, as individuals make smart choices, and institutions strive to ensure that those choices add up to a safe and transparent digital world.

--> -->