Published on the 06/08/2020 | Written by Jonathan Cotton
So why are we so bad at protecting ourselves?…
We’re sure good at talking about security. Whenever there’s a new breach, a new data-deal scandal, or a nefarious new plot to track too much, we know it. Add to that the collective angst over the privacy implications of the contact tracing imperative, and you’d think we care about our data security, a lot.
But there’s often a significant gap between what we want and what we’re actually willing to do to get it, and just as often, our attitude and abilities don’t quite match up.
According to new research from Digital Identity NZ, a whopping 90 percent of Kiwis don’t know how to protect their personal information and identity data.
While the report finds a growing awareness amongst the population of the ways personal data is harvested and used by organisations and tech providers, it’s also coupled with ‘a high degree of anger and disappointment’ at the widespread sale and sharing of that information.
And with no shortage of bad actors waiting to exploit the unwary, the impotent anger is perhaps justified. After all, breaches are up, with the latest data breach report from the Office of the Australian Information Commissioner showing an increase in notifications of 16 percent compared to the same period last year.
Of the 518 notifications received, 61 percent were attributed to ‘malicious or criminal attacks’, just over a third were due to ‘human error’, and five percent were system faults.
“Malicious actors and criminals are responsible for three in five data breaches notified to the OAIC over the past six months,” explains Privacy Commissioner Angelene Falk.
“This includes ransomware attacks, where a strain of malicious software is used to encrypt data and render it unusable or inaccessible.
“This trend has significant implications for how organisations respond to suspected data breaches – particularly when systems may be inaccessible due to these attacks.
“It highlights the need for organisations to have a clear understanding of how and where personal information is stored on their network, and to consider additional measures such as network segmentation, robust access controls and encryption.”
With increasing instances of malicious activity – and a strong public desire for better data security – you’d think we’d all be experts at keeping our private information private, but studies say it just isn’t so.
While increasing numbers of us are increasingly concerned about online privacy, a much smaller percentage of us actually take the steps required to keep ourselves safe.
Although we say we care deeply about privacy, our actions just don’t match. This disconnect, known as the Privacy Paradox, has been studied extensively, most recently in relation to IoT devices and particularly privacy-conscious Saudis.
The research, carried out by the University of Queensland, Rhodes University, and the Saudi Electronic University, shows that, despite being concerned about privacy, participants were more willing to suspend that concern in return for the convenience afforded by an internet-connected device – even when presented with evidence of a privacy violation.
“Our Saudi Arabian participants, despite expressing high levels of privacy concerns, generally chose not to respond to this evidence with preventative action,” says the research. “Most preferred to retain the functionality the smart device offered, effectively choosing to tolerate likely privacy violations.
“Moreover, while the improved awareness increased privacy concerns and reduced trust in the device straight after the experiment, these had regressed to pre-awareness levels a month later. Our study confirms the existence of the privacy paradox in the Saudi Arabian IoT domain, and also reveals the limited influence awareness raising exerts on long-term privacy concern and trust levels.”
So what gives with the disconnect?
“Explanations for the privacy paradox abound,” says Ivano Bongiovanni, lecturer in information security at the University of Queensland and one of the researchers involved in the study.
“Some suggest people find it difficult to associate a specific value to their privacy and therefore, the value of protecting it.”
Others do not consider their personal information to be their own and thus might not appreciate the need to secure it, says Bongiovanni, while some simply ‘lack awareness of their right to privacy or privacy issues and believe their desired goals outweigh the potential risks’.
“The likely explanation for the privacy paradox is a mix of all these factors.”
So given the public’s tendency towards passivity, who then should be ultimately responsible for securing user data? According to Digital ID’s survey, over 90 percent of those surveyed said they wanted more control and ownership of their personal data, with a further 34 percent believing businesses must take greater responsibility in protecting user data.
Digital Identity says we have to do more to communicate the risks and challenges associated with our highly connected world.
“We are placing too heavy a burden on people to protect themselves without adjusting our systems and processes to make it easier for them to understand and take action,” says Andrew Weaver, executive director of Digital Identity NZ.
“We must increase transparency, provide meaningful privacy controls and simple, straightforward policies and technology that make it easier for people to take meaningful action.”