The Internet Stole Your Privacy. Now We Can Take it Back.
When government and corporate cybersecurity defenses repeatedly fail, is protection even possible for personal information and individual privacy? The answer is yes.
So far, 2017 has been a year of devastating revelations for cybersecurity. The extent of Russian intervention in the U.S. presidential election is still under investigation, but the fact that breaches occurred and a foreign government unleashed such an attack on the American democratic process is undeniable. And it’s still not known what will be the ultimate scope of damage from the global cyber-attack caused by the WannaCry malware, which earlier this year triggered emergency meetings by governments and top companies around the world. But these are only two recent hot button cases in a global onslaught of hacks and breaches that continue weekly, daily, hourly.
The threats today to online data and systems security, the integrity of individual privacy, and the management of personally identifiable information are widespread and, largely, out of control. These threats are on multiple fronts: foreign state-sponsored cyber crews, sophisticated criminal hackers, government surveillance programs, and an unregulated Wild West of consumer tracking companies. What is threatened? The privacy of your choices, your preferences, your friends, your conversations — as well as your banking, medical, travel, phone, email, property, and credit card information.
Meanwhile, the battlements of corporate security are crumbling. Last year, some of the world’s most advanced tech titans — Twitter, Spotify, Netflix, Amazon, Paypal, to name a few — were brought down for extended periods in a concerted attack. Deploying phishing email, malware, and distributed denial of service (DDoS), these relatively low-tech hacks caused massive personal and corporate disturbance.
In New York State alone, a record-breaking pace of data breaches in 2016 exposed the personal records of 1.6 million people, triple the previous year’s total. Exposed data, according to the New York Attorney General’s office, “consisted overwhelmingly of social security numbers and financial account information.” Notably, the New York breaches were primarily the result of two distinct security threats: hackers and “inadvertent disclosure.” The death knell for the resilience of corporate cybersecurity may have been last year’s announcement by Yahoo, revealing that hackers connected to a foreign state-sponsored group “stole names, email addresses, phone numbers, dates of birth, and encrypted and unencrypted security questions and answers from more than 1 billion accounts.” As a further blow to transparency and public trust, that revelation only came once a multi-billion-dollar merger was at stake.
For the individual, now continuously at high risk of identity theft, credit card fraud and invasions of privacy, the overwhelming asymmetry of power seems pretty bleak. Companies are not motivated to protect the public, and governments seem incapable of it. And, consequently, distrust runs deep, with 91% of American adults feeling “strongly” that they have lost control over how companies track and use their personal information. Caught in the digital crossfire, people seeking to protect their privacy and personally identifiable information are left scrambling for guidance. Such guidance is more than plentiful, a flood of news articles and blogs that urge adoption of “Top Ten ways to secure your personal data,” “10 practical privacy tips for the post-privacy internet” or, worse yet, “66 Ways.” The enormity of the self-securing task is daunting and, realistically, beyond the capacity of most anyone. It’s akin to saying we can all have six-pack abs, if we just work out more and eat better.
There is no hero on horseback riding to the defense of the townsfolk. In fact, there are more privacy threats gathering on the horizon. For example, a new U.S. law enacted this April further rolled back consumer privacy protections, unleashing broadband providers like Verizon, Comcast, Time Warner Cable and AT&T to do what Internet companies like Google and Facebook already legally can do — that is, collect and sell the browsing and app activity of their customers without their knowledge or permission.
The United Nations Special Rapporteur on Privacy, describing the current state of tracking and surveillance as “Orwellian”, has called for a “Geneva Convention for Privacy” which would set internationally agreed protocols for securing data and protecting privacy. That concept, though noble, would require a global consensus across a wide array of diverse norms and existing law that (as with tariffs, trade, and climate change policies) will not come easily or soon.
As a result, today there are no consistent international rules of the road for online security or privacy. The gap in cultural norms and policy between national privacy regulations is actually widening, mired in trade disputes and court battles. Despite the massive business benefits of policy standardization, especially as cross-border data flows continue to balloon and even overtake the global goods trade, major economic players like Russia and China, with its “Great Firewall,” manifest even more divergent approaches to data protection and individual privacy.
One of the biggest problems is that privacy rights need to accommodate variability. Where you live, the country, community or culture you belong to, the politics of the day, and the diverse modes and capabilities of the technology you use, all currently dictate a wild array of limitations and possibilities. Moreover, like religion or freedom, nations and individual people actually have different ideas of what “privacy” means, ascribe to it differing levels of significance, and depending on what they are engaged in at a particular time, desire and require differing degrees of it. The advent of a “zero knowledge” model for online engagement, apps, and services is therefore significant.
Zero knowledge, a term now commonplace within the tech community, is still relatively unknown among the wider public. In brief, it means services and systems that don’t require, request, or capture from users any personally identifiable information. In effect, it works as an inoculation against privacy invasion and identity theft — if you aren’t forced to share your information, then no else one can steal it. Unlike consumer bills of rights, global regulations, multilateral treaties, or the development of 21st century privacy legislation, this is a solution staring us in the face that could be widely available to all, and almost immediately.
Most importantly, a zero-knowledge model maps to how we interact in our offline lives. How often do you share your birthday, mobile number, and mother’s maiden name with a neighbor, store clerk, or new work colleague? In such everyday interactions, we make these decisions to share personal information on the fly, based on our values, our situation, and perhaps even our mood. Importantly, in our common human-to-human engagements, we can choose. Using zero knowledge tools and services online will mean we can each create our own terms of service — by sharing what we want, only when we want.
Solving the very real crisis of online security will require some measure of individual self-reliance. It will also require the wide availability of zero-knowledge options. And the market is just beginning to deliver those tools. But will our governments allow their use? Time will tell, and it better be soon.