The Dearth of Online Privacy in America


Posted by Robert Ackerman Jr.

For a long time, most Americans cherished their privacy. More than a century ago, Robert Frost, one of the most celebrated figures in American poetry, penned “Mending Wall,” and its famous phrase, “good fences make good neighbors,” was embraced by generation after generation.

As time passed, the U.S. population soared, and cities grew increasingly crowded, appreciation of the phrase began to wither, but that was nothing compared to what subsequently occurred with the advent and surge of the internet.

There is almost no privacy anymore. Majorities think that their personal data is less secure now, that data collection poses more risks than benefits, and that, by and large, it’s probably not possible to go through life without being tracked. Consumers are grudgingly accepting that being monitored by corporations has become a fact of life.

The COVID-19 pandemic has made things even worse, initially pressuring most Americans to stay at home rather than go out, adding tens of millions to the ranks of remote workers. Almost every need relied on internet access. Food came from supermarket and restaurant delivery services. Purchases of almost everything else occurred on online shopping platforms, and Zoom replaced in-person discussions and even attendance at weddings and funerals.

While online attacks soared, attempts to enact federal legislation to protect digital privacy were derailed, initially because of the pandemic itself and today because of politicization over how the internet should be regulated.

In fairness, it’s important to note that the internet was born as an open research tool – one never designed to provide security or privacy. Although it still has a long way to go, security has substantially improved over the years. But privacy has gotten worse. More of an abstract concept open to different interpretations, it barely got to first base. Most companies understood that customers expected their data to remain private. The meaning of privacy became murky, however, typically described with broad generalizations that varied among companies, states, and countries.

In effect, privacy is now fundamentally ignored. This may change under growing media and Congressional pressure, but today there are still few widespread rules of the road and no national standard requiring breach notification.

It’s hard to pinpoint just when privacy began tanking, but two huge breaches of Yahoo in 2013 and 2014, discovered in 2016, certainly fueled the fire. The privacy of all 3 billion Yahoo users at the time was impacted by the largest data breach ever. Two years later, further aggravating the protection landscape, Marriott reported an unusually large privacy breach impacting 500 million guests of Marriott’s Starwood brands, including the Westin, Sheraton, and W hotels.

There have been additional corporate privacy breaches this year. Making matters worse, some companies, especially smaller ones, do not report breaches, and that means the privacy of some people is exposed without their knowledge. Moreover, stolen data doesn’t stay just in the hands of the thief. It often gets passed around among countless third parties, aggravating the initial impact, and it’s not uncommon for it to be used in surprising ways.

For instance, a victim of a privacy violation might get a call from a bill collector asking him or her to make a payment on a loan—even though the person doesn’t have a loan. This typically means someone else applied for and secured the loan using the victim’s PII (personally identifiable information).

Studies show rising citizen discontent. Two years ago, shortly before the pandemic arrived and made things even worse, a Pew Research Center survey found that more than six in ten Americans didn’t believe it was possible to go through daily life without having their data collected by companies or the government. In addition, 72 percent said all or almost all of what they do online is being tracked by advertisers or technology companies.

Independently, research companies have found that Google tracks 80 percent of websites and Facebook 25 percent.

There have been some positive developments. One is the budding growth of privacy-enhancing technologies (PETs) such as homomorphic encryption, which secures data while it’s being used or processed. Technology researcher Gartner has identified PETs as one of its top strategic tech trends in 2021 and 2022 and says half of large organizations will implement them by 2025. “This will change the privacy paradigm,” predicts Ellison Anne Williams, Founder and CEO of Enveil, an HE software developer.

On the legal enforcement front, meanwhile, three states—California, Virginia, and Colorado—have filled some of the federal government’s privacy chasm by passing their own consumer privacy laws. A company operating in these states must tell customers if it’s selling their data and ask whether they are comfortable with that. Customers also have the right to access, delete, or correct their data. The California law is considered the strongest of the trio, in part because the Golden State alone offers the ability to sue a company over select types of data breaches.

Far more needs to be done, of course. A huge drawback of current opt-out systems in most of America is so-called notification fatigue. It becomes tiresome when almost every app and website asks people for multiple permissions. Most folks decide it’s better to back off and accept the status quo, notwithstanding the consequences and—at least for now—the online privacy nightmare in the United States.

Contributors
Robert Ackerman Jr.

Founder and Managing Director, AllegisCyber
