Let’s get something out of the way: I know that all the data says people care more about their privacy than ever before, and especially the under-40 age group sees it as a “key issue.” And I don’t for a second doubt the data—if you ask me in a survey, “Is privacy important to you?,” I’ll say yes. If you ask “Would you do business with a company that does not protect your privacy?,” I would say no—because those are the right answers, and intellectually we understand that. But there is a gigantic disconnect between what people say in a survey, and how they actually behave. I’m the first to admit guilt here.
On a grand scale, there’s some evidence of this. Anthem, the healthcare company that was recently breached, is reporting record earnings. Target, the most infamous breach victim, is flying right along—it was nothing but a blip for the company. The US government gets hacked every day (rough estimate) and no one seems to care. Snapchat and Apple have had issues—not entirely their own, as Snapchat’s was due to third-party extensions and Apple’s was due to poor end-user password management, but still issues that their own lax standards played a hand in. Yet they continue to roll on. Facebook was just sued in Europe for tracking people who don’t even have Facebook accounts and tracking people who were not even on Facebook’s site at the time, but there’s no substantial backlash. Lenovo is a story unto itself, and they’re not going anywhere. And we could talk Snowden/NSA for a decade without understanding the public reaction, or lack thereof.
Every example here is incomplete and subject to more factors than would fit in a blog, but they collectively point to a bigger truth. People don’t change their behavior. At the end of the day, it’s just too inconvenient. Consider even the most direct attack possible—say, a ransomware attack. Someone has their machine hijacked and locked down, and they are extorted for money to buy their access back. How many people are going to buy a new computer instead? How many people are going to download (and pay for) a full suite of cybersecurity products, lock all their devices down, strengthen all their passwords, and observe best practices in their browsing habits after that? How many are simply going to carry on and hope it doesn’t happen again? I think car accidents are a fair comparison. Maybe some people will be scared and drastically change their driving habits afterwards—but most will get the car fixed, go back to driving just how they used to, and simply hope for the best moving forward.
This is a problem so old and tired in the cybersecurity world that it’s barely worth exploring anymore (I say, as I explore it). The oldest direct trace to this behavior might be to antivirus programs—people have always wanted protection, but notification fatigue causes most people to ignore or disable their programs after a short while. Take the risk and hope for the best—it’s better than being inconvenienced and annoyed, right?
The world is intensely interested in privacy and security for brief sprints, but unwilling to run the marathon that leads to change. It’s just human nature. The conclusion, if there is one to be had, is that this discussion isn’t going away anytime soon.