January 28 is Data Privacy Day. In honor of that, I’d like to share some random thoughts on privacy that I put together for a recent webcast with StaySafeOnline.org. And when I say, “random thoughts,” I really do mean random thoughts.
Privacy is an intricate topic to tackle. That’s because even the term ‘privacy’ itself has different implications to each individual. And there are certainly differences in the fundamental expectations of privacy that people within different regional contexts have. But even more than that, there is an internal understanding, expectation, and appreciation of privacy that is extremely context-based. That makes privacy really difficult to solve for.
Let me explain:
Privacy exists in a delicate balance. And that balance has inherent tension and give-and-take between each element. The elements are:
And here’s how those elements create tension. We have to make trade-offs between privacy and security. For example, if you are going to a big concert, sporting event, or traveling on a plane, you usually have to subject yourself to having your bags searched and walking through some type of personal screening system. In those instances, we are trading away a bit of privacy in the name of the security needs associated with the event we are participating in.
Adding to tension and confusion is the fact that security measures are usually required to ensure privacy. So, security can either strip away privacy, or can enhance privacy; the devil is in the details. And some forms of privacy can be scary or threatening in some contexts. Encryption is a security technology that is also privacy enhancing. But – as you probably know – many governments fear strong encryption because it limits their ability to monitor and alert on traffic that may reveal threats to national security. Tensions escalate and debates rage.
There is also tension between security, privacy, and convenience. As a society, we tend to make impulsive decisions for our short-term comfort. And that’s at the heart of why people around the world are trading away privacy every day. If we want to participate in a social networking site, then we must trade away rights to a certain amount of privacy. If we want to purchase goods/services through some retailers, or sign-up for customer loyalty programs or attend certain conferences, then we are basically required to sign-away some of our privacy. Heck, even when our kids take college entrance exams like the ACT or SAT, they are forced to consent for the testing vendor to share data broadly (i.e. sell student data to a broad spectrum of colleges and other interested parties).
The last balancing element that I see is all related to ‘trust.’ Depending on the activities that we are engaging in, there can be a tension between ‘trust’ and ‘convenience.’ For example, within the context of banking, most people would actually feel less comfortable if an online transaction with their account is too easy/convenient. In other words, when there is an inherent, emotional feeling of risk involved, then the person engaging in the activity can actually experience a sense of comfort when they feel a bit of security-related friction associated with signing-in, performing additional step-up authentication, and so on. And so, sometimes a sense of trust can be injected and enhanced by making security and privacy controls more visible and felt versus allowing for more convenient, invisible ways to achieving the same goal.
And here’s my take-away and our dilemma:
Even more than technology, privacy is an issue involving mindsets and behaviors
… and these involve “in the moment” tradeoffs that
neither humans nor corporations are good at being rational about.
Humans keep making the “in the moment” decision to accept privacy-onerous terms and conditions statements for social networks and other everyday lifestyle platforms and activities. And corporations persist in trading in personal data because of the short-term benefits that they get from exploiting and/or monetizing personal data. In a sense, both parties are now stuck in an ecosystem of their own creation and complacency. And, I don’t see it changing anytime soon.
Those of you who know my work, will be familiar with what I call the “Three realities of security awareness.” They are:
- Just because I’m aware doesn’t mean that I care
- If you try to work against human nature, you will fail
- What your employees do is way more important than what they know
And I typically pair these three realities to a similar trio of realities mentioned by B.J. Fogg, Ph.D. He says, there are “3 Truths about human nature. We’re lazy, social, and creatures of habit.”
These realities are just as true when it comes to privacy awareness and our dilemma. People and corporations know that the status quo is, let’s say, less than desirable… but that goes out the window whenever presented with a quick in-the-moment decision. That’s directly because of “reality #2.” Specifically, much of society is now setup such that people feel like they must participate in all of the social networks, apps, platforms, and (fill in the blank) of the day. If not, then they are “missing out” of social inclusion, activities, discounts, incentives, or other real-or-perceived benefits. And so, the price for not blindly accepting the terms and conditions can feel like social isolation and fear of missing out (FOMO). And the fact that most terms and conditions statements are binary (simple yet or no to everything) leads to complacency and hopelessness. So now society is conditioned to simply click ‘yes’ and move on…
That sounds pretty hopeless doesn’t it? Society is conditioned into complacency, and corporations are caught in a cycle of data hoarding, exploitation, and monetization. How do we break the cycle? Well, there’s no quick fix… but I do think that there is some hope.
We need to consider a combination of social pressures/supports, morality tales, creative motivation, ease-of-use, and tech-based facilitation:
1. Security & Privacy awareness
2. Finding ways to change the social dynamic
3. Creating new social pressures for corporations
If you need to arm yourself with resources for Data Privacy Day, I highly suggest checking out a recent webinar with my colleague and KnowBe4's Data Privacy Director Lecio DePaula on best practices to creating a robust data privacy impact assessment. You can watch the webinar here.