While the news, each week, raises issues of cybersecurity and reports on data breaches, there are also signs that many people have become jaded in the wake of the continual stream of news. In 2022, there were 1,802 data compromises in the U.S. alone, impacting over 422 million individuals.
Davi Ottenheimer, the VP of digital trust and ethics for Inrupt, (web inventor Sir Tim Berners-Lee’s new data-focused company) is watching how despite this growing frequency of data breaches, there is also a simultaneous decline in concern for leaked data from the public. Ottenheimer has outlined his thoughts to Digital Journal.
For Ottenheimer there are two currents to report on (or ‘general themes’) when looking at public concerns about data leaks. He explains these as: “The first is a rise of apathy and hopelessness that is often found in centrally-controlled systems that use “digital moats” to deny freedom of exit. Should people be concerned if they’re in a boat on the ocean that has reported leaks?”
Expanding on this, Ottenheimer moves things back to the Enlightenment, quoting a conservative thinker: “The philosopher David Hume wrote about this in 1748, in Of the Original Contract, explaining how consent is critical to freedom, and would enable a rise in concern”.
Quoting Hume, Ottenheimer cites: “We may as well assert, that a man, by remaining in a vessel, freely consents to the dominion of the master; though he was carried on board while asleep, and must leap into the ocean and perish, the moment he leaves her.”
In his subsequent analysis, Ottenheimer points out: “If there is no freedom from leaks then you may witness declining public concern in them as well. That’s a terrible state of affairs for people accepting they’re destined to drown when they should be demanding lifeboats instead.”
Moving onto the second theme, Ottenheimer details that this “is an interesting twist that came from the 2003 California regulation known as SB1386. Some predicted that the seminal regulation of breach disclosures would lead straight into an explosion of so-called ‘ambulance chasing’ lawsuits and slow market growth.”
Whereas observes Ottenheimer: “The opposite happened, and regulation fed directly into massive innovations in privacy that led to an explosion of fascinating new confidentiality products and options a decade later in 2013. For example, easy-to-use end-to-end encryption in widespread deployments became popular.”
The consequence of this was: “The market regulation expanded security innovation greatly and delivered more options because public-safety representatives demanded better safeguards in the face of data leak reporting. A balance between these two themes unfortunately tends to be difficult, as they seem almost contradictory. Apathy can undermine the kind of urgency that most people associate with regulation. Yet SB1386 is a great example of how and why safety and privacy experts acted on behalf of public needs for protection without a tumultuous rise in concerns.”
Pulling these themes together, Ottenheimer advises: “The best regulation comes in a period of calm through rigorous science and investigation, not from rushed and excited agitation. A process for fairness binding any and all data platforms to execute their privacy obligations, or they lose public trust is a shared norm of moral action, which underpins trust in society. Declining public concern about breaches, as a symptom of hopelessness, is a signal for regulators to deliver meaningful change and reduce data leak frequency and severity: push innovation in consent mechanisms to hold providers accountable by giving the public real freedom from those refusing to perform a basic duty of care.”
Furthermore, the industry can adopt better practices: “Online platforms easily could develop and provide far more privacy, without significant changes in cybersecurity, by working with modern distributed standardized protocols that reduce the cost of confidentiality meant to protect human rights. The bonus from such distributed models’ “human-centric” designs is that they not only significantly reduce the risk of privacy breaches but also give rise to better integrity of data.”
By this, Ottenheimer means something slightly different to the more common GxP meaning: “Data integrity is a function of cybersecurity far too often overlooked because it is harder to conceptualize and measure compared with confidentiality and availability. In other words, refusing to accept all our data has to be public can help usher in a better world, as Poe described in 1843, although it’s best to generate innovation peacefully through representative systems of regulation.”
