How to raise users’ expectations about security and privacy?

Users do not seem to care much about privacy and security.

When buying a new smartphone, for example, they rarely ask about security updates and how long the device will be supported. When downloading a new app, most of them don’t even glance at the permissions it asks for.

They effectively don’t ask for security and privacy, and those two things consequently slip down the tech developers’ and creators’ list of things that are important when creating new things.


“Nobody starts developing by saying ‘let’s make a secure product’,” Runa Sandvik, security and privacy researcher and technical advisor to the Freedom of the Press Foundation, pointed out in her closing keynote at the Hack in the Box conference last week in Amsterdam. “Security is not ‘sexy’.”

So do we make it sexy? How can we return the discussion on privacy and security? How can we re-calibrate users’ baseline security expectations about online services, mobile devices, security cameras, and other Internet-connected devices?

A group that could help change those expectations is the media, by shying away from sensationalistic pieces and poorly explained buzz-words like “NSA-proof.”

Hackers are also partially to blame for this current situation, she believes: vulnerabilities are released to the world complete with a snazzy logo and fancy website, hackers become a brand, they change the way they interact with journalists and share their knowledge, they overhype the threat, and they are occasionally irresponsible.

But ultimately, it’s the companies that should do most of the work, by changing what they make. Citing the example of Linux-powered rifles, she pointed out that just because one can make something, it doesn’t mean one should.

They should also change what they advertise and keep the focus on security features.

Services should write clear security and privacy policies. When more and more of them effect this change, expectations will be changed.

The public is slowly coming to the realization that their data has value. RadioShack selling customer data when they promised they wouldn’t, Adult Friend Finder failing to protect sensitive data as was expected of them – these incidents have been an unpleasant wake-up call for many.

When it comes to changing users’ behavior and use of devices and services, it’s important for companies to clearly state the “rules of the road”. “Transparency is key,” she noted. When it comes, for example, to app permissions, this is not enough (why, exactly, are these permissions needed?):



Another important thing to remember is that you can’t tell users what not to do – they will do it anyway if they really want to. Instead, companies should teach them how they can do what they want safely.

Finally, introducing security requirements into contracts could also help raise security expectations.

Sandvik is aware that there’s never going to be a privacy utopia. But if all those groups push in the right direction, and users attempt to explain their needs in a language companies can understand, definite improvements can be achieved, she noted, and concluded her talk by mentioning two organizations that are actively trying to push the message that security and privacy are important: I Am The Cavalry and BuildItSecure.ly.