Debunking conventional wisdom to get out of the security and privacy rut

Given the unprecedented rate of technological change, the dizzying news cycle, and an always-on social media mentality, it may be surprising to learn that when it comes to security and privacy we are actually deep in a rut.

Faced with seemingly daily news stories of mega breaches and unauthorized selling or sharing of personal data, the general public is overwhelmed with the contradictory feelings of defeatism and anger. Congressional hearings and legislative proposals have attempted to raise awareness of data privacy and security but, to date, little progress has been made. And all the while the security industry continues to advocate for “best practices” that even experts have trouble following consistently.

This rut persists largely due to conventional wisdom that has been taken as gospel but which, upon closer inspection, is blocking any technological or legal innovation in data security and privacy.

We see this same mentality dominating the social media business model, which takes for granted that ad-based revenue is the only possible business model. Dr. Zeynep Tufekci recently eloquently rejected this conventional wisdom, providing counter examples and alternative regulations to force a reimagining of revenue streams that are not dependent on the vast data collection behind an ad-based business model. We similarly must overturn the conventional wisdom that deters data privacy and security.

Here are four beliefs that must be debunked by the big tech and security communities in order to make meaningful progress towards a society that values and protects data privacy:

1. Data privacy protections hinder innovation

The conventional wisdom most embedded within the tech and business community is that data protection hinders innovation. This was a theme during the debate over the recently passed California Consumer Privacy Act (CCPA). However, this myopic perspective signals a general disconnect with the state of cybersecurity and attacks by criminals and nation-states on American corporations.

By some accounts, the intellectual property stolen from U.S. companies through digital means constitutes “the greatest transfer of wealth in history.” Intellectual property is at the core of innovation, and it is being plundered at historically unprecedented rates measured in the trillions of dollars. As a recent United States Trade Representative report highlighted, China alone is responsible for “unauthorized access to intellectual property, trade secrets, confidential business information, technical data, negotiating positions, and sensitive and proprietary internal business communications.”

The lack of persistent, useable data protection tools and the absence of national privacy legislation are already hindering American innovation. With trillions of dollars and the intellectual property that serves as the backbone of our economic prosperity and national security lost, we need to view data privacy and security as core to innovation, not a hindrance.

2. Data privacy is irrelevant if you have nothing to hide

Conventional wisdom also holds that data protection and privacy aren’t relevant for those who have nothing to hide. Even if you have somehow avoided social media, e-commerce and any tangential connection to corporate proprietary data, there’s still a good chance your financial, health, and personally identifiable information (PII) have been compromised. Corporate breaches extend well beyond personal secrets and target very specific and lucrative PII in addition to intellectual property.

After the Marriott breach, China is now considered to be the biggest threat to individual privacy. Having amassed consumer data – including social security numbers, birth dates, income and addresses – from the Office of Personnel Management, Anthem, and now potentially Marriott (to just name a few sources), consumers are direct victims when it comes to corporate attacks. You can even assess how much of your personally identifiable information has been stolen across all of the most high-profile breaches.

3. There is an inherent trade-off between security and convenience

Of course, data protection has historically been so cumbersome that even those who do take data privacy seriously find security “best practices” too difficult to implement. Conventional wisdom holds that an inherent trade-off must exist between security and convenience and has left us with the sage advice to avoid clicking on links and to memorize lengthy and complex passwords and change them often.

It is mind-blowing that this has been the state of security for so long. Also, data privacy and security best practices have disrupted business workflows, ignored user experience, and have been obscured within lengthy, esoteric terms of agreements for far too long. There are signs that this is slowly changing, but usable security must become a core part of development instead of being accessible to only the most sophisticated users.

4. Self-regulation is sufficient for securing data

Unfortunately, it does not seem like market forces will push data privacy out of its rut. As Apple’s Tim Cook recently noted, when it comes to privacy, “we have to admit when the free market is not working.” While self-regulation was once deemed sufficient for data privacy, there is finally an agreement that some regulation is necessary to protect data privacy. Finely tuned regulation is required to prompt innovation and safeguard privacy. This yet again turns conventional wisdom on its head, as thoughtful regulations can be the conduit for innovation in an industry so deeply muddled in unsustainable best practices.

U.S. legislation has also been stalled for years, but 2019 may finally see some progress toward federal data privacy and security legislation. Driven by global forces such as the European Union’s General Data Protection Regulation and shifting domestic public opinion in favor of some form of data protection, Congress is feeling the pressure to do something about data privacy.

This would be a welcome change, but lessons must be learned from existing efforts to ensure data protection legislation focuses on transparency, control, accountability, and feasibility. Under the proper incentive structures – combining both carrots and sticks – regulations could provide the much- needed spark to elevate innovation in an industry that continues to spend billions of dollars with little progress to show for it.

The digital landscape is only growing in complexity. New technologies are infringing on data integrity and the proliferation of cyber capabilities and threat actors continue to expand without limitations on targets or impact. We must get out of the current rut in our approaches to data privacy and finally make concrete legal and technological progress that prioritizes data privacy as a fundamental right, as well as an economic and national security imperative.