For Shame: Assigning Fault for Privacy and Security Breaches

—Nora A. Draper

In the fall of 2018, during a meeting in the Oval Office with President Donald Trump, rapper Kanye West accidentally revealed his iPhone passcode to cameras. His code? ‘000000.’ The internet was quick to take West to task for his use of a passcode so easily hacked that Apple devices issue a warning prompt when a user selects it. West’s blunder, which was designated one of the worst security offenses of the year, was gleefully mocked across Twitter.

While a celebrity’s inadvertent disclosure of their ill-advised password is a rare event, public hand-wringing and shaming over security blunders are far more common. Posts that warn of the dangers of viral memes that ask users to share their “stripper names” – a combination of one’s first pet and the street they grew up on – tend to be followed by ridicule for those who fail to recognize phishing scams designed to learn answers to commonly asked security questions.

Recently, articles warned that FaceApp, a popular app that uses artificial intelligence to show users what they might look like as they age, might be harvesting information for nefarious purposes. Again, cautions were followed by lamentations about the public’s susceptibility to privacy-invasive traps disguised as fun internet games.

There are, of course, reasons to be concerned by what Pinelopi Troullinou calls “seductive surveillance” – the use of gamification, convenience, and other pleasures to encourage risky privacy and security practices. But a focus on individual apps or memes obscures the larger ecosystem that is awash in technologies that capture demographic, behavioral, and biometric data. And while it makes sense to encourage individuals to take steps to minimize security vulnerabilities – including using strong passwords and enabling multifactor authentication – it makes less sense to treat privacy and security breaches as the result of individual failures to lock down their digital information.

The futility of solving privacy and security issues through individual actions becomes clear when we consider the impact of data breaches, including the recent exploitation of a vulnerability in Capital One’s cloud system to reveal sensitive information for over 100 million Canadian and American consumers. Capital One joined Target, Home Depot, Marriott, and, of course, Equifax in publicly addressing a massive security breach.

Security experts encourage people to take action to protect themselves in response to these incidents. Consumers, they urge, should closely monitor their credit card statements and credit scores. If an individual suspects they are among the 50% of Americans whose information was compromised in the Equifax breach, they should take steps to freeze their credit and set a fraud alert.

Measures that encourage people to take steps to protect themselves against security threats are part of an ethos of individualized responsibilization: the argument that people must engage in proactive and persistent risk management to prevent themselves from being victimized. Not only should individuals be mindful of how their own actions open them up to exploitation, but they must be vigilant about monitoring their various accounts for indications they have been compromised. For those with the means to do so, these tasks can be outsourced to identity theft monitoring companies and reputation management services.

The rhetoric that calls on individuals to protect themselves from those looking to exploit digital systems to steal sensitive information is part of a larger discourse of contemporary risk. Similar warnings about the need to engage in self-defense campaigns are made by companies selling everything from background check services to smart home security systems. These discourses rely on a suspicion of others and a belief that the responsibility for self-protection rests with the individual. They also encourage users to pay for security solutions that reduce the pressure for regulatory intervention. This commodification of security, as with privacy, turns personal safety into a luxury good for some at the same time as it introduces risk for others who are more likely to be viewed as suspect.

The deluge of information about security and privacy breaches can take a toll on individuals who are told they are responsible for managing their digital information to avoid becoming vulnerable. This relentlessness can stimulate anxieties that a person is vulnerable to exploitation at the same time as it encourages a sense of resigned futility that little can be done to mitigate the threats. While some consumers choose to walk away from companies and services that mishandle their information, others shrug at what they view as an inevitable part of everyday life in the digital world.

We should not downplay security and privacy threats, which are, indeed, real aspects of the contemporary digital landscape. But the capacity individuals have to respond to those risks must be measured against a broader context that recognizes a current digital ecosystem defined by the indiscriminate creation and collection of data. As we look for solutions to these very real problems, we must avoid approaches that encourage people to protect themselves by adopting tactics that endanger others. We must also be conscious of overburdening individuals who view privacy and security protections as an accelerating game of whack-a-mole. Finally, we must avoid turning privacy and security literacy into a litmus test.

 

Nora A. Draper is Assistant Professor of Communication at the University of New Hampshire and author of The Identity Trade: Selling Privacy and Reputation Online, available from NYU Press.

Featured image courtesy of Tdorante10 [CC BY-SA 4.0]