Security professionals gave a large collective sigh of sadness this past weekend when BoingBoing published this headline by Cory Doctorow: "Half of Americans reluctant to shop online due to privacy & security fears." Sarcastic remarks like "No kidding" and "You don't say" floated through the infosec ether. Why? Because anyone who has studied information security for more than a decade has probably predicted this kind of news at least once. I will cite some examples in a moment, but first let's be clear on why this particular piece of news is significant. The short answer is this: the US government has admitted things are going downhill in cyberspace, and published solid statistical evidence to back that claim.

To put this in context, most surveys seeking to assess the public's attitude to issues of cybersecurity and data privacy have been carried out by the private sector, often by companies that sell security and privacy products and services. Quite naturally, some people are going to discount or reject survey findings from a source like that, particularly if they don't like their implications (e.g. we have to spend more and work harder to achieve the levels of security necessary to earn and maintain the public's trust).

Clarity about levels of cybercrime and reactions to it has been undermined by some of the security industry's less than stellar efforts at conducting and interpreting surveys. The US government's historic abdication of its crime tracking responsibilities has definitely not helped. (These issues I documented in my Virus Bulletin paper "Sizing Cybercrime", which is available here, complete with video.)

This is the US Department of Commerce speaking

But now we have confirmation, from no less a source than the United States Department of Commerce, that: "Lack of Trust in Internet Privacy and Security May Deter Economic and Other Online Activities". Frankly, it is not hard to imagine the draft of that statement starting out even stronger, without the "may" qualifier (without may, the statement might have been too pessimistic for commerce pronouncement, not to mention embarrassing). The point being, when you get to the data cited beneath that statement, which come from the National Telecommunications and Information Administration and are based on a very large sample surveyed in July of last year, they make it abundantly clear that privacy and security concerns do deter online activity, both economic and social.

While the media's "half of Americans" headline is a rounding up, the 45% cited by the NTIA is still chilling, as in: "Forty-five percent of online households reported that [privacy and security] concerns stopped them from conducting financial transactions, buying goods or services, posting on social networks, or expressing opinions on controversial or political issues via the Internet."

But this finding is not at all surprising, given the massive amount of personal data that had been exposed in the two years leading up to the survey date, not to mention the massive scale of secretive state surveillance revealed by Edward Snowden in that period. I think most economists and sociologists would have been stunned if those factors had not had a deleterious effect on online activity.

Past evidence of growing problems

Consider what US adults told us about their Internet use in the wake of the initial Snowden revelations when we surveyed them in 2013:

  • I have done less banking online: 19%
  • I have done less shopping online: 14%
  • I am less inclined to use email: 19%

These findings were reported here on We Live Security, as well as here. A few months later we did a broader survey that found even stronger evidence of Internet aversion and distrust in post-Snowden America:

  • 47% said that they have “changed their behavior and think more carefully about where they go, what they say, and what they do online.”
  • 26% said they are shopping less online. Among people aged 18 to 34, one third said they were doing less online shopping.
  • 29% of women said they were doing less shopping online, compared with 23% of men and 26% overall.
  • 29% of people aged 18 to 34 said they had reduced online banking.
  • 24% of respondents said they were “less inclined to use email.”

Those findings were reported here, and also by the Wall Street Journal and USA Today. The fact that the government now has solid evidence that these declines in Internet trust have been compounded by breaches of personal data is not surprising, given the long string of commercial and government security failures that have occurred since 2013 (Target, Home Depot, Morgan Stanley, Anthem Health, the Office of Personnel Management, and the IRS, to name but a few). All of which speaks to the "erosion of trust" that security researchers have warned about since way before Snowden and Target.

Here are a few more data points we have gleaned over the past 12 months using Google Consumer surveys:

  • 13% of US adults say they have withheld information from their healthcare providers because they were worried about the security or privacy of their medical records.
  •  64.5% of US adults are somewhat concerned (31.7%) or very concerned (32.8%) that cyber criminals could steal their personal data such as emails, bank account info, or medical records.
  •  38% of US adults see the fact that the government has "many different pieces of information about people which computers can bring together very quickly" as a very serious threat to individual privacy. Another 29% consider it to be a fairly serious threat.

Erosion of trust

The idea that security and privacy issues could undermine Internet use is not new. I started talking about erosion of trust as a threat to e-commerce back in the 1990s when defacing home pages was the Internet crime du jour and still grabbed headlines. However, because Internet adoption was still very low then, the spectacular growth rates over the next decade overwhelmed any suggestion that people might not be 100% happy with it. So I started saying "the Internet is doing so well, we can't see how badly it's doing" but that was darned hard to prove.

Certainly there was academic discussion about Internet trust erosion in relation to privacy and security by the turn of the century, such as the article by Goldbery, Hill and Shostack in the April 2001 issue of the Boston University Law Review. And I certainly don't mean to imply that I was the first or only person saying things like this. In fact, that's the point: numerous security professionals have been saying similar things for just as long.

Society's ability to ignore good advice, like "don't under-estimate the potential for unbridled cybercrime and sloppy data privacy practices to undermine the Internet" is sadly legendary. And speaking of legends, the privacy pioneer Willis Ware warned us, back in 1973: "the apprehension and distrust of even a minority of the public can grossly complicate even a safe, straightforward data-gathering and record-keeping operation that may be of undoubted social advantage."

How to move forward

So what do we do about this? First, read the NTIA article. Then consider getting involved in the areas on which the NTIA says it will continue to work:

1. Encouraging "the widespread deployment of strong encryption and other security measures—that could help build trust in the Internet and stimulate the free flow of information and commerce online."

2. Supporting the draft privacy legislation that "would provide baseline privacy protections to all Americans."

3. Participating in the "multistakeholder processes aimed at improving private sector online privacy and cybersecurity practices" that the NTIA is organizing, including providing comment on privacy, security, and other policy issues connected to the Internet of Things.

4. Letting your elected representatives know that you agree with the NTIA that "To ensure continued growth in the digital economy, we as a nation must continue to address privacy and security concerns that may lead to a lack of trust in the Internet." And also ask what they, our representatives, are doing about this problem.

In the meantime, I'm going to keep using the Internet, albeit from well-protected devices that are under my control and that I handle and use with care. I will keep an eye on new threats and scams and adjust my actions accordingly. I will keep up with my cyber-hygiene and backup regimen. And I'll also be reaching out to my representatives in Washington.