With centralized services suffering constant breaches and hacks, consumers are losing trust in the tech industry to protect their data. This leaves clear room in the market for tech companies to position themselves as champions of data protection, particularly in the enterprise sector. But to stay credible in the long term, you have to live the brand, and that means embracing accountability and privacy by design.
What happened to technology’s halo? In 2021, according to the Edelman Trust Barometer, trust in the sector has fallen in almost all of the 27 countries surveyed – in 17 of them, including the US and UK, it has reached an all-time low. In the US, where for the first time tech is not trusted, it has suffered a 21-point drop over the past 10 years.
Wave after wave of headlines has given the public plenty of reason to lose faith in tech businesses “doing what is right”, as Edelman measures trust. From shocking data breaches at nearly every major platform to high-profile scandals such as the Cambridge Analytica misuse of Facebook records, computer users have been made uncomfortably aware of how their personal information is being mishandled.
Even more shocking than the data misuse itself is the way the companies responsible often shrug off their failures. In 2015, Facebook promised to take “swift action” on misuse by Cambridge Analytica’s parent SCL; yet in 2018, when the data harvesting scandal broke, it turned out Facebook hadn’t done much at all, and insisted there had actually been no breach since no hacking took place. That line has become wearyingly familiar, having been used by both LinkedIn and social audio app Clubhouse in separate incidents this year after millions of profiles were scraped and offered on hacker forums, and by Google back in 2018 when 52 million Google Plus profiles were exposed to developers. For the exposed user, this kind of sophistry is anything but comforting; if anything, it lowers trust in the prevaricating company.
Privacy concerns have moved up the public agenda
Nearly everybody has been or is in danger of being, affected. A few years ago, consumers were vaguely aware of such attacks but many did not grasp the full implications. Now, however, sites like haveibeenpwned.com have become viral hits, bringing home the vast magnitude of such data breaches. Just enter your email address into the search box to find out how many of your accounts have been compromised and how much of your data is now potentially being traded among cyber criminals on the dark web. In my case, a quick check revealed breaches of five services I was using, including my cloud storage provider and fitness tracker. Once a company has been exposed like this, it faces an uphill battle to restore faith – especially if data privacy is part of its brand.
Meanwhile, legislators on both sides of the Atlantic are focusing their attention and with it the media spotlight, on widespread data misuse. In Europe, GDPR fines have been levied on companies ranging from banks and telecoms to Google and Twitter. In the US, Google has been attacked in antitrust hearings over a turnaround that saw it “destroying user privacy”, while the “SAFE DATA” bill is sparking renewed conversation around privacy. In this environment, a brand’s reputation for data protection has never been more important – or harder to defend.
Apple has staked its reputation on privacy, building its current iPhone campaign around fears of data exploitation, but that brand is taking a hit as it faces criticism against its own tracking practices and automated surveillance (introduced with the worthy intention of fighting child sexual abuse, but hair-raising in its implications). This latest development highlights the problems with privacy being a question of policy rather than design: how can the user trust any company not to bow to government pressure, for instance, to hand over private messages?
Microsoft has taken similar hits to its reputation. In 2013 it ran political-style attack ads against Google’s data policies, but by 2015 was being slated for the “privacy morass” of Windows 10. This year’s Windows 11 release has drawn further scrutiny for privacy flaws, and worse yet, hack after hack – as well as simple bad practice – has exposed millions of customer records.
Just as in politics, if there is a gap between words and actions, the public will lose faith. The only way to sustain a reputation as a trustworthy firm in this environment is through absolute consistency of approach, backed up with tangible actions. Privacy by design is crucial here: it can’t be an afterthought, and it can’t rely on policies and procedures. Every decision around data management, every aspect of system design, needs to be rooted in privacy.
Security looks different in the super-connected era
Meanwhile, Covid has introduced new challenges, in data security as in everything else. The rise in home working (likely to continue to some degree long after the pandemic) has brought a range of less secure devices and routers into the cybersecurity mix. Employees are no longer protected by the corporate firewall, at exactly the same time that they are facing more fraud and phishing attacks. This makes edge security increasingly critical and highlights the dangers of centralized approaches.
It’s not just computers and phones that bring risks, either. The vulnerability of Kalay devices, including baby monitors and security cameras, shows how much risk is inherent in the still immature Internet of Things. Consumers need to become far more alert to the dangers in their IoT devices, but the technological complexities make this a big ask. As security researcher Jake Valletta pointed out, even manufacturers using Kalay tech failed for three years to implement the update that would have fixed the weakness, presumably because they did not realize how urgent it was. As people and devices continue to build dependencies, cybersecurity runs the risk of becoming so complicated that no one will understand the system as a whole, leaving us all open to cascading failures.
One of the reasons it is so important for people to become familiar with and learn about decentralized blockchain services is that they offer consumers leverage in demanding transparency. A public blockchain can offer mutual accountability: consumers could view manufacturer authentication and crowdsource documentation about hacks (without relying on and potentially missing disclosures from manufacturers). In turn, if consumers file false claims, manufacturers will have the opportunity to refute them. This could be a major step in making our connected society a more secure one.
Any business that handles personal information, provides a platform for information exchange or supplies any kind of connected device needs to build security into the bedrock of the design. This is a business-critical decision. Privacy by design, not by policy, is the only way to protect a reputation for data protection – which is increasingly critical as a brand differentiator. Ten years ago, or even five, such worries were a niche thing; most users were willing to shrug off warnings that tech companies were after their data. But the world has turned. Nothing shows that more clearly than the mass exodus of WhatsApp users earlier this year when a terms-of-use change raised awareness of its practices. No company can afford to be complacent about data protection: your customers simply won’t allow it.
The only way forward is to become partners in security: finding a way to conduct business while still protecting data security. Fortunately, by changing the way information can be made transparent and accessible, blockchain offers a way to do so.
Stephanie So is an economist, policy analyst, and co-founder of Geeq (http://geeq.io/).
Throughout her career, she has applied technology within her specialist disciplines. In 2001, she was the first to use machine learning on social science data at the National Center for Supercomputing Applications. More recently, she researched the use of distributed networking processes in healthcare and patient safety in her role as a Senior Lecturer at Vanderbilt University. Stephanie is a graduate of Princeton University (A.B.) and the University of Rochester (M.A., M.S., Ph.D.).