Does data privacy need a certification scheme?
Badges like “fair trade” help informed consumers to pressure companies into raising their standards. Could a similar scheme work with data security?
Every time I say “Hey Cortana” at my home, multiple devices light up. They are listening to my every word. I don’t lose any sleep over this, because I work for Microsoft, I know the company well, and I have a high level of trust that Microsoft takes the security of my data seriously.
I see an advert for a security camera with face recognition software that can tell me when my family members arrive home. It’s a service that might interest me – but I’ve never heard of the manufacturer. With regret I decide not to buy the camera because I can’t trust that their devices and service are robust enough to protect my family’s privacy.
Often, I have no choice but to entrust my personal data to third parties. How much effort and expertise does my doctor’s practice bring to bear, for example, on protecting my medical history from being accessed by a hacker? I have no idea, no way of finding out, and no possibility to put pressure on the doctor’s practice to adopt higher standards.
In an ideal world, I would be able to trust regulators to impose robust standards on my doctor’s practice and the camera manufacturer. But laws lag behind technology – many countries’ data regulations are older than Windows 95. And pressure to minimize cost burdens means regulatory frameworks rarely go beyond the bare minimum.
In any case, governments themselves can be the ones trying to access information I’d rather they didn’t see. Hacking capabilities have become a crucial part of modern warfare – indeed, Microsoft’s president Brad Smith has called for a Digital Geneva Convention to define protections for civilians’ data.
The battle between governments and tech companies to define the privacy rights of their users has dramatically played out in court cases, such as Apple refusing to break the encryption of a terrorist’s iPhone, and Microsoft suing for the right to inform customers when the government demands access to their data.
Part of the problem is that many citizens don’t see the problem. They assume they have nothing to fear from the government if they have nothing to hide. As for cybercrime, they may care about keeping their finances secure, but they can’t imagine why a hacker would want to access their Fitbit profile to find out how well they slept last night.
Often, consumers have little incentive to care about inadequate security because the impact is felt by someone else. In late 2016, for example, many popular websites were taken down for hours by a denial of service attack using a botnet of compromised webcams and DVRs – but their owners will not have noticed anything wrong.
It is safe to predict that people will eventually come to understand the need for greater data security. The amount of hackable information about our lives is huge and growing, as are the nefarious uses to which it can potentially be put. But it will take time, and high-profile cases, for citizens to be convinced to pressure their governments for stronger action.
In the meantime, how might we take forward the conversation on data security? One answer could lie in labels you see on food when you go to the supermarket: you might look for meat that is certified as organic, eggs that are certified as free range, or bananas that are certified as fair trade.
In each case, a nonprofit organization is setting standards and making checks on organizations that pay to be allowed to use their badge on their products. Such schemes enable consumers who care about these things to use their purchasing power to reward producers that meet the standards.
Crucially, they also create pressure for other producers to raise their standards. As more and more coffee producers display the “fair trade” symbol, for example, those who do not display the symbol begin to stand out as looking socially irresponsible.
I believe something similar could work with data security. Imagine a nonprofit organization, funded by philanthropists or an alliance of industry leaders, that defines a set of standards on data security – more rigorous than the bare legal minimum – and regularly tests companies’ procedures to check if they meet them. If so, the company can display the organization’s badge.
That would help consumers, like myself, who are concerned about data security. And it would help businesses to gain my trust. I would be happy to buy a home security camera from a manufacturer I had never heard of if that manufacturer had been audited and approved by an organization I trust.
More importantly, it would help to mainstream conversations about taking data security seriously: when some companies visibly go the extra mile, pressure will gradually build on others to do the same. As a consumer, would you reward companies that credibly signal their commitment to securing your data?