On the futility of breach notifications in an indifferent world.
Marc Ambinder | Apr 7
Of course, I would rather Facebook have said something earlier about the trove of user data that was irregularly scraped from its innards.
It is not clear to me what or how or when the company might have said something but, as a user, if someone using a site I've given my stuff to takes my stuff without me or the site knowing about it, and then the theft is discovered, I'd like to know. Big big "that said" ahead...
It is April of 2021. Data leaks, hacks, thefts, misuse of scraping tools have proliferated to the point of being dull background noise.
For a subset of people who use Twitter, we know how to tend to our individual gardens using multi-factor authentication, password managers, regular checks of the dark web (haveIbeenpwned.com), mindfulness before sharing data or responding to messages, app permission scrubs, etc.
This knowledge and the technologies the knowledge creators have produced to help us are widely available.
But our intuitions about central cyber governance — still, bad! — our misunderstanding of digital physics, architecture choices about efficiency over security, and the lack of social pressure to be cyber competent are more powerful forces that prevent companies, platforms, technologists and governments from meeting most of us where we actually live.
There is, in April 2021, no standard as to what type of privacy breach should be subject to mandatory notification; no consensus about to whom the disclosures will be directed, and how they will be formatted. There is no central registry of privacy breaches, outside of sites that scrape the dark web for you and some collected by tech advocacy organizations -- and no good public communication about which breaches ordinary people need to care about.
Further, though there are tools, and they are marvelous, they are not compatible with each other, often not open source, often hard to adopt (transferring 100 passwords from service A to a password manager should be easy!), and after a day or two of news, there is nothing to remind us.
Further/Further, legal liability for privacy breaches remains a sketchy, thorny topic, and although the @CyberSolarium has great ideas to move forward, the "we" I write about is focused on SolarWinds and the defense supply chain.
Aside from those of us who are not indifferent, we are basically indifferent.
Since I believe that the best cyber defense is resilience, and since I think that resilience practices have to be widely adopted by Americans before the concept has teeth, I worry. It should be -- it HAS to be -- easy to change passwords on breached sites. It should be easy for a person to assess the potential privacy and personal and financial damage a particular breach might cause.
(If you're an OnlyFans creator, I know you're hurting this week.)
We should have a shared language to communicate these ideas in non-technical language and open-source platforms to make the remedies intelligible and reliably easy to implement.
The remedies should be constructed to engage with the way our social minds rapidly communicate online, should be well-designed, so as to facilitate ease of use, and ubiquitous, so we say -- ah -- yes, I should do this, because it will only take a second.
Until we do, indifference reigns, and I don't blame companies for throwing up their hands and saying, essentially, what the hell?