What Public Health Can Teach Us About Cyber-Security
When I sat down to write this article, I tried to log onto eBay. As it turns out, my account’s been deleted. I can’t say I’m shocked—it’s been years since I last placed a bid—but to recover my account, I’d have to go through the hassle of “live assistance.” Pass.
Of course, there was a time when eBay was the online marketplace. I wouldn’t dare forget my password, much less stay away long enough to see my account unceremoniously scrubbed. But I imagine I’m not alone. Do you know your eBay password? When was the last time you bid on an item?
As the Internet has evolved, so too have our ecommerce options.
In the last ten years, with the rise of Amazon, Etsy, and the like, eBay has finally become what it always set out to be—an online auction house. No longer a one-stop ecommerce destination, it proffers niche, rarer items and large lots to a specific clientele. Where once I’d surf eBay for deals on movies, books, or shoes, now it’s far cheaper and more convenient to surf Amazon.
I can’t recall my first eBay purchase (which is why I was trying to access my old account in the first place), but I do remember the hurdles I jumped just to make it. I was young enough to have to rely on my mother’s goodwill (and her credit card), and I’m not entirely sure how I finally convinced her that eBay, and by extension, PayPal, were safe.
In the early 2000s, it was still strange to type your personal information into an online form.
In fact, during that first decade of the Internet—when I used to connect through the phone line on my mom’s work laptop—my mom was incredibly cautious about online sharing. I was told to use fake names, fake birthdays, and fake addresses when signing up for services. Entering banking information? Unthinkable.
Then, eBay bought PayPal. Myspace and Facebook hit the scene. Amazon became a behemoth. And with the rise of these mega-sites, privacy concerns quickly melted away. Financial security and privacy increased while we were simultaneously encouraged to share the most personal information. Now, I don’t think twice before entering my real name, shipping address, billing address, and payment information into online forms on the smallest of ecommerce sites.
These changes have brought about plenty of good. As a consumer, my options have skyrocketed. As a social creature, I can easily meet new friends or potential mates. It’s harder for trolls to hide behind eggs on message boards. But there are downsides too. Scams have evolved. Ads follow me around the Internet. And, scariest of all—bad guys can access more personal information than ever.
In the early 2010s, I never would have written this article. The benefits seemed to far outweigh the costs. But in the last few years, with Sony, Ashley Madison, Target, Russia, and even the recent law giving ISP providers the right to sell browsing history, cyber-security and cyber-hygiene have exploded into the public consciousness. But just because it’s in the public consciousness doesn’t mean everyone has taken note.
Recently, I had to take a major exam. And like all major exams, to register, I had to share a wealth of personal information to verify my identity—a photo, my address, my passport number. I get it. They have to make sure I am who I say I am, not some dirty cheat. But in sharing this information, I expect it to be treated with some level of gravity. If a scan of my passport lands in the wrong hands…well, that’s not something I like to think about.
But that’s not how my personal information was treated. Instead, I was casually asked to attach a scan of my passport and send it off to a specified address.
Short of posting the image on my Facebook or Twitter, I’m hard-pressed to imagine a less secure way to share my private data. Although I secure my account with two-factor authentication and use reasonably secure passwords, I can’t assume the recipient does. The sheer fact that they asked for an email rather than using a secure form leads me to believe they don’t use two-factor authentication or have much more account security than comes standard with whatever service they use.
In 2012, maybe that was acceptable. In 2017, it seems ignorant bordering on disrespectful.
As I steamed about this registration, I thought about the continuing debates over vaccines.
One fact public health professionals know is that not everyone will get vaccinated. But in the end, that’s alright. Because as long as enough people are vaccinated, the disease will die out of the population for lack of a critical mass of targets. If 98 people in a population get vaccinated, the 2 that don’t are still protected. That’s called herd immunity. However, when enough people choose to forgo vaccinations (as we’re seeing now), then diseases are allowed to return and spread (like measles today). In fact, if measles returns and mutates in the bodies of the unvaccinated, then it could end up infecting even those who are currently protected.
The self-interested (or ignorant) choices of individuals end up endangering the entire population. And Internet security is no different. It has its own version of herd immunity.
Imagine a 100-person population that, like ours, shares personal information via email. Like, say, passport scans. If 99 people have great cyber-hygiene—strong passwords, two-factor authentication, VPNs—then it’s unlikely (1%) that the unsecured person randomly gets hacked and ends up losing everyone’s personal info. On the other hand, if only 50 of the 100 have good cyber-hygiene, the odds are much higher that a bad guy could access the entire group’s personal information sitting in someone else’s inbox. The entire community is put at risk when we don’t act in our collective best interest.
Vaccines were invented over 200 years ago, and increasing vaccination rates have helped eradicate many deadly diseases. The Internet is much younger, and our predilection to share personal information on the Internet is even younger than that. While I don’t advocate we go back to the fake name era, we have to accept the reality that Internet security is a collective good. There will always be free-riders, and the system is structured to deal with a few. But we cannot go on pretending the Internet is a safe community with a shared interest.
Yes, two-factor authentication, changing passwords every month, and the like are annoying and inconvenient. If you don’t think you have anything for hackers to steal (or assume you won’t be targeted), it may not seem worth the trouble. But it’s about more than protecting just ourselves. It’s about protecting our herd.
Three Things is about creativity, improv, and inspiration.