Most people say they care about their online security and privacy. Poll after poll confirms what one would expect: They don’t want their identities stolen, phones hacked, credit cards compromised or bank accounts drained. They don’t welcome government or anyone else conducting surveillance on them, especially in their private lives.
But those polls also show that only an alarmingly small percentage of those same people seem willing to make much effort to do what they say they want – protect their privacy and security.
One of the more recent, a survey of 2,000 consumers done by Morar Consulting for the VPN provider Hide My Ass!, found that 67 percent of respondents said they wanted extra layers of privacy, but only 16 percent used privacy-enhancing browser plug-ins; 13 percent used two-factor authentication; 11 percent used a VPN; 9 percent used email encryption; and 4 percent used anonymity software, such as Tor (the onion router).
Why? It is not just that people are lazy or incompetent, according to psychological research. It is more the way we are hard-wired. Joseph Lorenzo Hall, chief technologist at the Center for Democracy & Technology (CDT), notes that research about it goes back more than a century.
Indeed, in 1883, Dutch cryptographer Auguste Kerckhoffs wrote that for a military cryptographic system to work, it would have to be “… easy to use and must neither require stress of mind, nor the knowledge of a long series of rules …”
Apply that to the modern online world, and it pretty much guarantees that exhortations to maintain security by using a different complex password for every site and device will be ignored by most people.
As Brett McDowell, executive director of the FIDO Alliance, put it, “unfortunately for those of us in information security, users have ‘voted with their habits,’ and the vast majority have told us loud and clear that user experience (UX) trumps privacy and security.”
It is not just the UX that is in play either. Much more recently, in 2008, researcher Ryan West wrote that more than a century of research shows that most people believe they are less vulnerable to risks than others: that they are better drivers than others, less likely to be harmed by consumer products, and likely to live beyond average life expectancy.
“It stands to reason that any computer user has the preset belief that they are at less risk of a computer vulnerability than others,” he wrote.
West added there is evidence that when people do increase their security measures, such as installing a personal firewall, they tend to engage in more risky behavior – something known as “risk homeostasis,” or risk leveling.
That, West wrote, is because the rewards of convenience are immediate and tangible, while those for security are abstract and intangible, even though the potential inconvenience and cost if a user is hacked is vastly greater.
Hall’s colleague at the CDT, Katharina Kopp, director of privacy and data, believes it is not simply a matter of delayed or abstract gratification. She believes it is because security is time consuming and complicated.
“I cannot think of many areas in our modern times where we ask so much of consumers,” she said. “In the automobile or pharmaceutical markets, for example, it is perfectly understood that we don’t expect individual consumers to be experts and build in all the safeguards.”
Hall agreed in part. While consumers don’t need to build their own security tools, he said those tools can be tough for the average consumer to use.
“Few people surf like I do,” he said, “in Firefox, with NoScript (no JavaScript), RequestPolicy (all third-party loads must be manually whitelisted), HTTPS Everywhere, etc.
“I have decent control over my desktop browsing experience but it takes a lot of grooming, a lot of technical understanding, and it looks like I’m surfing in 1996, with black text on white background and few images.”
McDowell offered another example: “Many sites offer two-factor authentication as an option, but these options, such as one-time passwords from a physical security token or SMS sent to a specific mobile device in the user’s possession, are a hassle for users,” he said.
“Consumers don’t want to type in multiple passcodes to get into one account, so many either never opt-in or quickly opt-out.”
And Markus Jakobsson, security researcher, CTO and founder of ZapFraud, said another problem is that “the connection between cause and effect is very vague to most people. What is safe to do? What is unsafe?”
He said users also tend to become fatalistic when they keep hearing of major breaches that had nothing to do with them. “When issues are outside of their control, people tend to throw up their hands, and say, ‘Why bother?’” he said.
Kopp said online security is difficult enough that government should, as it does with many consumer products, set some “baseline requirements” for product vendors, “not just to protect individual well-being, but society as a whole.”
While not everybody agrees that government is the best entity to set standards, the somewhat good news is that there are moves in the industry toward making consumer security simpler – although it has a ways to go to reach critical mass.
According to Hall, some tools, such as iMessage, “are quite usable, while others, like PGP (Pretty Good Privacy – an encryption tool), are very, very difficult to use.”
Drew Mitnick, policy counsel for Access Now, said, “private messenger apps that provide end-to-end encryption are everywhere.” He said the growing market for those and other apps that protect user privacy and security “shows that people do care.”
McDowell said the FIDO Alliance, a nonprofit established in 2013, has created “open industry specifications for a new generation of online authentication capabilities designed specifically to offer users better UX while quietly and unobtrusively improving their security.”
The organization allows users to replace passwords and one-time passcodes with “public-key cryptography and/or on-device biometrics like fingerprint or iris sensors,” providing what he called “a low-friction UX and strong security.”
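To make concrete what “replacing passwords with public-key cryptography” means in practice, here is an added sketch of the core exchange, written for this piece and not FIDO Alliance code or a FIDO-conformant implementation. The type names Authenticator and RelyingParty are assumed; the biometric or PIN check that a real authenticator performs before signing is not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Authenticator models the user's device: the private key never leaves it. A real
// FIDO authenticator also gates Sign behind a fingerprint or PIN (not modelled here).
type Authenticator struct{ priv *ecdsa.PrivateKey }

// RelyingParty models one website account. It holds only the public key and the
// nonce of a login in progress, so a server breach yields nothing to log in with.
type RelyingParty struct {
	pub       *ecdsa.PublicKey
	challenge []byte
}

// Register mints a fresh P-256 key pair on the device; the site keeps the public half.
func (rp *RelyingParty) Register() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	rp.pub = &priv.PublicKey
	return &Authenticator{priv}, nil
}

// Challenge issues a random 32-byte nonce for one login attempt.
func (rp *RelyingParty) Challenge() []byte {
	rp.challenge = make([]byte, 32)
	if _, err := rand.Read(rp.challenge); err != nil { panic(err) }
	return rp.challenge
}

// Sign is the user's whole login step: the device signs the site's nonce.
func (a *Authenticator) Sign(challenge []byte) ([]byte, error) {
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, a.priv, h[:])
}

// Verify checks the signature against the registered key and consumes the nonce,
// so a captured signature cannot be replayed for a second login.
func (rp *RelyingParty) Verify(sig []byte) error {
	if rp.challenge == nil || rp.pub == nil {
		return errors.New("no registered key or outstanding challenge")
	}
	h := sha256.Sum256(rp.challenge)
	rp.challenge = nil
	if !ecdsa.VerifyASN1(rp.pub, h[:], sig) {
		return errors.New("signature does not match registered key")
	}
	return nil
}
```

The user never types anything the site could lose: a phished or breached database holds only public keys, and a signature intercepted in transit is useless once its nonce has been consumed.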
Jakobsson agreed that effective user security tools “must be very easy to use – you plug them in or sign up, and then you can forget about them and rely on the tools’ functions. That’s the key to a good tool: make it easy.”
But he warns that even the best tools can’t stop a user from falling for social engineering, which he said is now “very slick. It is not about Libyan princesses any more.
“Today, it is well applied in reasonable-sounding requests that can come in conjunction with something that is expected, or in response to something that the target has expressed interest in, like your boss asking you to review a PowerPoint presentation and send some files to add clarity,” he said.
Still, the reality is that it comes down to users’ perception of the threat, and whether that trumps convenience. As Mitnick noted, “tools like Tor and VPNs can be the difference between life and death for certain users. For others, they are an added layer of protection to bring peace of mind that the actions that we take online are private.”
Hall sees room for limited optimism. “We are getting better at this through human-centered design that focuses on usable security mechanisms,” he said, but added, “I’m not sure it’s getting better fast enough, though.”