Hartzog: It's misguided to think key to Internet privacy is keeping things offline
We should demand security from companies that handle our online information, he says
We should insist on design features, notifications that let us safeguard our own information
Hartzog: Companies that don't protect data must be held accountable by law
Editor’s Note: Woodrow Hartzog is an associate professor at Samford University’s Cumberland School of Law and an affiliate scholar at the Center for Internet and Society at Stanford Law School. The opinions expressed in this commentary are solely those of the author.
“If you want to keep something private, keep it offline.”
This has been a popular reaction to stories about the targeted attack on celebrities’ cloud storage accounts that resulted in the publication of intimate photos. There’s something intuitive in this way of thinking. After all, folks can’t wrongfully access data that doesn’t exist. But it’s simplistic logic, and misguided when viewed as the ethic that should guide digital age conduct.
Blaming the victims of these attacks distracts us from the greater importance of people and companies working together to protect online information.
We should not, of course, be reckless about what we share online and whom we share it with. But keeping sensitive information off the Internet is no cure-all response to these attacks. Taken to its logical conclusion, the “keep it to yourself” mindset would require that we virtually give up using the Internet.
Most of the things we share online leave us all exposed in some way, even if the vulnerability is incremental. And, let’s face it, even if it were possible for people to stay off the Internet and still function in society, we generally can’t keep others from sharing our personal information online.
Putting all the responsibility on people to “keep it offline” ignores the responsibility of companies entrusted with our personal information. Instead of becoming digital recluses, we should demand reasonable security from companies, as well as design features and notifications that will empower us to protect our own information in reasonable ways.
Not everyone (though more than some might think) can relate to sending or storing intimate photos and videos online. But most of us have shared or stored something online in such a way that would be quite hurtful if widely publicized. For example, we commonly share credit card numbers, health information, emails to loved ones, and photos that, if taken out of context, might be misinterpreted in harmful ways.
Even innocuous information in the aggregate can reveal deeply personal and private things about all of us. Does this mean we should have kept all these photos, emails, and documents offline? For most people, using the Internet is a virtual necessity to participate in modern society.
Admittedly, data security can never be perfect. There is a some risk inherent in using any technology. But the burden of predicting an infinite number of speculative harms each time every one of us sends an email, stores a photo online, or makes a commercial transaction using the Internet is simply too great for any of us to bear alone.
So what can we do? In the short term, we can insist on better security protections from companies. At this point, every important online service should probably offer two-factor authentication.
Two-factor authentication is an account verification technique that requires more than just a password. It usually requires both “something you know” (like a password) and “something you have” (like your phone). The way it usually works is that once you’ve activated the feature and given the service your cell phone number, when you want to access your account, you’ll have to provide both your password and an automatically generated code that is sent to your phone. This protects your account from people who can guess your password but don’t have your phone.
Some have suggested a “private photo” mode for phones that would prevent pictures from being uploaded to the Internet.
But creating these protections won’t be enough. Companies must continually notify users these protections exist, make them easy to find and use, and quickly let users know of any potentially unexpected vulnerabilities. For example, many were surprised to learn that the celebrities’ nude photos contained location information.
Ultimately, companies that fail to provide industry-standard data security practices should be held accountable by law. The Federal Trade Commission and other administrative agencies and laws designed to protect consumers must continue to ensure that companies entrusted with personal information respect the process of data security.
Working together, we can avoid having to choose between “enter at your own risk” and living a life disconnected from the modern world.