Today, Thursday 28th January, is International Data Privacy Day. Historically, it has caught little attention, but I hope and believe that its significance and profile will grow in the future.
For the last two decades, online media has focused on the development of ever more intrusive and detailed online user profiling. Its purpose was both to ensnare users in a dopamine-craving bubble and then empower advertisers to exploit the resultant glued audience with micro-targeted messages precisely optimised to convert.
Metrics such as engagement or CPMs, which were considered the measures of success for the media owners, rocketed. Yet too few questions were asked as to whether the growth in those metrics might simultaneously be to the long-term detriment of the users or indeed society. Certainly, one casualty of that relentless growth was users’ privacy.
The fact that during this month alone over one hundred million people have opened accounts at the privacy-first messaging apps Signal and Telegram suggests that there is now a large body of consumers who have had enough. (To put this in context, daily downloads of Signal were 50,000 last year.) In all the turmoil of the last 12 months, there seems to have been a eureka moment regarding the heavy price some online media is exacting on privacy.
Whether this shift results in a lasting change in consumers’ choice of messaging app remains to be seen but what is clear is that when properly apprised of the facts, consumers’ choices suggest they value the privacy of their data.
We at MIRACL believe the same awakening needs to occur in the way we choose to authenticate our identities online. Unfortunately, we cannot rely on governments to make this happen because, just as has occurred in online media, regulators have singularly failed to protect consumers in the face of rapid developments in technology.
Today, there are on average 4 online identities for sale on the dark web for every single user of the internet globally. Indeed, Data Privacy Day is hard to celebrate when you look at the mass of stolen identity data and the way it is being exploited by hackers.
For example, in January alone, one hacker, Shinyhunters, has been responsible for freely distributing over 80 million user records from 3 hacks (Nitro PDF, Pixlr and Bonobos), which included email addresses, full names, hashed passwords, titles, company names and IP addresses. In addition, the hacker distributed 3.5 million partial credit card records and hashed passwords.
Hackers such as Shinyhunters focus almost all of their attacks on the user databases of the services they target, and in particular on the authentication database. It typically contains poorly hashed passwords, and in the large majority of cases the same username has reused the same password on other sites, so cracking one site's hashes hands the attacker working logins for many others.
A vast and booming underground industry has evolved around the distribution, purchase and exploitation of these credentials, followed by the resale and exploitation of the compromised users' accounts. According to Juniper Research, the cost of account takeovers to US businesses was $25.6 billion in 2020 and over $40 billion globally.
Here is the eureka moment in relation to authentication: with modern cryptography there is no need for an authentication database at all, because the server need not hold a password, a password hash or any other secret that would let an attacker impersonate the user. In other words, the vast majority of the data that is enabling this forty-billion-dollar criminal economy need never have existed in a single location where it was available to be stolen.
Rather than switching to security architectures such as MIRACL's that entirely obviate the authentication database, the focus of much of the industry has instead been on driving best practice to ensure that password data is more securely salted, hashed and stored. The current situation shows this has not been very effective: better storage raises the cost of each guess, but it does nothing for the weak and reused passwords that sit in every breached table. It is a truism that the most secure form of database is no database.
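As an added example, not MIRACL's code or anything from the original post, the Python below works through the point the last two paragraphs make on a constructed three-row leak and a five-word wordlist: an unsalted fast hash is cracked with a single lookup table, per-user salts plus a memory-hard hash (scrypt from the standard library) force one full computation per guess, and even correct hashing at a second site does nothing for a user who reused a password there. All users, passwords, hashes and the wordlist are hypothetical.

```python
"""Why a breached authentication table is so valuable, and what good password
storage does and does not fix. Every user, hash and wordlist entry below is
constructed for this example."""
import hashlib
import os
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed: rows as found in a "poorly hashed" leak, unsalted SHA-1 of the
# password. Hypothetical users and passwords.
LEAKED_ROWS: List[Tuple[str, str]] = [
    ("alice@example.com", hashlib.sha1(b"password123").hexdigest()),
    ("bob@example.com", hashlib.sha1(b"letmein").hexdigest()),
    ("carol@example.com", hashlib.sha1(b"Tr0ub4dor&3-unique!").hexdigest()),
]

# Constructed: a tiny stand-in for the multi-million-entry wordlists
# attackers actually use.
WORDLIST = ["123456", "password", "letmein", "password123", "qwerty"]

SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)  # about 16 MiB per guess


def crack_unsalted(rows, wordlist) -> Dict[str, str]:
    """Attack on unsalted fast hashes: hash each candidate once, then look up
    every row in the table. Cost is O(wordlist), independent of the number
    of users. Returns {email: recovered password}."""
    lookup = {hashlib.sha1(w.encode()).hexdigest(): w for w in wordlist}
    return {email: lookup[h] for email, h in rows if h in lookup}


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Defence: per-user random salt + memory-hard scrypt.
    Stored as 'scrypt$<salt hex>$<digest hex>'."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    algo, salt_hex, digest_hex = stored.split("$")
    if algo != "scrypt":
        raise ValueError("unsupported hash format")
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
    return secrets.compare_digest(digest.hex(), digest_hex)


def crack_salted(rows, wordlist) -> Tuple[Dict[str, str], int]:
    """Same wordlist against salted scrypt: no shared lookup table is possible,
    so every (user, candidate) pair costs one full scrypt call. Returns the
    hits and the number of scrypt calls spent. Weak passwords still fall,
    just far more slowly."""
    hits, work = {}, 0
    for email, stored in rows:
        for w in wordlist:
            work += 1
            if verify_password(w, stored):
                hits[email] = w
                break
    return hits, work


def stuffing_hits(cracked: Dict[str, str], other_site: Dict[str, str]) -> List[str]:
    """Credential stuffing: replay credentials recovered from one breach
    against another site. Correct hashing at the second site does nothing
    for users who reused the password."""
    return sorted(e for e, pw in cracked.items()
                  if e in other_site and verify_password(pw, other_site[e]))


if __name__ == "__main__":
    cracked = crack_unsalted(LEAKED_ROWS, WORDLIST)
    print("recovered from unsalted SHA-1 leak:", cracked)
    # Constructed second site, hashed properly, but alice reused her password.
    site_b = {"alice@example.com": hash_password("password123"),
              "bob@example.com": hash_password("something-else-entirely")}
    print("accounts taken over on site B by stuffing:", stuffing_hits(cracked, site_b))
    salted_rows = [(e, hash_password(p)) for e, p in cracked.items()]
    hits, work = crack_salted(salted_rows, WORDLIST)
    print(f"against salted scrypt: {hits} after {work} scrypt calls")
```

The salted run recovers the same two weak passwords, only after seven scrypt calls instead of one table lookup, and the stuffing step still takes over alice's account on the properly hashed site. That gap between "stored correctly" and "safe once stolen" is the limit of storage best practice that the post is pointing at; the only table that cannot be stuffed is the one that was never kept.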
While consumers can make some difference, to cause a lasting change it is really down to website and app operators to adopt modern authentication systems in their security architecture. As GDPR begins to bite (GDPR fines were up 39% in 2020 despite heavily discounted penalty settlements as a result of the impact of Covid-19), there is good reason to believe that this will happen. This will make celebrating Data Privacy Day a good deal easier and more meaningful in the future.