Written by Researchers from the Information Security Group (ISG) at Royal Holloway, University of London worked together with UK online to conduct a survey of privacy attitudes and behaviours. Focusing on our concerns about privacy while using the internet, the survey reveals that online identity theft is currently the greatest fear for internet users.
[From Online identity theft is the greatest fear for internet users]
The great majority of respondents (almost all of them, in fact) use the Internet daily from home, work or school. In this group, their top concerns about privacy are:
- “Online identity theft”
- “Spying on online activity”
- Payment card data being intercepted.
- Merchant mischarging.
- Having to provide too much personal information when purchasing online.
I noticed an odd gender imbalance, in the sense that women report being more concerned about privacy than men do, but men were much more likely than women were to actually do anything about it, presumably because doing something means (to a large extent) technological activities such as turning on firewalls.
There were a cluster of concerns just below the top five that caught my eye.
- People online not being who they say they are.
- E-mails not being from the people who they say they’re from.
- E-mails being read by someone other than the person you sent them to.
Now, on the one hand, technologists might dismiss these issues and say that they are a result of the way that e-mail works and that we should educate people about that. Normal people (eg, my good lady wife) do not see it like this. She is genuinely puzzled as to why technical geniuses can’t figure out how to stop her from getting spam e-mails that purport to be from friends, and the like. It’s a bit of an inditement, really, that we don’t have even the most basic identity infrastructure in place for the simplest of services, and I think the public can reasonably be annoyed about this.
I think these concerns also show that we haven’t managed to get even the simplest elements of identity infrastructure working. A decade ago I would have assumed that by now I would be able to flip a switch on our Outlook server to junk all emails that didn’t have a valid digital signature (set aside what valid means for a moment). But it just hasn’t happened, despite all of the technology being in place.
There were two more concerns than I hadn’t really though much about.
- E-mail being inappropriately forwarded.
- E-mail being printed out.
It’s clear from these concerns that people simply do not see e-mail the way that we (ie, technical persons) do. I remember, many years ago, reading something by Phil Zimmerman in the original PGP manual. Phil said, in essence, that you should think of e-mail as being like postcards that anyone can read and do what they like with. That’s how I’ve always thought of it. Perhaps it’s time for government campaign, possibly under the Race Online 2012 banner.
These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]
If you do a fuller threat analysis of communications technologies like email, chat, skype, voice, etc … the largest threat of all by risks & costs is your own trusted counterparty turning against you. Think divorce.
There has been relatively little work to address this in the technical world. There was a protocol to permit deniability, and I’ve experimented with some contract-based ideas … but on the whole, communications methods remain terribly unbalanced as far as privacy goes. Most work still derives from the old military threat models of MITM which are woefully inadequate for the net and general society.