The Problem with Cybersecurity

It may seem that all digital problems have a technological solution, often in the shape of cybersecurity. Worried your private images could spread across social media? Adjust access settings on Facebook (or Google Play, but who uses that?). Phishing attempts keep you awake at night? Upgrade your anti-virus software, only $7.99 per year. Annoyed that cookies on your browser send personal data to advertisers? Just clear the cache and cookies after every website you visit (or use the private surf mode). The pattern is familiar. Speaking at Austin’s SXSW digital conference, NSA whistle-blower Edward Snowden added to this techno-centric solutionism, suggesting that encryption is the answer to global surveillance: “End to end encryption makes bulk surveillance impossible. There is more oversight, and they won’t be able to pitch exploits at every computer in the world without getting caught”.

Netopia has the greatest respect for Mr. Snowden, but there are many objections to this view. Encryption may well prove a false comfort, as there are many ways around even the best protection. While it may slow the NSA down, the agency might just as well have an answer that we will never know about (at least not until the next whistle-blower), just as a majority of us were surprised to learn about the extent of surveillance that was revealed by Snowden himself only last year. But the main problem with encryption as default is that it reinforces the view that it is the individual user who must protect herself against outsiders and society.

Cybersecurity, as described in the examples above, puts the onus of protection on the user. We would never accept that view in any other part of society. Quite the opposite, in fact: we have rights and institutions that protect the individual; the idea that each person should protect themselves is anathema in any civilized society. Sure, you can have an alarm, central lock and a wheelbar for your car. You can take the front off your car stereo and engrave the windows with your plate number (at least if you’re still living in the Eighties). Lots of security companies sell services like those. But that is not to say we should not also have laws against stealing or breaking into cars, that we should not have insurance companies compensating those whose cars are stolen, and police, prosecutors, courts and prisons to deal with the thieves (plus defense attorneys to help the thief’s case!). And help programs for ex-convicts to stay out of trouble once the sentence is over. And social welfare services to try to keep troubled kids off the streets and help challenged communities. And norms that say it is wrong to break into cars and that those who do will make their friends and families upset. The car alarm and wheelbar exist in a context. Except if your car was online, it would be your own stupid fault if it was stolen or broken into. If you click on a bad link and reveal your bank log-in, sure, you could get the money back from the bank, but no one would really think of you as a victim. And for sure no one would expect the criminals to be brought to justice.

Cybersecurity rests on the assumption that everyone is an expert on cybersecurity. Or at least interested in the issue. That is not the case in real life. Lots of people use digital services with only a basic understanding of how the technology works. That must be so, otherwise many groups would be excluded from the digital revolution. We must be able to rely on the system and, if need be, put new government functions in place to protect the users. What then about NSA surveillance? It needs to be kept on a shorter leash, which POTUS also agrees to.

More democracy – not more technology – is the answer.