I hope we're really close to a Responsibility tipping point in regards to online security, by which I mean a general acceptance by internet users that they, not the site they visit, must take primary responsibility for their online security.

This doesn't remove any responsibility from my bank, PayPal, Facebook etc. But until the average person hears about a potential breach of their privacy and thinks "What can I do differently to prevent this happening again?", breaches are going to be fodder for sensational journalism and outraged users... neither of which helps solve the problem.

I will make a division between some core security - like my credit card details on Amazon - and peripheral security - like my photos on Facebook. This latter type will tip over first, and I hope it's soon.



But what could I do differently to prevent my bank, or employer, or sites I shop at, or anybody else, from leaking my data? Isn't it pretty much their responsibility to make their site work properly? It's my responsibility to not get taken in by phishing scams, sure, but what am I supposed to do about a bank accidentally losing a CD with accounts on it, or getting their database server compromised?

If anything, I'd suggest it should tip over into the other direction, with much stricter liability and penalties for those sorts of information breaches. If somebody promised something and failed to deliver it, that's a pretty classic case of fault. Now if, on the other hand, they said up front that they might make my data public if they felt like it, then that's another story.

In Facebook's case, it feels a bit like the flip-side of their recent proposal to make TOS legally enforceable. Perhaps make 'em legally enforceable in both directions, then, as a real contract with obligations on both parties?


I agree. Other than trying to avoid phishing scams and using sensible passwords there's not much that the user can do to improve their digital security, especially in the era of cloud computing where much of what goes on from a software perspective is not within the user's realm of responsibility.


"I hope we're really close to a Responsibility tipping point in regards to online security, by which I mean a general acceptance by internet users that they, not the site they visit, must take primary responsibility for their online security."

What does that even mean? Should I be fuzzing any site I think about giving my e-mail address to? There's not even a feasible way of knowing if someone's administratively accessing my account.

On the Internet, like in life, you have to end up trusting somebody.


Bollocks. It's unreasonable, not to mention unrealistic, to shift the balance of responsibility for online security from the relatively small set of professional developers to the mass of individual, non-expert users.

Imagine if banks had a policy that their individual customers were responsible for ensuring that their deposits were secure - banks would collapse regularly (and in fact did collapse regularly before the introduction of deposit insurance).


It would help if users didn't give instant, unconditional, blind trust to cloud services, as the vast majority seem to now. Just taking a moment to consider security before dumping their data in a service they don't really need could make a big difference. But learned helplessness is a tough habit to break.


This study by Microsoft Research might interest you. It argues that the individual user rationally ignores security precautions because zis expected loss is less than the cost of a strong security posture.

http://research.microsoft.com/en-us/um/people/cormac/papers/...

