Whether we recognize it or not, we are at war. The war is not physical, instead it is fought on computers around the world over your information. So few people are ready to call it a war because they don’t quite understand what it means to have a war over information.
Europe has started to take action on publicly visible information like cookies and stored system information, with administrative actions like GDPR. California (US) also has legislation similar to GDPR called the Consumer Privacy Act. Both of these pieces of legislation aim to have companies disclose when they are collecting information about a consumer when they visit a website. Furthermore companies must inform the user whether their information is shared with other companies or parties.
There is currently a piece of legislation in California, called Proposition 65, which requires anything which could pose a cancer or reproductive threat to have an alert attached. It has become a joke since everything, everywhere has a Proposition 65 warning now. The notice has become noise.
In much the same way, GDPR and the Consumer Privacy Act will generate the same kind of noise. When people are alerted all the time about a potential concern, it is effectively the same as never being alerted at all. Users will become blind to the notice and will agree to things which they might never have accepted had they known there was a real threat. This kind of behavior is depended upon by companies as they clickwrap their way into your life and privacy.
Though these public pieces of legislation and the companies they impact are not the only part of the war which is being fought. If anything, this is the kind of fighting which leads to TSA agent pat-downs at the airport — no real value comes from the inconvenience, but people feel like someone is paying attention so they don’t need to.
The Real Information War
While public shows of force are going on, the real fight is happening quietly on computers across the world. Companies like Facebook provide information to active threat organizations like Cambridge Analytica and the associated government bodies have hearings which provide no remedy and take no action to protect their citizens. This kind of malicious act barely registers with elected officials and, since citizens see actions like GDPR and the Consumer Protections Act, they believe they are being protected by their government.
Even as companies become aggressors in this war over information, other active threats do even more damage. Nation states and technically savvy attackers breach computer security and collect information about people including their identity information, credit card data, and more. Nations spy on nations and individuals of particular interest.
All of these threats are scattered through the news and buried somewhere deep below the top headlines. Even worse, some of the news companies are, unwittingly, complicit in this data collection effort as they force users through a cattle run of paywalls and information collection efforts, spreading user data even further across the internet.
Each system which contains data about you or someone like you, makes illicit data collection efforts easier. In the end, humans are in charge of protecting the data on these computer systems and humans are prone to mistakes. This means the only way users can protect themselves is to become ever more vigilant.
This expectation of user vigilance is, at best, unreasonable. Even professionals make mistakes, so how can we expect home users to effectively and consistently protect themselves from attackers who are constantly investigating and uncovering new ways to penetrate computers and extract information. Even worse, these users who are being expected to protect themselves from attackers only control their choice to interact with a system and must put their faith in the professionals who are protecting user data.
With the government taking limited real action, security professionals expected to stay one step ahead of motivated attackers, and ever more advanced knowledge on how to compromise data systems, our data is constantly under attack and security practices may not be able to defend against new, sophisticated breach tactics. In the end, it seems the only reasonable action a user can take to protect their data is to completely disconnect.