Safer than you may think, but caution is still called for.
It seems like every other day there’s a report of some new compromise somewhere. It’s hard not to wonder if we shouldn’t share personal information at all.
I have a slightly different perspective.
- I don’t believe things are as dire as they seem.
- I don’t believe avoiding the internet helps.
Become a Patron of Ask Leo! and go ad-free!
Giving your information to anyone
Scary news about data breaches makes it seem like sharing info online isn’t safe, but breaches aren’t as common as they sound. Most happen in ways you and I can’t control. Be careful, choose trusted services, and follow basic safety steps. Avoiding the internet won’t help, but smart use keeps you safe and connected.
What makes news “news”
It’s important to understand what makes the news “news”.
Commonplace, average, expected, and routine things don’t make the news.
By definition, news is something that is exceptional, unusual, or sensational.
If something is being reported on the news, that means it is out of the ordinary. It might be big, exceptional, important, or affect many people, but the reason it’s news is that it’s unexpected, unlikely, and uncommon.
People pay attention to the uncommon and sensational, so that’s exactly what gets reported.
When data breaches are reported as news, they are by definition uncommon.
Pandering for your eyeballs
In current media, if something isn’t sensational enough, the news outlets do everything they can to portray it as such.
Media outlets compete to get the most viewers, the most readers, and the most clicks with overstated sensationalistic headlines and stories. The true severity, importance, and practical impact of the story is left by the wayside.
So what do we see? News outlets, social media sites, and forwarded emails parrot the over-sensationalized story, making it out to be much worse than it really is, simply to attract your eyeballs.
The same news from different sources is still the same old news
I’ve talked about the echo chamber before.
When the same story from the same source is repeated (or echoed) by many channels of information, it appears as if it were many independent sources all arriving at the same conclusion.
It’s not. One source repeated in many places is still just one source.
If you saw only one report of an incident, you probably wouldn’t give it much thought. Seeing that same single report from several venues, however, gives the impression it’s more important (and more true) since everyone’s reporting it. It’s not, necessarily; it’s still one story from one source.
It’s almost impossible these days not to get that same story thrown at you from dozens of different venues. Radio and TV, sure, but throw in online technology and social media, and suddenly we’re inundated by everything — both important and trivial — with no real distinction between the two.
My point, of course, is that data breaches aren’t happening as often as you think.
They do happen, of course, and they do impact individuals. But it’s not hackers gone wild1 — at least not yet — no matter how many times you hear it.
Related
Secure Your Most Important Accounts
Experts always recommend securing your "most important accounts". Great. Which accounts would those be?Your information still ends up in the cloud
People seem quick to blame the internet (or the cloud) when breaches happen. Many people might think both are things to be avoided.
No. Not at all.
First, “the cloud” has been there all along. That thing we call “the cloud” is nothing more than online service providers and the servers used by the companies we do business with. For example, if you’ve been using email for any length of time, you’ve been using “the cloud” since the day you created your first account.
You might think that filling out paper forms and taking them physically to your bank or other institution would be safer. It’s not. Guess where that information goes once you hand it over or (snail) mail it in? It goes onto their servers — the same servers it would have gone to had you provided your information online.
Most breaches we hear about aren’t from any path you or I have control over. It’s the back end — the internal systems — that most commonly get compromised when a hack is successful. Your choice of how to provide information wouldn’t have made any difference whatsoever.
Not all companies get it right
That puts the onus on each company holding our data to do it securely.
And most do. If it were otherwise, compromises would become commonplace and get reported in the equivalent of the local police blotter every day. Much of the commercial infrastructure would collapse or come to a halt if hacks were that prevalent.
But some companies get it wrong — sometimes embarrassingly so — at least from a technical perspective.2 And those companies should be held accountable.
When that has happened, however, most companies are quick to remedy the situation and follow up with various forms of support to the individuals affected, the most common example being free credit monitoring for some period.
Hacks do happen; just not as often as it might seem.
What I do
As you know, I’m all about technology and the opportunities it offers.
So it should not surprise you that I’m pretty much all in for online services, both personal and business.
I don’t do so recklessly. I pick the companies and services I do business with based on their reputation and my experience with the technologies they use. I select or avoid services offered based on what I feel is their potential for getting it right or getting it wrong.
As an example, when my American Express card was compromised some years ago (while I was out of town, no less), I heard about it from American Express. They overnighted me a replacement card in time for me to pay my hotel bill. 
That kind of experience leads me to feel comfortable using their services.
Of course, I take sensible precautions: the same precautions I outline in The Ask Leo! Guide to Staying Safe on the Internet. Those steps apply to me just as much as they do to you.
Do this
I don’t think that the average online user — which I assume describes you — needs to be overly paranoid when using most online services. Aware? Yes. Conscientious? Of course. Careful? Absolutely.
But by following basic safety principles, understanding what is and isn’t “news”, and doing business with trustworthy organizations, you can navigate the internet’s opportunities and requirements safely.
If it were otherwise… well, we’d all be in a lot of trouble.
Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.
Footnotes & References
1: Current U.S. government incursions and coup attempts notwithstanding.
2: For some hacks, when the technical details become public, you’ll occasionally hear the technical and security community exclaim, “What the heck were they thinking?” about implementation decisions that put the system at risk.
A excellent article Leo. Although I don’t have the tech knowledge you do,I can relate to everything you say. I am a firm believer in technology and would not be without my computer. Having said that I still think we were born with the best computer. The one between our ears. It provides us with the common sense to make wise decisions about everything we do.Unfortunately it seems people are using technology as a replacement for our own brain and that is where the problem lies.
I believe we should make rational decision about what we want and what we need,and most times we don’t need everything we want.We do need to apply common sense when using the internet as much as we do when using any electrical or mechanical tool. All great tool if used wisely. Only we can control that. Your articles gives another great tool to to help us use technology wisely. Thanks
I’ve had fraudulent charges made to my credit card twice and 2 fraudulent checks made and cashed against my account. In each of those cases, the bank reversed those charges immediately after a 10 minute phone call. None of those breaches were caused by internet activity and I buy on the internet regularly. From that experience, I gather that bank has to take the loss for any data breaches, not the account holder.
I suspect a lot of the hacking involves someone leaving the info unprotected. I share my passwords with my wife and no one else. Ben Franklin said it best when he said” if three people share a secret it’s safe if two of them are dead.:
There is one situation which does concern me. I use QUICKEN. Now, I have accounts at quite a few mutual fund companies, brokerage accounts, etc. I enter transactions manually on Quicken. That is not the most efficient way to use it. Quicken Forum members have given me a hard time about this. I guess most users provide all the user codes and passwords to Quicken so it can get on my accounts and correctly download all my transactions. I just won’t do that because giving ALL my information to Quicken can subject me to MAJOR issues should a data breach occur. It would be far more than one credit card or one checking account. A thief would have access to my entire financial situation. AM I BEING OVERLY PARANOID ABOUT THIS. I would welcome some opinions/feedback here.
Mel
All I can say is that when I elect to trust an agency – like Quicken – I typically go all in. And companies like Intuit (the makers of Quicken and Quickbooks) have an incredible responsibility to keep things secure. Whether or not you’re overly paranoid, you’re at least an outlier – more people are using the online service than not, meaning more people are trusting Intuit with this information than are downloading things manually. If anything ever did happen I’d expect Intuit to deal with it, and related institutions to deal with it as well, in a way that would minimize the impact to affected users. Ultimately I’d probably trust Intuit to do it right. I don’t choose who to trust lightly so that when I trust I can feel comfortable trusting more-or-less completely.
Excellent article. Do not become paranoid…
Louis Harmsen, the Netherlands
I think your approach is smart, but not for the reasons you mentioned. By entering your transactions manually you are double checking the bank, account brokerage or whatever. If they make a mistake (and it does happen, although rarely), you will notice it when you numbers are different.
Re: Sharing passwords with wife or family. The probem then is that if there’s a breach you don’t know if it was you or your wife that caused the breach. I want to be sure that it was me or the thief, not to suspect family, so no sharing my passwords.
You’d also be surprised at the number of questions I get from “ex’s” who are sorry that they shared.
While I generally agree with your conclusion, I disagree with your argument.
A story need not be unusual to get coverage. Routine things — like sports scores, business results, and weather — get daily coverage. It’s not logical to conclude that an event is rare because it merited coverage. Moreover, there is some evidence that many data breaches are not disclosed because entities don’t want to air their dirty linen in public.
A symphony is more than the echo of a single musician. If multiple legitimate news outlets cover the same event, it is more than the same information being passed around. At the very least, it means multiple editors judged the information to be worth relating.
“I pick and choose what companies and services I do business with, based on reputation….” How does a company get a reputation, other than through news coverage? So on one hand you are saying to dismiss news reports as overblown, while on the other hand you are saying to pay attention to reputation — which is in large part established by news reports.
However rare the singularities in the universe of computing major hacks may be, it’s an incomprehensibly large universe, and if one happens to impinge on your personal turf you can get scorched awfully badly. Security be damned, if they want in they’ll get in – just be glad you didn’t have any holdings in that ultra-secure, ultra-protected, ultra-cautious bitcoin bank they broke into, bilked and bankrupted. Or that you didn’t have a Target account, or Winners, or buy a Lenovo computer with that embarrassing hole, or… There have been so many others.
The fact is, even the the corporation is all goodwill and generosity (and being sued in a class-action lawsuit) you can be at best severely inconvenienced and at worst have your life totally destroyed in the wrong information gets into the wrong hands from the wrong place. It is a long chance but it’s there. Do you know how to take safe shelter in a lightning storm, and do you use the knowledge?
Convenience has its price, and you have to pay it. But does the store really need your phone number? Why? How to they guarantee to defence it from the phone spammers? In precise countries (many in Europe, and Canada) do they need all your postal code, which can be as precise as floors in a building?
If you must give information, as is often the case, at least demand to know who will handle it, how soon and how thoroughly it will be encrypted, if they have an air-gapped network for confidential information storage, and who can access it under what restrictions. This will not win you any popularity contests, but when stores and financial institutions find they aren’t going to get your custom (or mine or Leo’s or anyone else’s) until they produce satisfactory answers, we will get them soon enough.
I don’t know about the United States or any other country, but in Canada, you also have a right to know what information a company is collecting about you and what they do with the information. If the company doesn’t have a good reason for collecting a piece of data, they are not allowed to collect. Some companies still do, but you have the right to ask them if they need it and why. And if they can’t give you a good reason, you don’t have to give them the information; otherwise you can file a complaint with the Privacy Commission. In fact, somethings are legislated even further. For example, it is illegal to use an Ontario health card number for any other purpose except health services. Therefore, if a business wants your health card number, you can tell them no, unless they are providing a health service. In the same way, a social insurance number (like the US social security number) can only be used by banks, employers, and anyone else who pays you money. It’s amazing how many applications will ask for your SIN number when they have no business needing it.
So while I agree with Leo in that if you’ve decided to trust the business with your business, you have to trust that they will protect your information, we do have the right to limit what information we give them, in case something does happen.
That said, even the biggest businesses do fail at some time. For example, Home Depot had a credit card incident. I have never got a satisfactory answer from them why they need to keep my credit card number in their computer after they have settled the transaction with the bank. Does it make refunds quicker? Yes. But it only takes 5 seconds for me to pull out my credit card, insert it into the machine, and for the machine to issue a refund to my credit card. So it’s not much of a convenience for the risk of hundreds of credit card accounts.
Hi Leo,
I agree with you on your implication that security of self and safety of ones’ property depends much more on one’s discrimination than the data breaches you hear. To me, using Internet is no different from using any other facility such as a Vehicle, Power, Medication that always require my own discrimination and safe behaviour first than the ‘external’ factors. Sure, external factors do affect us sometimes. But, it is our own action/inaction/negligence that outstrips the ‘external factors’ role many times.
So, when applying for jobs and if you accept a position, How do you know your personal information is secure with your Human Resources Department?
You can never be 100% sure. It all comes down to trust.
You don’t. If that’s of concern, then the only solution I’m aware of is to only apply to places you trust.