How Can It Be Safe to Give My Information To Anyone?

With all the recent data breaches out there, how safe is it to give my information to all the various services that seem to need it? When it comes to the government I figure I am not giving them any information it doesn’t already have. But when it comes to school applications, jobs, banks and so many others, they ask for social security numbers, birthdates, taxes, and account information for everyone in the household! And of course all of this presumably ends up in “the cloud” and transmitted over the internet. Some talk about encryption, but then in their terms of service they’ll say something like “we accept no responsibility for the security of information transmitted over the internet.” How can that work, since the internet is the only way to get the information in?! I mean, really, how can it be safe to share any data online at all?

I know that the news has many people left wondering that as well. It’s hard not to, when it seems like every other day there’s a report of some new compromise somewhere.

As you might expect, I have a slightly different perspective.

1) I don’t believe things are as dire as they seem.

2) I don’t believe avoiding the internet will help.


What makes “news”

One of the things that’s important to remember is exactly what makes “news”.

The commonplace, the average, the expected … these things don’t make news. Things that are routine don’t get reported as news.

News, almost by definition, means that something is exceptional or unusual.

Think about that for a minute. The mere fact that something is being reported on the news means that it is something that is not common. It might be big, it might be exceptional, it might impact a large number of people, but the reason it’s making news is that it was unexpected or unlikely.

It’s the uncommon and sensational that cause people to pay attention to the news, and that’s exactly what gets reported.

So, if you follow that logic, data breaches being reported as news mean that data breaches, in general, are not common.

Pandering for your eyeballs

Note that I said the uncommon and sensational.

One of the trends in the current media is that if something isn’t sensational enough, the news outlets do everything they can to portray it as such. With over-stated headlines and stories, media outlets compete with each other to get the most viewers, the most readers, and the most clicks. As a result, the actual severity of the story, the importance of the story, and the practical impact of the story on the average reader/viewer is left by the wayside.

So what do we see? News outlets, social media sites, even forwarded emails parrot the over-sensationalized story, making it out to be much worse than it really is, simply to attract your eyeballs.

Same news from different sources is still the same old news

I’ve talked about “the echo chamber” before.

The concept is very simple: when the exact same story from the exact same source is repeated, or “echoed”, by many different channels of information, it begins to appear as if it were many independent sources all arriving at the same conclusion.

It’s not. One source is still one source, no matter how many different places you hear it.

If you saw only one report of an incident, you’d probably give it no second thought. Seeing that same single report from several different venues, however, gives the impression it’s more important, since everyone’s reporting it. It’s not, necessarily. It’s still one story, from one source.

It’s almost impossible these days not to get that same story thrown at you from dozens of different venues. Radio and TV, to be sure, but throw in online technology and social media, and all of a sudden we’re inundated by everything – both important and trivial – with no real distinction between the two.

My point, of course, is that data breaches aren’t happening as often as you think.

They do happen, of course, and they do impact individuals. But it’s not “hackers gone wild”. At least not yet.

No matter how many times you hear of it.

Attacks happen from the other side

Of course everyone is quick to blame “the internet” (or “the cloud”) when breaches happen. Many people, such as yourself, may be thinking that both are things to be avoided as a result.

Not at all.

First, “the cloud” has been there all along. That thing we call “the cloud” is nothing more than online service providers and the servers used by the companies we do business with. If you’ve been using email for any length of time, you’ve been using “the cloud” since the day you started.

You might consider filling out paper forms and taking them physically to your bank or other institution, but you know what? Guess where that information goes once you hand it over or (snail) mail it in? It goes onto their servers, which are likely connected to the internet anyway, as a critical part of their operations.

The fact is that most of the breaches we hear about aren’t from any path that you or I have control over. It’s the back side, the internal systems, that most commonly get compromised when a hack is successful. Your actions wouldn’t have made any difference whatsoever in whether or not you’d be impacted.

Not all companies get it right

That puts the onus on each company holding our data to do it securely.

And most actually do. If it were otherwise, compromises would become commonplace and get reported in the equivalent of the local police blotter every day. In fact, much of the commercial infrastructure would simply collapse, or come to a halt, if hacks were really that prevalent.

But certainly some companies get it wrong – sometimes embarrassingly so – at least from a technical perspective.[1] And, indeed, those companies should be held accountable.

When that has happened, however, most companies are quick to remedy the situation and follow up with various forms of support to the individuals affected – the most common example being free credit monitoring for some period of time.

Hacks happen. Just not as often as it might seem.

What I do

As you know, I’m all about technology and the opportunities it offers.

So it should come as no surprise to you that I’m pretty much “all in” when it comes to online services, both personal and business.

I don’t do so recklessly, however. I pick and choose what companies and services I do business with, based on reputation and my experience with the technologies they use. I select, or don’t select, services based on what I feel is their potential for getting it right … or wrong. As an example, when my American Express card was somehow compromised some years ago – while I was out of town, no less – I heard about it from American Express. And they overnighted me a replacement card, in time for me to pay my hotel bill. 🙂 That kind of experience leads me to feel comfortable using their services even more.

Of course, I take sensible precautions – the same precautions I outline in The Ask Leo! Guide to Staying Safe on the Internet. I’m just like anyone else; those steps apply to me just as much as they do to you.

You can be safe

I don’t think that the average online user – which I assume describes you – needs to be overly paranoid when it comes to using most online services. Aware? Yes. Conscientious? Of course. Careful? Absolutely.

But by following basic safety principles, understanding what is and isn’t “news”, and doing business with trustworthy organizations, the opportunities – and sometimes the requirements – that the internet presents can be navigated safely.

If it were otherwise… well, I’d be in a whole lot of trouble. 🙂


Footnotes & references

[1] For some hacks, when the technical details are finally made public, occasionally you’ll hear the technical and security community exclaim “what the heck were they thinking?” about some implementation decision that put the system at risk.

13 comments on “How Can It Be Safe to Give My Information To Anyone?”

  1. An excellent article Leo. Although I don’t have the tech knowledge you do, I can relate to everything you say. I am a firm believer in technology and would not be without my computer. Having said that I still think we were born with the best computer. The one between our ears. It provides us with the common sense to make wise decisions about everything we do. Unfortunately it seems people are using technology as a replacement for our own brain and that is where the problem lies.
    I believe we should make rational decisions about what we want and what we need, and most times we don’t need everything we want. We do need to apply common sense when using the internet as much as we do when using any electrical or mechanical tool. All great tools if used wisely. Only we can control that. Your articles give another great tool to help us use technology wisely. Thanks

  2. I’ve had fraudulent charges made to my credit card twice and 2 fraudulent checks made and cashed against my account. In each of those cases, the bank reversed those charges immediately after a 10 minute phone call. None of those breaches were caused by internet activity and I buy on the internet regularly. From that experience, I gather that the bank has to take the loss for any data breaches, not the account holder.

  3. I suspect a lot of the hacking involves someone leaving the info unprotected. I share my passwords with my wife and no one else. Ben Franklin said it best when he said, “If three people share a secret, it’s safe if two of them are dead.”

  4. There is one situation which does concern me. I use QUICKEN. Now, I have accounts at quite a few mutual fund companies, brokerage accounts, etc. I enter transactions manually on Quicken. That is not the most efficient way to use it. Quicken Forum members have given me a hard time about this. I guess most users provide all the user codes and passwords to Quicken so it can get on my accounts and correctly download all my transactions. I just won’t do that because giving ALL my information to Quicken can subject me to MAJOR issues should a data breach occur. It would be far more than one credit card or one checking account. A thief would have access to my entire financial situation. AM I BEING OVERLY PARANOID ABOUT THIS? I would welcome some opinions/feedback here.

    Mel

    • All I can say is that when I elect to trust an agency – like Quicken – I typically go all in. And companies like Intuit (the makers of Quicken and Quickbooks) have an incredible responsibility to keep things secure. Whether or not you’re overly paranoid, you’re at least an outlier – more people are using the online service than not, meaning more people are trusting Intuit with this information than are downloading things manually. If anything ever did happen I’d expect Intuit to deal with it, and related institutions to deal with it as well, in a way that would minimize the impact to affected users. Ultimately I’d probably trust Intuit to do it right. I don’t choose who to trust lightly so that when I trust I can feel comfortable trusting more-or-less completely.

    • I think your approach is smart, but not for the reasons you mentioned. By entering your transactions manually you are double checking the bank, account brokerage or whatever. If they make a mistake (and it does happen, although rarely), you will notice it when your numbers are different.

  5. Re: Sharing passwords with wife or family. The problem then is that if there’s a breach you don’t know if it was you or your wife that caused the breach. I want to be sure that it was me or the thief, not to suspect family, so no sharing my passwords.

  6. While I generally agree with your conclusion, I disagree with your argument.

    A story need not be unusual to get coverage. Routine things — like sports scores, business results, and weather — get daily coverage. It’s not logical to conclude that an event is rare because it merited coverage. Moreover, there is some evidence that many data breaches are not disclosed because entities don’t want to air their dirty linen in public.

    A symphony is more than the echo of a single musician. If multiple legitimate news outlets cover the same event, it is more than the same information being passed around. At the very least, it means multiple editors judged the information to be worth relating.

    “I pick and choose what companies and services I do business with, based on reputation….” How does a company get a reputation, other than through news coverage? So on one hand you are saying to dismiss news reports as overblown, while on the other hand you are saying to pay attention to reputation — which is in large part established by news reports.

  7. However rare the singularities in the universe of computing major hacks may be, it’s an incomprehensibly large universe, and if one happens to impinge on your personal turf you can get scorched awfully badly. Security be damned, if they want in they’ll get in – just be glad you didn’t have any holdings in that ultra-secure, ultra-protected, ultra-cautious bitcoin bank they broke into, bilked and bankrupted. Or that you didn’t have a Target account, or Winners, or buy a Lenovo computer with that embarrassing hole, or… There have been so many others.

    The fact is, even if the corporation is all goodwill and generosity (and being sued in a class-action lawsuit) you can be at best severely inconvenienced and at worst have your life totally destroyed if the wrong information gets into the wrong hands from the wrong place. It is a long chance but it’s there. Do you know how to take safe shelter in a lightning storm, and do you use the knowledge?

    Convenience has its price, and you have to pay it. But does the store really need your phone number? Why? How do they guarantee to defend it from the phone spammers? In precise countries (many in Europe, and Canada) do they need all your postal code, which can be as precise as floors in a building?

    If you must give information, as is often the case, at least demand to know who will handle it, how soon and how thoroughly it will be encrypted, if they have an air-gapped network for confidential information storage, and who can access it under what restrictions. This will not win you any popularity contests, but when stores and financial institutions find they aren’t going to get your custom (or mine or Leo’s or anyone else’s) until they produce satisfactory answers, we will get them soon enough.

  8. I don’t know about the United States or any other country, but in Canada, you also have a right to know what information a company is collecting about you and what they do with the information. If the company doesn’t have a good reason for collecting a piece of data, they are not allowed to collect. Some companies still do, but you have the right to ask them if they need it and why. And if they can’t give you a good reason, you don’t have to give them the information; otherwise you can file a complaint with the Privacy Commission. In fact, some things are legislated even further. For example, it is illegal to use an Ontario health card number for any other purpose except health services. Therefore, if a business wants your health card number, you can tell them no, unless they are providing a health service. In the same way, a social insurance number (like the US social security number) can only be used by banks, employers, and anyone else who pays you money. It’s amazing how many applications will ask for your SIN number when they have no business needing it.

    So while I agree with Leo in that if you’ve decided to trust the business with your business, you have to trust that they will protect your information, we do have the right to limit what information we give them, in case something does happen.

    That said, even the biggest businesses do fail at some time. For example, Home Depot had a credit card incident. I have never got a satisfactory answer from them why they need to keep my credit card number in their computer after they have settled the transaction with the bank. Does it make refunds quicker? Yes. But it only takes 5 seconds for me to pull out my credit card, insert it into the machine, and for the machine to issue a refund to my credit card. So it’s not much of a convenience for the risk of hundreds of credit card accounts.

  9. Hi Leo,
    I agree with you on your implication that security of self and safety of one’s property depends much more on one’s discrimination than the data breaches you hear. To me, using Internet is no different from using any other facility such as a Vehicle, Power, Medication that always require my own discrimination and safe behaviour first than the ‘external’ factors. Sure, external factors do affect us sometimes. But, it is our own action/inaction/negligence that outstrips the ‘external factors’ role many times.
