As GDPR settles upon our industry, it’s a good time to reflect on how we got here. How did we end up with top-down, government-enforced data management and retention policies?
In large part, it’s a way to solve a collective action problem for the global community of users who suffer from privacy fatigue. Everyone knows their data is floating around in the ether, bought and sold without so much as a nod to the “owner” of the digital identity. But the fact is that individuals don’t have the power to force change in the face of companies that serve billions of users.
More important, most users overwhelmingly love the convenience and capabilities of these globe-spanning social media services. As a result, frustrated users have just given up fighting for control over their digital identity.
The Mayo Clinic defines “fatigue” as a “nearly constant state of weariness … impact[ing] your emotional and psychological well-being.”
Now apply this lethargic condition to the realization that your private data is not in your control and is no longer private. Faced with this gloomy realization, it is easy to understand the concept of “privacy fatigue”.
Privacy fatigue has been discussed in academic circles for at least a decade, with some researchers believing that it’s a natural reaction to a world where identity data is vulnerable and subject to institutional indifference.
Until recently, privacy fatigue was only a hypothesis, but a recent study indicates the condition is real. Three researchers from South Korea’s National Institute of Science and Technology studied the habits of 324 online users and determined privacy fatigue is genuine and, worse, it creates a sense of futility that puts identity data at even greater risk.
In researching 2017’s “The Role of Privacy Fatigue in Online Privacy Behavior”, Hanbyul Choi, Jonghwa Park and Yoonhyuk Jung determined privacy fatigue is the outcome of a complicated chain of events.
First, people are faced with the challenge of managing personal data in an environment crowded with privacy threats and never-ending data breaches. Against this backdrop, consumers feel they have no control over their identities, triggering a “sense of futility” in expecting online privacy. This futility breeds cynicism, which in turn, the professors conclude, results in a self-fulfilling prophecy where online users make little effort to protect their credentials. As a result, they are further victimized by both hackers and faceless companies selling their personal data.
This is not entirely news. In fact, the 2017 study cites research from 2010 where mobile phone users wrestled with the excitement of having digital coupons sent directly to their devices, while simultaneously admitting they found the practice “intrusive.”
Since 2010, this unease has only amplified, say Choi, Park and Jung. They believe news of never-ending, high-profile data breaches has bolstered privacy fatigue. They specifically point to the devastating Yahoo data breach in 2013, which impacted 1 billion users, as a key turning point. The 2013 breach, they say, left many users believing they were simply “not in control of their online information”.
The professors quote from a separate study that followed the Yahoo incident, which concluded: “People feel as though they have no control over personal information, ultimately [driving] them into a state of resignation about online privacy.”
Since then, they write, this sense of helplessness has only grown, resulting in “emotional exhaustion and cynicism” amongst consumers. This state of mind has created the current environment where “users … are not willing to devote major efforts to managing the information they share.”
In fact, the researchers conclude: “People with high levels of privacy fatigue are more likely to ‘do nothing’ in response to the misuse of their personal information.”
In short, people have simply acquiesced to the notion that their identities are no longer their own.
In 2009, Facebook found itself on the defensive when it was discovered the company was sharing private user data. At the time, the social media giant promised new, complex privacy features to help users protect their identities. (This may sound familiar.)
This prompted Mark J. Keith and Courtenay M. Evans, of Brigham Young University; Paul Benjamin Lowry, of City University of Hong Kong; and Jeffry S. Babb, of West Texas A&M University, to complete “Privacy fatigue: The effect of privacy control complexity on consumer electronic information disclosure”, a 2014 study examining “feature fatigue”, a condition, they determined, that discouraged users from protecting their identity credentials.
Although Facebook’s new security features promised to better protect user identity, the study found the features had the opposite effect.
“When Facebook introduced new privacy settings in 2009, the Electronic Frontier Foundation (EFF) accused the social media site of pushing users to disclose more information … than ever before,” the authors wrote. “However, little research indicates that such practices are effective …”
Instead, researchers found, the more complex the privacy controls, the greater “the tendency of consumers to disclose greater information over time.” (The EFF reached a similar conclusion in 2009, stating “[the] changes will lead to Facebook users publishing to the world much more information about themselves than they ever intended.”)
Whether it is feature fatigue or privacy fatigue, the fact remains that our identity information is more vulnerable now than it was in 2009 and, as users, we are becoming less and less inclined to try to protect it.
GDPR serves a useful purpose. It provides a regulatory nudge in the right direction — towards what our industry calls blockchain-based “self-sovereign identity.” Users can’t solve the problem of privacy fatigue alone. As is often the case, we need an impetus or a forcing function to kickstart the industry in the right direction. Necessity is the mother of invention, after all.
Blockchain-based identity solutions can help users overcome their privacy fatigue by giving them an easy, convenient toolbox to manage identity data. Blockchains act as the foundation for a set of tools that can deliver the benefits of cloak-and-dagger cryptography to everyday users — the missing link that allows cryptography to suddenly be used by everyone. Using established cryptography techniques, these new tools allow people to prove things about themselves using decentralized, verifiable credentials just as they do offline. We will dig into how “verified credentials” work in a future post, but for now, the takeaway is that we finally have the tools needed to allow users to reclaim control over their identity data for their future transactions.
The timing is uncanny. It’s almost as if blockchain-based identity solutions are being created specifically to provide an easy transition to GDPR compliance. Despite the fact that the top-down regulation of GDPR is diametrically opposed to the decentralized blockchain ethos, what that really means is that you can more reliably and efficiently control your identity data online and in the real world. And perhaps GDPR will start us on the journey that will help us overcome our fatigue and reach privacy nirvana.