Is the Fight for Online Privacy a Lost Battle?

We’ve witnessed Edward Snowden’s shocking revelations of government surveillance, been rocked by Cambridge Analytica’s data scandal, and balked at invasive new laws like the UK’s Snoopers’ Charter.

Yet the thing that troubles me most is that these developments are just the tip of the iceberg.

As the amount of digital data has ballooned, so too has the activity of cybercriminals.

High-profile data breaches now make headlines on a near-monthly basis, and the latest Experian Data Breach Industry Forecast predicts the pace will continue. At the same time, lucrative advertising models ensure that corporations and marketers remain committed to tracking our online behavior despite third-party cookies approaching the end of their reign.

Privacy is no longer a given, and I have to wonder, are we fighting a losing battle?

To help me answer this question, I had the pleasure of speaking with four leading experts who built the tools and foundations that keep our online presence private:

• Philip Zimmermann – Cryptographer and creator of Pretty Good Privacy
• Martin Hellman – Cryptographer and co-inventor of public key cryptography
• Vincent Rijmen – Cryptographer and co-creator of Rijndael, the Advanced Encryption Standard
• Mark Curphey – Computer scientist and founder of OWASP (Open Web Application Security Project)

How did we get where we are?

In the early days of the internet, encryption was primarily reserved for national governments, military institutions, and, later, for corporations with trade secrets to protect. Ordinary people had nothing – that was until Philip Zimmermann created Pretty Good Privacy (PGP) in 1991 to increase the security of email communication.

“I'd spent several years as an activist in the peace movement [...], and I felt there was a need for grassroots organizations and activists to protect themselves from their own government,” says Philip. “So PGP started out as a human rights project.”

The invention of PGP didn’t go unnoticed, however, and prompted the first major attempt by the US government to limit the public and foreign nations' access to cryptography under the guise of protecting national security. Such attempts, dubbed crypto wars, have repeatedly happened since, but so has the creation of an entirely different internet.

Challenges to our online privacy today

Today, almost 5 billion people use the web, and worldwide retail e-commerce sales reached $5.2 trillion in 2021. The total amount of data created annually is now in the order of zettabytes, with global data creation forecast to reach more than 180 zettabytes by the end of 2025.

Unsurprisingly, the scale of privacy concerns has multiplied in line with the explosion of data we now share online, and I’m particularly alarmed by the growth in criminal activity. In 2021, the overall number of data breaches increased by 68% year on year to reach an all-time high, according to a report from the Identity Theft Resource Center (ITRC). Of these incidents, over 86% were related to cyberattacks.

But it’s not just cybercriminals I’m worried about.

A multi-billion dollar advertising industry ensures that corporations are just as determined to capture and exploit our data.

“Marketing automation is so sophisticated,” says Mark. “Last week, I put out a tweet about something, and within two minutes, it was showing up as a recommendation on YouTube. This data is pervasive, and understanding what you share and where it is being shared is really challenging.”

Perhaps less visible but equally prevalent, in my opinion, is the issue of surveillance. In 2013, Edward Snowden brought to light alarming revelations of government-run mass surveillance programs in the United States. Shock waves rippled out across the world, prompting changes in the law and compelling technology companies to tighten up their standards.

Even so, with developments like the UK government’s highly criticized Investigatory Powers Act (dubbed the Snoopers' Charter) in 2016 and the reauthorization of the USA Freedom Act in 2020, the specter of mass surveillance continues to haunt us.

The future of digital privacy protection

As we race to keep pace with cybercriminals, corporations, and governments, I’m keeping a close eye on a new generation of threats lurking on the horizon. Some experts have heralded quantum computing as the biggest threat to privacy since the dawn of the internet, citing its ability to breeze through modern encryption and render current cryptographic techniques useless. Should we be worried? Vincent thinks not.

“I'm what you could call a quantum skeptic,” he says.

“As soon as you say the word quantum, people try to expand and expand and expand [the key size]. Of course, there are certain algorithms that we need to rethink, many of them public key algorithms, but it's not the main thing we need to address now. And in many places, it has been included in the equation, so I think a lot of the fuss is not needed.”

At the same time, machine learning continues to evolve, and I don’t see its role in targeted advertising showing any sign of dwindling. “The more data companies have, the better they are at producing revenue, and their incentive model is certainly not to reduce that data,” says Mark. “With unbounded, cheap cloud storage, there's not even an economic barrier to doing it.”

Is striving for privacy a lost cause?

Despite the growing complexity of securing our privacy in the online space, there are many ways that the average user can protect themselves, for example:

• Practice good security hygiene – always use strong passwords, enable two-factor authentication, and promptly install security updates.

• Disable ad and data tracking. You can achieve this by using browsers that support privacy such as Brave or Tor.

• For messaging, use apps that leverage end-to-end encryption, such as WhatsApp or Signal.
• Be mindful of what data you’re sharing online, and ensure you set the privacy settings of your accounts to the most restrictive, including disabling location tracking.

In many cases, though, I believe the problem isn’t a shortage of tools or technology to increase protection; it’s simply a lack of user awareness. “For every secure product I've worked on, the biggest competitor wasn’t other peer competitors, but rather, it was nothing,” says Philip. “How do you talk people into raising their awareness and using some form of encryption?”

It’s a difficult question to answer, and it concerns me that our preference for convenience over security further compounds the issue. “There's a tradeoff between security and ease of use,” says Martin. “If you have to do something special, like click something to get security, most people won’t do it, so we need integrated, automatic, transparent encryption.”

There’s no getting away from the fact that securing our data is a mammoth task for professionals and consumers alike.

On the question of whether we’re fighting a losing battle, for me, the jury’s still out. It’s an immense and growing challenge, and many factors are out of our control, but one thing I am certain of, I won’t give up without a fight.