Encryption as a Consumer Privacy Issue

Encryption is often discussed as an issue of law enforcement, cybersecurity, or free expression for specific groups of users. However, it is also crucial to the privacy and security of everyone who browses the internet, communicates online, or uses websites for convenient activities like banking, shopping, or filing taxes. Unfortunately, many companies do not employ best practices for securing data, such as encrypting databases, which has resulted in many cases of people’s personal, health, and financial information being hacked. For example, the Equifax data breach of 2017 exposed the personal information of 147 million people from a database that was not encrypted.¹ Cybersecurity incidents like this show that consumers need stronger data privacy protections for their personal information. People are “weary and angry,” said Katie McInnis, policy counsel at Consumer Reports, “at their data being out there,” and of the privacy and security consequences that they might face.

A 2019 survey by the Pew Research Center points to deep public concern about a lack of control over the increasing amount of personal data available to third parties. Eighty-one percent of respondents felt they have very little to no control over the data that companies collect on them, such as their demonstrated interests, past purchases, or other characteristics.² These types of personal information could potentially be used to identify individuals’ financial information and make them more susceptible to fraud or online threats. Consumers are also learning that any kind of data, even anonymized data or metadata, can reveal a lot about their personal activities. Research consistently indicates that anonymized or de-identified data can be reidentified to the individual.³

Given increasing user concern over the collection of personal information and the threat of someone accessing that data, companies need to adopt strong cybersecurity safeguards to protect consumer data. This should include encrypting user data, as well as minimizing access to user-created data. As described earlier, consumers have theoretically had access to various forms of encryption for decades; however, it often required a certain level of technical expertise to implement, and was often the responsibility of an individual user to set up. Privacy should not be limited to only those with technical knowledge; rather, companies should broadly protect consumers to the fullest extent. During the event, McInnis pointed out that even if consumers are not well educated on privacy or are going to be reckless in their use of a product, they should be protected, “just like when you drive, a car should have seatbelts and airbags just in case you ram into a wall.”

Encryption by default improves data protection and privacy by removing the obstacle of manual user implementation. As noted above, Apple and Google’s decision to encrypt their mobile devices by default (previously the setting was optional) was a huge shift in the protection of user data at rest.⁴ As Quay-de la Vallee explained, when an iPhone screen is locked the device is encrypted. Once the phone has been unlocked, any iMessage communication is protected by end-to-end encryption, or encryption in transit, so that nobody along the way is able to read it.

Encryption, therefore, can promote trust between companies and consumers, as it builds in protection not incumbent upon consumer knowledge of privacy practices. Products should be designed with the best interests of the end user in mind. As McInnis remarked, “Just the way your toaster shouldn't set your house on fire, the services you use shouldn't expose your data to the public either.”