Crap, I Forgot to Go Incognito!

This piece was first published in the January 18th issue of the New America Weekly. 

This blog is part of Caffeinated Commentary - a monthly series where the Millennial Fellows create interesting and engaging content around a theme. This month, each fellow has been charged by fellowship director Reid Cramer to explain why anyone, but especially millennials, should care about the specific policy interests they’re passionate about.

What if Google posted your search history online? All of it, I mean—even the stuff you looked at years ago (or perhaps yesterday) in Incognito Mode.

If that question doesn’t send a shiver down your spine, my guess is you’re probably not a Millennial. And to those Millennials who think that Incognito Mode truly protects your data by fully anonymizing your online browsing, I hate to be the bearer of bad news, but—that isn’t really the case. And I’ll tell you why that’s more concerning than you might think.

For people of a certain age who had regular access to the Internet growing up, our formative years were largely shaped by online activities. All those burning middle-school questions were just a short Yahoo! Answers post away from being cleared up. Now, in our 20s and 30s, we’re  mostly comfortable “doing life” online—whether that means paying bills via Venmo, sharing our locations on Google Maps, or, yes, even sending nudes over Snapchat. Every click and every search reveals a little more about us, as NPR’s Hidden Brain podcast describes, until an unadulterated “map of our collective hopes, fears, and desires” emerges.

How do we make sense of this? Our willingness to share such private information over virtual platforms has a lot to do with our willingness to trust that institutions will protect our data. A Gallup report found that 80 percent of Millennials have “some” or “a lot” of trust in businesses to keep their personal information secure. Compared to other generations, Millennials are much more trusting of institutions across every industry, both off and online, to safeguard their personal data.

More than that, though, Millennials are also more likely to use integrated applications on their devices, and often lack the understanding of just how invasive these apps can be. As Lisa Gutermuth describes for Slate, “many apps engage in irresponsible practices” like over-collecting user information, sharing and selling data without your permission, and poorly securing data, leaving you vulnerable to attack. That our entire lives have been documented, shared, tagged, and stored online is a reality that most Millennials accept, even with the awareness of the attendant security risks.

In a paradoxical way, then, Millennials are both the most cyber-secure generation—and the most cyber-insecure one. While we generally have better security habits online, such as choosing stronger passwords and avoiding Nigerian Prince phishing emails, we’re also more willing to give up our private information in return for a service. As cyber threats become more pervasive and harder to thwart—like the recently disclosed Spectre and Meltdown vulnerabilities—even the most security-conscious digital natives will have trouble protecting their information. By placing nearly every aspect of our lives in the cloud, Millennials have the most to lose following a cyber attack.

Imagine, for a moment, everything your online profile reveals about you, and what would happen if that information suddenly became public. Beyond the exposure of financial information and medical data stored on your laptop or cell phone, maybe you download the occasional pirated movie. Or maybe you spend more time on the clock searching for other jobs than completing the work your boss assigned. If you do research to find a nearby abortion clinic or STI testing facility, would you want your family to know? If you’re in an abusive relationship, what would happen if your partner found out about the one-way plane ticket you just purchased to get out of town? What if you’re a closeted, housing-insecure LGBTQ youth seeking online support and your intolerant family finds out?

Clearly, some things we do online are best kept private.

What do we do about this? There are already some well-established steps individuals can take to protect themselves against these nightmarish scenarios: choosing long and strong passwords (while, surprise, minimizing the number of times you change it), setting up two-factor authentication for emails, and using encrypted browsers like Tor or browsing through a Virtual Private Network (VPN). I’ve heard too many friends say, “I could never run for office because of this text or that selfie,” a statement made under the assumption that little can be done to ensure our personal data is protected. But, as Gregory Michaelidis forcefully describes, users should begin thinking of themselves as the first line of defense against cyber attacks, rather than waiting for a magic blend of technology and policy to “fix” cybersecurity.

One reason waiting is dangerous: Though the federal government often seems to engage with cybersecurity problem-solving, progress thus far has been surface-level and painfully slow. As of Jan. 2, The Intercept reported that only four of the 14 cybersecurity reports requested by the White House have been completed on time, and none have been made publicly available for critique or verification. These reports should, first, be completed, and second (to the extent possible), be shared with civil society leaders to strengthen their overall findings. Other weaknesses are apparent in the private sector approach to cybersecurity, as illustrated by Uber’s alleged cover-up of a data breach and Deloitte’s failure to require two-factor authentication leading to the disclosure of sensitive client information.

Companies like Equifax repeatedly suffer massive data breaches but somehow come out ahead in the end—as Senator Elizabeth Warren uncovered, the company is making “millions of dollars off its own screw up.” As former Director of the Consumer Financial Protection Bureau Richard Cordray notes, “it doesn’t work to deregulate around cybersecurity. Nobody in the public is going to accept that. We have to have more accountability, not less, over the safety … and privacy of our information.” Smart regulations ought to be enacted that both encourage robust cybersecurity measures and hold repeat offenders, like Equifax, accountable. More research needs to be done to understand the full lifecycle of harm following data breaches, especially since Millennials will be around longer and face prolonged threats beyond the standard two-year identity theft protection offered after a breach.

For Millennials, these events will be a regular occurrence in our cyber-insecure future, and it’s at least partly our responsibility to do something about it. So, while this article is a principled stand in favor of online privacy, it’s also a call to Millennials to demand more from the businesses we interface with, again and again, and the government we trust to secure our freedom and liberty—and a call to demand more of each other by taking simple, well-established steps to protect ourselves.

Author:

Dillon Roseen is a Millennial Public Policy Fellow in New America’s Cybersecurity Initiative. Roseen, from Peachtree City, Ga., was a Fulbright Scholar in Amsterdam where he conducted research on the intersection of law, politics, and international security.