The timing of both surveys is interesting: the June 2015 survey happened two weeks after the breach of the US Office of Personnel Management, which exposed the personal information and social security numbers of millions of US government workers. To me, that explains (as the report suggests) why those households with federal employees were twice as likely as other households to report identity theft concerns in 2015.
It does raise the question whether the OPM leak artificially inflates the 2015 numbers. I think not. For one thing, November 2017 would’ve been two months after the massive Equifax leak, when the personal information (and social security numbers!) of millions of Americans (both federal employees and not) was exposed. There are always leaks capturing headlines.
For another, I think the drastic across-the-board reduction in avoided activities (Figure 1) can’t be explained just by OPM leak-induced jitters.
Here we are now, almost a year since the Equifax leak. Can any readers of this newsletter point to some specific damage they’ve sustained because of it? Some action they’ve taken as a direct result?
I suspect the answer is “no” to both questions, and that’s driving the sentiment in Figure 1, that despite everything that happened between 2015 and 2017, we’re just not more concerned about social networks vacuuming up our data and having our identity stolen. Anecdotally, I get the sense that my friends just... care less about online security. Social media is a Russian meddling-induced dumpster fire and all their information has either been posted online or wound up on a government server or four.
I suspect there might be a sort of “breach fatigue” happening here. Think of the sheer number of information leaks that happen. Off the top of my head, in the last five or so years: the Snowden leaks, the CIA Vault leaks, the Reality Winner leak. The 2014 iCloud photo leak that everyone called “The Fappening.” Sony, OPM, Equifax, Ashley Madison, Reddit, Cambridge Analytica. This, combined with the lack of direct, demonstrable harm, is creating an interesting dynamic: at the same time as a seemingly never-ending drip-drip of “another day, another data breach”, there seems to be a growing sense of — well, so what?
Bonus round: a counterpoint
One notable exception to the “leaks don’t matter much because there’s no direct personal harm” argument: the summer 2015 breach of Ashley Madison, a social network marketed toward people seeking extramarital affairs. At least two individuals, a pastor in Louisiana and a police officer in Texas, committed suicide soon after their names appeared on the leaked user list.
As always, I welcome your feedback, and I’d love to hear your suggestions for what you’d like to see covered in this newsletter. I’m @tommycollison on Twitter, or you can email firstname.lastname@example.org. Please get in touch! 📩📬