I was asked a question on Twitter today. The question was, “Is staying safe online possible?” This is a great question because I increasingly see a sense of apathy in users due to the frequent threats to online safety that are reported. They ask questions such as “If big companies can’t protect themselves, what chance do I have?” or “If identify theft is inevitable, what is the point of protecting oneself?” Let’s look at the question in an Aristotelian manner.
We first must establish what staying safe is. Let’s start with this definition:
Being safe online is having the knowledge, ability and opportunity to utilize the Internet and Internet-based resources without subjecting oneself to harm*
Having the knowledge, ability and opportunity to utilize the Internet and Internet-based resources without subjecting oneself or others to harm*
*harm is being described as the following:
- Unauthorized disclosure of personal or sensitive information
- Identify theft
- Misuse of computing resources due to unauthorized access or presence of malicious code
- Persuasion or coercion to perform actions due to misrepresentation or incorrect facts presented in phishing emails
With this definition in hand, I can now consider whether this is possible. First, this definition means that no harm, as described above, would come to the individual despite the frequency of use as long as they utilized sufficient knowledge, ability and opportunity. I believe this is false. Even those equipped with sufficient knowledge, ability and opportunity will eventually come to some harm in utilizing the Internet and Internet-based resources. So, what if I revise my definition to this?
Being safe online is having the knowledge, ability and opportunity to minimize the harm* and frequency of harm caused due to the use of the Internet and Internet-based resources.
This definition allows for someone to be safe online but still have harm occasionally occur. However, in such occurrences, the damage done would be minimized. For example, if personal information was disclosed, the individual would be able to recognize that disclosure quickly and work with persons and companies to restrict the value the ability of malicious user to employ the information disclosed and to reduce the amount of damage incurred through use. More specifically, if a person entered a username and password in a fake web site, they would realize their mistake and change their password on the legitimate site before an attacker would have the ability to utilize their credentials. They would also utilize different credentials for other sites so the information gained would have no value if employed for other Internet services.
Using this definition, I believe I could say that it is possible to stay safe online. However, possibility is not probability. Those that would be safe under this definition must have the knowledge, ability and opportunity. If the majority of people utilizing the Internet do not have this then the majority of users are not safe. Our logical step, therefore, is to educate users to give them the knowledge and ability and to make the technology and environment that will provide them with the opportunity something that is available to the majority of users.