Nearly every day we hear of more major cases of identity theft, financial crime and other forms of attacks or malicious interference on the internet. Breaches become commonplace and lax standards leave consumers worried about how their information is safeguarded.
The colossal breaches at British Airways and Marriott and Starwood in 2018 compromised the private data of hundreds of millions customers, and dozens more cases have surfaced since.
Such incidents are evidence that consumer data security, and also consumer privacy, are not being taken seriously. The adoption of Internet of Things solutions and the highly anticipated rollout of very fast 5G networks will make consumers’ privacy even more vulnerable in the next few years.
President Trump’s executive order to prevent companies from buying hardware and software from telecommunications firms deemed a national security risk is at least one good step in protecting privacy, but it’s sad to see it had to come to that.
Trump is likely influenced by statements of FCC chairman Ajit Pai, who has warned against using telecom equipment vendors from China on the basis of both national security and concerns for privacy.
In one case last fall, it was reported that Chinese officials put immense pressure on specific private firms to include so-called backdoors in their software or devices, which may be exploited either by government agents alone or with a manufacturer’s help. That only provokes more questions as to the influence of the Chinese Community Party on the Chinese firms that sell abroad.
With that in mind, for the ordinary consumer looking to buy their next smartphone, laptop or WiFi router, how can they rest assured their privacy will be secured?
As a response to threats like this, Australia banned the Chinese network equipment manufacturer Huawei from its 5G network. The United States has effectively done the same. But blanket bans aren’t a silver bullet solution for safeguarding privacy and data security. A mix of solutions is needed.
What we need is a smart policy response that would induce companies to give sufficient weight to consumer data security, all the while achieving that goal without undue market distortions, wholesale bans of certain firms and the limiting of consumer choice.
Healthy competition between private enterprises is the best mechanism for the discovery of the right tools and applications for new tech gear. Keeping new regulation technology-neutral, and thus not deciding by law which technological solution is best, is a very good framework for consumer privacy.
The rules should be focused on outcomes and be as general as possible while still providing sufficient guidance. That means not just the biggest companies who can afford to comply will also have a chance.
At the same time, some kind of certification scheme, or even open source standard, should be adopted to minimize the risk of any backdoors or other vulnerabilities. That said, perfect security cannot be guaranteed. But ensuring companies use encryption and secure methods of authentication should be on the table.
Ideally, there would also be more supply chain liability for telecommunications operators and infrastructure wholesalers. This would push companies to take consumer privacy and security more into account when making procurement decisions.
Outright bans motivated by security concerns have the same effects as trade restrictions in the context of a trade war. The first victim of any trade war are the consumers of the nation imposing tariffs and non-tariff barriers to trade. Unless there is no other workable solution and unless the evidence of a serious security risk is clear, we shouldn’t resort to bans.
The debate around 5G reminds us how vulnerable consumers are in a technologically and politically complex world.
Therefore, smart regulation is needed in order to protect consumers from data breaches and to prevent autocratic governments from spying on them.
By strengthening liability of companies for technological vulnerabilities and by creating good standards, both consumer choice and privacy can be ensured.
Blunt instruments like total bans based on country of origin or regulators picking the technological champions should be seen as measures of the last resort.