Online security won’t improve until companies stop passing the buck to the customer
The Teen Vogue article was widely praised by security experts, in stark contrast to an article in The Guardian that made the eye-catching claim that encrypted messaging service WhatsApp is insecure, without making clear that this only applies in an obscure and extremely unlikely set of circumstances.
Zeynep Tufekci, a researcher studying the effects of technology on society, reported that the article was exploited to legitimize misleading advice given by the Turkish government that WhatsApp is unsafe, resulting in human rights activists using SMS instead – which is far easier for the government to censor and monitor.
The Turkish government’s “security advice” to move from WhatsApp to less secure SMS was clearly aimed more at assisting its surveillance efforts than helping the activists to whom the advice was directed. Another case where the advice is more for the benefit of the organization giving it is that of banks, where the terms and conditions small print gives incomprehensible security advice that isn’t true security advice, instead merely a legal technique to allow the banks wiggle room to refuse to refund victims of fraud.
It’s for this reason that prominent bank marketing is aimed at making customers feel safe, while security advice is buried in places banks know customers don’t read. Despite complaints from consumer groups like Which? to the Payment Systems Regulator, so far banks have got away with this.
Out of your hands
Giving good security advice is hard because very often individuals have little or no effective control over their security. For example, the extent to which a customer is at risk of being defrauded largely depends on how good their bank’s security is, something customers cannot know.
Similarly, identity fraud is the result of companies doing a poor job at verifying identity. If a criminal can fraudulently take out a loan using another’s name, address, and date of birth from the public record, that’s the fault of the lender – not, as Cifas, a trade organization for lenders, claims, because customers “don’t take the same care to protect our most important asset – our identities”.
Keeping your computer or smartphone software up to date is good advice, but it is only of any use if the device’s manufacturer provides security updates and ensures that they are tested and don’t cause more problems than they solve.
It is precisely because security is so often out of the hands of individuals that the new UK National Cyber Security Centre (NCSC) has focused its advice on helping companies improve security, without placing an undue burden on the customer (or even requiring them to read the advice). Its passwords guidance shows how companies can remain secure even when most of their customers choose fairly simple passwords. This advice was developed in collaboration with the Research Institute in Science of Cyber Security (RISCS), which promotes evidence-based research.
NCSC chief executive Ciaran Martin promoted this guidance at an event in February, and at the CyberUK event in Liverpool last month. In March, NCSC launched a video explaining that “If security does not work for people, it doesn’t work.” This workable security advice, based on RISCS research, is having an effect: the government no longer recommends regularly changing passwords, because doing so has been shown to have a harmful effect on security. However, Cyber Aware, another government website, still offers advice to consumers that is out of date and counterproductive.
Customers do want to protect themselves, and there is a clear demand for good security advice. But this advice must be realistic, must consider that different individuals have different circumstances that require different approaches, and must put the interests of the customer first. Companies that develop security systems are in the best position to improve security, and they must take responsibility for doing so by learning from the research that reveals how individuals really use, understand, and misunderstand security technology.
Steven J. Murdoch is Royal Society University Research Fellow, UCL. This article is published courtesy of The Conversation (under Creative Commons-Attribution / No derivative).