Thursday, October 24, 2024

Welcome to Online: risks, harms, and duty of care in the virtual high crime neighborhood we all inhabit

Author-generated photo montage of a "Welcome to Online" sign in front of photo of broken windows in Stehli Silk Mill, Lancaster County, Pennsylvania, a public domain image thanks to Wikimedia user Smallbones
Welcome to Online (see Alt text for credit)
Is the constant news of fresh cybercrimes getting you down? 
Has your personal information been shared with criminals, again? 
Are you sick of cybersecurity warnings and annoying digital security measures?

Welcome to Online, a place that is both risky and unhealthy,
a worldwide high crime neighborhood,
out of which it is very hard to move. 

Criminals have made Online a high crime neighborhood

Today, most of us have an online identity. We not only spend time online, our digital selves persist even when we are not actively using digital devices. Part of us now lives, and sometimes works, in a virtual neighborhood, a non-physical space we can refer to as Online.

Sadly, Online is a place where many crimes are committed. Warnings about crime, evidence of past crimes, and measures to prevent crime: all of these are seen and encountered all over Online. Today, Online can reasonably be described as what social scientists call a "high crime neighborhood." 

Unfortunately, Online is not only a high crime neighborhood, but it is a place in which we are increasingly forced to spend time, and out of which it is hard to move. And that is a serious problem because high crime neighborhoods are known to be bad for human health. 

That's right, we already know for a fact that living in physical neighborhoods with high crime rates is not healthy. Residents of high crime neighborhoods suffer more health problems and die younger as a result. This has been researched and documented over many years by criminologists, epidemiologists, doctors, population health experts, and environmental health scientists. 

I recently described this reality and the science behind it in a talk at Cyberhagen 2024, an annual cybersecurity conference in Copenhagen, Denmark. The title of the talk is: From Frontlines to Lifelines: How reducing cybercrime would make life healthier for us all. You can watch it here or on YouTube. (Feel free to skip to 8 minutes and 39 seconds if you want to dive right in.)
 

I have also made a handy page with a link to some of the related work I have been doing on this problem: Cybercrime & Health. If you want a short URL to share the page, you can use tinyurl.com/cyberharm.

Why it's risky to tell people "just go online" 

To be clear, if you have a smartphone, email address, or Internet account, then you have an online identity, you have a presence online. This identity persists even when you are not using or connected to the Internet. 

That means there is 7x24 risk that digitally savvy criminals will target you, your devices, and your accounts. They may want to steal your money, take over your accounts, ransom your data, enroll your devices in criminal schemes, and so on. The threat of this happening does not go away when you log off and disconnect.

Yet, despite this state of affairs being well documented, many organizations still use the phrase "just go online" as though Online is a place that offers nothing but helpful and enjoyable experiences. Furthermore, some institutions are now requiring people to go online. This is the case in England where it is not uncommon for medical patients to be told they have to go online to book blood tests or "use the app" to order repeat prescription medication.

If you think about it, inviting or requiring people to go online is similar to some activities in the physical world. For example, when a hotel invites people to spend time on its premises it creates a responsibility to those people; this is commonly referred to as "a duty of care." 

In many countries, it is established in law that hotels have a duty to take reasonable steps to ensure that their premises are safe, secure, and free from foreseeable risks that could result in injury or harm to guests. Hotels also have a duty to provide reasonable security measures to protect guests from criminal acts. A hotel that fails to meet these duties could be exposed to legal claims for compensation by injured or aggrieved guests.

Similarly, a duty of care is created when an employer sends an employee on a business trip. In fact, a duty of care exists in many areas of modern life, and I think it is reasonable to make going online another such area.

In summary, it is my belief that a duty of care already applies to any entity that encourages or requires a person to go online. All that is missing is the right law or lawsuit to make this a concrete reality, one that can then be used to encourage or require serious upgrades in cybersecurity posture across society. In addition, this would create a new regulatory risk that companies would have to address.