The ambiguous role of transparency
Public opinion (and individual action) is subject to, among other things, macro factors such as media representations of important issues. By studying media discourses we can better understand the way discourses construct reality (or parts of it) and the role individuals are accorded within it. The most important results of the discourse analysis pertain to a) the role of individuals (end-users) in cybersecurity, b) the role of organisations in cybersecurity, c) privacy as a fundamental right versus data ownership, and d) the way a false trade-off between cybersecurity and privacy negatively influences overall cybersecurity and the corresponding ambiguous role of law enforcement agencies. The last concern, i.e. the ambiguous role of law enforcement agencies with respect to cybersecurity, is being voiced in particular by non-governmental human rights organizations. The findings raised the following questions for the TRUESSEC.eu project researchers:
What is the role of consumers in enhancing cybersecurity? What should be their role? Which responsibilities are accorded to ICT providers, which responsibilities should be accorded to them? It is precisely the rise of organizational cybersecurity measures (e.g. banks have invested lots of money to secure their infrastructures against cyberattacks), one common argument goes, which shifted cybercriminal activity from infrastructure to the end-user (social engineering).
What are the limits of state power with respect to ICT products and services? Is it legitimate to compromise the entire ICT infrastructure (through zero-day exploits) on the off-chance of catching criminals? Should more energy be invested into enhancing the security of the IT infrastructure (as opposed to catching criminals), under the assumption that better infrastructure by itself prevents crime? Or is crime just a natural overflow of society that needs to be contained in whichever ways possible?
These dilemmas and their media coverage arguably negatively affect public trust in the Internet infrastructure. The debate is therefore not concerned with possible ways to influence public opinion (which is elusive anyway), but rather with possible implications for standardization and regulation of businesses and public authorities. To what extent should these organizations be held responsible? Would a duty to inform customers and the general public about data breaches increase their trustworthiness, given that data breaches are usually reasons to distrust someone? Would a universal duty have “paradoxical” effects here (i.e. increase rather than decrease levels of trust)?
Where do YOU stand on these dilemmas? Do you think that security is key and that, in order to achieve it, it is okay not to catch a few criminals? Is transparency key for trustworthiness, or are there aspects of organizations that should remain hidden?