I’ve been reading with interest recently the groundswell of discontent around Facebook and its privacy practices. There is indeed a rather large issue of people disclosing far too much data without understanding who has access to it via Facebook, but what interests me more is not the big wide world being able to see me sharing such genius as “Going down the pub” or “Ate Pie…”, or seeing me in my Speedos on holiday (hey, I’m European), but the fact that the huge backlash now occurring is significantly larger than anything we’ve seen over ongoing credit card loss and breaches.
Using the genius of Google Trends and at least 36 seconds of diligent research, I estimate that the whole world has searched on Facebook’s privacy issues in the last month, compared to 21 people and two nervous felines on the subject of data breaches. I should point out that this research was not carried out scientifically, but I was wearing a lab coat at the time, so I’m probably right.
In the last few days many of my friends have asked me for my thoughts on Facebook, the security implications of the misuse and complexity of its privacy controls, and how badly they are exposing themselves. This is unusual for me in that:
1. My “normal” friends are discussing privacy and data leakage, and
2. Their fear is drastically disproportionate to the risks.
People are worried about undesirables getting hold of their personal information and are discussing how Facebook should implement stricter privacy controls, which is a good thing, but in reality the information shared on Facebook is a small percentage of the data they hand over every day. As soon as I move the subject on to the bigger worry of credit card fraud and the lack of adherence to security best practices like PCI, I get a vacant look and a whispered mouthing of “PCI?”.
This imbalance between the concern around Facebook and the real threat of credit card loss is not right, but the genuine curiosity about security and privacy should be embraced and extended. Only when the great unwashed vote with their feet and force companies to become PCI compliant, by refusing to spend their hard-earned cash unless they have transparency into a retailer’s PCI status, will we truly have adoption on a wider scale. Look at Facebook’s response to this uprising around privacy: Mark Zuckerberg pulled together a crisis meeting and came up with a “solution” in double-quick time to nip the issue in the bud and stop users fleeing en masse to another site. If only we could have the same with PCI and credit card security.
My suggestion would be that all retailers have to display their current compliance rating in their shop window, on their website, or as part of the delightful welcome message when you dial the call centre. This increase in visibility would lead retailers to see PCI and security controls as a market differentiator to be used against the competition, and would drive consumers towards those retailers that actually care what they do with this critical data. The cost of being slapped with a fine, or the risk of paying for replacement cards, would probably pale in comparison to a significant drop in sales caused by consumers’ hesitancy to spend money with insecure institutions, which in turn would drag the whole industry up a few notches on the security ladder.
This increase in vigilance won’t happen until the same people who care about Facebook privacy understand and care about where they put their credit card numbers and what happens after they click “BUY”.