Journal

The Willy-nilly Era of Digital Trust

In Spring last year, my previous employer fell victim to a cyberattack. As staff, we were notified shortly after, with communication that some of our personal information may have been compromised. The organization set up a dedicated public page to answer frequently asked questions and provide updates on its response. (A similar internal page was also set up.) The standard corporate messaging did little to allay fears and was never transparent about the method of attack used.

(My gut instinct says it was probably a successful phishing attempt—a legitimate-looking email with malicious links or attachments with some language urging action within an immediate time period—but that is pure speculation. The larger the organization, the more diverse its workforce and their familiarity with the quick-evolving digital landscape, the more access points available to hackers.)

Aside from the familiar messaging, the employer contracted both national credit reporting agencies and provided those likely affected with two years of credit monitoring services, including fraud insurance. Unfortunate too, by the way, that Canada only has two agencies of this type, both American-owned, and both with utterly mediocre online tools (honestly, Equifax does not even use multi-factor authentication and neither Equifax nor TransUnion allows credit-freezing in Canada outside of Quebec; what a joke).

I bring this up now because in the past few weeks, I have received a similar notification from a national air carrier, also subject to a cyberattack earlier this year. The key messages are nearly identical to those shared by my previous employer, which is not unexpected. The company has also engaged the same credit reporting agency for protection services, and also for the standard two-year span. At this rate, I will have my information imperiled on an annual basis and have access to complimentary credit monitoring for life. An unequivocally sarcastic “Hurray!” to that.

What annoys me about these incidents is that we are required to not only hand over our personal information for verification purposes to so many private companies, but also expected to trust them to hold this information indefinitely. It cannot simply be deleted once it has served its purpose. Nor can an independent but publicly accountable body be identified or established to safeguard our critical records, perhaps working within an ecosystem where control of one’s vital information sits with the individual themselves and the smallest group of organizations trained to handle sensitive files with extreme caution. Instead, our identity—which we are still somehow reducing to a few sets of numbers—is treated trivially; we have entered the willy-nilly era of digital trust.

Every solution has its flaws, but the current setup is maddening. Our identifying information sits with innumerable entities, each with their own safety systems and protocols, some more robust than others. Only a handful of this data is needed for others to impersonate us and endanger our livelihood. All of it trusted to employees, contractors, or users with varying awareness of cyberthreats. Take me for example—I have undertaken countless courses and workshops over the past decade via my employers’ learning portals to prepare me for digital threats, or to treat and carry confidential data in an appropriate way. I am currently a government employee with a certain level of clearance, which means I should be even more attuned to these things. Despite this history and my experience, I am not certain that I will be able to fend off a highly sophisticated cyberattack attempt directed to my inbox or devices in the future.

I also think about how ignorant we are, generally, about the increasing number of everyday scams sent our way. Forget sitting within a large entity and being responsible for everyone else’s personal details, can you manage your own? So many still pick up random calls from unknown numbers, or do not understand how easily their contact information can be spoofed. They are too willing to hand over data to unknown companies via applications or social media, simply because it’s the norm, providing the desired access to online convenience, services, and tools. The price paid is a lot higher than they, we, you or I understand.

I worry about losing my vigilance and familiarity with the latest cons as I age. All it takes is one mistake to empty your accounts and compromise your future.

And what of the “move fast and break things” ethos of the biggest technology companies globally? The Amazons, Alphabets, Microsofts and Apples that dominate our online interactions yet have a rich history of malpractice. The monopolies they have carved out give them enough dominion over our freedoms and movements to challenge nation states. These companies are surging ahead with integrating artificial intelligence tools based on large language models into every device and system we use. Setting aside persistent and valid issues relating to the ethics, power consumption, algorithmic bias, cognitive change, mental health, you name it—this integration further threatens our ability to control our data through variant digital architecture that is steeped with security problems.

The level of carelessness here is breathtaking.

As a species, we are still in our digital infancy, and it shows. We grant access to our most important information to every application on our phone or company that we engage with, never stopping to question what we are handing over, the value of the product or service returned, and consequences therein. People who happen to know our personal details will gladly spew them into every corner of the internet without thought. Parents still post pictures of their children on public sites, not the least bit concerned that they cannot provide informed consent, or if they may find issue with the exposure later in life. Just a few examples, but you get the gist.

We are only a few decades proper into our engagement with each other through online platforms, largely mediated by profit-driven conglomerates and enterprises. Our digital profiles, just like our flesh-and-blood selves, deserve a certain standard of protection. One that is far from being met.