Why are we so susceptible to social engineering? Because we’re stupid, venal, eager-to-please animals – but think we are oh so clever. Scams are as old as nature itself – animals are masters of subterfuge. The chimpanzee baby, say, grabbing a smashed nut from her mother and putting on an “it wasn’t me” face. Many animals indulge in camouflage and trickery – bite a grub poking out of the sand and discover it’s a rattlesnake’s tail…
Telling consumers the “rules of better online conduct” teaches us nothing. Rules and diktats tend to have little impact on culture, and culture eats process for breakfast. As more and more banks refuse to bail out customers that have fallen for phishing scams, the problem will be more visible and likely more pressing, more “real”. Fear – and getting hit with a massive charge – will tend to change the culture going forward. But so much of commerce is based on “ease of use” that it’s often hard to push back when we’re asked for more information. Privacy tends to take a back seat to convenience. There is also the related business culture of collecting every bit of data conceivable from a customer or prospect – even when you can’t actually put the data to any use… How many times have you shared your address and name in the last month? What about your pet’s name, which might be a password for another of your web services? Or perhaps you’re a small private company asked by a major corporate customer to provide names and addresses of your entire client list… [happened to RedMonk recently. We said thanks but no thanks]
As consumers we’re used to companies taking liberties and erring on the side of gleaning too much information. Then these same companies do a poor job of securing our shared information assets – so it’s no surprise when an email comes out of the blue pointing out that some remediation is required. Go phish. This business culture of information gluttony is problematical and can lead to fraud just as surely as any fault of the consumer – more information is by definition harder to manage. Cultural changes, then, are required from both sides.
Phishing could be reduced if businesses did less fishing. What do you need to know? What do you need to hide?
I believe organizations should err on the side of less data collection, not more, unless they have a good reason for collecting the data – with a concept somewhat like Tim Bray’s developer maxim Minimum Progress Required For Victory – in other words, don’t over-engineer solutions or add function that isn’t required by the user. Kind of extreme thinking.
The equivalent in this context might be Minimum Data Required to Declare A Business Relationship (to offer an interface?), shortened to Minimum Data Collected To Declare Victory. That is – don’t collect what you don’t need. Many would disagree – probably Acxiom, for example – but I have a feeling the Long Tail suits more lightweight approaches. We’re happy to make recommendations to complete strangers. We don’t need to know who they are.
I am sure there are those that will think I am barking mad – big corporates with armies of lawyers and marketers, for obvious reasons, but also many exponents of the New Transparency.
As far as I am concerned, however, the last 24 hours have taught me everything I need to know about the effectiveness of transparency today. Therefore I, for one, will continue to push for privacy, where appropriate. On a final note, I heard a potentially worrying story for the US economy the other day – a Pakistani friend told me there is an exodus of professional, well-educated Pakistanis and their assets out of the US at the moment because of threats that financial affairs will be put through the absolute wringer. It seems to me folks like these helped build Silicon Valley and many American success stories. Now they are taking their money and intellectual capital home.
Some might push back that anyone leaving the country must have something to hide. Perhaps. I would argue, however, that we all have something to hide – it’s part of being an animal, let alone part of being human.