I was watching a video of a terrier harassing a robot when I saw the news reports about Ingrid Lyne. The Seattle mother of three had disappeared while on her first date with a man she’d met online. Her dismembered body was found several days later. The alleged killer had a long criminal history, including attempted aggravated robbery, and his parents had previously filed a restraining order against him. He’s currently being held on $5 million bail.
Behold the modern marvel of the internet: a medium that enthralls us with videos of cats riding Roombas, yet also poses a significant threat to our very lives.
Lyne’s death is not unique. Though such violent crimes are rare, there are 7.2 billion people in the world, and roughly 40% of them are online. In any group of 2.9 billion people, you’re bound to find some who aren’t very nice, and the internet makes it easier than ever to meet them. In February, for example, two tourists in Australia were brutally assaulted by a man who answered their online request for a ride from Adelaide to Melbourne. Last fall, a young man in Detroit was robbed, beaten, and strangled by someone he met online. Such stories are becoming commonplace, as are the constant warnings about child predators. Ever day, scammers crack passwords and drain bank accounts, or spoof phone numbers and talk unwitting targets into handing over the loot voluntarily. In short, all the dangers of the real world also exist online. They may pose an even greater risk there, since the nature of online interaction encourages us to feel we know others better than we really do.
Managing risk online calls for the same skills we use offline: Learning about the history of people or organizations before trusting them. Observing someone’s interactions with others to detect unhealthy behaviors. Limiting our exposure to those we don’t know well, or who treat us disrespectfully. Those skills aren’t always easy to deploy, but they are fairly straightforward, and we can strengthen them with practice. However, they aren’t easily commodified. Just ask anyone who teaches personal safety for a living: helping people work on their assertiveness skills is an even tougher sell than getting them to see the dentist.
What is easy to sell? “Internet security,” as marketed by Fear, Inc., consists primarily of products that protect our livelihoods rather than our lives. Hardware encryption is a $296 billion market worldwide. Anti-virus software for home computer owners, which promises to keep our machines free of malware, is also a big-ticket item. Norton antivirus products alone generate about half a billion dollars per year. And for nervous parents, there are subscription services that will let you control your kids’ online activity.
Ads for all these products rely heavily on images of badges, shields and locks. Blue is their color of choice—a subliminal melding of law enforcement’s traditional hue with IBM’s “Big Blue” aesthetic. Marketing for these products tends to contrast the chaotic nature of online environments—their risks too many and too diverse to comprehend—with the simplicity of the service being sold. One simple payment can resolve all your worries.
Do we get our money’s worth? On an average week last year, U.S. businesses suffered 160 successful cyber attacks. Among the most recent cases to make the news, hackers have purloined user data from major health insurers like Anthem and Blue Cross; from Forbes.com; web hosting site Github, domain registry Register.com; Penn State; and, of course, Ashley Madison. About thirty percent of America’s personal computers are infected with malware. Things would no doubt be worse without some of the products Fear, Inc. is selling, yet despite the money we’re spending, we’re hardly “secure.”
Significantly, a lot of online security crises aren’t even related to the products we buy or don’t buy. They’re related to behavioral mistakes we make, like using weak passwords, or sending information to the wrong email address. There’s a substantial gap between the way we’re advised to behave online—don’t open email attachments from people you don’t know, don’t use public Wi-Fi, change your passwords often, etc. —and what we actually do. That gap exists because we’re lazy, and because deep down, we’d like to believe that the internet really holds nothing more sinister than cat videos. But the gap is exacerbated by people who model and encourage risky behavior. Sometimes that encouragement comes from the very industries trying to sell us security.
Which brings us to LifeLock.
LifeLock Inc. (NYSE:LOCK) is a service that purports to safeguard your personal information from theft. Their name is a good example of the way Fear, Inc. conflates online “identity” with personal safety. LifeLock doesn’t protect your life; it protects your assets. For many years its chief marketing ploy was to splash the Social Security number of co-founder and Executive Vice Chairman Todd Davis on billboards, web ads, and the side of a truck which was featured in LifeLock TV commercials. The company’s message was clear: Even though “an identity is stolen every three seconds,” LifeLock will prevent any harm that might befall you due to identity theft.
As it happens though, Davis’ Social Security number (it’s 457-55-5462, if you were curious) has been stolen at least thirteen times. In many of those cases, Davis was apparently unaware that his identity had been stolen until collection agencies started calling him. This would seem to disprove the company’s messaging about how devastating identity theft is. In fact, Davis made a lot more money by shouting his Social Security number from the rooftops than he lost from its theft. He started LifeLock with $2 million in seed funding, and it now has total assets of $146 million. So maybe the lesson here is that it’s possible to strike a balance between security and productive activity online.
Maybe—but if so, LifeLock hasn’t found that balance quite yet. In 2010, the Federal Trade Commission determined that Davis’ cavalier treatment of his own personal information was mirrored by his company’s laissez-faire approach to customer data. LifeLock’s services “did not prevent identity theft and did not provide many of the protections claimed by Defendants.” The FTC fined LifeLock $12 million and placed it under a federal court order to properly secure its customers’ data and stop lying in its ads.
Given five years to correct these problem, LifeLock either failed, or decided not to try. Late last year, the FTC slapped the company with a $100 million fine for violating the previous court order. This is presumably why, if you visit Lifelock’s website today, you won’t see Davis’ Social Security number. You will see a lot of claims, like “1 in 4 people have experienced identity theft,” a statistic from an online survey that LifeLock paid for. You’ll see comforting language about monitoring "over a trillion data points a day” with “3 layers of protection” and “Identity Restoration Specialists.” And you’ll see footnotes— tiny, inconspicuous footnotes—that say things like “LifeLock does not monitor all transactions at all businesses” and “Phone alerts made during normal business hours,” and my favorite, in gray print on a gray background, at the very bottom of every page: “No one can prevent all identity theft.”
If you’re persuaded by LifeLock’s claims that “identity theft is America’s fastest growing crime,” and “everything you own could be at stake,” you can choose from three different Lifelock plans: Standard, Advantage, and Ultimate Plus, ranging from $9.99 to $29.99 monthly (plus tax). You also have the option of purchasing LifeLock Junior for your kids (only $5.99 a month). In addition to forking over the cash for this protection, you’ll need to provide the company with your social security number, birth date, bank account information, credit card numbers, driver’s license number, insurance information, address, email address, phone numbers, and your mother’s maiden name. You have to provide this information over an internet connection, to a company that has repeatedly been proven to disregard basic online safety protocols like encrypting data, limiting access to sensitive information, applying security patches to its network, and installing antivirus software.
Some four million people have been perfectly willing to entrust their personal data to LifeLock, a fact that seems incredible until you recall that the most popular password in use online is “password.”
Another reason LifeLock has four million customers is that companies suffering large data breaches often give victims a free subscription to such services. This happened to a friend of mine, not once but twice. In both cases, she was signed up without her knowledge or permission. Oddly enough, discovering this did not make her feel more secure.
There is an inherent tension Fear, Inc. must manage when selling online safety: To separate us from our money, companies need to cultivate our sense of vulnerability. “Scammers are everywhere,” this message runs. “Trust no one!” But the merchants of fear must also convince us they are worthy of our trust. “We’re OK though!” the message continues. “You can tell because our logos are blue.” The goal is a consumer anxious to spend, and willing to turn a blind eye to the inherent risk of the transaction itself.
LifeLock, like many of the companies that make up Fear, Inc., is creating a more frightened public via their marketing. At the same time, they’re distorting our perception of trustworthiness, and conditioning us to be more careless about our safety. “About 50 million U.S. consumers spent $3.5 billion in 2010 to buy products that are claimed to protect their identity,” according to Consumer Reports. “But do-it-yourself safeguards are just as effective as paid services.”
Yes, we’re lazy, and our passwords suck, and sometimes we click on email attachments we shouldn’t. But we can improve. We can construct better passwords, review our privacy settings, and cultivate a healthy skepticism toward emails that sound too good to be true.
Or we can pay someone to say they’re being responsible on our behalf. Maybe they will be. There’s really no way to know until something goes wrong. But we could, rather than swallowing the industry’s “Trust no one—except us” motto, begin our pursuit of online safety by trusting ourselves.