A study released by Intercede today says that: “Millennials in the U.S. and U.K. have almost entirely lost trust in government and business to protect their personal information online.”
Millennials are often accused in reports of having little or no understanding of security based on their social media profiles. This view is constantly repeated despite security reports showing that they are more aware than their managers from the baby boomer generation.
The research was conducted by Atomik Research on behalf of Intercede and involved approximately 2,000 16-35 year olds. They were asked: “..their perceptions of current security measures and the level of importance they place on having their data protected.” It was not just about whether their data was encrypted; they were also asked about the sharing of data by sites with third parties without their explicit permission.
According to Richard Parris, CEO of Intercede: “Unfortunately we now live in an age where data breaches have become a common occurrence and the more digitally connected we become, the greater the risk.
“Government and business need to step up to more effectively safeguard the private information of their constituents and customers online or risk eroding trust and further damage to their reputations. Millennials are a prime and extensive demographic driving votes and dollars worldwide. Restoring digital trust by taking active measures to ensure privacy and secure personal data should be a top priority.”
No option to see cultural differences between Millennials
The survey covered a wide range of organisations on both sides of the Atlantic. Unfortunately, in the data set provided to us we did not get the raw data on all the organisations and it was not possible to separate out the US and UK responses. It would have been interesting to see if there was a cultural difference between those spoken to.
Another area of interest would have been to extend the survey into France, Germany, Korea and Japan to get a much wider view of this age group and its attitudes towards security. After all they are already running many of the data systems we use and will have a significant impact in designing the next generation of products, software and security systems.
Complete trust is hard to come by
For each of the 17 types of organisation covered, people were given the choice of five answers as to their level of trust, although we were only allowed to see the raw data on 8 of the 15 organisations:
- A little
- A Lot
As can be seen from the image below, not a single organisation came close to having “Complete” trust as the top rating. In fact, only 5 managed to score above 10%: Employers, Schools/Universities, Financial Institutions and Government departments. Of these, only Financial Institutions scored above 20%.
When it came to no trust, the worst organisations were Dating Sites, Social Media Platforms, Search Engines and Recommendation Engines. Over 20% of people said that they had no trust in these organisations to protect their data and not to share it.
Awareness of data sharing risk almost universal
It was clear that the millennials who responded were all aware of the risk of data sharing. When asked about their financial data: “For the following categories of information, how important is it to you that the information is only shared with those individuals or companies you have specifically authorised?”; only 3.7% said it was not important compared to 68.44% who said it was vital that sharing was strictly limited.
A similar level of concern was shown when asked about medical data. Interestingly the responses were not as high in terms of the need for protection as for financial data. Only 58.23% said it was vital to protect their data while 4.88% said it was not important. There has been a significant interest from medical companies in wanting access to medical data in order to carry out research. It’s clear that while this is not being ruled out, Millennials are not willing to just give it up.
Interestingly, a recent article in Computer Weekly showed that the NHS trial of the Verify ID assurance system found that patients had concerns over the use of banks to control access to medical data. Banks were chosen on the grounds that the project leaders initially thought that people would see their banks as a good identity provider. With that now not the case, Computer Weekly reported that the project will now use Passport checks through local GPs instead.
Ambivalence to the sharing of social media and purchasing preferences
When asked about the sharing of content on social media, the responses were much more like the general perception of Millennials. Only 28.11% thought it was vital to control the sharing of data while 16.91% said it was not important. The same was true when it came to purchasing preferences. While 29.68% thought it was vital to protect data, 16.57% were not bothered.
The numbers around not important show an ambivalence to the need to protect personal data. What is not clear from the data set is whether this is an age-related response. That level of detail was not released to us and we don’t know if Atomik Research actually collected the data to that degree of granularity. If they did, it would be interesting to see how the not important responses are distributed by age.
For companies such as Google, Bing and Yahoo this is good news. It means that they can continue to reap customer data through their search and shopping engines and share it with advertisers. Facebook and Twitter will also be happy with the responses here especially as they are coming under attack about the way they share user data with third-parties.
Protection needed for location and movement data
Every mobile app seems to want to have access to location-based data. Much of this is so that they can push advertising related to businesses nearby. On one hand this is perfectly reasonable but the problem is one of unintended consequences. It has already been shown by studies in the UK and US that it takes very little effort to take multiple seemingly anonymous data sets and quickly begin to identify individuals.
There is also an issue here for businesses as they capture data. While they might share it having taken steps to anonymise it, if it is later used to identify an individual there are data privacy issues. With draconian laws and fines being enacted around the world, companies need to start thinking carefully about how they share and mix data sets.
47.24% felt it was vital to protect this data while 8.33% said it was not important. As with the issue over social media and purchasing preferences, this may well be an age-related response. If so, it indicates a failure of online safety programmes.
Motivation for allowing companies access to personal data
It was interesting to see that the survey was thought out well enough to try and get to the core of why people might be willing to share their data. Respondents were allowed to select up to three options but there was no ranking of these choices. As well as allowing people to say why they would share their data, there was also the option to say “I don’t allow access if at all possible”. The top answers from this question were:
- 34.66% – I don’t allow them access to my data if I can prevent it and take steps to do so
- 23.82% – I trust those I give access to and am not worried about how they will use the information
- 23.32% – I believe that allowing access to my data will allow them to improve their services and ultimately help “the greater good”
Surprisingly these responses contain the two extremes and just one acceptable reason for sharing data.
Will poor cybersecurity cause riots?
The survey respondents were asked to select from a list what they felt were the likely outcomes of the statement: “The failure of companies and governments to adequately protect the identities and personal data of consumers and citizens will eventually lead to..” The top three answers were:
- 54.44% – Public distrust of goods and services
- 43.59% – Decline in data sharing / opt-in settings
- 36.44% – Public uprising / demand for action
The top answer is really something to be expected. However, the fact that 36.44% felt that it could lead to public unrest is quite surprising. What it does show is that the response to the financial crash and the anti-austerity movements, both of which saw people take to the streets, have created an acceptable approach when people feel they are not being listened to.
Of all the responses in this survey, it is the one that will surprise many people, and for those companies that handle large amounts of personal data it means they need to rethink their current trust models. No CIO wants to be responsible for any office building being trashed by protesters angry at the way their personal data is being treated.
This survey comes at the end of a two week period where we have seen two major judgements in the European Court of Justice dealing with the protection of personal data. Europe and the US are now in the process of having to redefine Safe Harbor as well as decide how to deal with personal data protection in the upcoming Transatlantic Trade and Investment Partnership (TTIP).
It also shows that categorising Millennials as not caring about their personal data is just plain wrong. While they are willing to allow some sharing and there are areas where they see sharing as acceptable, they want to exercise control over that process. Attitudes to data protection are changing and businesses need to make sure that they take notice.