Data Privacy Week: is it time to rethink our approach to privacy?

It's Data Privacy Week again, the annual event that reminds us to secure our data online. I'm sure, though, that with the changing laws and events around the globe, most of us have been thinking hard about our privacy in the past 12 months. 

For instance, while opening up new exciting possibilities, the AI chatbot frenzy also brought fresh concerns about data harvesting and online scams. The use of VPN services is still high around the world among both citizens and organizations, too. In the meantime, Big Tech received some of the biggest fines ever for infringing GDPR rules in Europe—already earning enough to pay them off. If that's not enough, the quantum computing threat continues to loom in the background which will make traditional encryption methods obsolete.

Looking back at last year's events, I couldn't refrain from wondering whether the steps we take as users, organizations, and lawmakers are enough as technological developments land with increasing pace. With this in mind, I turned to cybersecurity experts and asked whether or not they think it's time to change our approach to privacy.  

New tech, new privacy issues

Artificial intelligence (AI) is the latest hot topic in tech, and it's an umbrella term that has many iterations. You may already recognize some of them, like the face ID feature on your smartphone, social media filters that personalize your feed, or even services like ChatGPT.

Andrew Sullivan, President and CEO of the Internet Society—a global non-profit organization that works to keep the internet open, connected, and secure—believes that the biggest challenge now is managing to predict exactly what the new threats to data privacy are going to be in the future.

He told me: "It’s especially bad in the case of AI because it’s a catch-all term for about nine different things. So, it’s really hard to understand what the consequences are of any particular piece of technology."

We may not have a full understanding of all the security risks caused by AI, but the larger adoption of ChatGPT and similar apps has already given a glimpse of the privacy mess these tools can cause.

ChatGPT's privacy nightmare starts with how it collects and stores your personal data, as it scrapes from the web without consent, or that we actively share in the chatbot. OpenAI and similar firms are also infamous for employing invasive privacy policies—ChatGPT was briefly banned in Italy because of this.

Then there are the challenges of regulating such applications, especially in countries like the US, where data protection laws are still lacking—as privacy advocate Brittany Kaiser pointed out. While the EU is currently finalizing the text for its AI Act, which is likely to become the go-to model for the West, the process isn't free of controversy from a privacy and security point of view.

In the meantime, cybercriminals have been using these tools to craft convincing phishing scams, ID fraud, and even deepfakes to spread misinformation online.

Outside of the realms of AI, another beast is lying in wait: quantum computing. Despite the full adoption of quantum computing being "quite a distance away," as Sullivan noted, cybercriminals are already prolific in so-called store now, decrypt later (SNDL) attacks. This means they are currently accumulating huge quantities of encrypted data to decrypt once quantum technology is capable (which is expected within the next 5 to 20 years).

Take a step back

According to Simon Wistow, Co-founder of cloud computing service provider Fastly, now is the time to reflect on how these exciting, but also concerning, tech innovations are going to affect everyone's privacy.

"Even if we think there’s going to be mostly positives, we still need to think about what the negatives are. That’s for all new technologies," he told me. "The more we plan, the better it's going to be."

A similar approach seems to be shared by the team at Kape Technologies, the security firm behind some of the biggest names in the VPN world like ExpressVPN, Private Internet Access, and CyberGhost.

Jose Blaya, the Director of Engineering at Kape, told me: "As we step into an era of more advanced technologies, our approach to data privacy must evolve. It should be proactive, not just reactive, adapting to potential future challenges while leveraging new opportunities to strengthen data protection."

AI, for example, is also a powerful tool that security software developers can use to their advantage. Engineers at NordVPN have already started to experiment with new ideas and approaches in this remit with the NordLabs initiative. The team already launched Sonar last September (an AI-enabled tool to fight back against increasingly sophisticated phishing attacks), and new projects are expected to be released this year.

Privacy should be the default

For Amandine Le Pape, co-founder at UK-based encrypted communication and collaboration platform Element, it isn't exactly the approach to data privacy that needs to be changed but rather the way software is developed in the first place.

She believes there are few ways lawmakers can ensure companies use and store data, besides finding the right balance at a policy level to protect users without putting too much burden on small companies. That's why she thinks privacy should be a priority from the start.

"Privacy should be designed by default. People need to think about it when they build software. I think more and more people are getting it, but there are still a lot of people who don’t," she told me. "Education and awareness are, for me, the things we should keep working on."

Andreas Theodorou, digital privacy expert and Editor-in-Chief of Tech/Software at Future plc (the publishing company behind TechRadar), also believes privacy should be a default for today's software. 

When it comes to security software, for instance, he believes it should be legally mandatory for all encryption-providing services to adhere to the NIST-recommended quantum-safe standards to protect against new threats. He said: "Far too many companies fall behind on this matter and it puts people more at risk with a false sense of security." 

While some providers have already started to implement quantum-resistant cryptography in their services, many others are yet to catch up. The list so far includes the encrypted messaging app Signal, secure email provider Tuta (previously known as Tutanota), and some VPN services, including ExpressVPN and PureVPN.

We should be in charge of our privacy

As Data Privacy Week seeks to teach us, we should all take agency back over our data. Even when it looks like the threats are bigger than us, there are still ways to minimize their impact.

"Our approach to privacy must change—there's no doubt about it. People are far too complacent with their digital privacy, and with the rapidly increasing complexity of cyberattacks and social engineering, it's all too easy for someone with malicious intent to cause you harm," Andreas explained.

First and foremost, we should all think carefully about the personal information we share online, especially on social media, as these can reveal more details than we think about our offline lives. It's also very important to use a VPN for everyday browsing, especially when using an insecure network like public Wi-Fi.

A virtual private network (VPN) is security software that has become very popular for accessing geo-restricted content as it spoofs your IP addresses. Yet, it also encrypts internet connections to prevent snoopers from spying on your activities—and that's exactly why they can help to make us more anonymous online.

On this point, Andreas said: "In this modern world, where our digital privacy is being repeatedly encroached upon, it's no longer a luxury to use tools like VPNs, it's a necessity. We must claw back our digital privacy if we don't want to be exploited at every opportunity."