NICOLE CHIPI—On February 17, 2017, the Bundesnetzagentur (Germany’s telecommunications watchdog) issued an official warning to the citizens of Germany, banning a product it declared a threat to the private sphere. Jochen Homann, the agency’s president, added that the ban was “about protecting the rights of the weakest in society.” What was this unauthorized wireless transmitting equipment compromising German privacy?
My Friend Cayla, an internet-connected smart doll that talks—but more importantly—listens to users through a concealed microphone that records speech and transmits recordings to the doll’s manufacturer. The Bundesnetzagentur’s ban was executed under the authority of § 90 Telekommunikationsgesetz (Germany’s Telecommunications Act), which prohibits the possession, production, distribution, and importation of everyday objects (e.g. toys) that contain hidden cameras or microphones. The agency’s warning was compelled by concerns that Cayla’s microphone could be hacked and used to eavesdrop on German citizens.
American media outlets met the Bundesnetzagentur’s pronouncement that a toy was a domestic spy with an understandable degree of mirth, especially after a subsequent decree threatened a €25,000 fine to parents who failed to destroy any Cayla doll harbored in their home. But other articles reported that the ban was to be expected given Germany’s many privacy and data-protection laws, which are arguably the strongest privacy laws in the world.
This legislative resistance to threats of invasion of privacy has bred a collective preoccupation with data integrity among German citizens. This attitude has made Germans slow to purchase ‘smart’ devices, and generally resistant to the so-called Internet of Things (IoT). The Internet of Things is most-readily described as a network where objects have a digital presence and the ability to communicate with other objects and people. The IoT includes any Internet-connected device that isn’t a mobile phone, tablet, or traditional computer. Some popular IoT devices include smart health trackers like Fitbits, wearable computers like the Apple Watch, and smart speakers like the Amazon Echo. Over the past decade, these devices have become integrated into our lives and embedded in our homes. Some estimates suggest that there are approximately 25 billion of these IoT devices in use today.
Despite the explosive growth of IoT devices across all sectors, recent surveys reflect that less than a quarter of German adults own internet-connected devices and over 75% report that security and data protection concerns prevent them from purchasing IoT devices. And perhaps these preoccupations are not unfounded, given how easy it is to hack into internet-connected cars, medical devices, and even baby monitors.
Across the pond, American consumers seem less concerned with these potential threats, with nearly two-thirds (62%) reporting that they own at least one internet-connected device. This willingness to welcome IoT devices into American homes is not difficult to understand. The Internet of Things makes our lives more convenient and is the natural extension of a world that increasingly relies on digital networks. According to a study by the PEW Research Center, approximately two-thirds of American adults place their financial, health or other sensitive data online. But as our lives become increasingly digitized and networked, risks of privacy invasion and exposure grow alongside it. In fact, the same PEW study shows that two-thirds of Americans have personally experienced a major data breach.
Despite these direct experiences with hacking, nearly 70% of American adults do not express worries about cybersecurity in their personal lives, or in their expectations for the data integrity of various public institutions. This lack of concern exists even though a substantial majority of Americans anticipate major cyberattacks in the next five years on our nation’s public infrastructure, or banking and financial systems.
But what is this apathy fueled by? Surveys suggest that unlike Germans, Americans are generally not preoccupied with data integrity and are willing to share personal information with a third party in exchange for a benefit, like free services. Some commentators have noted that Germans are likely sensitive to privacy and data collection issues because of trauma experienced during the era of Nazi and Communist governments, when the release of personal information could result in incarceration or death. By contrast, one might reason that over two centuries of American democracy have fostered a society that is generally unpreoccupied with the threat of privacy invasion, even in a Post-Snowden world.
This apathy towards cybersecurity issues has been on display as of late, in the shadow of revelations that the Russian government orchestrated the hacking and release of thousands of Democratic National Convention emails with the intent of influencing the 2016 presidential election. Where overwhelming evidence suggests that a foreign power engaged in aggressive cyberespionage and attacks against American democracy, one would expect a unified public outcry. But even as 72% of Americans say that Russia was “definitely or probably behind the hacks,” less than half believe that the sanctions imposed on Russia in response to the attacks were “about right,” while another 20% report that they “go too far.”
Though survey responses were not necessarily partisan, a piece by the New York Times suggests that Trump supporters are especially unconcerned with the cybersecurity threat to our democracy. When questioned about the release of an official intelligence chiefs report unanimously concluding that Russia ordered an extensive covert cyber-operation to help President Trump win the election, one Trump supporter said, “If that’s what it took, I’m glad they did it.” Another reported that the general consensus among friends on his social network could be summed up as “what’s the big deal?”
But this general lack of outrage seems to extend beyond partisanship. The more likely culprit is desensitization. Unlike Germany, which was the first nation in the world to pass encompassing data integrity laws, the United States has not made the digital privacy of American citizens a priority. As the survey results above suggest, these legislative differences have enormous effects on the way citizens engage with the digital world and create expectations about cybersecurity. Absent a legislative climate that errs on the side of privacy protection, Americans have resigned themselves to a world where cyberattacks are par for the course, and any expectation of privacy is readily sacrificed for the convenience of an internet-connected existence. In this sense, the same phenomenon that makes Americans more open to the presence of IoT devices in their homes may be the thing that makes them apathetic about a foreign power hacking a democratic election.
Recently, stories of Russian election hacking have evolved into allegations that the Trump campaign may have coordinated efforts with the Russian government. Though the President once famously encouraged Russia to hack into his political opponents e-mails, he now claims that accusations of collusion are “made up.” And even looming investigations have failed to stir up any palpable outrage on the part of American citizens.
This culture of cybersecurity and privacy apathy, fostered by a lack of protective legislation and a willingness to sacrifice personal data for convenience, actively endangers the future of American democracy. As tensions between the United States and foreign powers continue to escalate, we can safely anticipate an increase in the number of cyberespionage attacks targeting the American government and private citizens alike. And though we might get a good laugh from a country that concerns itself with the national security threat imposed by a talking doll, perhaps some German-style skepticism would better protect what some political scientists report is a weakening democracy.
American attitudes towards privacy and data integrity might best be addressed with the cybersecurity equivalent of a public health and safety campaign. While collectively abandoning the IoT may not be necessary (or even possible), increasing awareness of prophylactic measures that decrease the exposure these products create could improve our herd immunity against cybersecurity threats and better our value system around issues of privacy. This shift in attitude is sorely needed, as is a collective movement to counteract efforts by the Republican party to repeal what precious few digital privacy protections Americans do have. If not, it may be the Bundesnetzagentur that has the last laugh. In private, of course.