Security/Privacy Insights from Mozcamp Asia

In my last blog post, I talked about the workshop I led at Mozcamp Singapore regarding security and privacy concerns in Asia. Here, I’ll talk about some of the insights I’ve been mulling over from that discussion and other ones I had with the Mozilla community during that weekend. Note that my thoughts here aren’t meant to be a definitive look at security and privacy in Asia; rather, they are broad ideas for further research in the region.

My top five findings from the workshop (explanations in the full post below):

  1. Security needs to be convenient. People have little incentive to stop what they’re doing and figure out how to keep themselves safe.
  2. People see hints of our connected world’s security/privacy flaws in their daily lives, but don’t feel that they have true control over addressing these concerns.
  3. Many Asian countries have a growing desire for safer online banking and e-commerce, but security best practices and regulation have yet to catch up.
  4. Asians tend to trust institutions, big businesses, and well-established Western companies with their security. However, they had mixed feelings about Western companies when it came to privacy concerns.
  5. Mozilla can best help our users feel safer online by maintaining a sense of integrity in what we say and do.

If you’re from the Asia-Pacific region, I’d especially love to hear what you think about these insights. If you’re from somewhere else in the world, we’d love to hear your answers to some of the questions we asked our Asian participants:

What is online security and privacy like in your country? What can Mozilla do to make you feel safer on the Web?


What’s similar to what we’re learning in North America:

1. Security needs to be convenient. People have little incentive to stop what they’re doing and figure out how to keep themselves safe.

When asked about what online security and privacy is like in their country, most participants initially shrugged and said that nobody cares about it. But when asked to explain why this is the case, they said it’s because these features and warnings are too difficult for the average person to really understand. Thus, when faced with a choice, most people would rather just have “fun” online (in the words of one of our participants) instead of worrying about their safety: “Users want to access sites, not deal with security and privacy jargon. Knowledge [about what these mean] makes a lot of difference.”

Some of the improvements that participants wanted to see to help them understand how to be safer online include:

  • Making privacy policies less “boring and difficult”
  • Clear distinctions about what security/privacy messages are important or unimportant (they can’t ALL be equally important), and what behavior is secure or insecure.
  • Making privacy settings easier to understand
  • Clearer information about how browser add-ons work (ever accidentally added a random site’s toolbar?) and any security/privacy concerns with particular ones.

2. People see hints of our connected world’s security/privacy flaws in their daily lives, but don’t feel that they have true control over addressing these concerns.

Our workshop was full of anecdotes of participants who were uncomfortable with gaps in their privacy/security:

  • “I get people calling me all the time. All they don’t have is my [bank] PIN”
  • One participant said he “doesn’t feel very safe online because of adware”
  • “People give up personal ID numbers (China), social security in US for access to free software. Younger generations increasingly reluctant to give up these ID numbers”
  • “Websites track your activities by default”

Participants had the sense that the entities who were violating their privacy (or security, in the case of hackers) were too big, too abstract, too far away, for them to impact. Foreign companies especially seemed like they could do whatever they want with few constraints in most parts of Asia.

Most tried a variety of strategies to feel a little safer online. Some tried to avoid the problem by not submitting personal information online. Others had a “don’t think about it until something bad happens” mentality. One person’s rule was: “If geeks use it, it must be safe”. Happily, many others suggested using Firefox features such as private browsing mode, master password, security add-ons, and Do Not Track.

But the real theme that emerged was that everyone was attempting to be safe online, but no one felt confident that their actions actually made a difference.

These anecdotes show that proactive security/privacy features in the browser could have a big impact on how safe our users feel online. However, they need to be easier to discover and use; people shouldn’t need to hunt for them and assemble their own arsenal of protections.

 


New themes that came up in Asia (that might still apply to the rest of the world):

3. Many Asian countries have a growing desire for safer online banking and e-commerce, but security best practices and regulation have yet to catch up.

Some countries such as Singapore and Hong Kong have well-established regulations for online financial transactions. Participants from these countries felt that there’s “not really anything that cannot be done [online] due to strict enforcement of laws [which] ensure that companies play by the rules of the law.”

However, in more parts of Asia, such as China, Indonesia, and Taiwan, the desire for e-commerce is outpacing sophisticated regulation. When participants were asked what they’d like to do more of online if they didn’t have security or privacy concerns, many spoke about banking and other financial transactions:

  • “E-commerce is convenient but has privacy and security concerns.”
  • “In China, 2-factor authentication exists but is not common. Managing [customers’] security / privacy is not very strong.”
  • “If I want something with the bank, I go there in person.”

(In comparison to banking, other activities such as using social media and playing online games were common in most parts of Asia.)

Though Mozilla might not have a direct impact on financial regulations in these countries, we can improve or add features to our browser that support the growing desire in Asia for secure financial transactions online.

4. Asians tend to trust institutions, big businesses, and well-established Western companies with their security. However, they had mixed feelings about Western companies when it came to privacy concerns.

In general, participants were more likely to trust organizations that have the capacity to invest in security or have more to lose from a breach, both because of the number of customers they serve and because of their prominence in the media. For example, people in China are more likely to trust industry leaders like QQ, Taobao, and Alibaba over a business with a small customer base. Amazon was another company that people said they trusted because it was “big”.

Participants in countries where online transactions are common said that they trust banks and utilities companies because “they have to invest in security”. (Though one Taiwanese participant did say that he doesn’t trust government sites anymore because “they outsource the site”.)

The perception that big = trustworthy is one that I’m curious about comparing to North America, where so many of our institutions and big businesses have dramatically eroded our trust in the past decade through scandals and financial mismanagement.

When it comes to protecting personal information, participants had mixed views on who they trust. A couple said that people are more likely to trust Western companies like Google with their data because they had to respect higher privacy standards than local companies. However, many were also suspicious of Facebook and Google because of the amount of data they collect. “I know they store my data and [are] gonna sell it someday”, said one participant. Perhaps the widespread usage of services from these global companies makes it easier to be suspicious of them compared with local ones.

It was great to hear that Mozilla’s values and those of other open source companies resonated with our participants’ peers in Asia too. Of course, our workshop audience was more than a little skewed, but given what they defined as trustworthy by Asian standards, I still think Mozilla has a great opportunity to reinforce its role as a trustworthy entity in the region.

5. Mozilla can best help our users feel safer online by maintaining a sense of integrity in what we say and do.

I was really surprised by the number of participants who explicitly mentioned the word “integrity” in their conversations as the key way Mozilla can help them feel safer online. Sure, people also mentioned browser features we could develop, but they were very clear that living up to our values is just as important:

  • “Be honest to [the] Firefox user: [fix] security holes, vulnerabilities, uninstall some add-ons. Be honest.”
  • “Be direct: communicate problems”
  • “Admit that Mozilla has a problem, if a problem exists”

I certainly hope that as a company, we can live up to the high bar for integrity that our contributors in Asia have set for us.

2 comments on “Security/Privacy Insights from Mozcamp Asia”

  1. Ping from Security and Privacy Workshop at Mozcamp Asia | Mozilla UX on

    […] Dec. 18, 2012 Update: You can find the link to the insights blog post here. […]

  2. Shen Hao wrote on

    I think your conclusion is very accurate. I’m looking forward to seeing the product improved.
    btw: I’m your partner in MozCamp2012 Asia. ;)