The hidden link between Phishing attacks and the American Data Privacy and Protection Act

On how human nature and digital literacy are connecting privacy regulations and phishing attacks.

This week I read two seemingly unrelated pieces of news: one was related to the American Data Privacy and Protection Act (ADPPA) being pushed for a vote in the House. The second one was on phishing attacks skyrocketing with top brands like Microsoft and Facebook being heavily abused in the process.

The ADPPA is an American equivalent of GDPR and sets the standards for how tech companies and other businesses can use consumers’ personal information. The bill sets boundaries on how user data can be collected and used for tracking and targeted advertising. There is plenty of anxiety in the advertising industry due to the new privacy regulations and the approaching cookieless future.

The other piece of news frustrated me quite a bit. It talks about the vulnerability of the general public when faced with nicely crafted phishing campaigns. There are many studies and reports showing that phishing techniques are used in up to 90% of all cyber-attacks. Criminals are becoming increasingly skillful in leveraging brands (and not only brands) that people trust in order to trick them into exposing (e.g. credential stealing) or losing access to their personal data (e.g. ransomware).

Though personal data is at the center of both topics above, there is a huge and obvious difference between the two. While using personal data for advertising purposes is legitimate (in principle) and brings real value to both businesses and individuals, phishing is illegitimate to the bone. But as different as they are, there is also a strong underlying connection: the digital literacy of users and human nature. Specifically, the large gap between the public’s (lack of) digital literacy and interest on one side, and the capabilities and determination of those interested in using or abusing personal information on the other.

Let me state this bluntly: while the efforts to create a solid foundation of digital literacy should be an ongoing priority, there is no way to raise the awareness of the general population to the level where they can match professionals (from big tech or cyber-crime). The inequality of resources and capabilities will always be there. And here is where laws and regulations come into play.

As uncomfortable as this might be for some industries, the state must step in and set boundaries and guardrails in order to balance the ecosystem. Regulations like GDPR and ADPPA are meant to restore a healthy balance between the users’ best interest and the drive for profit of big tech. This obviously creates challenges for a much wider range of entities in the economy. But this is fine: as with any other resource in the world, data in general, and personal data in particular, should be used with consideration for the entire ecosystem.