Mary Meeker speaking at the 2019 Code Conference in Scottsdale, Arizona. Asa Mathat | Vox Media.

Encryption, Privacy in the Internet Trends Report

Every year, venture capitalist Mary Meeker publishes key trends in technology—and she has a long track record of correctly recognizing significant trends. This year, online privacy, secure communications, and data protection made the list.

In this year’s 333-slide Internet Trends report, Meeker noted that online communications are becoming more secure, and individual users are making decisions that help them be more secure. At the start of 2019, 87 percent of Web traffic was encrypted, compared to just 53 percent in 2016, Meeker said, citing Fortinet’s Quarterly Threat Landscape Report. Encrypted messaging apps are also increasingly popular, with services such as Telegram, iMessage, and WhatsApp outpacing the growth of non-encrypted services such as Twitter and WeChat. Even services that offer encryption as an optional feature, or have announced plans to introduce end-to-end encryption, such as Gmail, Instagram, and Facebook Messenger, have higher growth rates than non-encrypted services.

Meeker has released the exhaustive annual report examining who is connected online and how people are using the Internet since 1995, when she was an analyst at Morgan Stanley. The last few reports were released while she was at venture capital firm Kleiner Perkins. Last fall, she moved to a new growth fund, Bond Cap LLC. This year’s technology trends report was unveiled during a 30-minute presentation at the Code Conference in Arizona.

State of Cybersecurity

The report acknowledged the increase in attacks by state-sponsored actors and in attacks on large-scale data providers. The United States, United Kingdom, the Netherlands, and Germany have publicly indicted state actors for attacking their networks over the past few years. Cloud providers, telecommunications companies, and data brokers (such as Equifax) are seeing more attack activity. According to the report, more data is now stored in the cloud than on private enterprise servers or consumer devices. Attackers are increasingly going after the data stored within cloud providers.

The report also cited figures from the Uptime Institute that 31 percent of data center operators experienced a data center outage in 2018, compared to 25 percent in 2017.

Considering the number of data breaches that were the result of poorly configured server instances in cloud environments, it is clear that cloud security is going to become a bigger part of the conversation. So much of the data resides on someone else’s networks, and organizations need to know what controls are in place.

One good figure to pull out: Meeker cited FireEye’s M-Trends Report to note that attack-to-detection dwell time has been falling over the past few years, from 416 days to detect an attack in 2011 to 78 days in 2018.

2FA on Notice

At first glance, the figures on two-factor authentication in the report—which claimed 52 percent of websites globally supported two-factor authentication—were very encouraging. So many data breaches and attacks could have been blocked if the user had enabled two-factor authentication on their accounts: it is easier than ever to steal passwords, but much harder to steal something you have (or part of your body). However, the actual figure is likely far, far, far lower.

Meeker was citing research by Elie Bursztein, the security and anti-abuse lead at Google, who’d analyzed the thousand or so websites listed on dongleauth.info and found about half offered some form of two-factor authentication. It is too early to celebrate such a high number of websites offering this level of protection to their users, since dongleauth.info offers a highly curated list of commonly used websites to users who are looking to turn on two-factor authentication on as many of their accounts as possible. Bursztein said that mapping the sites listed on dongleauth.info against a 2015 list of Alexa top 1000 (since Amazon no longer makes this list public) showed about a 40 percent overlap of the top 100 domains and 23 percent overlap of the top 500.

Meeker also noted a point made by FireEye Threat Research: while there was an “uptick” in organizations securing their Virtual Private Networks (VPNs) and remote access infrastructure with multi-factor authentication, that level of protection was generally missing for applications “being accessed from within the internal corporate network.”

Growing Cost of Privacy

There are now 3.8 billion Internet users globally, which is a little more than half of the world’s population. Back in 1995, Meeker said only 10 million of 150 million PC owners used the Internet. Contrast that with 23 years later, when more than a quarter of U.S. adults said they are “almost constantly online,” according to the Pew Research report cited by Meeker in her report. That number jumps to 39 percent when looking specifically at 18 to 29 year olds.

Last year’s report emphasized data and personalization. There was a lot of focus on how companies were boosting their data collection efforts to provide targeted user experiences. This year’s report illuminated the increased concerns over companies having so much information.

About 52 percent of users are concerned about Internet privacy, Meeker said, citing the CIGI-IPSOS Global Survey on Internet Security & Trust. This sounds like a high figure but is actually lower than previous years. One of the reasons for the decline may be the changes in the regulatory landscape, such as the European Union’s GDPR and California’s CCPA, and the fact that many of the technology companies have rolled out more privacy tools for users. For example, Apple has tightened its rules for iOS developers on what kind of data can be collected and how the information can be used.

“Consumers are aware of concerns about internet usage overload and are taking steps to reduce usage—leading [U.S.] Internet platforms have rolled out tools to help monitor usage and social media usage growth appears to be decelerating following a period of strong growth. Privacy and problematic content concerns are also top-of-mind and are following similar patterns,” Meeker said.

The report also noted that Facebook recently talked about pivoting to a “privacy-focused” company and creating smaller, more intimate networking experiences for users. Social networking may shift to an experience that feels more like secure group messaging. The regulatory changes and new developer rules require changes in how companies have relied on advertising, data collection, and user consent. Facebook CFO David Wehner said the new "Clear History" feature will affect the company's "ability to do third-party targeting."

China’s Influence

China, by virtue of its population and market size, exerts a lot of influence on technology, and Meeker acknowledged that fact in her report. More than half of the world’s Internet users live in the Asia-Pacific region, and China has the most Internet users in the world, or about 800 million (21 percent). India is second, and the United States has 8 percent. Along with having the most users, China also has a lot of Internet companies. Of the top 30 Internet market cap leaders, seven were Chinese: Alibaba, Tencent, Meituan Dianping, JD.com, Baidu, NetEase, and Xiaomi.

This combination puts China in a good position to influence how the Internet grows and changes. For example, many of the features that are now ubiquitous in messaging and social media apps—such as mini-programs and e-commerce capabilities—were first introduced and popularized by Tencent’s WeChat. (So many challenges and filters originate in Weibo before coming to Twitter and Instagram.) Meituan’s “super app” offers more than 30 services, such as restaurant reviews and reservations, home rentals, hotel bookings, and grocery shopping. Alipay transformed itself from just handling payments to other financial activities such as managing investments, invoices, and insurance. Non-Chinese companies such as Grab, Rappi, and Uber are following this approach to add more services and expand their userbase.

There will be more features and business practices coming out of China that will become common everywhere else. On one hand, there is nothing wrong with a company—or a group of companies—introducing new features, but some of the new tech features currently being tested in China pose serious privacy questions.

China offers a lot of public services through apps, such as applying for visas, paying utility bills, taking a number to be seen at the hospital, and renewing a driver’s license. China is experimenting with a social credit system that assigns each citizen a score based on their behavior and perceived trustworthiness. A low score has social consequences. Play music too loud on the train, and be unable to book a flight. Criticize the government and be banned from traveling on certain train lines or from taking out a loan to buy property. There are several private systems as well as an official government program, and the idea that these systems could be linked and put together an in-depth dossier on individuals is unsettling. That's a lot of data being collected with little protection, and no transparency on how it is used.

Health Care Warning

The healthcare tech sector is growing, as consumers now have new tools, wearables, and new methods to interact with physicians. The healthcare industry’s digital transformation push is correlated with the rising cost of health care in the United States, Meeker said, as consumers increasingly rely on these new technologies to make better decisions about their healthcare.

However, many of these new technologies are not coming from healthcare providers, but from the same tech giants pushing new consumer technologies. Apple’s ResearchKit allows clinicians to use the Apple Watch for clinical research, and Google and Microsoft are building artificial intelligence systems to help physicians diagnose diseases.

The role non-healthcare companies are playing can be concerning. It’s one thing to make mistakes and expose user data collected via consumer devices to third-party entities—but it would be an unacceptable breach of patient privacy and confidentiality were that to happen with healthcare data.
