Even before we get close to connecting everyone on Earth to the internet, data breaches are threatening to drive people away from the internet, according to the Internet Society.
The Internet Society, or ISOC, a non-profit founded by the 'father of the internet' Vint Cerf, fears that seemingly endless data breaches are seriously damaging people's trust in the technology.
That dwindling confidence could hamper already slowing growth in internet adoption, and throw a spanner into plans to use the internet for business, education, healthcare, and public services.
In its 2016 Global Internet Report, released today, ISOC argues that breached organizations are getting off too lightly and that, unless they're given more incentive to invest in cybersecurity, breaches will continue piling up.
The Have I Been Pwned breach alert service now contains a database of 1.9 billion breached accounts. ISOC's report highlights that in 2015 over 700 million records were exposed. It believes these could be the thousand cuts that kill the internet.
The breach of UK ISP TalkTalk, which exposed financial details of over 100,000 users, exemplifies what the report's author, economist and ISOC senior fellow, Michael Kende, considers a market failure in cybersecurity investments.
"It was a breach of their system using a known vulnerability that they hadn't patched. The hackers were a bunch of teenagers. This is a technology company. Why can't they do better than that; be more up-to-date, patch vulnerabilities, encrypt data, and use the tools that are available?" Kende told ZDNet.
Even though TalkTalk's breach cost £60m ($74.4m) and the company was later fined £400,000 ($496,000) by the UK's privacy regulator, those figures are unlikely to come close to capturing all the additional costs, or externalities, that were carried by customers.
As Kende points out, little is known about the time and money users spend after a breach calling banks, cancelling cards, or getting a lawyer. There's also a dearth of information on the impact of identity theft, which might surface several years after a breach.
Some recent studies have drawn attention to the relatively low cost of data breaches and its impact on incentives to invest in cybersecurity.
A Rand Corporation study found the cost of a breach was just 0.4 percent of a firm's annual revenues, matching what they spent on cybersecurity. Another estimated that the breaches at Target, Sony, and Home Depot cost the firms less than one percent of annual revenues. In Home Depot's case, credit-card firms faced a higher bill than it did due to the cost of replacing cards.
The other key issue is asymmetrical information. It's hard to tell which organization has invested more in cybersecurity than others. Consumers are faced with a market for lemons, much like second-hand cars, while organizations don't reap all the benefits when they do invest.
One reason the Internet Society is drawing attention to trust is a persistent slowdown in internet penetration despite more than half of the world's population remaining disconnected.
ISOC is worried that data breaches could exacerbate that trend and contends that recent breaches have already impacted user trust, particularly in Europe and the US.
Figures from the International Telecommunication Union (ITU) show that the past decade's double-digit annual growth rates for internet penetration fell to eight percent in 2015.
"The fact that growth rates keep falling with internet penetration still below 50 percent is cause for alarm," Kende notes in the report.
Concerns over mass surveillance and even fake news could also be having a chilling effect on trust, but Kende argues data breaches are more damaging.
"When you hear 110 million credit cards were stolen, or that passwords of 500 million Yahoo users were taken and what can be done with that, I think that's more concrete evidence of personal harm," Kende said.
"You don't have to be a customer of Ashley Madison to imagine the situation and stress these people were in, even if you don't agree with what they were doing. The accumulation of these breaches and the financial cost, because it's so tangible, is having a significant effect."
The first of ISOC's five recommendations to prevent the slow death of trust in the internet is to include impacts to the user when assessing the cost of a breach. It also calls for greater transparency through data-breach notification laws. Organizations should also be held accountable and must be given greater incentives to invest.
But the report stops short of outlining a path to achieving this goal. Kende is supportive of a European proposal for cybersecurity labels on electronic devices as one way to overcome information asymmetry.