Someone finally decided to examine “cybercrime” statistics, and here’s what they found:

The cybercrime surveys we have examined exhibit [a] pattern of enormous, unverified outliers dominating the data. In some, 90 percent of the estimate appears to come from the answers of one or two individuals. In a 2006 survey of identity theft by the Federal Trade Commission, two respondents gave answers that would have added $37 billion to the estimate, dwarfing that of all other respondents combined. This is not simply a failure to achieve perfection or a matter of a few percentage points; it is the rule, rather than the exception. Among dozens of surveys, from security vendors, industry analysts and government agencies, we have not found one that appears free of this upward bias.

That’s Dinei Florêncio and Cormac Herley of Microsoft Research in a New York Times piece entitled: “The Cybercrime Wave That Wasn’t.”





You see, cybercrime statistics have been generated using surveys of individuals and businesses, but you can’t generate valid numerical results that way. An opinion poll’s errors will naturally cancel out—there are a roughly equal number of wrongly stated “thumbs-up“s and “thumbs-down“s.





When you ask people to estimate losses, though, they can never estimate less than zero, so errors will always push results to the high side. High‐​side errors extrapolated society‐​wide drive the perception that cybercrime is out of control.





There are more drivers of excess insecurity than just bad loss estimates. There are also data breach notification laws, which require data holders to report various kinds of personal data spillage. These reports are the high‐​tech, grown‐​up version of a favorite schoolyard taunt: “Your epidermis is showing!” Epidermis is, of course, a scientific name for skin. It often doesn’t matter that one’s epidermis is showing. The questions are: What part of the epidermis? And what social or economic consequences does it have?





Most breached data is put to no use whatsoever. A 2005 study of data breaches found the highest fraudulent misuse rate for all breaches under examination to be 0.098 percent—less than one in 1,000 identities. (The Government Accountability Office concurs that misuse of breached data is rare.) Larger breaches tend to have lower misuse rates, which makes popular reporting on gross numbers of personal data breaches misleading. Identity frauds are limited by the time and difficulty of executing them, not by access to data.





Why does excess cyber‐​insecurity matter? Doesn’t it beneficially drive companies to adopt better security practices for personal data?





It undoubtedly does, but security is not costless, and money driven to data security measures comes from other uses that might do more to make consumers better off. More importantly, though, data breach agitation and distended crime statistics have joined with other cybersecurity hype to generate a commitment in Congress to pass cybersecurity legislation.





Cybersecurity bills pending in both the House and Senate could have gruesome consequences for privacy because of “information sharing” provisions that immunize companies sharing data with the government for cybersecurity purposes. The potential for a huge, lawless cyberspying operation is significant if anyone can feed data to the government free of liability, including the privacy protections in property law, torts, and contract. Congress would not improve things by regulating in the name of cybersecurity, and it just might make things a lot worse.





It is ironic that overwrought claims about cybercrime and data breach could be privacy’s undoing, but they just might.