Dr. Addas sits with us to discuss all of the behavioural aspects of security, highlighting how security issues are often rooted in vulnerabilities exploited through human behaviours rather than technology glitches. With a great deal of his research surrounding how technology and psychology are linked, Dr. Addas provided great insight on current trends, threats, tools, and theories surrounding data privacy for Canadians.
Watch Dr. Addas in the interview or read the full transcript below.
Dr. Shamel Addas – Professor of Digital Technology at Smith School of Business, Queen’s University
Dr. Addas holds a B.Sc. in Mechanical Engineering from the American University in Cairo, an MBA from the John Molson School of Business, Concordia University, and a Ph.D. in Management from McGill University. Through his research, he examines the impact of information technology use on individuals in work-related and health care settings. Dr. Addas is interested in how IT use interrupts work and work performance, how we interact with virtual assistants, and how technology can affect patient care and clinical outcomes. His work has been published in MIS Quarterly, Journal of Management Information Systems, and Sloan Management Review – amongst others.
Transcript of Interview
[00:00:00] Nathan Navidzadeh: We have Dr. Addas here, a professor of Digital Technology at Smith School of Business at Queen’s University. Uh, Dr. Addas, can you tell us a bit about your background and, uh, what drew you to the field of data security?
[00:00:20] Dr. Shamel Addas: Well, my name is, uh, Shamel Addas and I’m, uh, originally from, from Egypt. And I’ve been, I’ve immigrated to Canada about 22 years ago now. And I’m, I’ve always been fascinated by the field of, of privacy and security, whether it’s physical security or online security. So that’s right now, it’s one of the, my, um, my streams of research. I’d like to look at, um, mostly at behavioral aspects of security because time and time again, research shows that it’s not really the security problems are most of the time, not technical, it’s really our human behaviors that causes security vulnerabilities. So because a lot of my research touches upon the intersection of, uh, technology and psychology, it’s only natural that I become drawn to this, to this line of research, to really understand why we fall prey to security problems and what we can do about it also as individuals.
[00:01:16] Nathan Navidzadeh: Is data privacy important? You know, why should people, uh, care about data privacy at all?
[00:01:22] Dr. Shamel Addas: Well, because our day to day life is, is conducted online now, almost a hundred percent. It’s, it’s hard to think of any task, whether it’s personal or work related or social that is not done by technology. And, and when, when it comes to conducting your life over technology, then online privacy and online security become become issues, right? There’s a famous saying that the most secure, um, computer is the one that’s buried 30 feet under underground. Right. But once you have internet connectivity, then all kinds of things can happen in the background because you don’t see it. Right. You, you you’re connected to the internet. You. Talking with a friend or doing zoom or conducting a task online, but there’s so much that’s, um, hidden from you that can jeopardize your, your privacy and security online.
[00:02:12] Nathan Navidzadeh: And if it’s the government or, you know, third party trackers or whoever has that data, why should I be concerned about them having that, that data?
[00:02:21] Dr. Shamel Addas: Yeah, I think a lot of the, uh, the problem comes from the fact that there is this unidentified entity that might be involved in, in using your information online. So a lot of the privacy research is, is, is based on, on, on the notion of trust, right? When you engage in any interaction with another entity, whether it’s a person or an organization, there’s someone you, you might trust or not. But the problem with, with, with online interactions is that oftentimes, that entity is, is unidentified. So let me give you an example. You’re browsing a website. Let’s say you go to ABC or CNN. Um, you are not just interacting with BBC or CNN.
[00:03:05] There’s a lot of other entities that might be involved in, um, in tracking information. So third party trackers is, is what we call for instance, these, these entities. Um, similarly, um, when you interact with Facebook or Google, there’s third parties that you’re unaware of that might have access to your information and your data might actually get commercialized and sold to these, uh, third parties. So the problem with this is that it’s hard to, to really understand what’s going on and to prove it or not, because you don’t know who has access to information. So there’s no one to trust with other than just trusting the, the Internet, you know, which this, this vague or obscure concept. So, so that’s where I think a lot of the behavioral issues come about when, when it comes to online privacy.
[00:03:53] Nathan Navidzadeh: I’m just a regular person living in this world, you know, why, why should I care? You know, it doesn’t matter if they have that information, nothing bad is gonna happen to me. Is that a valid, uh, uh, point?
[00:04:04] Dr. Shamel Addas: Well, sure. It it’s a valid point as long as the person making the point is, is, is consciously, um, thinking about the costs and benefits of, of, um, of his or her interactions. Right? So, so as long as, as you know what you’re giving up by connecting to, um, a website or subscribing to a service, let’s say. And you can weigh the costs and benefits. Yes. It’s very valid to say, you know what? I don’t really care. You know, I’m, um, giving up some information. It’s not really sensitive credit card information, and in return, I’m getting a service that I’m gonna, it’s gonna be useful for me. The problem though, is that a lot of times this, um, what we call the privacy calculus, you know, this calculated rational decision making is not in the picture. So people just, you know, um, either don’t think about it or, or they rely on, um, biases or heuristics, um, or in, in other cases, and which is actually what we found in our research, um, they just become conditioned to, uh, this concept, which in psychology is called Learned Helplessness. They just, you know, learn to be pessimistic. They learn that they get, there’s nothing they can do about controlling the privacy of it information, so they might as well just give up, you know, and who cares. So, so it really depends on the mindset and, and, and on whether you accept risks and benefits, or you’re aware of the risks and benefit or not.
[00:05:28] Nathan Navidzadeh: Why don’t people protect their online privacy, even when they have the tools, uh, to do so?
[00:05:34] Dr. Shamel Addas: There’s two dominant, uh, reasons. One, one of them is that they don’t want to, you know, they can, but they don’t want to because they’re well aware of the cost benefit. But I would say, um, if I had to guess there’s probably a minority of people who, who go that route, because as I said, there’s so many biases that go into that, uh, story. Um, the more common explanation is, is this notion of learned helplessness is that people, they don’t do anything about it, even though they have the tools to do something about. Because they just don’t see, uh, they become conditioned to the idea that there’s, whatever you do is not gonna work. You know, there there’s, there’s always gonna be, uh, route to, uh, compromising their information. Even if I block this particular interaction right now, there’s so many different ways by which my information can become, uh, used or accessed or compromised, so they just give.
[00:06:29] Nathan Navidzadeh: How does [learned helplessness] relate to data and privacy concerns?
[00:06:35] Dr. Shamel Addas: Well, the, the concept of learned helplessness is, is, is very old. So, so it emerged in research, uh, in the 1960s, uh, Martin Seligman from the University of Pennsylvania is, uh, is a key researcher behind this, uh, series of experiments. And interestingly, it was about dogs in the beginning. So, so there was a series of experiments in which, um, they showed that dogs, um, who, who were subjected to small electric shocks became conditioned, um, to doing nothing about these shocks, even though in the next phase of the experiment, they could easily escape those shocks.
[00:07:13] So this research at the time was conducted with, with animals, unfortunately at the time they, they, you know, they did these kind of re um, experiments with animals. But since then, it’s been extended with humans and it’s been tested in many different contexts. And it’s the same thing. So when it comes to applying this, this concept to, uh, privacy and security, is that people become conditioned to learned helplessness. So, um, if someone experiences let’s say, um, an identity theft or, or, you know, their computers become, uh, compromised or a trojan or ransomware, or what have you, um, that can lead to this conditioned effect that you know, they say, well, you know what, it’s gonna happen again, if it happened once it can happen again. But the interesting thing is that you don’t have to experience something negative yourself. So just by hearing in the media, for instance, that you know, all of these stories about big, um,
[00:08:06] organizational, you know, websites that get hacked and credit card information that gets leaked, um, governments, um, um, observing, you know, the citizens, you, you know, they, you, through the, you know, you through the smartphones and all kinds of things, they didn’t happen to you personally, uh, contribute to conditioning people to this, uh, mental state of learned helplessness. They just, as I said, they just give up, you know, they say, well, this is something that’s so broad, it’s so stable. It’s so global. It can happen in so many different shapes and forms and ways, that no matter what I do is not gonna make a difference. You know, like there’s million ways online by which information can be leaked. So why should I bother and just learn to accept it? And I just move on.
[00:08:51] Nathan Navidzadeh: What is your advice for, uh, Canadians who are reluctant to protect themselves either through learned helplessness, uh, or for any other reason?
[00:08:59] Dr. Shamel Addas: Well, it it’s interesting because we did an, um, a small experiment a while back and, and we, um, it was in the context of party tracking. So we, um, um, met with participants in the study and we, uh, educated them about third party tracking. Some of them didn’t know what that was. Um, and we gave them the tools that they can control third party tracking. So there are tools out there for instance, like browser add-ins that you can install and they can help you to, to track the trackers. So it’s kind of like spying on the spies. Um, but the interesting thing is that a lot of the participants, even though they, they, they appreciated the software and they liked it. They ended up not using it, which we, you know, which we then in follow up interviews we’ve um, identified this notion of learned helplessness is that he said, well, it’s just one tool I have, I can, you know, block some of the information, but it’s gonna happen in so many other ways.
[00:09:52] So that’s, I would say like, that’s one of the tools, you know, it’s not the only one, but that’s one of the available quick fixes at least gives you insight about what’s going on. Is these browser add-ins there’s um, there’s a number of them out there, a lot of them are freely available. Um, there’s, there’s, there’s, uh, Ghostery, there’s Privacy Badger there’s Disconnect and a bunch of other tools as well.
[00:10:15] And what they do, um, essentially is that when you’re browsing from website to website, they look at which entities are tracking you and building like a complete profile, uh, tracking you across these websites and they can then show you who’s tracking you and they can also block, um, uh, ads. Some of them focus on ads, others focus on any kind of, um, organization or entity or aggregator that tracks you across sites.
[00:10:43] Um, so that’s one thing. I would say more importantly though, is, is this notion of, of switching it’s a mind it’s a mental state, you know, switching from this, um, state of learned helplessness to a state in which you are conscious that, uh, something’s going on with your information potentially, and, you know, going back to this idea of the privacy calculus, you know, weighing the cost and benefits, if you’re fine with it.
[00:11:09] So be it, but I’m aware that my information is being tracked when I, when I visit these five websites, places, right. Um, another thing which I often advise, uh, is, is for Canadians to ask, you know, um, pick up the phone, send an email, ask the organization that you’re interacting with. You know, if you sign up to their service, uh, ask them five questions. What data is being tracked about me? How are you using this data? Who else has access to this data? You know, from your business partners, let’s say, how are they using this data? And finally, um, what can I do about it if I don’t want to share my, my personal data? Can I, do I have, um, um, the possibility of asking, uh, for my data not to be tracked? And if so, then what are the consequences of that?
[00:11:58] So I think being in a more proactive mode and understanding that you can control some things you can ask questions definitely, uh, is, is, is also, um, extremely important. Now, obviously the other thing is also top down. So I talked about bottom up approaches, what you can do as a Canadian, but there’s also top down approaches, you know, regulation, government regulation. Um, some companies are becoming much more aware like Apple now for instance, gives, uh, users, um, this feature of, uh, asking apps not to track, right? Which is very easy on your iPhone. You can simply ask the app not to track you and you are not gonna face any negative consequences. You’re still gonna be able to use the app. So I think a lot more organizations need to give this flexibility and control to, to users.
[00:12:42] Nathan Navidzadeh: Are there any, um, you know, free tools or resources that you like the best or that you use personally?
[00:12:49] Dr. Shamel Addas: I used to love a tool that’s, um, it was developed by Mozilla and unfortunately it’s no longer available. Um, it was called Collusion and, and then the, the other name was given to it was Lightbeam, and I liked it because it gave you like this visual network and it showed you actually, um, um, every organization that’s tracking you, and as it’s tracking you across different websites, so you could actually see it in a really cool network diagram. So this is no longer available. Um, the one I like to use nowadays is, uh, is Privacy Badger. Um, and mostly because it’s unlike many of the other tools that focus just on ads, it doesn’t focus – it doesn’t care about ads. You know, ads is just one, um, one way of third party trackers that the, that, you know, one of the main use cases let’s say for third party tracking. Uh, but it’s not the only one. So it just basically says, all right, so we’re gonna count how many different websites each entity is, is tracking you on. And if it’s three plus, then it blocks it, or it alerts you and tells you, you know, hey, this, um, website or aggregator or entity is tracking you on five websites and then you can control whether to block it or to allow it. Um, so, so that gives you a lot of user control that I like. So I like using Privacy Badger.
[00:14:05] Nathan Navidzadeh: We kind of touched on, you know, who should – you know, you talked about, you know, different businesses, individual level corporations, who would you say is most vulnerable to privacy breaches. And why?
[00:14:18] Dr. Shamel Addas: I think like from a psychological perspective, I think people who are most vulnerable to, to privacy breaches, are the same people who tend to rely more on, um, heuristics and, and, and, and, and, and shortcuts and rules of thumb for decision making. So what we call in psychology, the system one, uh, as opposed to system two. So, uh, same people who would fall prey to fake news, for instance, as opposed to try to think about the source of the news before we share it with others on social media. Um, another common and another very, um, dominant factor is pessimism.
[00:14:56] So, so people who tend to be more pessimistic are also the ones who tend to be more, um, uh, in a mindset, which is characterized by learned helplessness. Um, because basically they feel that, you know, like there’s nothing we can do, that’s gonna make a difference. So they might as well, uh, give up. So I would say, um, at a psychological level, um, you know, that there’s research and psychology on positive psychology on, um, on, on, on learned optimism, which is the opposite of learned helplessness, which can help there’s conditioning. You know, there’s there’s there’s training for people to learn, to understand how to, um, switch to a more mindful mode. Uh, mindfulness training, for instance, you know, instead of, um, automatically, um, conducting things online in certain ways, stopping and thinking about the consequences of your action, which is the system two way of thinking.
[00:15:50] So there are some psychological, um, you know, that there, um, factors and also, um, um, self based training programs that people can do. To kind of help them to, to be in that more deliberative mode, especially when it comes to conducting transactions online, you know, thinking and stopping and, um, considering the consequences of the behaviors, uh, before they jump into something that can then end up, um, compromising.
[00:16:14] Nathan Navidzadeh: Any input on, on privacy breaches on the kind of corporate or industry level?
[00:16:20] Dr. Shamel Addas: Yeah, well, I think nowadays breaches don’t really distinguish, right? There’s, there’s all kinds of big and small corporations. Um, uh, tech companies, insurance companies, banking, uh, organizations that, um, that, uh, are, are bombarded by security threats, you know, denial of service attacks, uh, viruses, Trojans. Um, I think the, the, probably the healthcare industry, um, and banking organizations are, are more vulnerable just because of the nature of the data that they manage. There’s, it’s highly sensitive data, whether it’s patient data for healthcare organizations or, um, you know, um, customer banking data for, for banks and so on, government data as well. So those would be the most, I would say risky if they’re threatened or compromised, but nowadays it’s, it’s really, um, you know, as I said, like, like security threats happen to all kinds of organizations and from all directions, you know, they come from, um, other organizations, um, foreign, local, they come from individual hackers. So there is a lot that we still need to learn, uh, whether at an individual level or also at, um, government and corporate level about how to, um, protect our Canadians information.
[00:17:39] Nathan Navidzadeh: What do you think the future holds for Canadians and their, their private data?
[00:17:44] Dr. Shamel Addas: I think that, that there are worrying signs as well as comforting signs as well. Um, worrying signs because obviously where technology is, is only advancing at an exponential rate and, um, there, everything we do now is, is, is not only done by technology but more and more so also being automated by algorithms. So, um, which means that the privacy and security problems can, can only become, uh, more complex as a lot of these transactions are automated. On the comforting side is as, as I think that, um, governments and organizations are um, becoming more aware, more experienced and more sensitive to, um, the privacy related problems. So sometimes companies have had to, um, face scandals and problems and litigation like Facebook before they acted and, and, you know, to, to come up with better privacy mechanisms, uh, others they’ve acted, um, preemptively like Apple, for instance. Um, there’s, there’s also in Europe, very promising legislation, the GDPR, for instance, which, um, gives a lot of control to people over their privacy. It gives them, uh, for instance, things like the right to be forgotten, um, so that you can, you know, delete information from your history on, on Google, something that you might have done 20 years ago, let’s say, uh, and a lot of these legislations are being adopted in, in, um, in Canada and in North America and other countries in the world, or being in the process of, um, of, of, um, coming into legislation. So I think. It’s hard to tell what the future will bring, but there’s definitely privacy problems will be more complicated, but also, uh, there is more, much more appetite from, uh, um, top down.
[00:19:32] Uh, I’m not seeing as much appetites yet from bottom up. Although there might be signs that, that this is the case. But as I said, we need both. We need top down regulations, top down preemptive actions by companies, as well as bottom up, um, deliberate actions by individuals so that they can protect their privacy and their, uh, security online.
[00:19:52] Nathan Navidzadeh: I just wanna thank you for your time. And, uh, we really, really appreciate it.