A Network Built for Friends
The internet began as a military and academic experiment. ARPANET, the precursor to the modern web, was designed in the late 1960s with one goal: resilience. If one node went down, the network would reroute. It was built to survive a nuclear attack. But there was a hidden assumption baked into the architecture: Trust.
The users were a small group of researchers, scientists, and government officials. They knew each other and they shared a common goal. There was no need for locks, keys, or firewalls. Everyone was a "peer." The protocol was designed for connection, not protection.
Then came Tim Berners-Lee and the World Wide Web in 1989. He wanted to make information sharing easy. He succeeded brilliantly, but he, too, assumed a world of cooperation. He didn't build in security because he didn't anticipate a world of predators.
These are the flaws baked in from the start.
The Great Rush
Fast forward to the 1990s. The internet went commercial. Suddenly, the "friends" were replaced by corporations, advertisers, and strangers. The goal shifted from "sharing knowledge" to "capturing attention" and "selling products." And the market demanded speed.
"We need to launch the site now."
"We can't wait for security audits; we'll fix it later."
"Users won't tolerate a slow login process."
This was the birth of the "Move Fast and Break Things" mentality. In the race to dominate the market, security was the first thing sacrificed.
I saw this firsthand while working for a SaaS company. The platform handled sensitive marketing operations data. One day, I learned from an off-shore engineer that entire client database was stored in plain text—completely unencrypted.
I stared at it for a second. Then I asked the question that any reasonable person would ask: "Why isn't this encrypted?" The answer was because it was expensive, complex and they wanted to get the platform out as quickly and affordably as possible. Clients were unaware of this trade off. I redesign not long after.
And this wasn't uncommon for similar companies to do the same thing, especially if they were focused on their exit strategy (how the owners plan to sell the company). It wasn't really a secret. It was just how things were done.
The Band-Aid Era
What happened next is a story of endless patches.
We added passwords because the system was open. But they were weak, easily guessed, and reused everywhere. We treated them as a magic shield when they were really just a paper lock.
We added encryption after the fact, not as a default. For years, your data traveled in plain text across the network, readable by anyone sitting between you and the server. HTTPS came later—much later—and even then, it was treated as an optional upgrade rather than a baseline requirement. We built firewalls around the network, but the doors were left wide open for "convenience."
As the renowned security technologist Bruce Schneier has noted: "The internet was built for openness, not security. And now we're paying the price."
The proof is in the policy. For decades, the official advice from security experts was to "change your password every 90 days." It wasn't until 2017, when the National Institute of Standards and Technology (NIST), that they admitted this practice was counterproductive. They realized that forcing frequent changes didn't make people safer; it just made them lazy. When you force someone to change their password every three months, they don't invent a new, strong password each time. They increment. "Password123!" becomes "Password124!" which becomes "Password125!" The pattern is predictable, and any attacker worth their salt knows it. But the policy persisted for decades because it felt like security. It was theater.
Every time a new vulnerability is discovered—and they're discovered daily—we just add another band-aid. We add two-factor authentication, and CAPTCHAs. We add biometric scans. But the underlying system remains fragile. Each new layer is a patch on a crack that was there from the beginning.
Why This Matters for Your Family
You might think, "So what?" Well, the consequences of this broken foundation are real and immediate.
Because security was an afterthought, massive databases of your family's information are stolen every year. Your child's name, birthday, and school are often the first things leaked. And once that data is out there, it's permanent—there's no undo command.
Weak passwords and poor encryption mean your identity can be stolen with a few clicks. The band-aids don't stop a determined attacker. They just slow them down a little. And the lack of default privacy means your every move is tracked, logged, and sold. The system wasn't designed to protect you; it was designed to extract value from you.
And how's this for unsettling: children are uniquely vulnerable to this broken foundation. A child's identity is a blank slate. When a data breach leaks your child's Social Security number, the thief can open credit accounts, file tax returns, and commit fraud for years before anyone notices—because nobody is checking a seven-year-old's credit report. By the time the damage surfaces, the child is a teenager applying for their first job or student loan, and they discover that someone has been living under their name for a decade.
This isn't hypothetical. It happens thousands of times a year, and it happens because the system was never built to protect the data in the first place. It was built to collect it, store it cheaply, and move on. The internet isn't a safe place by default. It is a hostile environment where you are the product.
Your Path Forward
We can't go back and rebuild the internet. We can't force the giants to tear down their skyscrapers and start over. But we can stop pretending that the current system is safe and stop trusting "default" settings. We can start treating the internet like the fragile, dangerous place it is.
Never trust a connection by default—assume your interactions are being monitored. Use encrypted messaging (Signal) instead of SMS and encrypted email (Proton Mail) instead of Gmail. Use a VPN when you browse so your ISP can't see where you're going.
Never trust a password alone. Assume it will be stolen. Use a password manager so every account has a unique, strong password. Enable two-factor authentication—but use an authenticator app or a hardware key, not SMS, which can be intercepted. SMS was never designed to be a security tool.
Never trusting a "free" service. Assume your data is the price. If you're not paying for the product, you are the product. Choose services where the business model aligns with your privacy, not against it. And pay for the tools that protect you, it's a small monthly fee for a massive shift in power.
Teach your children that the internet isn't a safe neighborhood. It's more like a big city at night. There are beautiful places to visit, but you don't walk down every alley, and you don't leave your doors unlocked. The default posture is caution, and not trust.
Saying the foundation is broken isn't paranoia, it's historical fact. The system was built for speed and openness, not safety and sovereignty. Every patch, every band-aid, every "security update" is evidence that the cracks were there from the beginning.
But you aren't powerless. You can't fix the foundation, but you can choose tools that were designed with security from day one, not as an afterthought. You can audit your permissions, encrypt your data, and teach your kids to navigate the digital world with their eyes open.