On Privacy and Security
When the Big Brother shows up in front of your house, you should just slap him with a slice of frozen pizza.
Ah, we finally got here.
There are no good words to describe how much I have been wanting to write about personal security & privacy. I truly think that, if I have to make a list of top 10 things that people should pay more attention in today’s society, the duo would end up somewhere on the list. (To give you my view of how important they are relative to the rest: two items that made the list are climate change management and resolution of geopolitical conflicts.)
Although, I should clarify that I’m more of a passionate fan and not a trained practitioner — everything below is based on my somewhat educated understanding. I have done a fair amount of reading that’s appropriate for the scope of this blog post, but this is nowhere enough to serve as a research or technical reference. In other words: any of the information below isn’t intended to serve as professional advice.
If you’re not as invested in these topics as I do, I hope you walk away with some new insights, but do spend more time to learn about them in your own accord. There are links littered throughout this post that would point you to different resources and tools.
(Note my liberal use of the two terms here: by security, I’m referring to any means of safeguarding your information, and by privacy, it’s the result of having that information be seen or distributed in ways that you approve of — the two concepts complement each other. Since this isn’t meant to be a deep dive, the loose definitions should work just fine.)
Lastly, there’s one core idea to everything presented below that we have to bear in mind: it all comes down to the weighing of pros vs cons, and our goal is to maximize the former and minimize the latter, but there will always be downsides no matter what you do.
Why Privacy?
If you’re reading this, I’m going to bet that you’re at least quite aware of the important roles that those security & privacy play in our modern life. However, if you find yourself asking “well, I don’t know, why should I care?” — then I hope this section will serve you well.
Here’s an analogy to get us started:
Let’s say you’re in a one-person restroom. The door works as a privacy control by employing the secure mechanism of the door lock, which keeps others from interrupting your personal business. People are going to assume you’re dealing with your call of nature when you’re in it — but assuming you’re doing something is different from being able to see exactly what you’re doing — few would be willing to relieve themselves in the public eyes; even if you aren’t consciously thinking about the lock itself, you do find the resulting privacy comforting.
(Of course, personal privacy in real world is a lot more susceptible to harm than a hypothetical scenario. Take Korea’s spycam pandemic, for instance.)
Due to the commonality of restroom usage, we should all find the threat of intrusion relatable. Yet, there are plenty of similar events taking place on a daily basis that aren’t as conspicuous — breach of personal privacy is one of such — and the fact that you can’t perceive or comprehend them doesn’t make them any less worthwhile of your attention.
(Check it yourself if you aren’t convinced: just open up any mainstream search engine, search for “privacy concern” in the news category, and pick any five articles to read — I can guarantee that you will soon change your mind.)
Here are a few common examples to illustrate my point above:
We store plenty of detailed personal data on social networks and think that they are safeguarded as long as we don’t open our account to the public, but it should raise a question when social media companies claim that nobody else besides ourselves has access to our private data (the fact that the service is a proverbial “free lunch” should be suspicious enough in itself), because this has been proven to be false many times in the past.
When you’re asked to voluntarily provide your info in person or online in exchange of some conditional benefits, such as giving your contact info and home address to sign up for promotional discounts, know that the info is usually not kept in a dependable manner. At best, it’s saved in a database somewhere with questionable protections; at worst, it’s written on paper and could’ve been left anywhere for all you know. It’s just a matter of when, not if, that those info will end up where it shouldn’t belong.
Whenever we make a purchase using a credit or debit card, the issuing company collects that data to detect fraud and to analyze our purchase habits — both of which are designed to work in favor of the institution. Essentially, we can’t buy anything without the company knowing some of the transactional details, and if we aren’t careful with picking financial providers, we could end up with the ones that actively make use of that insight to prey on us.
(I’m not telling you to avoid using any of those services or products — even I myself can’t manage to achieve that. I’m saying you need to at least understand that you’re always taking some amount of risk by using them.
Again, you need to be informed and weigh the pros vs cons for yourself, because that risk level also varies depending how you set things up, what info you share, and who are the third parties that have access. Generally speaking, the more restrained your habits are, the better the privacy you have.)
That said, you’d be hard-pressed to immediately see the benefits of being protective of your digital privacy. This often takes quite a bit of work without a clear payoff, especially considering the sophisticated technologies and immense resources the corporations have pitched against us. Unlike the peeping Tom scenario earlier, where there’s an obvious threat that distresses you, this isn’t the case with digital privacy; you’re betting on an unknown probability of that the society will correct its course in the long run and not turn the world into a corporatocracy dystopia.
But obviously, the answer isn’t to just let go. Given the creeping threats that we face these days, that’d be akin to never brushing your teeth and waiting for cavity to torment you several weeks down the road.
If my long-winded speech above has managed to convince you somehow, keep on reading for my suggested next steps. (If after reading all of this, you still don’t think that this is worthwhile of your time, well, I wish you good luck, because you will need it.)
Your Own Threat Model
Now that you’ve gotten acquainted with the core concepts, you might be wondering what actions you should take. Before that, let’s answer the most important question of:
What am I trying to achieve and how am I going to do it?
At its core, we have one essential goal: to secure our data and improve our privacy. A way to get to the answer is to come up with a personal threat model — by mapping out where and how you have stored your information or digital assets, you will have a better sense of where you are most susceptible to threats. It should take no longer than 10-15 minutes to finish this exercise.
(An actual threat model is much more elaborate and has more technical details; we’re only aiming for a lite version of this to help us kick things off.)
Start by listing your top 10 most frequently used or crucial websites or apps. Typical candidates would be your main bank accounts, the social networks that you have been using the most, or the e-commerce site that you habitually shop at.
For each one of these, take a few minutes to think and answer the following:
Will there be serious consequences (e.g., money stolen, private photos leaked) if a hacker gets control of the account?
Are my login credentials (e.g. username & password) for this site or app reused in several other places?
Do I only need my basic credentials (e.g., no text message to verify security code) to login?
Rank the results accordingly, where the ones with the most number of “yes” are on top and the ones with more “no” are towards the bottom.
There you have it — a simplified threat model that covers the most prominent areas of your digital life.
If you have several items on the list that you answered all “yes” to, then you now know what are your specific targets of improvement. Consider doing the following:
Instead of reusing identical credentials across different places, use a password manager instead, otherwise if someone can get a hold of your credentials, they can just login into everything that you are registered to.
This is also why it’s important to have additional verification in case others do learn about your credentials — most apps and services have them nowadays, so you just need to find out where the settings are and activate at least one of the options.
If the products don’t offer decent security controls or the company has a poor reputation when it comes to customer data protection, maybe it’s about time to switch to a different provider.
(Note that these preventative measures don’t fully resolve the risks — like I said earlier, there will always be downsides — they merely lessen the overall risk level by strengthening or altering your weak spots, but you still can get hurt badly if worse comes to worst. For example, if you aren’t careful about protecting your password manager, you could end up leaking all of the passwords you’ve stored instead.
Sometimes, it is a matter of choosing between the lesser of two evils: if you add your phone number to a website for multi-factor authentication, the company can now associate that number to your identity and potentially share that insight with their advertising affiliates to track you elsewhere, but if your private information or activities on the site is crucial to you, at least you will be better protected from people with ill intentions.)
Hopefully, this short exercise has given you a sense of why it’s important to assess your situation when it comes to privacy improvements: not only will you have a clearer view of your weaknesses, you will also know what needs your attention the most.
Again, this is a simplified construction of a threat model — you can certainly spend more time to do your own research and add in details, scoring, and rationales if you should prefer to do so. And I do encourage it if you have the patience to learn more about the topic and go beyond what we did above; one of such example is actively monitoring for mass data breaches that might have impacted you. But that would require us to dig into the deeper technicalities beyond what this post is set out to achieve.
For now, pat yourself in the back — you’ve just taken a first step towards a more secure digital lifestyle.
Getting the Buy-in
What’s more important than enhancing your security and protecting your privacy? Getting your family members and close friends to do the same!
The real challenge is getting people around you to start valuing this mindset and adopt relevant practices. Due to our social nature, if people in our life have sloppy security & privacy habits, we will be impacted by their actions as well. For example, married couples often share some of their devices, which means that both sides assume the risk that the other person takes on — it doesn’t matter that the wife is extra careful whenever she is on the computer, if the husband is gullible and susceptible to even the simplest scam tricks, he can easily undo all of her efforts by unknowingly letting a nasty malware crawl into their computer.
Those who are uninformed tend to insist that they don’t need to care about these things; these folks are a particularly hard egg to crack. Typically, they still haven’t begin to understand the precarious situation they are in and how their carelessness will bring harm to not only themselves but to people around them as well — until they experience a catastrophic incident firsthand, they won’t know the cost of their negligence. (Just like those who choose to buy an expensive car yet can’t afford the premium insurance.)
The way I see it, there are three progressive levels in how we can engage the laypeople around us:
Gearing them up to protect themselves from on-going threats. If you do nothing else, at least take care of this one; it’s the best shot you have with stubborn or not tech-savvy folks anyway. After obtaining their initial consent — this is more important, remember we’re trying to get their buy-in — help them setup hassle-free tools like a reputable malware scanner and a more privacy-friendly browser with helpful plugins. This action alone will bring upon major improvement. (Beware that you might end up becoming the dedicated IT person of the family.)
Helping them to become more proactive and watchful of critical risks. This is the turning point for most people, and it does go beyond following common sense tips like “keep your computer locked” — they have to take an active interest to educate themselves in their own time, however small that initiative may be. This is the only way for us average folks to keep up with the ever-changing security threats and maintain a good privacy profile.
Getting them to fully embrace the privacy-centric mindset and become a privacy evangelist. This is going the extra mile and I certainly don’t expect most people to ever reach this stage. But given how pervasive this issue is and that our lives are becoming increasingly digitized, educating more the public is the only solution towards the betterment of our collective future.
(Which I realized sounds very much like an indoctrination into a cult as I was rereading a draft of this... but I swear this isn’t the case here.)
Unfortunately, it is an uphill battle to get people to care enough about these things. It can’t be helped: unlike the idea of someone peeping into a private physical space, a breach of digital privacy are oftentimes quite abstract, and people aren’t very good at relating to things that are less than concrete (or too technical that the intended message goes over their head). Besides, as I said earlier, the danger is rarely conspicuous or imminent enough for people to bother, and we do have a tendency to go after the most effortless options in life — which is to do nothing.
Older folks tend to operate in a mental model based on physical privacy: they don’t want people trespassing their land or overhearing their conversations. It’s obvious why these actions cross their boundary of comfort, but they would happily do risky things like storing sensitive information on weakly protected platforms, because the tech side of things is close to opaque to them.
On the other hand, much of the current generation is born as digital natives and their mental model of the digital space is constructed differently — my guess is that they have been indoctrinated by the lack of the aforementioned boundary, because their behaviors are molded by the standards of the modern day internet they are born into. They are oblivious to the omnipresent risks of their casual behaviors of sharing things openly on digital platforms and such; it’s always been that way for them and there isn’t anything unusual about their actions.
Perhaps the key is to make people find a scenario that they can relate more tangibly. Here’s one that I can think of based on recent observations:
Recall a particularly embarrassing moment in your teenage years — you surely wouldn’t want to relive that again. Now, imagine all those similar moments have been recorded as videos or pictures, shared online, and are stored in websites that you have no control over in how they are copied or distributed — does this sit well with you? Probably not, and I’m guessing it’s because some of those memories may be quite painful. But this is exactly what’s happening with many parents publicly sharing their teens’ private moments on social networks, without ever pausing to reconsider how those recordings will impact their children in the future.
If the person you’re trying to convince can empathize with the circumstances of the affected, then you should be have their attention for a few more minutes at the very least. Make good use of that window to bring them closer to your side.
The Harm of a Cliquey Culture
I myself know and have interacted with a fair share of privacy enthusiasts — and dare I say that a lot of us who are passionate about this topic is also utterly insufferable when it comes to our attitude to people who are less informed.
The primary offending factor is the condescending attitude against who might prefer to not take nearly as drastic of an approach, such as switching entirely from mainstream operating systems to Linux or deactivating their social network accounts altogether. People who hold this attitude insist that privacy is an all-or-nothing matter and fail to consider the nuances that different individuals have to grapple with in their daily lives.
(Let’s be honest: Someone that uses Linux as an operating system, owns almost no social media accounts, and carries a highly customized smartphone isn’t a normal person at all. And by “not normal”, I’m saying that this person must have the luxuries in life that allows them to carry on with such a lifestyle because they can forgo all the social baggage, or that they grew up having access to more of those technologies and thus they are more comfortable at making extensive use of them.)
This elitist attitude is entirely counter-productive in helping to raise awareness; if anything, it just turns people away.
As I wrote above: privacy is a collective effort. The public awareness lags way behind the years of behavioral modification induced by the tech giants, and consequentially the lack of public political pressure from the public causes delays in regulatory actions, often after significant damage is already done.
(Because of sociopolitical factors, attitude towards privacy vary significantly across countries and regions. There are nations that will always have a more privacy-hostile environment than others, and will likely stay as such for a long time until a regime change takes place.)
So, if you’re one of us: you could take the elitist stance and operate in the mindset that everyone is responsible for their own good, but you should be cognizant that this will only worsen the privacy crisis at a larger scale. By being unkind towards uninformed populations, you’re indirectly contributing to the worsening of the overall situation, which will only come back to harm you in the long run.
If you really care about privacy, strive to help spread awareness and patiently communicate to average folks. This cause is greater than any single one of us — it’s not a win if 99.99% of the population are using privacy hostile technologies, while we huddle in our tiny elitist circle and lament about the crappy reality.
At where we stand now, we still have a long way to go.