Practical privacy and simple cybersecurity.
TheNewOil.org

A Plea for Patience From a Privacy Enthusiast

Paranoid. Tin-foil hat. Crazy. Weird. Obsessive. Whatever you want to call me, I guarantee I’ve heard it before. And honestly I’ve called you things, too. Blind. Apathetic. In denial. Let me explain: one of the most common questions I see in the privacy community is something along the lines of “how do I get other people to care about their privacy?” The question usually goes something like “all my friends think I’m crazy because I don’t use Google and they don’t want to switch from WhatsApp to Signal. They think I’m being paranoid, like ‘why would anyone want to watch you? What are you hiding? What are you up to?’”

It’s a frustrating position for people on both sides of the fence. It’s frustrating to you, the person who doesn’t care about privacy, because your friend or loved one is asking you to do extra work just to chat or hang out. But it’s equally frustrating to us. So this is an open letter to all the folks who don’t care about privacy. I’m asking you to be patient with us privacy-minded folks. That doesn’t give us the right to bully you or be obnoxious, but respect is a two-way street. I want to try to explain why we’re so paranoid so you know where we’re coming from. This isn’t meant to sway you to our side, simply to consider things from our perspective and see if it might be worth taking some reasonable steps at the request of your loved ones.

It’s About Respect

Before I get into any concrete reasons for why we care about privacy, I think I should start with the most basic concept of all: respect. You are a sovereign person, meaning that you have the right to make decisions about yourself with zero justification whatsoever. You don’t have to justify to me why you want a tattoo, why you watch the shows you do, why you’re vegetarian, or why you go to church. That’s your right as a human being. Likewise, us privacy folks shouldn’t have to justify our choices either. If we ask you not to post pictures of us on the internet or not to gift our kids a Chromebook or something like that, you should respect it because that’s what decent human beings do. This doesn’t have anything to do with race, gender, politics, or age. It’s about being a good person. They’re called boundaries.

When it comes to two-way situations, such as encrypted messaging, I think it’s a decent human move to at least try it out or consider the request. Signal, for example, is insultingly easy to set up and use. It literally could not be any easier. I don’t think asking anyone to use Signal is an unrealistic request and those who take the five seconds to download and set it up will find it very reasonable and easy to use. Switching to PGP is a little more involved, and I understand if you say no to that one.

On that note, whatever happened to compromise? I made a deal with my mother that if I set up a ProtonMail account for her, she would use it when emailing me. She agreed, and she’s held up her end of that bargain. Setting up ProtonMail is not hard. It’s no harder than setting up any other email account. Yet I still made the offer. Likewise though, I respect her. If she uses her old email account to contact me, I don’t ignore it. I still respond. The point is, it’s mutual respect. I don’t hardline people and tell them “use encrypted messaging or I’ll never talk to you again.” I respect their wishes, and in turn they respect mine. That’s how human relationships work, and if you won’t at least consider your privacy-oriented friend’s request, honestly you’re being kind of a dick.

We’re Not Crazy (But We Are Abstract Thinkers)

Calling somebody a negative name is what’s known as a “thought-terminating cliché.” In other words, if I call you crazy, I have now discredited you. It doesn’t matter what you say, you’re crazy so there’s no point in listening to your argument, even if your argument is “the sky is blue.” You’re crazy, who cares what evidence you spout to support your claims?

Most of us are not crazy (though some of us are a little extreme). When we talk about things like how data collection can be abused, we’re not just being paranoid. We’ve seen it happen before dozens of times. The difference is that we realize it could happen here to us. Often when I talk about abuses of data in other countries, people go “yeah but that would never happen here.” You’d be amazed. China’s social credit system is on it’s way to America. Random strangers are routinely swatted or harassed for the smallest things. Even the federal governent itself has doxxed dissidents. It can happen here, and it can happen to us.

We’re Not Crazy, We’re Playing a Numbers Game

“Okay,” you think, “fine. It can happen here, it can happen to me. But is it really likely?” Maybe not. But consider this: your odds of dying in a plane crash are 1 in 11 million, yet society doesn’t find a fear of flying odd or paranoid. Meanwhile the odds of being caught up in a data breach are 1 in 4, yet somehow I’m viewed as weird because I reduce my odds by giving up as little information as possible to those companies so that less of my information gets leaked? Why is it the more likely and valid fear gets shunned and mocked? Is it because these companies have built the most powerful and wealthy businesses on the planet by you giving up your data willingly? The CIA sure is jealous of how readily we hand stuff over to Facebook. It’s almost as if these companies have a financial interest in making privacy weird and socially unacceptable.

Everyone Lies

“Okay, but it’s not just that you don’t have Facebook,” you say again. “It’s the fact that you give fake names and numbers. You go out of your way to hide. Why?” Because, in the words of famous Dr Gregory House: “everyone lies.” Famous hacker Kevin Mitnick writes in his book about a proprietary encryption software that claimed to use 56-bits of encryption. When Mitnick hacked their system and examined the code himself, he found out they were really only using 30. For context, that’s the difference between 2 seconds and 25 days for the attacker to guess that password. In the HBO Documentary “Kill Chain” it was mentioned how companies who make electronic voting machines love to advertise how secure and “unhackable” their machines are, yet this is routinely proven to be untrue – not only are the machines easily hackable, but the companies refuse to let cybersecurity experts audit and fix their security. (By the way, nothing is “unhackable,” but that's a topic for another day.)

We’re Trying to Meet You Halfway

So yeah, in light of all this, you’ll have to be patient with us when we don’t trust Apple’s claim that they’re going to start respecting privacy more. Or Google’s claim that they delete our data. Or Facebook’s claim that they won’t abuse your data (which has already been proven a lie numerous times). These are all companies who refuse to let us see behind the curtain. These companies and others just like them routinely get proven to be liars, and we just don’t trust them. Would you trust your friend who says he missed your party because he was sick after he accidentally sent you a selfie from the bar? Of course not! So why do we get blamed for not trusting companies that routinely get caught lying? We’re scared. We’re scared of what these companies aren’t telling us. We’re scared of when these companies change hands and now that data – which has the potential to essentially mind control us – is in the hands of someone who will do anything to make another buck, or win another term in office. We’re scared of when this stuff gets breached and now our sensitive information (including financial and government records) is on the public web through no fault of our own.

If you’re reading this and you’re scared, I get it. If you’re not scared, you should go back and click on some of the links I posted. We know this stuff can be overwhelming. When you’ve been in a certain field long enough, you forget how to talk to outsiders. If I asked you to explain how to do your job, you might struggle. It’s second nature to you, but to me it would be completely foreign. Things like DNS, onion routing, and psuedo-anonymous accounts are child’s play to me, but I’ve been living and breathing this field for the past few years. You may not have understood any of those terms. We’re sorry that sometimes we forget to simplify it or we fail to explain it well or we just get really overzealous. It’s empowering and exciting to feel like you’re improving yourself. A lot of this stuff is scary and overwhelming, but there’s hope and light and sometimes we get a little too excited when trying to share that. We’re not trying to overwhelm you, we’re trying to help you. And we need to respect it if you don’t want our help. That’s your choice to make. But when it comes to us, you should also respect our choices to be more private even if you don’t agree with them. The world would be a much better place, I think, if everyone was just a little more considerate of each other.

Tech changes fast, so be sure to check TheNewOil.org for the latest recommendations on tools, services, settings, and more. You can find our other content across the web here or support our work in a variety of ways here. You can also leave a comment on this post here: Discuss...