Practical privacy and simple cybersecurity.
TheNewOil.org

Making Privacy Tools Worth It Part 1: The End User

Many of you may have come across this blog post from The Privacy Dad, which serves as a follow-up to a previous post titled “Privacy Tools Are Not Worth the Hassle.” A few years back, I had my “aha moment” in regards to privacy. Ever since, I’ve delved deeply into privacy, always cautious not to negatively impact my life too much, a topic I’ve written about many times. As such, I was very interested to hear directly from a user why they didn’t stick with Tutanota and what obstacles they had.

As I read through TPD’s Friend’s feedback, I had a lot of thoughts I wanted to share, both for end users and developers. This post ended up being much longer than I expected, so I’ve decided to split this up into two parts. This week, let’s dissect TPD’s friend’s criticisms that ultimately led them to decide that privacy tech was no longer worth it and see where we can improve on the end user’s side of the equation. I’ll put the developers on blast next time.

Patience and Compromise

I’ve shared before that I served in the military. This included a half-year stint in Iraq. At the end of my rotation, I was replaced by a reservist, who of course I had to train on how to do things in theater. Now, readers should know that I’m not a violent person. I make jokes, I like to be hyperbolic (like saying that I’m going to “Office Space” my computer if it keeps acting up), but I’ve never actually hit anyone in my life on purpose. But I came dangerously close to full-on beating this guy. That’s because when I was teaching him how to navigate the systems in Iraq (our job required computer and internet access), he was extremely impatient. He would click a link, wait maybe a second or two at the most, and then start clicking it over and over again when it didn’t load instantly. For those who don’t know, clicking a link a second time can sometimes refresh the request if the request timed out or is lagging, but usually that’s not the case and in some cases may actually slow down the new page loading. Furthermore, I had told this kid multiple times that he needed to be patient. We were in Iraq. I’m not sure what the exact speeds were, but they were somewhere between 5-10 seconds from click to full page load most of the time. The fact we had internet at all was absolutely freaking astounding when you think about it, and the fact that it took a few extra seconds to load instead of being instant like his broadband back home (yes, I’m old) was a small price to pay. It was about the fifth time or so when he repeated this behavior that I finally told him “I swear to god if you do that one more time I will take you outside and beat you.” He finally stopped.

I’m recalling this incident as I write this post because sometimes we as the end-user act like that guy. Citing TPD’s Friend’s list of reasons they stopped using Tutanota, they stated things like “The system of seeing previous and post emails was confusing and difficult to manage,” “it always took a while (a few seconds) to load and to switch boxes, it was slow to delete and save messages,” and “too many updates – they used to arrive regularly and you are bothered by the pop-ups reminding you whenever you need to log on.” These grievances highlight a common trend among modern end users: a growing impatience and demanding attitude toward technology. We are clicking the link with Iraq’s dial-up speeds and expecting our entire 4K video to load instantly. If we want our privacy back, we’re going to have to learn to temper our expectations and be prepared to make some compromises.

“It’s Just The Price We Pay”

For years, we've been told that the cost of enjoying free services like Google Search and Facebook is surrendering our data. It's a “seemingly” fair trade for something that works smoothly and appears aesthetically pleasing. However, these notions are fundamentally flawed. But for the sake of argument, let's assume they're true for a moment. This means that to reclaim our privacy, we must be willing to make concessions. We must acknowledge that things may load more slowly due to necessary decryption processes – data isn't stored unencrypted, ready and waiting on servers. We must also accept that user interfaces may lack the visual finesse of commercial counterparts, as privacy-focused developers prioritize security and reliability over aesthetics rather than A/B testing two different shades of blue to see which one is more addictive.

Perhaps that’s the biggest thing: we have to accept that privacy tech isn’t designed to captivate and addict us. It’s not going to be as attractive because it’s not designed to monopolize our attention for more ad impressions. It’s designed to deliver a certain functionality while respecting your privacy – “an inherently less exciting endeavor” as my proofreader so excellently put it. We also have to accept that services like Tutanota and ProtonMail have only been around since 2011 and 2014 respectively, while services like Gmail and Facebook have both been around since 2004, giving Big Tech nearly a full decade or more advantage in some cases.

There are also the constraints: in the world of crime, the good guys will always be at a disadvantage. They have to work within the confines of the law like obeying due process, respecting innocent civilians’ rights, and gathering evidence. The bad guys don’t have any such handicaps. This is equally true of Big Tech and Privacy Tech. Big Tech can scoop up infinite amounts of data, and along the way they might notice something that improves the service for the end user. They can also freely accept a variety of funding sources – such as shareholders and venture capital – which gives them more resources to implement and grow more quickly, so long as they turn a profit. Privacy Tech, meanwhile, should strive to get the analytics they need while invading your privacy as little as possible, which means they might actually miss some important feedback by accident. They also have to be cautious of what strings might come attached to larger funding sources, instead relying on often smaller and inconsistent avenues like donations, merch sales, freemium features, or maybe certain types of sponsorships. If we want to commit to protecting our privacy, enhancing our security, or simply sending a message to Big Tech, we must be prepared to accept reasonable bugs, rough edges, and even performance hits at times. I feel your pain, okay? I’m a fast-paced person. I’m bouncing my leg with “nervous” energy as I type this, I hate stop signs, I watch movies while I play video games (which frequently take a performance hit on Linux, if they’re playable at all), and I listen to my podcasts at double speed. That said, an extra 2-3 seconds of load time won’t kill you. I promise. I lived it ten years ago, and I’ve been living it every day since I committed to privacy.

I also want to take a quick second to circle back to what I said earlier: the notion that we have to give up our data in exchange for a clean, functional product is a myth perpetuated by Big Tech. One need look no further than companies like Pop!_OS, Proton, or Bitwarden to see that’s obviously not true. All of these are fully functional, modern, beautiful, responsive projects that respect your privacy. But these are also projects that are flourishing. Proton is a behemoth in the privacy community, Bitwarden is so successful they’ve actually acquired at least one other company, and Pop!_OS has an entire team behind it. These projects can compete, but what I said about being at a disadvantage remains true.

Overcoming Learned Helplessness

Let’s dive into the concept of “learned helplessness.” This is a psychological phenomenon where you’re capable of solving a problem but you’ve been conditioned not to try. TPD’s Friend says that “The system of seeing previous and post emails was confusing and difficult to manage,” and that Tutanota’s FAQ was full of “technical jargon” unsuitable for “ordinary people” like them. I took a look at Tutanota’s FAQ and I tried my hardest to view it with fresh eyes and look for anything that might be a bit technical. While there certainly are some technical parts, those seem to be aimed at companies or addressing things that “ordinary people” don’t really need to concern themselves with, like “What encryption algorithms does Tutanota use?” I encourage you to peruse it yourself and call me out if you think I’m wrong.

I’ve written in the past that I believe the standard of tech literacy is rising and everyone is going to have to learn to be more tech-savvy to survive in modern society. This is not an attempt to call TPD’s Friend an idiot, nor is it an effort to victim-blame (as I said, there will be another post soon about what developers can do better). I do, however, think they’ve succumbed to “learned helplessness,” where they’re so used to everything “just working” that they never have to think about it. They probably haven’t had to bother with account settings in ages (this is by design, the defaults usually benefit the company more than the user), so the idea of making any changes other than dark mode or display name – even simple changes in the settings that are easily reversible – becomes intimidating. Nobody’s used to the settings anymore. It’s become scary “technical jargon,” but in reality it’s simply uncharted space – more akin to a forgotten city than a haunted labyrinth. This is another hurdle we’ll need to overcome in our quest to fix the problems with our current surveillance state. As I’ve said many times before, not everyone needs to become an expert sysadmin or network architect, but we’re going to have to start accepting that we’ll need to learn how to navigate simple things like account settings, picking an “instance” on a federated service, how to properly set up a home router, and how to do basic troubleshooting on an error (such as “googling” the error code), among other simple tasks.

In Defense of TPD’s Friend

Before I close, I want to touch on subjectivity. TPD’s Friend stated that they preferred Outlook because it’s “much easier to use; it's intuitive and clear.” I strongly disagree. We use Office 365 at my day job, and I find Outlook absolutely maddening. If I had any hair, I’d pull it out. I can never find anything I need, things seem to have been thrown into random menus haphazardly with no coherence or cohesion, names for things are not intuitive, settings are missing or placement makes no sense. I say I’ve listened to intoxicated people explain conspiracy theories that made more sense than Outlook. I wonder if perhaps TPD’s Friend might’ve fared better on something like ProtonMail, with their more polished interface, more complete offering of features and products, and better support. Maybe not. Everyone has different ideas of what looks “good” or even “good enough.” It’s just proof that you’ll never please everyone all the time, and a reminder that there are no “one-size-fits-all” solutions.

As I close, I want to remind readers – particularly those who feel that I just spent 2,000 words blaming end users and telling them to just “suck it up” – that in the next couple of weeks I’ll be re-examining this same blog post but focusing on the parts where TPD’s Friend is right: while I think end users need to be much more forgiving and patient with privacy tech, I think the developers also have a responsibility to deliver a usable product – both in the sense that it’s stable and functional but also in the sense that users want to use it because it’s easy and attractive. For all of us to improve our privacy, it has to be a relationship where both of us give. For example, end users of FOSS projects should submit feedback: bugs you find, ideas for features or improvements you’d like to see, etc. Developers should welcome that feedback and – in the case of less-tech-savvy users – work patiently with them to help get whatever information they need to act on that feedback. If these projects are respecting your privacy, they can’t read your mind and may not automatically know what parts of the service could be better. This blog post is already double my usual target length, so I figured I should split it up into two parts rather than write a novel. So tune in next time for Part 2 where we’ll explore the developers’ side of this relationship and what they can do to attract and retain more users.
