How to Fail at Privacy & Security
Often times we look at success stories and go “this is what this person did right and why they succeeded.” This is great, and there’s a lot to be learned from that. However, I do believe there’s also a lot of benefit in examining failure and learning what went wrong. I’m a firm believer that a failure is only a failure if you fail to learn a lesson from it, even if that lesson is “don’t invade Russia in the winter.” So this week, let’s look at some of the top ways that you can fail in securing your own data and how to avoid them. As usual, this list is in no particular order.
Accepting the Default Settings
One of the easiest things you can do to take control of your own security and data is to browse the settings on your accounts. When was the last time you checked any of your app or account settings? Personally that’s usually the first place I go. In addition to doing things like enabling two-factor and dark mode, the settings are where you can often find really basic privacy settings like “make my profile private” or “don’t share my data with advertisers.” These settings alone will not make you as private as you can be, but they help a lot and they’re easy to change. Start small and stop the most obvious data streams you can find.
Never Making Requests
Most privacy and security products only work if both parties are using it. For example, end-to-end encrypted services like Signal or ProtonMail are only truly end-to-end encrypted if both parties are using Signal or ProtonMail (or another PGP-based email account). So if you never ask the people around you to switch to the same service as you, you’re not really getting the full benefit. There’s definitely still benefits, but it never hurts to ask the people around you to respect your values and consider switching. Often times – especially for people with social anxiety or low self esteem – it can be hard to ask other people for favors because you think you’ll be inconveniencing them, but just asking is not a big deal. So don’t be afraid to make your privacy preferences known by asking people to respect it. “Hey, would you mind using Signal to text me from now on?” “Hey, can we try using Jitsi for the weekly staff meeting instead of Zoom?” “Would you mind unplugging Alexa when I come over to visit?” The worst you’ll get is a polite “no.” Often you’ll get a “what’s that/why?” and then you can explain what the service you’re suggesting is and why it would benefit the person you’re making the request of. More often than not, you’ll be surprised by the amount of “yes”es you receive. There is definitely a fine line between making a request and bugging someone. If you ask to use Jitsi instead of Zoom every week, your boss may get tired of hearing it. But bringing it up once or twice will rarely offend anyone, and if you don’t ask the answer will always be no.
Not Doing Your Research
My partner is a big consumer of media. Hulu, Netflix, CrunchyRoll, YouTube, she loves it all. I’m more discerning with my content, but out of love for her I agreed to acquiesce and get a smart TV when we began living together. We made a few compromises: no microphones, no cameras, and I get to pick the TV. Ultimately, after a lot of research, I settled on a Roku TCL. There’s a specific reason I chose this TV. First off, Samsung TVs were right out due to having known NSA backdoors. I don’t think I’m a target of the NSA, but there’s no such thing as a backdoor that only good guys have the keys for. If the weakness exists, bad guys can exploit it, too. Second, I wanted a TV that had a solid history of receiving manufacturer updates to the software. Of course, I also took responsibility for setting up the device, which meant putting it on a VLAN, creating an account using a masked email and strong password, never putting in any payment details, and disabling all the data-sharing options I could. This isn’t an ad for Roku, this is an explanation of my research process. Imagine if I hadn’t done my research and instead just looked for the best deal at my local store: I could’ve walked out with a TV that never gets updated. This isn’t just a security risk. Our TV has had its fair share of bugs: freezes, crashes, twice we’ve even had the mute get stuck on. But our experience is improving as time goes on and Roku keeps pushing out new updates. Very few other TVs get updates, so we’d still be living with those bugs if we had gotten a different TV. We also never have to look at our TV and go “man, I really hope nobody is on the other side of the camera taking snapshots of us in our underwear.” Finally, as I mentioned above, I took the time to disable many of the more invasive “features,” which means I also have less concern about the data being recorded. (For the record, I do still have some concern, but I sleep a little better knowing we’re spewing out less data than the default).
Now of course, this was a multi-hundred dollar investment. I expect that the research will be proportional to the cost and sensitivity of the tool. I spent less time investigating my XMPP server because I don’t really use it very much. I spent much more time investigating ProtonMail and Tutanota because I do use email a lot, and sometimes for very sensitive purposes like banking and medical. You don’t have to spend forever deep diving into every single tool out there: figure out what you want from it, determine how much trust you’re placing in it, then do the appropriate amount of research.
Not Making Time to Implement
My dad imparted one phenomenal piece of advice that has stuck with me for decades: “If something is important to you, you’ll make time for it. If it’s not, you won’t.” To my dad, there was no such thing as “I don’t have the time,” but rather “I don’t want to make the time.” And that’s totally fair if you don’t want to make the time for something. But if there’s something you actually really want to do and you don’t make time for it, then you’re just doing yourself a disservice. If you want to make your life more private and secure and you don’t make time to actually do this stuff, then you’re only cheating yourself. I totally understand that some of this stuff takes work. Signal can be downloaded and set up during a Hulu commercial break, so there’s really no excuse for that one. But signing up for a password manager or moving email accounts, that can take some work and that may not be something you want to do after a hard day of work. I totally respect that. But if you don’t put it on your calendar and say “okay, this weekend I’m gonna migrate to Tutanota/ProtonMail/whatever,” you’re failing yourself. Make time to make the changes you want to make. Don’t keep telling yourself “tomorrow.” Put it on the calendar and let your roommates know you’re busy that afternoon.
Failure is only failure if you don’t learn from it. Maybe you’ve been guilty of some of these things in your own life so far. Maybe you haven’t made time to implement, or you’ve only been using tools others recommend instead of researching it for yourself. But now you’re aware and you can use that awareness to break the cycle. Remember to always seek room for improvement, both in your own personal growth and in your security.