In life – and the privacy and security communities – we are constantly assaulted with a variety of conflicting information. I’m sure there’s no need to give examples, you can find plenty of them just by reading the news or cruising the Privacy subreddit. This week, I want to write possibly my most important blog topic: Critical Thinking 101, or “how to evaluate a claim.” Don’t let the title fool you, this is not going to be a condescending, partisan politics post about how [insert group here] is dumb and you just need to use common sense. Instead I’m going to give you real, practical steps that you can use in almost any situation to help determine if a person and their claim are worth considering. Please note that this process may not always give you a definite “yes” or “no” on whether a claim is true or not, but it will help you weed out a lot of low-hanging fruit and can be part of your process when deciding whether or not to believe something.
Step 0: Solipsism, Certainty, & Standards of Proof
We need to get something out of the way right now: it is literally impossible to ever be 100%, truly, “come down off a mountain and found a religion” positive about anything. Have you ever heard the famous phrase “I think therefore I am?” It was said by Rene Descartes while he was attempting to determine the nature of reality. Suppose you sat down and decided “I want to prove beyond any doubt what is real.” Am I [Nate Bartram of The New Oil] real to you, the reader? Maybe not. Maybe I’m a VERY well programmed AI, complete with deepfake videos on Surveillance Report and all. Is this blog post real? Maybe not, it could be a glitch on your device. Is your device that you’re reading this on real? Surely, right? After all, you’re holding it in your hand, you can feel it. Not necessarily. Maybe you’re hallucinating. Maybe your home is a hallucination, and your loved ones. You could be in a coma right now, or a brain in a jar being stimulated with electricity by researchers to see what happens. At the end of the day, the only thing you can truly be certain is 100% real is your sense of self, the fact you are perceiving something and that you are conscious. What you are perceiving may be a hallucination, it may not be real, but the fact that you are conscious at all shows that if nothing else, you are real. This is called solipsism. I apologize if I just gave anyone an existential crisis. At the end of the day, I personally do not believe in solipsism and I don’t think it matters either, but the point is that in the most extreme sense of the word, we can never be certain that anything is real.
When it comes to deciding if you believe something, you base that on the “standard of proof,” which could also be called the evidence, the argument, or any number of things. The standard of proof is the level at which someone has presented enough evidence or logic that you say “okay, I believe that.” The standard of proof for a claim should vary depending on the claim. Again, there are some people who demand unrealistic standards of proof, like the infamous “if X is open source, how do we know the-company-behind-X isn’t running a different version on their servers?” At the end of the day, a person can always raise their standard of proof to unrealistic levels to the point where you can never meet it and therefore never convince them otherwise. This is a common meme both in media and real life: someone admits they made something up, the believers respond by saying that person was paid off or intimidated into a false confession. The standard of proof is too high to ever be met.
I encourage you to find a balance between the fact that you can never be truly certain and the severity of the claim. It’s a lot like threat modeling: if you tell me that you’re a professional plumber, I’m not going to demand a lot of proof given that the stakes aren’t very high. If you tell me that Matrix has a backdoor, I’m going to demand a higher standard of proof. It is with these two important points in mind – the lack of achieving true certainty and the fact that standards of proof rightfully shift – that we can now move forward. Remember these as I go.
Step 1: The Claim
The Earth is flat. The Moon is made of green cheese. The CIA can read my thoughts. These are all claims that are blatantly ridiculous, and we know this because they contradict proven, scientific facts. Now look, I know that to some, science itself is suspect these days but as I said above we have to accept that we can never truly be 100% certain of anything. That said, when someone is making a claim, the first place to start is the claim itself. Does this claim contradict proven, repeated evidence? Let me cite a common example: “Signal is a honeypot because it’s an American company.” This claim rests on the idea that because Signal is based in America – a country that is openly hostile towards end-to-end encryption – and because it’s centralized, it therefore must secretly be spyware and that using it is no better (or arguably worse) than just using regular SMS. However, barring any new evidence (which we’ll discuss in a second), this claim is easily disproven. Signal is open source and wildly popular, meaning that many, many experts have laid eyes on it. Numerous experts from across a variety of fields, companies, and levels of experience (this will also be covered later) have all stated that there is no indication in the source code of Signal’s client app that there is any kind of vulnerability. This means that even if the servers were compromised, the messages are still secure. The only way the message could be compromised would be at the device level – if your phone had a keylogger or something like that. This is a claim that has been tested and proven many times over during the course of many years. In fact, we can even go a step further and look at the infamous Vault 7 CIA document leaks and see that the US intelligence community has spent considerable effort attempting (and failing) to crack Signal and find workarounds to circumvent their encryption. If Signal was a honeypot, why would they do that?
Now of course, as I said, there will always be the people with a standard of proof that’s unreachable. Those people will say “maybe all those researchers were paid off” or “maybe Vault 7 was disinformation.” Personally I find that these suggestions make the security of Signal even more likely because of the additional unlikeliness and assumptions required: you have to assume that not a single one of those researchers is ethical, that the ones who were have somehow been COMPLETELY silenced or overlooked, and not to mention this is all stuff that can be verified by any given individual who cares to learn the programming language and examine the Signal code themselves.
This blog post is not meant to be a defense of Signal, but this is a good example: the claim itself can’t stand up to scrutiny. There are years of evidence from multiple credible sources that disprove it right off the bat. Unless the person making the claim is presenting new evidence, then the claim itself is probably safe to discredit and ignore. On that note:
Step 2: The Evidence
Suppose, in the Signal example, that the person is presenting new evidence. In fact, they kind of already presented some in the claim: “because Signal is an American company.” Not all evidence is equal or valid. In this case, the person’s evidence is that American companies all inevitably have encryption backdoors. While that specific claim is untrue, it’s a valid concern and it has precedent. Popular messaging platforms like Clubhouse, Facebook Messenger, Skype, Reddit, SMS, and others are not end-to-end encrypted and the providers frequently keep message content for at least a certain period of time. All it takes is one court case and a subpoena for Verizon to turn over all your SMS messages – plus content – to the court to be read aloud in public. But then there’s also the hidden programs like the infamous PRISM program in which the US intelligence community paid companies like Apple, Google, and AT&T for direct, backdoor access into their databases to pop in any time they wanted to collect whatever data they desired. The UK had their own version, TEMPORA, which involved physically splicing into the country’s main internet cables so the government could make a copy of every single piece of internet traffic that passed through the country. And recently, several western countries teamed up to make an “encrypted” messenger with the sole purpose of infiltrating criminal groups, all the while it was backdoored and submitted decrypted message content back to authorities. With evidence like this, it’s not hard to see why someone would say that any American-based service is compromised by default.
This brings us to the importance of evaluating multiple parts of the claim. While Signal is indeed an American company and that does warrant scrutiny, further evidence has shown that despite Signal’s country of origin, it is likely safe and secure. Suppose the evidence for the claim was new. Suppose the claimant said “because Signal is a UK-based company” or “because Signal sold to Amazon.” These are not true, and if the person is making this claim then they need to provide new evidence to back up that claim such as reputable articles, a company blog, or some sort of public record documents that were filed like a transfer of ownership document with the state. So just to sum up and be clear: sometimes a claim may seem outright ridiculous (“the medical community killed black people just to see what would happen”), but that doesn’t mean you should dismiss it on that alone. You should also examine the other factors, like the person making the claim or the evidence.
The final piece of critical thinking that must be examined is the person making the claim. Now let me be clear: this is NOT the same as an “ad hominem” attack, which is Latin for “to the person.” You’ve likely seen this, and if we’re all being honest we’ve all probably done it in fits of emotional outburst. Let’s keep rolling with the Signal example and let’s pretend I’m the one making the claim that Signal is compromised on account of its American origins. An ad hominem attack might be to point out that I’m openly critical of the federal government and therefore I’m biased. Or to cite my recent interview with Session as proof that I’m trying to knock Signal down a peg to promote Session instead. Or, since in reality I do encourage the use of Signal, you might argue the opposite: because I’m an American I would be loyal to my country and refuse to admit the possibility that Signal might be compromised on those grounds alone.
An ad hominem attack in common usage refers to attacking the person without validity. It’s the fancy equivalent of calling someone a buttface because you didn’t like what they said. But there is, in fact, a way to evaluate a person in a valid, ethical way. Technically this can be broken up in a number of different categories, but in my opinion it all comes down to one broad factor: qualifications. Qualifications are made up of a number of factors that aren’t always necessarily equal or important. For example, education is one. If I’m making the claim that Signal is broken, do I have any education as a cryptographer? A programmer? Did I go to college for it? Did I graduate from MIT or community college? Of course, education alone is not the end-all-be-all. There are many incredibly talented individuals in a variety of fields that are self-taught, and there are also tons of Harvard and MIT graduates who barely scraped by with C’s and never really did anything exceptional (or at all) in their field of study. This is why I say that qualifications are made up of several factors and that they’re not always equally important. I want my doctor to not be self-taught. My app developer, on the other hand, I’m less concerned about. Other factors in the “qualifications” category include things like experience – have they been in this field for ten years or ten months? – and reputation – is this person generally regarded as someone who knows what they’re talking about or are they widely considered a crackpot who’s good for little more than entertainment? It’s also worth considering the person’s possible conflicts of interest, like employer. If ProtonMail releases a study touting the efficacy of PGP, keep in mind that Proton is based on and heavily uses PGP, so they have a conflict of interest. Of course they want to say why PGP is good and downplay (or ignore) any evidence that it’s bad.
As discussed before, this doesn’t mean they’re wrong and you shouldn’t ignore the claim on this alone, but it’s worth keeping in mind when researching the claim.
Personally I also find it important to separate information about a person based on relevance. For example, let’s say the person making the claim that Signal is bad is an alcoholic. Does that matter? In my opinion, not really. As long as they were sober when they did the research and presented their findings, what they do in their free time is none of my business. Personally I think that’s about as relevant as their sexuality or gender. On the other hand vices like alcohol, drug use, sexual lifestyle or interests, these could potentially (“potentially” being the key word) indicate things like blackmail or sloppiness (hence my “was the person sober when they did the research” caveat), and they tend to be used to smear a person even if it has no bearing on the claim (ad hominem). This is why intelligence communities often look into things like sexual orientation or history of addiction in potential applicants – they want to know if you can be blackmailed by the enemy for things like cheating on your wife or gambling away your kid’s Christmas budget in Vegas.
Toward the beginning of this post, I mentioned that the standard of proof can vary, but so can your level of belief in something. For example, I said in my recent interview with Opt-Out Podcast that I firmly believe that Apple can see everything I do on my phone despite having no evidence. Well, that’s not entirely true. I base that claim on the 2014 documentary “Terms And Conditions May Apply,” in which they demonstrate how digital forensics tools can in certain cases recover the exact keystrokes from your device. If third-party tools can do that after the fact, why wouldn’t Apple be able to in real time? It is for this reason that I don’t trust my phone, but honestly other than this single documentary I don’t have any real proof. I don’t have any leaked Apple memos, any news stories about this, or anything like that. I’m basing all of that off a single story from a person who I know almost nothing about. I believe this claim, but I’m also willing to admit that I’m wrong. My level of belief, if I had to put it on a scale of 1-10 (1 being I don’t believe it at all and 10 being I’m certain of it), I’d say I’m about at a 7.
The point is that you can think something is likely without being convinced of it, and vice versa. You can always change your views as more information comes to light later, and in fact you should. You don’t have to be totally certain of something. You can evaluate a claim, the evidence, and the person making the claim and still walk away going “I’m not really sure, honestly.” As I said at the beginning, the point of this post is not to tell you what to think or how to be certain of something, but rather it’s to give you some tools to help with that process. I see far too many people in all areas of life believing claims at face value. There’s never anything wrong with critical thinking. Now go forth and think great thoughts.
You can find more recommended services and programs at TheNewOil.org.