The Privacy Myth: Binary vs Spectrum
In my time in the privacy community, I’ve noticed a prevailing myth. Sometimes this myth is brought in by newbies who have a preconceived notion. Sometimes it is inadvertently (or intentionally) perpetuated by hardcore privacy enthusiasts. But in short, the myth is the idea that privacy is a binary thing, an all-or-nothing game, go big or go home, start building your cabin in the woods or don’t even bother using two-factor authentication. Quite frankly, this is a crock of garbage.
Privacy and security are often sliding scales. It’s rarely a binary yes or no, but rather a spectrum. Very few people are 100% secure or 0% secure. If you use a password – any type of password, even “password” or “admin” – that’s a level of security above just having an open account or document. But that’s a poor level of security against a password such as “(z”a8j#;uU$>s!;–;6!G”. That’s a far better password with far better security. But even that’s only 20 characters, and can be improved. It’s almost always a spectrum.
Most of us, by default and the way we were raised, tend to fall on the “less secure” end of the spectrum. We use easily remembered – and therefore easily guessed or hacked – passwords. We don’t use 2FA. We use Google Search and Google Calendar and Gmail.
The goal of my website, as I’ve said before, is to nudge you to the “more secure” side of the spectrum. It actually doesn’t take much to get there. Using 2FA, password managers, and similar techniques discussed on this site will actually move you considerably far on the spectrum. Because the thing is, the spectrum is relative. If we have a group of 100 people and 90 of them aren’t using 2FA but you do, that automatically puts you in the top 10% of the “most secure” spectrum. If the other 90 people add 2FA, the bar has been raised. Sadly a lot of the techniques I share on this site aren’t being used by the majority of people, so just doing these basic things dramatically moves you along the spectrum.
Now I do want it to be noted that where you need to be on that spectrum depends heavily on your threat model. So while Person A’s threat model may be as simple as 2FA and a VPN, Person B might have need of secure messaging and even extra protection against location tracking. Person C might opt to not even have a phone and live in an apartment rented in cash or a shell corporation (totally legal, I assure you). It’s different for each person.
I encourage you to go as far as you can and do as much as you can for the sake of herd immunity. If everyone uses encrypted messaging or a VPN, then it doesn’t stand out and look suspicious, and it makes reading the traffic uneconomical for the companies who do it. But at the end of the day, you’re still doing something even if you only do a little bit. Some people – including your own doubts – might lead you to believe that if you aren’t going whole-hog – deleting Facebook, deleting Google, and hosting your own email server – then you aren’t doing enough. Those are certainly great things to do if you can, but honestly don’t listen to those people. If you eat two dozen donuts every day for breakfast and suddenly decide to cut down to one dozen, you’ve still made a difference. It may not be enough to run a marathon and you'll probably still have some health problems, but it’s certainly better than eating two dozen and it may even be the first step towards a healthier lifestyle in the long run. Don’t let anyone make you feel bad for not going as hardcore as them. It’s a journey, and there is no one-size-fits-all solution. Do what you can and go from there.