In Who Do We Trust? How Privilege Plays Out in Security and Privacy Online
Protecting yourself online takes time, money and privilege.
In a digital world where most users have to choose between having their information stolen, or their internet activities monitored, it’s clear not all of us are able to keep up with the latest measures to protect ourselves online.
This past June, I tweeted:
“Tech peeps, serious question for a talk I’m writing: what should the *average* computer user already be doing? ie have VPN, a pwd manager?”
Takeaways included: you should NEVER use public wifi without a VPN. You should never pay for anything with a debit card. You should use an ad blocker in your browser. Have you backed up your data? Even though the topic never made it into my talk, one thing stuck out to me: while I consider myself to be above average in terms of “computer savviness”, there was a lot of foundational knowledge I just didn’t have.
As I set to work searching for new VPN providers and turning 2FA (two-factor authentication) on everything, stories on the latest hacks and data breaches were bringing security lexicon into the mainstream. With each subsequent data breach, and the inevitable, follow-up “How to Protect Your Data” pieces, users continue to be shaken out of a false sense of security online… but the skills and tools needed to mitigate these risks still require altering one’s behavior substantially. Don’t many of us know really intelligent people — and companies — who trust their data completely to the “others” they believe are doing the dirty work of keeping it safe? In 2015, as online threats grow, most users still don’t have the privilege, skills and resources needed to navigate online spaces safely, securely, and privately.
Rethinking “Private”
Photo CC-BY Kayla Kandzorra, filtered.
2015 was a dizzying year in data breach news. Millions of users of “infidelity dating” service Ashley Madison found their data — including names, email addresses, and credit card transactions — posted online for anyone to see. Password manager LastPass reported it was the victim of a hack that exposed user data. In October, data collector Experian was hacked and the names, addresses, social security numbers, and driver’s license numbers of 15 million T-Mobile customers were leaked. Earlier that same week, crowdfunding site Patreon disclosed that its servers had been breached and names, email addresses, and donation records were exposed. Health insurance firms were breached, as was the Army National Guard. It seemed no one was safe.
Even if you take the necessary precautions to protect yourself, a lot of your information is already out there. A Pew Research report published in 2014 showed that 21% of adults had their email or social networking accounts compromised, while over 18% of online adults had sensitive data stolen, an increase from 11% in 2013. The same report found that more than half of American adults are worried about the amount of personal information available about them online. At the same time, what’s considered “private” and who we deem trustworthy enough to have access to certain pieces of information about us is as evolving and murky as the technology made to handle it. I find myself in the privileged position of being surrounded by folks with more technical prowess than me, which makes it easier to learn and ask questions to make sure that I protect myself as best I can. But what about users who don’t have this privilege?
Vulnerable Online and Off
Photo CC-BY Frédéric BISSON, filtered.
Marginalized people, including women and people of color, are disproportionately impacted by Internet-related crimes, harassment and invasion of privacy. While statistics per country are lacking, an independent survey found that over 90% of “revenge porn” (cybersexual assault) victims were women and girls. Young women reported “experiencing particularly severe forms of online harassment”, and women are more likely to be the victims of cyberstalking than men. According to a 2014 report published by the Bureau of Justice Statistics, more women than men were victims of identity theft, and the number of people over the age of 65 who were falling victim to identity theft was increasing. Further, communities of color are particularly targeted by mass surveillance programs: for example, The Intercept published a report this summer that shed light on the surveillance of members of the Black Lives Matter movement, and how the NSA and the FBI spied on the communications of prominent Muslim-American leaders. Both cases echo back to the NYPD’s “Stop and Frisk” program and its mass surveillance of the Muslim-American community after 9/11.
While marginalized populations are most targeted, they also lack the privileges needed to protect themselves, including cybersecurity skills in a country where STEM fields are notoriously white and male-dominated, and where technology, tools and computer education are inaccessible to many: in just one example of the digital divide, low-income people, people of color, and younger adults are more likely to only have access to the Internet on a mobile device, and only 66% of Black households and 70% of Latino households have a home computer. Gaps in education and access begin in childhood and persist in schools, communities and workplaces throughout life.
The benefit of all the increased awareness in 2015 is that people know that something needs to be done, but learning how to stay on top of everything remains overwhelming: another Pew Research study showed that despite increased awareness of cybersecurity and online privacy issues in the media, most Americans have not changed their online behaviors. Among reasons cited, 54% stated “it would be difficult to find the tools and strategies that would enhance their privacy online.” Consider the time, money, and research that goes into learning more about internet security: I started using a password manager over two years ago, but I’ve dedicated the past eight months to learning whatever I can about protecting myself online. I’ve spent upwards of $400 on books, on products and services — a good VPN provider, security freezes through various credit bureaus (yup, I was a victim of a data breach), an encrypted hard drive, a PO box, privacy screens on my laptop and cell phone, and a webcam cover — just this year alone. Not a problem for me, but prohibitive to someone who doesn’t have disposable income to throw at this stuff. I’ve also spent significant amounts of time improving my password hygiene, closing down old social media accounts, encrypting my devices, and learning how to use PGP. Protecting yourself online takes time, money and privilege.
To make matters worse, there are often conflicting reports on how consumers should protect themselves from identity theft, surveillance and other online threats. Without trusted beacons out there, it is often up to individuals to figure out how to protect themselves — or recover — from invasions when they do occur. Complicating the situation even further is the acceleration of cybersecurity misinformation and government manipulation in the wake of the November 13th Paris attacks. As information about the Daesh (aka ISIS)-affiliated perpetrators began to emerge, so did reports on how they planned their attacks. According to various sources, they may have used encrypted messaging phone apps, the Party Chat feature on the PS4, and social media. Even former CIA director Michael Morell said that it would soon be evident that the attackers used encrypted apps to carry out the attacks. Encryption, the government insists, makes it really hard to catch the bad guys. As a result, it is working to weaken these technologies and make them more vulnerable to surveillance by intelligence agencies.
What many users don’t know is that the government has recently locked horns with technology companies — like Apple and Sony — regarding encryption; these companies claim, rightly so, that weakening encryption by making it easier for the government to crack will also make it easier for hackers. Encryption is used to protect everything from passwords to pieces of private data, like credit card numbers, bank account numbers, social security numbers, and so on. We now know, for example, that weak security practices made it easier for hackers to access Ashley Madison’s databases, whereas encryption meant that the information LastPass stored in its databases was much more difficult for hackers to access. But the media unwittingly publishing misinformation on a developing story — and the government’s take on encryption as a way to push a political agenda — serve to further confuse average citizens already feeling like they aren’t savvy enough to protect themselves online.
Going Beyond “Just Update Your Passwords”
Photo CC-BY Christiaan Colen, filtered.
There remains a lot more to be done when it comes to helping everyone protect themselves online. The players in this online drama include cyber criminals, cyber bullies, stalkers, hacktivists, governments… and you. As an industry, we have to do a better job educating consumers on becoming more privacy savvy, even if it means removing the facade of a seamless user experience every single time. Security isn’t always user-friendly, but I would prefer a company tell me what I can do to prevent serious damage upfront than point me in dozens of directions when I ask them how to pick up the mess after the damage is done.
When I started thinking about how privacy plays out in my own life, a friend suggested I read The Smart Girl’s Guide to Privacy by Violet Blue, which discusses ways women are targeted online and also ways that women and girls can keep themselves safe. The book offers practical advice and doesn’t suggest that keeping oneself safe on the Internet is easy. That part in particular — that being safe online takes a lot of work — is something that we need to be communicating to average users more often.
As the ways in which we depend on technology develop (think “Internet of Things”), the focus should be on more consumer education, not less, especially since users already feel that they don’t have the resources or the skills needed to keep themselves safe. Companies with security teams or departments should teach skills that enable and encourage employees to protect themselves online. Developers and companies should find ways to build encouraging behaviors into their UX, such as incorporating 2FA in device setup, making encryption an easy-to-find option, instructing customers to change router names right on the packaging, etc.
At the grassroots level, there are numerous things that can be done in conjunction with community organizations and nonprofits. Disseminating easy-to-understand security and online privacy checklists (or infographics) to users can help demystify security and develop good online privacy behaviors. Individuals and collectives alike can organize free workshops that teach people how to protect their data online – even in ways that aren’t super technical (e.g. What kinds of cards should I use for online shopping? What should I use to store important data?). Such workshops could also teach people how to encrypt their devices or turn on their computer’s firewall.
As a tech worker, you can help on an interpersonal level too: I’ve already gotten loved ones learning about password hygiene and browsing over public wi-fi using a VPN by telling them about my preferred providers and helping them set it all up. Finding ways to make security approachable is the goal. Educating “average” users helps manage the very real fears people have about navigating the online world; it helps them discern helpful information from misinformation, and it gives them the opportunity to speak up on cybersecurity issues that are very real and affect their lives.
Security should NOT be treated as a nice-to-have — it should be considered part and parcel of the online experience. Online privacy and security can’t remain strictly in the realm — real or perceived — of those who are “tech savvy” or “computer smart” or “geeks”. Many of us in the West engage online in very meaningful ways: we partake in activities that shape our lives and how we gain access to the world. Treating online privacy and security as a responsibility that everyone who goes online should be aware of is something to strive towards. We owe it to users to do everything we can to protect their data, but part of that also means showing what they can do to protect themselves. As technology evolves and allows people, corporations and governments to access user data in increasingly invasive ways, so must our defenses evolve. In some cases, our lives depend on it.