As I mentioned a few weeks ago, I have recently written a book on digital security. This post is going to kick off a series on digital security (and secure communications – a skill that might become very important for freedom lovers in the near future) that roughly follows the outline of the book. This is completely free information that I make a very good living teaching. I’ve worked hard to put this into plain language (and perhaps even made it enjoyable to read, as well). If you enjoy this content, please consider picking up a copy of Digital Self Defense: The Layman’s Guide to Digital Security when it comes out this spring. Thanks!
This post is going to lay some groundwork. Hopefully, it will answer your questions about, “why bother? Google already has everything.” I know most of you that are actually taking the time to read this probably want to jump right into the “fun” stuff of encryption, but establishing a context to put those tools into is important. Bear with me, and we’ll get to the good stuff soon.
Privacy Vs. Security
Critical to understanding this framework is disambiguating privacy and security. Though they are often thought of as the same thing, they aren’t. Let’s use my house as an example.
Privacy. I could put up a 10′ privacy fence that would give me the privacy to sunbathe in my backyard, unobserved. I could purchase my home in a land trust or other instrument to keep me private from data brokers. I could blur my house in Google Street View. All of these things increase my privacy, but none makes my home harder to get into. In the case of the privacy fence, it may actually make my home easier to get into by giving a burglar a covered/concealed approach, or a concealed location from which to observe my comings and goings (privacy fences work both ways like that). Hence the need for security.
Security. My home has UL-437 locks with upgraded door jambs, motion lights, an IDS, a camera system, a decent safe, a very well trained German Shepherd Dog, and other physical security measures in place (and of course, me). These all make my home harder to get into and protect my goods, but by themselves don’t offer me any privacy.
Privacy & Security. Together, privacy and security complement each other really well. If you are looking to come after me specifically and can’t find my home, I’ve created another significant barrier before you even get to my physical security measures.
The bottom line: security prevents access to a location, account, etc. Privacy is the obfuscation or minimization of the information that is publicly findable or viewable about you. Ideally, we want both, but we compromise some on both to make life livable. Finding your balance is up to you.
Threat Modeling
Finding the balance among security, privacy, and convenience is called Threat Modeling. A threat model is a realistic, plausible accounting of potential threat actors and their intersection with your attack surface. This is a topic unto itself but is critically important. If we overestimate our threats we spend too much time, energy, and money protecting ourselves from implausible threats; if we underestimate our threats we get hurt, hacked, or otherwise pwned. Questions to ask to determine your threat model:
- What are you trying to protect? This could be physical access to your home, unauthorized access to your bank/email/social media accounts, etc.
- Who are you trying to protect it from? This ranges from everyday criminal threats to sophisticated state actors. That last one sounds implausible…but it’s not. More on that in a future post.
- What are the consequences if you fail to protect it? Failing to protect your PII could literally result in financial ruin. One in 5 victims of identity theft never recover. Think about that and its implications for you and your family for a minute.
The Framework
There isn’t really a digital security problem that can’t be hung on this framework. There are implied tasks (good, strong passwords for instance) under each of these. This is my preferred way to think about digital security.
- Malware resilience. It doesn’t matter what sexy encryption you’re using if I’m just reading your data directly from your keyboard or screen. This is an imperative step and one that every human should undertake.
- Protecting data-at-rest. This is just protecting the data that is stored on your various devices.
- Protecting data-in-motion. Protecting the data we elect to cede physical control of through electronic transmittal.
- Protecting cloud-stored data, and
- Protecting personally identifiable information.
There are tons of tools to help with each of these, but honestly, the best security measure in most cases is better human behavior.
I will get to the cool privacy/security tools in subsequent posts but there is some important groundwork to lay. Without a way to conceptualize privacy and the art of the possible, you could spend a lot of time spinning your wheels on mitigations that require a ton of effort but at the end of the day aren’t worth the squeeze. So without further ado, let’s talk about…
Security Nihilism vs. Security Purism vs. Security Harm Reduction, and Personal Responsibility
Security Nihilism: This is where most of you are. Security Nihilism presents as one of two things. The first and most common is, “I have nothing to hide.” First of all, that is patently false – every human on earth has thoughts, words, or actions he or she would not want to become public knowledge. If those have been recorded on digital media there is a greater than zero chance they will be exposed. We all have something to hide.
The other way this presents is, “there’s so much out there about me already OR the NSA/corporate surveillance apparatus/Russians can get anything they want…so what’s the point?” Well, if the NSA is a credible threat actor within your threat model, I can’t help you very much. I can help you a little, and I can help you a lot against everything else. Opting out of default collection is (relatively) easy; opting out of a targeted intelligence effort or law enforcement investigation against you is not. I’m happy to elaborate on this if there’s a specific question about it (though obviously I can’t reveal certain capabilities/TTPs, so please *don’t* ask that one).
Security Purism: I’ve been down this road. I’ve rented apartments, registered cars, and turned on utilities in the names of anonymous LLCs. I’ve become a resident of a state I’ve spent exactly one night in, used expensive mail drop services…the list goes on and on. Unless privacy is your job and/or you have no need to earn a living, date/have a social life, leave your house, etc., this is a challenge for most people. I have too many other pursuits and skillsets that need to be developed and maintained to remain the “purist”.
It is possible for the purist to be insanely private. However, even he cannot avoid leaving his home. He can’t stop shopping. This means he can’t stop being recorded on video, in association with his name when using an ATM, withdrawing money at the bank, etc. He can’t stop his license plate from being recorded by automated license plate readers (ALPR) (most of which are owned by private corporations). The issue with security Purism is it isn’t sustainable unless you’re independently wealthy and don’t have to leave home and/or have no other responsibilities, and/or it is your only interest area. If it is your only interest area…dude, get out from behind the computer!
Security Harm Reduction: This is the strategy I take. Harm reduction means, in a nutshell, “do what you can. Every little bit helps.” I liken it to quitting smoking – if you’ve smoked for 20 years, your lungs probably suck. If you quit today you’re not going to be in perfect health tomorrow, but in 10 years you’re going to be massively better off. If you tighten up some privacy and security problems now, they aren’t going to turn into big problems later on.
The harm reduction strategy is sustainable. It doesn’t require you “burn it down” tonight and start life as a new person tomorrow. A lot of people try this and get discouraged, and give up. Harm reduction involves working privacy/security interventions into your life as they become necessary, or as you have the time, money, and mental bandwidth. There are a few things I think everyone should do IMMEDIATELY (if not sooner), but most things can wait another month or two.
It’s also possible to be very private and very secure in this category. I can go as far as I want, but at the same time accept the things that aren’t worth it relative to my threat model and not be kept up at night worrying about them. This is a very sustainable model and the one you should begin with. If you want to be a purist later and have the time and money – go for it! If you try to go all-in right now, you have a daunting task ahead of you and not many succeed.
Personal Responsibility
I think you do have personal responsibility for your own privacy and security. Believe me, NO ONE ELSE CARES ABOUT YOU. No one is coming to save you. When your accounts get hacked or your data gets spilled, what do you think your local police department is going to do? They’re going to give you a report…to prove that you filed a police report. That’s it. Good luck with that.
Your responsibility is to yourself and those within your financial care. It’s funny – we’ll spend hours debating red dots versus LPVOs for something that we will almost certainly never use in extremis, but completely cop out on something that will almost certainly happen to someone reading this. Take responsibility for yourself.
Responsibility also means you have to stop saying, “well, I hate Google having all my data, but what can you do?” There are things you can do. But like most things worth having, they will cost you something. Google is – in my opinion – email welfare. I don’t want free email; I’ll pay for my products and services.
We also have a bigger responsibility to limit the information available to those in power (corporate powers or government powers). You may be a big fan of the current administration and not view your relationship with them as adversarial. But guess what? Yep – a new administration will eventually take this one’s place. Do you want them to be able to subpoena Google for a list of devices that have ever been to a gun store or shooting range? Do you want to enable the DEA to demand devices that have been to marijuana dispensaries? I don’t. Let’s keep in mind that the power we give a government cuts both ways.
In light of the erosion of the First and Fourth Amendments in the last decade (yes, those protect all others, too. Hell, the whole thing is important, and I’m not “pro-2A”, I’m “pro-Constitution”) we have to take it upon ourselves to limit that information. The national gun registry is here and the organization maintaining it isn’t ATF or DHS – it’s FAANG: Facebook, Amazon, Apple, Netflix, and Google.
Do something about it. Assume your responsibility and stop throwing up your hands in hopelessness.