How to Convince Non-IT Friends that Privacy Matters?
mmtux writes:
"As technology becomes more advanced, I am increasingly worried about privacy in all aspects of my life. Unfortunately, whenever I attempt to discuss the matter with my friends, they show little understanding and write me off as a hyper-neurotic IT student. They say they simply don't care that the data they share on social networks may be accessible by others, that some laws passed by governments today might be privacy-infringing and dangerous, or that they shouldn't use on-line banking without a virus scanner and a firewall. Have you ever attempted to discuss data security and privacy concerns with a friend who isn't tech-savvy? How do you convince the average modern user that they should think about their privacy and the privacy of others when turning on their computer?"
...Is to demonstrate the dangers to them. e.g. get their passwords (without them knowing) and change data on their profiles to prove your point. There's no better way.
I've discovered that most people generally get really annoyed when you play the devil's advocate, poking holes in logically fallacious arguments. Also, people don't like being told what to do. In my opinion, a healthy sense of caution is good, and I've made more progress trying to inform people instead of telling them what they ought to do. If they don't want to take any action, well... It's their loss, in the end for the most part.
Of course, if they have access to something you'd rather keep private (such as documents, photos, conversations, etc.) then you're kind of at a loss there...
Food for thought: when we get all riled up about privacy, are we any better than the crazies who rail about pedophiles on the internet and make it seem like there are bogeymen around every corner?
Sometimes I wonder if I think too much.
I try to convince them that they should be pushing to have this data made open to everyone rather than allowing the data to be kept as a private resource for the use of a few. And I try to make them understand that the Trusted Computing threat, which is all about remote censorship, is a real danger to them that can't really be effectively fought while the illusion of privacy maintained by obscurity is allowed to continue to exist.
And to Captain Splendid and his friends, who will surely once more come along asking why I don't publish my home address and phone number here so he can come stare at me, it's because in the presence of rampant hypocrisy that thrives untroubled by the transparency I hope to see one day, singling myself out makes me vulnerable in a way that systematic transparency would not. There is a difference between negotiating a unilateral disarming, which is how I view this effort, and throwing down your guns first and getting shot in the head, which is what you're suggesting I should do.
-1 Uncomfortable Truth
I generally remind them that privacy is not just from the government, but is a matter of having some control over who knows what about your life. You may not be ashamed about your partying, for example, but that doesn't mean that you want employers or parents to know too much about it -- definitely not to find out about it without you having the excuse to explain that you're careful and responsible. Political beliefs are also important, whether to avoid arguments with family members who disagree, or to avoid reprisals from a boss whose political persuasions are opposite yours ("If he has enough money to donate to that campaign, clearly he doesn't need a raise!"), or even from a government whose views you oppose.
And there are lots of personal details we're not ashamed of that we nevertheless would like to not be public. Vacation plans ought to be private from stalkers, ex-girlfriends, that really annoying friend from college who lives one town over from the hotel, etc. My sex life is nothing to be ashamed of, but nobody but my partner has any right to know about it.
Ultimately, privacy is not about secrecy, it's about personal sovereignty: who gets to say what people have what information about my life?
No, because in the case of privacy, people are constantly trying to pry into each other's business. Speaking personally, I have had it confirmed at least once that an email sent to me had been maliciously faked in order to manipulate me, and I have had some circumstantial evidence that someone was reading email conversations I had with someone else. I've been approached by people who know that I am a programmer, and want to know if I could "hack into" someone else's email account so that they could read through it. This stuff isn't about the boogeyman government, it is about ordinary people who actually do have no respect for the privacy of others.
Here's another angle to consider: sometimes, a message is easily misinterpreted when read by an uninformed party. When I was in Junior High School, I was once accused of plotting to blow up the school because of a note I had written to a friend, which had been misread by a teacher who found it after class. It isn't so uncommon. There are a dozen different situations like this, where some message is ambiguous and should only be read by someone who is fully informed on the context.
Palm trees and 8
In this case we are talking about 2-3 different things:
First, the problem of formerly private information that your friends have willingly made public, either because of convenience (information given to a website that they use for shopping) or on a social networking website.
Second, the private information that they are unwittingly making public, or leaving themselves at risk of making it public.
Third, that governments may be helping themselves to information thought to be private.
The first is a cultural difference, the third is out of your control, and the second is the really important one. You aren't going to win the debate on the first one. We've seen this debate before, on anonymity for BBS users, later on the rise of cookies. On one side were the forces of good, arguing that these changes were very real invasions of privacy and made your computer do things you didn't know it was doing and wouldn't want it to do if you did know. On the other side was convenience. It sucks to have to log in to slashdot every time I open a new browser window. It's kind of nice that Amazon can make recommendations to me. Cookies let that happen and the public debate, for what it was worth was won pretty handily. Now, that doesn't mean that companies started using cookies as an outgrowth of the democratic will of internet users. It just means that the level of outrage was muted over cookies enough for image conscious companies to get by with using them.
The same thing is going on w/ facebook/myspace/etc. The tables may turn on them (and will probably turn on facebook soonish), but for now we like the fact that others can see our name/face/job/school more than we dislike that these things are no longer private. Part of that outlook comes from the fact that we are limited in imagination. We see facebook one screen at a time. We can't look at people who aren't in our group (I think, haven't used it in a while). It takes a non-trivial amount of time to look through information. Consequently, we see that as the ONLY way to grab data from facebook. We don't connect (or at least the non-IT ppl) the fact that someone broke down anon/aggregate survey data from aol and netflix to get private information automatically. We don't think about scraping programs that read sites like myspace/facebook and correlate names and zipcodes with other sources of information on the web.
The last part of this failure of imagination is that there is a cost to privacy. If I want my personal information to be private wholly from facebook, I can't be on facebook. Relatively speaking, that is a large cost. There is no 'maximum privacy' level for facebook where you can post pics of you and your friends and make comments and it won't be recorded somewhere. That product doesn't exist.
Ok. I won't touch on the third point because that is a flame war waiting to happen. Needless to say, it is out of your direct control.
The second point. My advice is be direct when the situation calls for it, but don't bother when it doesn't. If you are out at a baseball game, don't strike up a conversation like "Gee bob, I noticed that your password for your computer is 1 2 3 4 5 and that you sure do have an awful lot of sensitive info on there. Don't you think that you ought to change that?".
And then just tell them to get a mac. If they aren't security conscious enough to get a virus scanner while running windows then they really should be using an OS that does everything for them.
Attacking your friend's accounts is a good way to lose your friends. Most people don't take very kindly to that sort of practical demonstration without first giving their permission.
Palm trees and 8
I've tried to point out problems to several people (the ones with Post-It notes with their passwords on screen corners or under keyboards). They don't want to take the time to learn enough and make a method for keeping things "straight". They just want things "to work, like the TV".
I've pointed out to one friend that letting people use your account on your Mac will eventually cause problems (half a dozen teenage grandkids = reinstall the OS after God knows what was done). She wasn't interested in setting up a Guest account.
I've pointed out to one friend that with 3 late grade school kids he needs parental control software on his Dell to keep the kids in line (at least a bit), but that fell on deaf ears. I pointed out his home PC was a part of a Botnet (3 gradeschool kids on the machine, so no wonder). I specifically noted that means virtually anything on that machine including passwords he types is known to the person who controls the BotNet including any financial or work docs (he's a lawyer). He said he would fix it, but 9 months later, it is obvious nothing changed, except... they found the kids surfing porn.
I mentioned that the "Near Zero" time for a busy person to fix "the problems" is a MacMini for around $600, and they can still run Windows XP if they want. No change observed.
I simply have no answer for dumb human habits used by smart people. They are good friends, so I don't say anything more.
and see if you can find something about them (hopefully without paying) that they haven't shared with you. Something like, "Oh, so your (mother/brother/sister) was born in xxxx" or "Your middle name is Tiffany"? Or you could just show them that site. Scariest site on the internet if you ask me (well, aside from vomit porn)
Monstar L
Start by explaining a real-world current personal problem. (I do not crack so showing his bank balance is not possible.)
A friend loves his wireless laptop. We encrypted router communication at both homes. Explaining why encryption is needed led to an explanation of the dangers of handling financial transactions while wandering NYC -- that any open router could record everything including passwords and perform man-in-the-middle attacks to bypass SSL. Anybody willing to capture his information could; expecting those people not to use the information maliciously seems silly.
Once those dangers were understood, my friend was eager to hear about more insidious problems such as government policies (telecommunication recording), other insecure devices (iPhone), and deliberately open websites (Facebook).
I spend my life entertaining my brain.
I consider myself to have a reasonable technical knowledge (e.g. I've just written a telnet client from scratch in c++) and I don't use a virus scanner when online banking or at any other time; they're a complete waste of space.
For now you can get by without a virus scanner if you're using OS X or another of the Unices but one is needed for online banking using Windows, even Vista with its nagware notices. Many will turn off the "Need your permission to continue" prompts. And with today's hdds approaching terabyte sizes space isn't nearly as much of a concern as it used to be. I've got a 500 GB external hdd I can stick in one of my pants' or shorts' pockets. And I used to use a cassette tape for storage.
Falcon
Should there be a Law?
Have you considered the possibility that politics just might not feature very large in their lives?
If they live in a place where no matter who they vote for, they (as individuals) won't actually make any material difference, then it may be that they know this, either tacitly or explicitly and therefore have decided to expend their energies on more meaningful pursuits.
Back on topic. The security-innocents may have a similar set of values: they don't know anyone who's lost money/property through ID theft and therefore have no way of measuring the risk to them and are therefore more interested in tangible risks?
politicians are like babies' nappies: they should both be changed regularly and for the same reasons
There was a brief window of history between urbanization and computerization when real anonymity existed; that's closed and we're returning to the way humans have always lived.
Not to quibble, but before censuses and technology humans were generally anonymous up until the 1870s (varying country by country). Sure you knew your neighbors, but it wasn't quite hard to move to another town and change your name or publish works anonymously without a good way to track you. Many great works were actually published anonymously over the centuries that were often critiques of the powers that be or society in times when their life or limb was threatened.
The internet has provided some persons a way to speak out since anonymity has been repressed by the powers that be during the 20th century in many totalitarian governments.
Secondly, it isn't far fetched that someone given what you buy at a grocery store could target you in some way or another. They wouldn't do it on an individual basis but imagine if a "pro-dolphin" group saw that you were buying tuna from a questionable company and then targeted you by exposing your name on a list on their website.
"I am the king of the Romans, and am superior to rules of grammar!"
-Sigismund, Holy Roman Emperor (1368-1437)
I was sued in federal court for violating someone's right to privacy (06-cv-01164, D. Minn). I posted their photo on my website, and they sued to get it removed and get damages. I represented myself, had a trial Nov. 5th, and the verdict was issued last Friday. I won. Yes, I demonize the person who sued me over his exaggerated privacy concerns, which led to a baseless federal lawsuit that tried to quash my free speech rights. Their exaggerated privacy concerns were not harmless.
I've posted about this litigation on Slashdot before, but the verdict is in now so here's the URL again: Gregerson v. Vilana
The plus side of sharing private info on the web: I got to know my wife only after seeing her photo on her geocities page, scoping her out to see what the stranger from the other side of the world, who emailed me asking for a .pdf file, looked like (her formal writing style made her seem middle-aged, but her photo showed she was actually much younger, and we started corresponding).
I posted my own medical information online 10 years ago, which has since helped other patients. I posted info about my late brother's illness, also to help other patients, which it seems to have done. If you reply to this post and attack me over my health problems, or my deceased brother's illness, I don't think that exposes me as a bad person -- it exposes you as a jerk. If you won't hire me because of these things, I -- me, personally -- am OK with that.
www.cgstock.com
Even better:
Ask them if such cameras can be fed straight to their insurance companies. Most people will write off things about random strangers, 1984 style government stuff, etc, as paranoid. If you can get them in the "It could raise your insurance rates..." angle, though, they listen much more often.
Direct financial motivation usually works better than theoretical effects...
This is not an automatic signature.
If they don't get it after you explain that, walk away, as you are never going to convince them.
Google around for the Slashdot story on the FBI using the purchase of falafel as an indicator of terrorist intent. There was a serious proposal put forth by law enforcement to datamine for people who bought falafel (and presumably no pork and no alcohol :) at the Wrong Sorts Of Grocery Stores, and to feed that list into some other datamining operation, presumably because people with those dietary choices are more likely to be terrorists than us beer-and-bratwurst types.
Ask the descendants of Japanese WW2 internees. Both Japanese immigrants and American citizens, whose only crime was being "of Japanese descent" were rounded up, sent to camps in the middle of nowhere, and their homes and fishing boats were sold at sub-foreclosure prices. The data used to figure out whom to round up came from the Census.
The only thing that separates those two programmes is the whim of a Congressman and the stroke of a pen.
Those who do not remember the past are condemned to repeat it.
Speaking of which, there are still a few old fogies from Europe who never had trouble remembering the past, because they had funny numeric tattoos that remind them of it. Most of them lived like you did -- freely practising their religion (and buying wine, but not pork), proudly sleeping around with whoever they liked, being active in some of the new political movements of their day, and it's not Godwinning the thread when you're pointing out that the "open culture" of which you speak made it a lot easier, once the Weimar Republic fell, for its replacement government to figure out who should get a yellow star, a pink triangle, or a red triangle to wear.
is either already knowledgeable enough to take care of themselves, or completely ignorant. There seems to be little middle ground, because those that consider their personal information valuable take steps to protect it, learn what they need to learn in order to accomplish that. They ask questions like, "I understand I need a firewall, can you recommend a good one?" or "I'm looking to get a wireless setup at home ... how do I configure it so it's more secure?" I can deal with people like that. They're willing to learn.
Then there are the clueless ones, those who agree that privacy and security are important, but simply refuse to see their friendly personal computer as a potential threat in that regard. Just can't see it. Sure, I've set up security for people, done my best to keep them from screwing up too much, tried to educate them a little
... but I always come back to find the firewall turned off because "Facebook stopped working and I thought it might be the firewall" or "this game I got off the Internet kept throwing up little windows saying 'this program is trying to access the Internet' and I got tired of clicking Allow." Gagh. That's not even counting the utter inability of these people to take even the slightest precautions when it comes to email. It's not like they haven't been told, in no uncertain terms, what they need to do to keep their data safe. They just refuse to do it ... and when something bad happens to them I just shrug. An "I told you so" just isn't worth the effort.
It's very frustrating: you just want to smack them with a cluebat, you really do. I guess I'll just have to get used to willful ignorance. Might as well wish that SUV drivers would stop being four-wheeled sociopathic assholes. I don't see either situation improving any time soon.
The higher the technology, the sharper that two-edged sword.
Against the "I have nothing to fear because I have nothing to hide"-like arguments I always say that you don't know what you would want to have kept hidden in, say, 10 or 20 years from now.
Before WW2 the European Jews used the same argument that anyone was allowed to know they were Jewish when they allowed the registration of their religion. They were (sort of) right then, but we all know what happened in WW2, where the Nazis made 'good' use of this registration.
You do not know who will use your data for what purposes. I read once that for every proposed law, before accepting it, one should imagine what his worst enemy would be able to do with it if he (the enemy) got the power. Wise words, in my opinion.
What person will donate an airborne act of love?
While I agree in general, there's more to be considered than just "we're IT, so we care more." Privacy doesn't exist solely in the IT world; for most people, the majority of the privacy that they get isn't from their IT policies, it's from their home's walls, the blinds on their windows and the door on the bathroom. Likewise, most identity theft comes from dumpster diving and other traditional means, with online identity theft actually going down. If you use that as a metric of privacy (the important data not getting into the wrong hands), then that would indicate that IT privacy is actually getting better than other areas.
What this actually means is that people are more used to dealing with privacy than other areas. Everyone in the world cares about privacy to one extent or another, and it's practically (if not literally) an instinct since we're taught it from birth, which puts advocates of online privacy in a better position than a fitness nut or a dentist. We can draw real, direct analogies between facebook's policies and brick and mortar company's policies. If my credit card offers me double rewards at a coffee house, should that coffee house get my address, full name, mother's maiden name and social security number just for having that relationship with my card company? Should the guy who sets up a chess game in a cafe get all the personal information of the people they play against?
Privacy isn't new, and its problems aren't unique to IT. All we need to do is put the issues in plain terms and let people make their own decisions.
Daniel Solove, an associate professor of law at George Washington University Law School, has a good paper on this subject titled, "I've Got Nothing To Hide" and other Misunderstandings of Privacy (http://www.scribd.com/doc/187371/-Ive-Got-Nothing-To-Hide-and-other-Misunderstandings-of-Privacy).
Ask them if they use envelopes when they mail out bills or other correspondence. "Of course I do!" will usually be the response. Then ask them if they'd mind if you listened in while they talked on the phone or in person to their doctor or lawyer or spouse or significant other. "That's none of your business!" will again be the usual response. "But why? If you're not concerned about privacy, why should you care about other people seeing what bills you pay, what you write or say to your lawyer or doctor or spouse or lover?"
-- Ed Carp, N7EKG erc@pobox.com PGP KeyID: 0x0BD32C9B What I'm up to: http://intuitives.mine.nu
>>And more than likely, the lender will laugh them off the phone. Why would they voluntarily take a smaller payment?
For the same reason that CC companies LOVE people who only pay off the interest. The interest is their profit. If you pay only interest to them for a few years, that's a few years of pure profit to them. If you turn a 30-year mortgage into a 45 year, with the same terms, then they just made 15 years of interest payments without losing the capital. If you default, they run the risk of losing the capital.
So I disagree. My gut- and my bank- both tell me to inform them of any difficulties I might have with my mortgage. Maybe the market is different where you live.
-b
No offense, but I've stopped responding to AC's.
I actually had made plans with a group of students at the university to go around my city to various high schools, giving physics demonstrations and talking about what sort of jobs are available in science. There was also talk of a mentoring sort of thing for students interested in science but that do not have the resources to learn more. It made me feel good, I was going to be volunteering to help my community! Exciting.
I inquired about how to contact teachers to do these demonstrations in science classes, and was told I could set up a meeting with this one outreach program representative. No big deal I thought. We made the appointment and I met with her. Well, I was given an hour-long meeting on how to fill out a stack of papers about who I was, what organization I was with, who authorized me, what I wanted to do, where I wanted to do it, what days of the week I proposed to give these presentations. It included authorizations for background checks at both the state and federal levels. Finally when I thought it was all over, she hands me a fingerprinting kit and says I have to go on my own time to a local company, get fingerprinted, and wait to get verified before I can finally start.
My group gave up our plans for demonstrations and meet a scientist day right after she left. That is completely ridiculous, a huge intrusion into our lives that doesn't need to exist. We work for the university physics department, you can verify that, what else do you really need to know? We wanted to come talk to a class during school hours about physics; it's not like I was planning "Physics Sleepover! No Parents Allowed!".
I've been trying to figure out how to respond to the whole "If you do nothing wrong, you have nothing to hide" argument, but I'm not a good debater. Any thoughts anyone?
;-) but life doesn't seem to work that way very often...sigh
Day 1: Nothing to hide? sure, nope, use of BitTorrent isn't illegal, no problems here sir, please move along.
Day 2: knock knock. Sir, based on current laws passed 5 minutes ago, BitTorrent is illegal, and we've been monitoring your intarweb usage today and you'll need to come with us now. No you don't get a phone call.
If they know what you're doing, they can make it illegal for whatever reasons they like.
Another thought: Isn't the "since you have nothing to hide you shouldn't worry" argument mostly the same as 'Just because' argument kids will use?
I'm no great debater either, much prefer these board type systems
People in cars cause accidents....accidents in cars cause people
I have tried showing them with a mock attack as suggested above but it never works. Recently, however, I have had a small victory in the "Teach the philistines they will suffer if they continue" war. I was shopping at The Container Store for some stuff (actual stuff omitted so they can't figure out who I am based on purchase data cross referenced with cc info. Just Kidding) and was asked what my phone number was when I paid for the stuff. I, to my wife's dismay, told the cute girl behind the counter that I would not give it to her because it was a danger to my security to do so and that it was irresponsible for them to ask their customers to publicly announce their phone numbers. She, as well as the people in the line behind me looked at me like I just said that aliens killed JFK with a locked soup thermos. The woman behind me told me that I was being a little paranoid and that no wrong could become me by giving the nice girl my number for her database. I told her that even if you disregard the fact that the store is probably selling the information or not keeping it safe from a storage point of view you still had to worry about who was in line with you also getting that information. She told me that short of crank calling someone with there was no danger. I gave her the following scenario which to my amazement hit a nerve with her and everyone else within earshot. What if I, who just heard the number of the shopper before me, wrote it down. One hour later I call that person and tell them that I am (insert The Container Store name tag name here) and that her credit card was rejected due to a bad read and that she needs to please come back to the store so that they may rescan it. Or, if she has it handy she can read off the number to him along with the security code on the back to save her the trip. I have never gotten such an amazing response from laymen to any other example as I have with this one. I have used it over and over and over now with much success.
"This message was sent from an Apple