The New Oil

For some people, like myself, jumping into something new is exhilarating and you sink yourself into it 100%. This is where I found myself a few years ago when I first got into privacy, and where you might find yourself. In time, I eventually dialed back a bit and relaxed as I got more comfortable with this stuff, figured out what did and didn’t work, and made convenience adjustments as my threat model allowed. Regardless of where you end up settling on the privacy spectrum, it can sometimes be difficult interacting with people who aren’t privacy-minded. It can be hard to explain why you don’t have a Facebook, why you don’t want them posting your picture online, or asking loved ones to use an encrypted messenger. So this week I wanted to talk about how to interact with non-privacy-minded people. Specifically, I want to talk about how to decide where to draw the line and demand who does or doesn’t need to be using privacy techniques.

Preaching Privacy

Let’s go ahead and start with the hard truth. You can’t evangelize privacy to people like a pastor on the street. Most people just don’t care and beating them over the head with it repeatedly isn’t going to give them Stockholm Syndrome for your message. Furthermore, people aren’t logical. I’ve seen ridiculous suggestions like to hack your friends, start browsing their phone without asking, or start recording them. Nobody is going to go “wow, you’re right, I’m being a hypocrite and I do value my privacy.” They’re going to call you an asshole and stop talking to you. I’ve personally found that the best strategy is just to live your life, make your opinions known respectfully, and let people come to you. A few months ago I wrote a blog post about Ron and his dating conundrum. Ron wasn’t actually my friend, he was a friend of my partner. He had a problem, and my partner knew that I was the most qualified person she knew to solve it. When your friends have problems, they’ll know they come to you to ask. That’s when you can offer solutions. And it doesn’t hurt to ask your friends “hey, are you familiar with password managers?” and offer some advice, but don’t repeatedly bash them with it. They’ll move at their own pace, and quite frankly their security isn’t your problem.

Levels of Closeness

It’s important to remember that not everyone in your life has the same level of closeness with you. Your significant other is closer to you than your coworkers. Your family is closer than your friends (for most people). And your friends are closer than your barber. This should be an important factor when you decide how to deal with people who aren’t privacy-minded. Do you need your significant other using an encrypted messenger as you text throughout the day? Yes. Especially if they like to send you risque stuff and you use company WiFi. Do you need your favorite barber to use encrypted messaging? Probably not. They probably don’t even need your phone number. It’s important to pick your battles.

Context of Power

Do your coworkers need to use encrypted messengers? This becomes a gray area. I mentioned once that when the pandemic started in the US, I asked my boss if we could not use Zoom but I also realized that we have to do what’s best for the company. My coworkers – and my boss – are used to me being tin-foil hat crazy. They don’t mind me suggesting things like Privacy.com, Bitwarden, or Signal. But I also realize that I have no power there. I’m not the IT guy. I’m not the VP or COO. I’m at the bottom of the ladder, and I keep that in check whenever I suggest anything. My coworkers and I chat fairly frequently outside of work – we send each other memes or articles we found interesting and stuff like that – so I don’t think there would be any issue if I said “hey, could we move this conversation to Signal” or “Can we set up PGP keys for stuff like this that isn’t company-related?” I don’t even think anyone would really complain if I suggested setting up PGP keys for inter-office email and opened that option to the outside world (though, for the record, I highly doubt anyone would be on board). But the point is, I realize that when it comes to company policy I have no power, and while I am free to voice my opinion I have to realize that it is not my way or the highway.

Additional Context

I think those two things are the biggest deciding factors when deciding where to draw your privacy line, but there is additional context. When dealing with medical or financial professionals, I don’t see anything wrong in seeking a person who is willing to use encrypted email. I also think age and tech-savvy plays a factor. I mentioned in a prior blog that I was able to switch my mother to ProtonMail by offering to set it up for her and let her take over, and she has been using it ever since. My grandmother, on the other hand, is in her 90s. I love her and I mean no disrespect, but she has one foot in the grave. We also speak about twice a year. I see absolutely no value in fighting over her about using ProtonMail, Signal, or anything else. Think about that: I just said you should get your doctor – who you probably see once or twice a year if you’re healthy – to use encryption but not your grandma. Obviously this varies from person to person. For some people, their grandparents raised them as if they were the actual parents, and those same grandparents are fairly tech competent and can be trained to use encryption reasonably. The point is to measure things with context. It’s impossible to draw a universal line in the sand and say “family MUST use encryption while strangers you only talk to once a month don’t have to.” What you’re communicating, frequency, and audience all matter.

I often see people ask “how do I get my family/friends/significant other/coworkers/etc to care about privacy,” but I rarely see anyone ask “should you get them to care at all?” It’s an important question. Before you ask how to convince them, you should start by asking if you even need to. Now obviously, I would prefer a world where everyone defaults to encryption whenever possible, but that’s not the world we live in right now and I have to pick my battles. It’s just like threat modeling: obviously it’d be nice if we could protect against all threats, but first you have to ask what threats are actually pressing and need to be addressed first and which ones can wait (if be dealt with at all).

I’m sorry this blog was a little scattered, I try to keep my blogs somewhere between 1,000 and 1,500 words and this topic is huge and complex. As I said, I can’t simply say “here’s when you should and shouldn’t demand privacy from others.” It’s almost all one big gray area that varies from person to person. But I hope I’ve at least given you some thoughts and tools to figure out where they gray area ends and the black and white lie for you.

You can find more recommended services and programs at TheNewOil.org, and you can find our other content across the web here or support our work in a variety of ways here. You can also leave a comment on this post here: Discuss...