One Size Does Not Fit All

March 7, 2020

There’s a problem prevalent in some of the more experienced members of the privacy community: the problem of assuming that privacy and security are binary, that one size fits all. As I peruse questions from new people freshly introduced to privacy, I see more experienced people throw out ridiculous solutions. For example, I often see the question in other forums “should I use ProtonMail or Tutanota?” and without fail there’s always one person who says “self-host your own email. It’s more private cause you own your own data, and more secure because you don’t have to rely on anyone else and you’re not a target for attackers the same way a big company like Proton would be.” These answers aren’t technically wrong, but I find them ridiculous for a number of reasons. For one, there’s the technical obstacles: I have my own Nextcloud server at home and I promise you that was not easy to set up. No average person has the time, energy, resources, or sometimes courage to do that. For another, security is relative. I personally would rather trust a major company rather than trust myself to create a “secure” email. I am far from a cybersecurity expert. I think even a big target like Tutanota would be more secure than my garbage server at home. And there’s that: most people don’t have a spare computer lying around, and they’re not willing to go buy one just to spend weeks starting over and agonizing over how to get it barely working like a Rube Goldberg machine made of tinker toys and duct tape. The thing that most makes these solutions “ridiculous” however, is the egotistical assumption that their offered solution is perfect for everyone.

Privacy is Not Binary

Privacy is a sliding scale. Privacy is not a matter of “delete your Facebook and use Signal and now you’re secure.” Deleting Facebook from your phone makes you MORE secure than keeping Facebook’s app on your phone. Using Signal makes you MORE secure than using regular SMS. Doing both makes you MORE secure than doing just one. However, doing one is still better than doing neither. Deleting Facebook altogether is a great idea for so many reasons, but only accessing Facebook from your browser is MORE private than using the phone app. There is a gray area in between “go live in a cabin in the woods purchased under a fake name” and “post your Social Security number on Twitter.”

Privacy is Not One-Size Fits All

More importantly, privacy and security is not a one-size-fits-all solution. That’s exactly why I’ve organized my site in a “pros/cons” format. Using instant messaging as an example, Signal is world-renowned for their security and it’s ease of use, but it requires a phone number. That can be an issue for someone trying to maintain a degree of anonymity. Some people aren’t worried about that. My mom doesn’t care about privacy. If I want her to respect my private communications wishes, I have to find a solution that’s easy for her to adopt, and it doesn’t get much easier than Signal. In the early days of my career, I worked a job where work schedules and announcements were disseminated via a private Facebook group. If I didn’t at least have an account to access the group, I didn’t get my schedule or important updates. And that early in my career, I was still very much in the “take any job you can get” phase (these days I have a more robust resume and I can afford to be picky).

There are many, many valid reasons that a person may choose to keep their Facebook account. Or WhatsApp. Or Gmail. Or Windows operating system. There are even more valid reasons that a person may choose to use a service someone else created and hosts like Firefox, Wire, Tutanota, Bitwarden, and more. Privacy and security are not black-and-white “either you are secure or you aren’t.” In running this site, I have made myself less secure by creating a public image, posting regularly, and engaging with others. If I wanted total privacy and security, I wouldn’t do any of that. I would stay off the internet. But I’ve also reduced my “attack surface” by doing things like using services that don’t require a real name, using the Tor network to post, and using services that don’t track me such as Write.As and Mastodon.

I will always encourage you, my reader, to be as secure and private as possible because digital rights are human rights. But don’t let the more elitist hipsters of the privacy community fool you: if you’re reading their opinion online, they could be doing better as well. There are circumstances that sometimes require you to take a less secure option: work requires you to use Apple products, or your family simply refuses to leave WhatsApp, or you need Twitter to stay updated on a local issue, etc. I will always suggest you opt out of those things as much as possible and find workarounds, but I will also respect that that’s not always possible. And while you should try to be as strict with your privacy and security as you reasonably can, don’t beat yourself up. The fact that you’re here means you’re going in the right direction, and sometimes it’s enough just to lock your doors and windows.

You can find more recommended services and programs at TheNewOil.org, and you can find our other content across the web here or support our work in a variety of ways here.