"All human beings have three lives: public, private, and secret."
-- Gabriel Garcia Marquez
Suppose you do some searches about cancer, or diabetes, or alcoholism.
Do you want that info popping up the next time you apply for health insurance or car insurance or a job ?
Even if you don't have cancer, diabetes, or an alcohol problem ?
Easiest for the company to just deny you the insurance or the job, rather than investigate or take a risk. Dilbert
Suppose you're a woman with an abusive ex-husband, or a creepy ex-boyfriend ?
Do you want them to be able to track your location in real-time, or track you
even if you move to another city ? Or to know where your new job is, or who
many of your friends are ?
Suppose some of your friends or family care much more about their privacy than you do about your privacy.
Exposing your info to the world could expose some of their info to the world.
It even could affect future generations of your family: suppose you post about some genetic disease you have,
and years or decades later this affects your descendants ability to get medical insurance ?
Some people do depend on privacy for their profession, or their life. They work in journalism or activism
or investigations. Maybe they live under oppressive regimes, or investigate organizations which have a history
of retaliation against opponents, or work in the justice system (where criminals might retaliate
against them). If the rest of us don't value our privacy, there will be fewer tools
to protect them, too.
From noir_lord on reddit:
Some people (including myself) are not comfortable with a faceless corporation knowing
What medical problems I have (ever googled a medical problem for yourself or someone else?).
Who my contacts are (if you use their webmail) and what we are discussing.
Tracking just about every page you visit.
Build up a remarkably accurate profile of who you are and your life.
What videos you watch.
What topics you are interested in.
Now each of those on its own is somewhat unsettling, but when you combine all that together and then
you don't really know how your data is handled now and how it might be handled in the future,
then it starts to get really unsettling.
The thing with all this data is that it just accumulates, and over time the companies can really
build up an accurate profile of you, and that is just f***ing creepy.
Some responses to the "I've got nothing to hide; you have something to hide only if you're doing something wrong" argument:
Do you have curtains ? Why ?
Can I see your credit-card bills for the last year ? Why not ?
I don't need to justify my position. You need to justify yours. Come back with a warrant.
I don't have anything to hide. But I don't have anything I feel like showing you, either.
If you have nothing to hide, then you don't have a life.
It's not about having anything to hide, it's about things not being anyone else's business.
You are willing to let me photograph you naked ?
... the nothing-to-hide argument stems from a faulty "premise that privacy is about hiding a wrong."
Surveillance, for example, can inhibit such lawful activities as free speech, free association,
and other First Amendment rights essential for democracy.
Another potential problem ... is one I call exclusion. Exclusion occurs when people are prevented
from having knowledge about how information about them is being used, and when they are barred
from accessing and correcting errors in that data.
Yet another problem ... is distortion. Although personal information can reveal quite a lot about people's
personalities and activities, it often fails to reflect the whole person. It can paint a distorted picture
[and that can have consequences].
What if the government mistakenly determines that based on your pattern of activities, you're likely
to engage in a criminal act? What if it denies you the right to fly? What if the government thinks your
financial transactions look odd - even if you've done nothing wrong - and freezes your accounts?
What if the government doesn't protect your information with adequate security, and an identity thief
obtains it and uses it to defraud you? Even if you have nothing to hide, the government can cause you a lot of harm.
> You could also just ask them for all their logins to their
> accounts and see if they would give it to you, and if they
> say no, well then they obviously have something to hide.
No, it doesn't. It means that it's none of your business.
Actor 1: Are you afraid of dying?
Actor 2: No, not really.
Actor 1: Ok, let me kill you.
Actor 2: No.
Actor 1: See, you're afraid of dying.
Actor 2: No. I said I didn't fear death, not that I wanted to die.
Do you understand that those are two entirely separate things?
We all segment privacy in our lives. I share my social security number with my bank.
That doesn't mean that I want to share it with you. They have a legitimate need for it. You don't.
Same thing as if you asked me for the keys to my house. Absent an invitation,
you have no legitimate reason to be in my house. It has nothing to do with whether
or not I have anything to hide inside my house.
OP's friends refusal to give up their passwords to OP, who presumably has no legitimate
need for them, doesn't prove anything.
The argument itself is a logical fallacy usually the result of the person making it
thinking in bumper sticker or meme style debate models.
Reasons someone might want to attack you:
Your info (personal data, credit card info, etc) can be sold for money.
Your computer stores info that connects to your money (your bank accounts, credit cards, tax filings).
Your computer stores info that is valuable to you (family photos, etc), which can be encrypted and ransomed back to you.
Your computer stores info about other people (Contact lists, etc) that can be sold.
Your internet-connected computer can be used as an agent in a bot-net (to send spam or attack other computers).
Your computer can be used a point to inject malware to get onto other computers (in your LAN or your work or school).
Your resources (e.g. US phone number, US ISP connection, etc) can be used to get
something that a person outside USA can't get themselves (e.g. Google Voice number).
Your reputation (identity) can be used to fool your friends/family into falling for scams sent from "you".
Another way to look at it: will anyone ever develop a grudge against you,
and look for ammunition against you ? Ways to embarrass you, or harass you ?
Perhaps you'll get involved in a divorce, get in a dispute with a neighbor, get
in a feud with a coworker. Or some idiot on the internet might come after you.
How much information do you want to make available to them ?
From someone on reddit 1/2014:
As an employer I run every name and email address I am given by a potential hire
through Google and Facebook. I look at everything public to make sure there isn't something completely f**king insane.
Things I don't do: I don't hold what their friends say against them. I don't Friend them or try to look at
things that are private. I don't hold it against them if they don't have an account or I can't find it.
I do look at public photos and statuses. I don't care if they go to parties. I do care if they
skip work to do so or because of it.
So far I'd say 80% of the applicants are fine. But in that other 20% I have found obvious racists,
people who actively hate gays, people who play games every working minute (while at work).
Funniest was someone who had set their account to public and constantly complains about being at work
FROM work and asked friends to come by and visit and talk, at a job where that was not appropriate.
For people who apply as interns, I let their school know to have them remind the student to lock down their account.
For people who apply for real jobs, I don't say a word.
Some people say: Innocent people have nothing to fear from government spying.
I'd certainly feel uncomfortable and creeped-out if someone followed me
around all day, videotaping everything I did, documenting every place I went
and everything I did, watching me. Should it be okay for the govt to do this ?
Why was protection from unreasonable search put in the Bill of Rights (4th Amendment) ?
It fits this situation exactly: govt is supposed to have a good reason for invading
Some huge government investigations have targeted and ruined the lives of
innocent people: the McCarthy hearings, the Atlanta Olympics bombing (Richard Jewell was innocent), and the
anthrax attacks (Steven Hatfill was innocent) come to mind.
Government powers have been used to target people with unpopular views, or journalists reporting news
that politicians didn't want reported: FBI under Hoover, Nixon's enemies list. Wikipedia's "COINTELPRO"
My response to someone who asked "Why is this NSA scandal such a big deal ? I'm not doing anything illegal.":
1- NSA scandal is just one symptom of a bigger issue: govt checks and balances have broken down.
Intelligence spending and activities are out of control, military spending is out of control,
citizens got panicked by 9/11 and let govt take major new powers and now govt is out of our control.
2- NSA is just one point along a spectrum of threats to you. It is the least likely but most powerful threat.
It points out that you are vulnerable to scammers, stalkers, eavesdroppers, online criminals, etc.
It reveals that our online security and privacy tools and laws are weak.
3- Technology, and the threats from it, will only get more powerful and more invasive in the future.
Insurance companies and advertisers and your wacky neighbor will all get more powerful tools to threaten your privacy.
4- Things you do that aren't illegal still may be private. Why do you have curtains on your windows ?
Why do you close the door when you go to the bathroom ? Would you mind if someone published your tax returns, your salary and net worth numbers,
your credit-card statements, your bank account statements, your medical records ? Why ? You're not doing anything illegal.
The majority of the money is made from selling a "risk profile" about you, rather than from advertising to you.
Data brokers do not deal in anonymized data, they specialize in collecting and creating personal data about you.
They may have thousands of data points about you, including things such as an estimate of when they think you will die,
what diseases you might have, etc.
There is "your data" and "their data". Your data is your Facebook Likes, your use of apps, location data from your phone, your purchases, etc.
Their data is all the profiles and scores they derive from your data. Their data is proprietary to them, owned by them.
They may be willing to tell you which of "your data" they possess, but they won't tell you what "their data"
says about you.
... you do not need to be registered with Facebook for them to make a profile for you.
Once you have visited any page that is affiliated with them, they will create a file about
you and collect each and every visit to every site that has a "Like" button or a Facebook plugin.
The amount of data collected this way can be tremendous, which few people realize. Google is even more
extreme, as they collect data from every place that has AdSense, Analytics and similar services,
which basically covers almost everything the average person visits. Those services may not always be
as obvious as a "Like" button - for instance, some are implemented by displaying a single transparent pixel image.
You cannot know what kind of surveillance methods and laws will be implemented in the future.
Already, biometric information gathering such as the identification of people from video recordings
is becoming more and more successful, even prompting for the EU to begin implementing a system
that can link people in public places to their Facebook pages and other photographs. Similar plans
are implemented by the US. Other technologies include public voice surveillance, supervision of vehicle movement
or behavioral analysis in public spaces. All this data can and will be linked and combined with what is collected about you online.
More about the future: new technologies such as Google Glass and face-recognition and license-plate-recognition and CCTV
will connect your "real" life and your online life more tightly, and in real-time. Facebook, law enforcement, even
big retail stores are starting to do facial recognition. Things you do in public without giving your name, or giving fake data,
and using cash, may still be connected back to your personal info.
What you do online won't stay only online; what you do offline won't stay only offline. George Dvorsky's "How Your Body's Unique Biosignatures Are Used for Surveillance"
In the future, CCTV and consumer cameras only will get better and better. In public, or through your window,
cameras may be able to read the screen on your phone, hear your conversation from a distance, photograph you in infrared at night.
One of the first users of this is the police force that brought us "stop and frisk":
Joe Coscarelli's "The NYPD's Domain Awareness System Is Watching You".
And "The Internet Of Things" is coming: your own devices (car, house, refrigerator, toilet, etc) will make more and more data available,
and some of that could be used to reveal your activities.
Another hint about where tech may go in the future: scanning your face and posture and movements to diagnose
Maybe a good thing in a doctor's office. Maybe a bad thing when a retailer is doing it
and selling the data to insurance companies.
Many things people post about may be technically illegal. They may be rarely caught or prosecuted.
But bragging about them online creates a permanent record, and who knows what authority might
see them someday and decide to act ? Posting about downloading movies or music for free, about
how drunk you were when you drove home last night, about how you got back at your Ex by doing some nasty prank.
Someone researching you in the future may not like what they find.
A potential employer, a potential mate, an insurance company.
How will they react when they see you complaining bitterly about your current boss,
bragging about how many one-night stands you have, how much you drank or smoked last weekend ?
And they may not distinguish between 18-year-old you and 28-year-old you.
People who have sensitive jobs, or may ever find themselves in sensitive jobs, have to
be especially careful. Teacher, politician, priest, banker, reporter, law enforcement,
any bonded job (bank guard, cashier, treasurer, etc). Teachers have been fired for online pictures of
them doing things that are deemed bad examples to students.
All of the online world carries risks; it's not just a problem with social networks such as Facebook.
If you comment on YouTube or newspaper sites or blogs, you might be identifiable.
Using pseudonyms can help avoid this, but may not avoid it completely.
Risks come from your friends and their behavior, too.
If a friend or someone else at the same party posts a party-video or party-pictures,
and you're tagged on it, or identifiable in it, you may have a problem.
Suppose one of your friends Photoshops your face onto a picture of someone doing
something obscene, and the resulting image gets out into public ?
Some posts can violate rules at your current job, or even violate SEC regulations. Or just
massively irritate your boss or coworkers.
Future threats to security will be greater, too.
One scenario to consider: Today's cloud backup may be encrypted so well that no one can crack it.
But that encrypted data may still be available somewhere in the cloud 20 years from now, and maybe
20-years-future technology WILL be able to crack today's encryption.
Our goal as a society shouldn't be total privacy for citizens. Should your neighbor be
guaranteed total privacy as he abuses his wife and children, or brews up anthrax or meth in
his garage ?
Of course the government needs to spy, on foreign citizens and foreign leaders and domestic citizens.
It helps prevent wars and terrorist attacks, and helps defend against espionage from foreign sources.
In some cases, it may defend against crime and commercial espionage.
Sure, often the effectiveness is exaggerated and the costs (in money, and to our privacy) are not examined.
And today in USA we don't have proper controls and transparency.
We need to find the appropriate balance. But the spying has always happened and there are good reasons for it.
A technical issue: it's not clear that NSA can separate "domestic" and "foreign" any more, even if it wanted to.
It is estimated that 90% of all internet traffic passes through US servers. US companies have servers all over the world.
There are plenty of foreign visitors,
temporary residents, and illegal aliens or illegal immigrants inside the USA at all times. Many
US citizens routinely reside or travel overseas. US citizens or residents
have traveled to foreign countries to join terrorist groups or be trained by them. US citizens or residents
have sent money or information to foreign terrorists. US citizens have committed
terrorist acts inside USA, motivated by foreign or domestic agendas.
Some say that the costs of the spying outweigh the costs of terrorism.
I agree that the costs of spying (our privacy, our rights, money, reputation)
are large. But the cost of terrorism shouldn't be judged solely by past events, bad as they were.
The future of top-level terrorism is in bio-technology. A major bio-attack could kill hundreds of millions of people.
I don't know if it will happen, or when it will happen, but you can't judge costs just by the past.
Better arguments: spying usually doesn't stop terrorism, other risks (homicide, drunk driving, disease) are greater,
perhaps we should address the causes of terrorism.
Even if we develop tools to give each person total control over their private data,
this may not result in "total privacy". Each individual may find it in their self-interest
to give away some of that data to Facebook, Google, and other companies in exchange for
services. And in fact that is what happens today in many cases: we voluntarily give
away some measure of our data, to get benefits. But there are other cases where our data is taken against our will,
or without our knowledge. Better tools and laws can address that issue.
There is societal pressure to reduce your privacy.
If all of your family and friends are on Facebook, they will ask "Why aren't you on Facebook too ?"
They will make announcements or post pictures only on Facebook, and if you aren't on there, you will miss out.
If you refuse to provide certain info that everyone else provides, insurance companies
or others may refuse to deal with you.
If you refuse to answer police questions that most people answer routinely,
you may find yourself given extra scrutiny.
My response to an article saying "Google and Facebook and Twitter have not created new products that stand alone
like a car or a new house; they have created things that invade every other aspect of the economy and our culture.
That is a different level of power.":
I think this is overblown. I could stop using Facebook and Google and Twitter tomorrow,
with some effects but not big effects on my life. I can give them false info, give them minimal info,
use alternatives to them, do without them.
Government and military and police have the potential to have unavoidable, huge effects on my life.
They take some of my money (and give me services) without much choice on my part. Sometimes they cause other people to attack our country.
They have access to my tax information, credit info, bank account info, phone records, etc.
Some companies have large physical effects on my life and my health. Fossil-fuel power companies,
and other companies that put who-knows-what into the air I breathe and the food and drink I consume.
Other companies have pervasive effects throughout our economy and/or culture. TV networks. Phone companies. Walmart. Exxon.
The two political parties control much of what happens in the government and culture and economy.
Super-rich people could destroy me with lawsuits, or buy laws that affect me severely.
No, I think Facebook and Google and Twitter are pretty low on the list of powerful entities to worry about.
Some ways technology is stretching old notions of privacy:
Technology makes possible:
Constant, multimedia surveillance of people.
Connecting together various flows of data about a person.
Publishing that data globally.
Storing that data publicly forever.
Making that data easily searchable or analyzable.
Extracting information (such as mood or health) from that data that could not be extracted before.
How could your information be used ?
[From most likely to least likely:]
To advertise to you.
To adjust prices offered to you.
To gain knowledge about how people similar to you would behave.
To gain knowledge about your contacts (friends, family, associates).
To influence your opinion or behavior or vote (maybe to discourage you from voting).
To deny services or employment to you.
To attack you.
From someone on reddit:
Never post on social media about your physical condition in the aftermath of a traffic accident,
this can be used by insurance companies to prove your injuries weren't as severe as claimed.
Seemingly innocent statements like "I'm okay!" will be misconstrued, especially by insurance companies.
Product labeling we need (for IoT, Internet of Things):
This product does/doesn't require a constant internet connection to operate.
This product does/doesn't require user account registration to operate.
This product does/doesn't require connection to an external service to operate.
This product does/doesn't send data to manufacturer during operation.
This product does/doesn't allow manufacturer to read/access/modify data in the product.
This product contains firmware/software that can/can't be updated by the user.
> If I ever want to get a job, how do I cope with the data
> collection? When using job portals you need to put a whole
> lot of information online just to have more companies look
> at you and decide whether you're the right person for them
> to hire. You may include your birthday (and / or age maybe),
> your address, your education, where you worked, what other
> activities / diplomas you've got, even a picture of you and
> so on. It is actually more data that you'd ever put on
> Facebook and maybe more data than Google would know about
> you based on your years of search (or maybe more important
> in any case), and it's public, like, anyone can create a
> business account and collect all of this data. You may
> even get them your data if you want to be employed.
> So I am curious to know: How do you protect (or did you
> protect) your data while looking for jobs? What is the
> data you might regard as less sensible that can be
> available for any "business" (account, of course) and
> what is not? Did you manage to protect all this data
> and get hired? Or maybe tips on how to get a job while
> keeping the data private at the same time.
The only advice I've heard applies more to printed resumes, may not work on web forms:
leave some data marked as "available upon request" or "available upon hiring".
Phone number, birthdate, Social Security number, address. And maybe use a new
temporary email address while applying.
Privacy from your employer:
Get new, virtual postal address and phone number (via mail-forwarding or other service) and a unique new email address,
and then tell them "hey, I've moved, here's my new info". Don't go in to HR and say "I want more privacy, I want to hide
my real info".
If employer gives you a work cell-phone and expects you to carry it 24/7, get a burner phone and tell them
"hey, your cell-provider doesn't have coverage where I live, you'll have to call me at THIS number instead",
and put the work-phone in a Faraday bag every day as you drive home from work.
Key data you might want to keep private:
Your physical address.
Your email address.
Your credit card info.
Your phone number.
Your medical information.
Your biometric information (fingerprints, DNA, etc).
Note that there are two kinds of data: things you can change, and things you can't.
If someone steals your credit-card info, you can cancel the card, change the number, etc.
If someone steals your medical history, you can't change that.
Some of the data most valuable to companies are your "social graphs": how
you connect to other people, things, places, companies, jobs, etc.
Your friends, family, places, jobs, schools, politics, religion: Facebook.
Your purchases: Amazon, credit-card company, PayPal.
Your locations, stores: Apple and Google via smartphones.
Your jobs, employers, skills, coworkers: LinkedIn.
Your credit-cards, debts, mortgage: the credit-reporting agencies.
In places where it's not illegal to lie, such as stores requiring you to give data, and wrong data would not
hurt you, you might want to:
Two legal ways the govt or others can get your data:
Warrant: requires "probable cause"; has to be signed by a judge.
Subpoena: requires "relevant to an investigation"; can be signed by a prosecutor, some other
govt agents, in some states even by a lawyer (such as in divorce case).
Fourth amendment of the Constitution protects against search and seizure.
But location of your data matters:
In your home: requires a warrant.
If it's shared with someone else (web company, phone company, your bank, your credit-card company,
etc): either subpoena or warrant. There may be even lower standards if the data has been on there more
than 6 months, so is considered "abandoned" by the law (1986 Electronic Communications Privacy Act).
But there are other standards. For example, once NSA collects masses of phone-metadata, it isn't supposed to search within it
and use pieces of it without a "reasonable, articulable suspicion" (RAS) that it is related to terrorism.
[from Ryan Lizza's "State of Deception"]
The Hard truths of Cybersecurity
from The Binary Blogger
(modified to apply to home users instead of businesses):
Various hackers/criminals have all your information already. Billions of records are
stolen/breached every year. That doesn't mean we stop protecting stuff.
[Just because China has your info doesn't mean the script-kiddie down the block has it too.]
Protect your new info as best as possible. Change your passwords,
maybe change your credit-card number, monitor
your accounts, monitor your financial identity.
Social engineering and bad patching practices are responsible for most breaches.
People are the weakest link, both directly (phishing, mistakes, downloading bad stuff),
and indirectly (laziness about patching).
You don't have to have perfect security, but do your best. Many threats
are simple or opportunistic, and can be stopped easily (firewall,
up-to-date patches, unused services turned off, etc).
The hacker or scanner-software will
move on to some easier target.
Attitude is more important than having the best tools.
You can have great software, but if you don't know how to configure it
or you ignore alerts from it, you'll have problems.
Motto of the show: The more aware you are, the more secure you can be.
Heard on a podcast: some car-repair places (especially big national changes) will grab the registration and insurance
documents out of your glove-box and copy the data into their computer, so they can sell it.
Don't use privacy/security techniques to break the law, especially for tax evasion.
Governments will spend anything necessary to catch tax cheats.
From Justin on The Complete Privacy & Security Podcast episode 073:
"There ain't no privacy in prison."