Privacy

Terms

Why should I care about privacy ? I have nothing to hide. I'm not a criminal.

Some people (including myself) are not comfortable with a faceless corporation knowing

• What medical problems I have (ever googled a medical problem for yourself or someone else?).
• Who my contacts are (if you use their webmail) and what we are discussing.
• Tracking just about every page you visit.
• Build up a remarkably accurate profile of who you are and your life.
• What videos you watch.
• What topics you are interested in.

Now each of those on its own is somewhat unsettling, but when you combine all that together and then you don't really know how your data is handled now and how it might be handled in the future, then it starts to get really unsettling.

The thing with all this data is that it just accumulates, and over time the companies can really build up an accurate profile of you, and that is just f***ing creepy.

Some responses to the "I've got nothing to hide; you have something to hide only if you're doing something wrong" argument:

• Do you have curtains ? Why ?
• Can I see your credit-card bills for the last year ? Why not ?
• I don't need to justify my position. You need to justify yours. Come back with a warrant.
• I don't have anything to hide. But I don't have anything I feel like showing you, either.
• If you have nothing to hide, then you don't have a life.
• It's not about having anything to hide, it's about things not being anyone else's business.
• You are willing to let me photograph you naked ?

...

... the nothing-to-hide argument stems from a faulty "premise that privacy is about hiding a wrong." Surveillance, for example, can inhibit such lawful activities as free speech, free association, and other First Amendment rights essential for democracy.

...

Another potential problem ... is one I call exclusion. Exclusion occurs when people are prevented from having knowledge about how information about them is being used, and when they are barred from accessing and correcting errors in that data.

...

Yet another problem ... is distortion. Although personal information can reveal quite a lot about people's personalities and activities, it often fails to reflect the whole person. It can paint a distorted picture [and that can have consequences].

...

What if the government mistakenly determines that based on your pattern of activities, you're likely to engage in a criminal act? What if it denies you the right to fly? What if the government thinks your financial transactions look odd - even if you've done nothing wrong - and freezes your accounts? What if the government doesn't protect your information with adequate security, and an identity thief obtains it and uses it to defraud you? Even if you have nothing to hide, the government can cause you a lot of harm.

> You could also just ask them for all their logins to their
> accounts and see if they would give it to you, and if they
> say no, well then they obviously have something to hide.

No, it doesn't. It means that it's none of your business.

Actor 1: Are you afraid of dying?

Actor 2: No, not really.

Actor 1: Ok, let me kill you.

Actor 2: No.

Actor 1: See, you're afraid of dying.

Actor 2: No. I said I didn't fear death, not that I wanted to die. Do you understand that those are two entirely separate things?

We all segment privacy in our lives. I share my social security number with my bank. That doesn't mean that I want to share it with you. They have a legitimate need for it. You don't.

Same thing as if you asked me for the keys to my house. Absent an invitation, you have no legitimate reason to be in my house. It has nothing to do with whether or not I have anything to hide inside my house.

OP's friends refusal to give up their passwords to OP, who presumably has no legitimate need for them, doesn't prove anything.

The argument itself is a logical fallacy usually the result of the person making it thinking in bumper sticker or meme style debate models.

Reasons someone might want to attack you

• Your info (personal data, credit card info, etc) can be sold for money.
  
  
• Your computer stores info that connects to your money (your bank accounts, credit cards, tax filings).
  
  
• Your computer stores credentials that connect to your employer's network.
  
  
• Your computer stores info that is valuable to you (family photos, etc), which can be encrypted and ransomed back to you.
  
  
• Your computer stores info about other people (Contact lists, etc) that can be sold.
  
  
• Your internet-connected computer can be used as an agent in a bot-net (to send spam or attack other computers).
  
  
• Your computer can be used a point to inject malware to get onto other computers (in your LAN or your work or school).
  
  
• Your resources (e.g. US phone number, US ISP connection, etc) can be used to get something that a person outside USA can't get themselves (e.g. Google Voice number).
  
  
• Your accounts (e.g. cloud VPS, cloud storage) can be used to host attacks or provide illegal services. article
  
  
• Your reputation (identity) can be used to fool your friends/family into falling for scams sent from "you".
  
  

As an employer I run every name and email address I am given by a potential hire through Google and Facebook. I look at everything public to make sure there isn't something completely f**king insane.

Things I don't do: I don't hold what their friends say against them. I don't Friend them or try to look at things that are private. I don't hold it against them if they don't have an account or I can't find it.

I do look at public photos and statuses. I don't care if they go to parties. I do care if they skip work to do so or because of it.

So far I'd say 80% of the applicants are fine. But in that other 20% I have found obvious racists, people who actively hate gays, people who play games every working minute (while at work).

Funniest was someone who had set their account to public and constantly complains about being at work FROM work and asked friends to come by and visit and talk, at a job where that was not appropriate.

For people who apply as interns, I let their school know to have them remind the student to lock down their account. For people who apply for real jobs, I don't say a word.

Some say: Innocent people have nothing to fear from government spying

I'd certainly feel uncomfortable and creeped-out if someone followed me around all day, videotaping everything I did, documenting every place I went and everything I did, watching me. Should it be okay for the govt to do this ?

Why was protection from unreasonable search put in the Bill of Rights (4th Amendment) ? It fits this situation exactly: govt is supposed to have a good reason for invading your privacy.

Some huge government investigations have targeted and ruined the lives of innocent people: the McCarthy hearings, the Atlanta Olympics bombing (Richard Jewell was innocent), and the anthrax attacks (Steven Hatfill was innocent) come to mind.

Government powers have been used to target people with unpopular views, or journalists reporting news that politicians didn't want reported: FBI under Hoover, Nixon's enemies list.
Wikipedia's "COINTELPRO"

Some reasons:

1- NSA scandal is just one symptom of a bigger issue: govt checks and balances have broken down. Intelligence spending and activities are out of control, military spending is out of control, citizens got panicked by 9/11 and let govt take major new powers and now govt is out of our control.

2- NSA is just one point along a spectrum of threats to you. It is the least likely but most powerful threat. It points out that you are vulnerable to scammers, stalkers, eavesdroppers, online criminals, etc. It reveals that our online security and privacy tools and laws are weak.

3- Technology, and the threats from it, will only get more powerful and more invasive in the future. Insurance companies and advertisers and your wacky neighbor will all get more powerful tools to threaten your privacy.

4- Things you do that aren't illegal still may be private. Why do you have curtains on your windows ? Why do you close the door when you go to the bathroom ? Would you mind if someone published your tax returns, your salary and net worth numbers, your credit-card statements, your bank account statements, your medical records ? Why ? You're not doing anything illegal.

Future threats to privacy will be greater

• Many things people post about may be technically illegal. They may be rarely caught or prosecuted. But bragging about them online creates a permanent record, and who knows what authority might see them someday and decide to act ? Posting about downloading movies or music for free, about how drunk you were when you drove home last night, about how you got back at your Ex by doing some nasty prank.
  
  
• Someone researching you in the future may not like what they find. A potential employer, a potential mate, an insurance company. How will they react when they see you complaining bitterly about your current boss, bragging about how many one-night stands you have, how much you drank or smoked last weekend ? And they may not distinguish between 18-year-old you and 28-year-old you.
  
  
• People who have sensitive jobs, or may ever find themselves in sensitive jobs, have to be especially careful. Teacher, politician, priest, banker, reporter, law enforcement, any bonded job (bank guard, cashier, treasurer, etc). Teachers have been fired for online pictures of them doing things that are deemed bad examples to students.
  
  
• All of the online world carries risks; it's not just a problem with social networks such as Facebook. If you comment on YouTube or newspaper sites or blogs, you might be identifiable. Using pseudonyms can help avoid this, but may not avoid it completely.
  
  
• Risks come from your friends and their behavior, too. If a friend or someone else at the same party posts a party-video or party-pictures, and you're tagged on it, or identifiable in it, you may have a problem. Suppose one of your friends Photoshops your face onto a picture of someone doing something obscene, and the resulting image gets out into public ?
  
  
• Some posts can violate rules at your current job, or even violate SEC regulations. Or just massively irritate your boss or coworkers.
  
  

The costs of maintaining privacy are too high

• Do one-time changes that pay off forever
  
  If you change to a better browser, or turn on a blocker in the browser, or start using a VPN, or tweak privacy settings in your accounts, you are doing some work once, that will pay off a little bit every day after that, forever. You don't have to keep spending that effort again and again, you just do it once.
  
  
• Learning about privacy tools will pay off in other ways
  
  If you learn about privacy aspects of browsers or networks, you will gain knowledge that you can use to do better at your job or learn more about other computer things.
  
  

Some societal nuances to privacy

• Our goal as a society shouldn't be total privacy for citizens. Should your neighbor be guaranteed total privacy as he abuses his wife and children, or brews up anthrax or meth in his garage ?
  
  
• Of course the government needs to spy, on foreign citizens and foreign leaders and domestic citizens. It helps prevent wars and terrorist attacks, and helps defend against espionage from foreign sources. In some cases, it may defend against crime and commercial espionage. Sure, often the effectiveness is exaggerated and the costs (in money, and to our privacy) are not examined. And today in USA we don't have proper controls and transparency. We need to find the appropriate balance. But the spying has always happened and there are good reasons for it.
  
  A technical issue: it's not clear that NSA can separate "domestic" and "foreign" any more, even if it wanted to. It is estimated that 90% of all internet traffic passes through US servers. US companies have servers all over the world. There are plenty of foreign visitors, temporary residents, and illegal aliens or illegal immigrants inside the USA at all times. Many US citizens routinely reside or travel overseas. US citizens or residents have traveled to foreign countries to join terrorist groups or be trained by them. US citizens or residents have sent money or information to foreign terrorists. US citizens have committed terrorist acts inside USA, motivated by foreign or domestic agendas.
  
  Some say that the costs of the spying outweigh the costs of terrorism. I agree that the costs of spying (our privacy, our rights, money, reputation) are large. But the cost of terrorism shouldn't be judged solely by past events, bad as they were. The future of top-level terrorism is in bio-technology. A major bio-attack could kill hundreds of millions of people. I don't know if it will happen, or when it will happen, but you can't judge costs just by the past. Better arguments: spying usually doesn't stop terrorism, other risks (homicide, drunk driving, disease) are greater, perhaps we should address the causes of terrorism.
  
  Spirit of the law
  The Onion's "President Curbing NSA Spying"
  
  
  
• Even if we develop tools to give each person total control over their private data, this may not result in "total privacy". Each individual may find it in their self-interest to give away some of that data to Facebook, Google, and other companies in exchange for services. And in fact that is what happens today in many cases: we voluntarily give away some measure of our data, to get benefits. But there are other cases where our data is taken against our will, or without our knowledge. Better tools and laws can address that issue.
  
  
• There is societal pressure to reduce your privacy. If all of your family and friends are on Facebook, they will ask "Why aren't you on Facebook too ?" They will make announcements or post pictures only on Facebook, and if you aren't on there, you will miss out. If you refuse to provide certain info that everyone else provides, insurance companies or others may refuse to deal with you. If you refuse to answer police questions that most people answer routinely, you may find yourself given extra scrutiny.
  
  

Companies

I think this is overblown. I could stop using Facebook and Google and Twitter tomorrow, with some effects but not big effects on my life. I can give them false info, give them minimal info, use alternatives to them, do without them.

Government and military and police have the potential to have unavoidable, huge effects on my life. They take some of my money (and give me services) without much choice on my part. Sometimes they cause other people to attack our country. They have access to my tax information, credit info, bank account info, phone records, etc.

Some companies have large physical effects on my life and my health. Fossil-fuel power companies, and other companies that put who-knows-what into the air I breathe and the food and drink I consume.

Other companies have pervasive effects throughout our economy and/or culture. TV networks. Phone companies. Walmart. Exxon.

The two political parties control much of what happens in the government and culture and economy.

Super-rich people could destroy me with lawsuits, or buy laws that affect me severely.

No, I think Facebook and Google and Twitter are pretty low on the list of powerful entities to worry about.

How do companies justify selling your information ?

• They are giving you a great free service, and they need to make money to keep it going.
  
  
• With more info, they can give you more relevant ads and news items and pointers to new Friends.
  
  
• They give you lots of ways to control the privacy/selling of your info.
  [But sometimes have been caught cheating on this.]
  
  
• You agreed to it when you signed up for the service. And you could stop using their service and close your account.
  
  
• They sell your info in general/aggregate, not your specific name, address, phone number, etc.

Don't rely on a company's promise to safeguard your data, even from police

Terms of Service often say "we reserve the right to change these TOS in the future".

If the company gets sold/acquired/merged, the new company may change the terms/policies.

Kate Cox's "Search warrant overrides 1M users' choice not to share DNA with cops"

How could your information be used ?

[From most likely to least likely:]

• To advertise to you.
  
  
• To adjust prices offered to you.
  
  
• To gain knowledge about how people similar to you would behave.
  
  
• To gain knowledge about your contacts (friends, family, associates).
  
  
• To influence your opinion or behavior or vote (maybe to discourage you from voting).
  
  
• To deny services or employment to you.
  
  
• To attack you.
  
  

From someone on reddit:

Never post on social media about your physical condition in the aftermath of a traffic accident, this can be used by insurance companies to prove your injuries weren't as severe as claimed. Seemingly innocent statements like "I'm okay!" will be misconstrued, especially by insurance companies.

Product labeling we need (for IoT, Internet of Things)

• This product does/doesn't require a constant internet connection to operate.
  
  
• This product does/doesn't require user account registration to operate.
  
  
• This product does/doesn't require connection to an external service to operate.
  
  
• This product does/doesn't send data to manufacturer during operation.
  
  
• This product does/doesn't allow manufacturer to read/access/modify data in the product.
  
  
• This product contains firmware/software that can/can't be updated by the user.
  
  

Defenses

Disinformation

In places where it's not illegal to lie, such as stores requiring you to give data, and wrong data would not hurt you, you might want to:

• Misspell your name slightly.
  
  
• Give a fake mailing address.
  
  
• Give a fake email address.
  
  
• Give a fake phone number.
  
  

The law (in USA)

[Mostly from Daniel Zwerdling's "Your Digital Trail: Does The Fourth Amendment Protect Us?"]

Two legal ways the govt or others can get your data:

• Warrant: requires "probable cause"; has to be signed by a judge.
  
  
• Subpoena: requires "relevant to an investigation"; can be signed by a prosecutor, some other govt agents, in some states even by a lawyer (such as in divorce case).

Fourth amendment of the Constitution protects against search and seizure.

But location of your data matters:

• In your home: requires a warrant.
  
  
• If it's shared with someone else (web company, phone company, your bank, your credit-card company, etc): either subpoena or warrant. There may be even lower standards if the data has been on there more than 6 months, so is considered "abandoned" by the law (1986 Electronic Communications Privacy Act).

But there are other standards. For example, once NSA collects masses of phone-metadata, it isn't supposed to search within it and use pieces of it without a "reasonable, articulable suspicion" (RAS) that it is related to terrorism. [from Ryan Lizza's "State of Deception"]

And your cell-phone data may get swept up with that of criminals, with each phone company applying its own rules about what data is given to police. [from David Kravets's "Cops and Feds Routinely 'Dump' Cell Towers to Track Everyone Nearby"]

There are special legal protections for some kinds of data. HIPAA protects health status and medical records of individuals.

Of course, legal protection doesn't mean much if your data is collected and then the database is stolen. See for example Wikipedia's "Office of Personnel Management data breach" and Dan Munro's "Data Breaches In Healthcare Totaled Over 112 Million Records In 2015". But if you don't let them collect it in the first place, it can't be stolen.

Daniel Solove's "Why I Love the GDPR: 10 Reasons"

Miscellaneous

The Hard truths of Cybersecurity

[From The Binary Blogger (modified to apply to home users instead of businesses):]

• Various hackers/criminals have all your information already. Billions of records are stolen/breached every year. That doesn't mean we stop protecting stuff. [Just because China has your info doesn't mean the script-kiddie down the block has it too.] Protect your new info as best as possible. Change your passwords, maybe change your credit-card number, monitor your accounts, monitor your financial identity.
  
  
• Social engineering and bad patching practices are responsible for most breaches. People are the weakest link, both directly (phishing, mistakes, downloading bad stuff), and indirectly (laziness about patching).
  
  
• You don't have to have perfect security, but do your best. Many threats are simple or opportunistic, and can be stopped easily (firewall, up-to-date patches, unused services turned off, etc). The hacker or scanner-software will move on to some easier target.
  
  
• Attitude is more important than having the best tools. You can have great software, but if you don't know how to configure it or you ignore alerts from it, you'll have problems.
  
  
• Motto of the show: The more aware you are, the more secure you can be.