Digital Security: Doing What You Can When You Can

Or: How I learned to stop worrying about earthquakes.

When we talk about making ourselves safer, we first need to lay out what we think might be making us unsafe.

This process is known as threat modeling, harm reduction, or risk management. As introduced in the EFF’s Surveillance Self-Defense guide:

Digital security isn’t about which tools you use; rather, it’s about understanding the threats you face and how you can counter those threats.

How We Decide To Act

Without a threat model, we often end up selecting privacy tools like this:

Figure 1: A popular tool assessment

What’s fun? What’s new? What are our friends doing?

This is how casual privacy enthusiasts learn cool things (encryption) before less cool things (backups, passwords). This becomes a problem when those cooler things depend on the less cool things to work.

The people I’ve met seeking out privacy tools are generally very competent, curious, and assertive. These are great qualities, and they fuel a desire to achieve advancement. In addition to a tool being cool, it can be seen as more desirable if it makes the user feel that they are becoming more advanced.

Figure 2: A more “advanced” tool assessment

I want to do as much as possible to be safe.

The idea that privacy needs to be difficult is understandable, but is a problematic starting point.

  • This framework discourages people from prioritizing simple precautions, because those precautions may seem less useful.
  • It also discourages people who are less comfortable with technology from engaging, even though not all precautions are technical.
  • And it also creates risk, because sometimes using a difficult tool poorly is worse than using nothing at all.

In reality, users are more advanced when they use the right tools well. What tools are “right” depends on the individual, who must consider their own needs. Specifically:

  1. What risks are possible?
  2. How bad is each outcome?
  3. How likely is each risk?
  4. How easily and effectively can I control that outcome (through prevention before or mitigation after)?

Note that these questions are about risks, rather than tools. They don’t ask “do I need X,” but “what should I be doing about Y?”

Figure 3: A thoughtful risk assessment

What can I actually do?

Analog Examples

What would completely disrupt your life in a terrible, irreversible way?

I live in an old brick building in Oakland, California, so for me it’s indisputably a block-leveling earthquake. It’s not likely to happen tomorrow, but it’s somewhat likely over the next decade. And there’s very little I can do to prevent it, though there’s a little I can do to prepare for dealing with it after the fact (having a good earthquake kit, learning first aid, making a plan).

I model earthquakes like this:

There’s something (but not much) to be done here.

This is very bad, but there’s not much I can do. I have my earthquake kit, and my partner and I know where we’ll meet if one or both of us isn’t home when it happens. Otherwise, I try to live my life without constant and debilitating anxiety about this awful thing that I can’t control.

Another way my life could be upended would be a terrible bike accident. I ride my bicycle a lot, and Oakland has a few great bike lanes and many terrible drivers. Getting sent to the emergency room by a negligent driver is both bad and fairly likely.

Time to get to work!

Fortunately, there’s more I can do about planning for a bike accident: I can wear a helmet, I can make my bicycle very visible, I can choose my routes carefully, and I can take a defensive biking class. I can also buy health insurance, in case these preventative steps aren’t enough.

What This Means

Though an earthquake would be much, much worse, I spend more time preparing for bike accidents.

Similarly, though having all your keystrokes sniffed by NSA lasers would be much worse, most people should worry more about preventing their keystrokes from being sniffed by email phishing scams.
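As an added illustration of the four questions above (not part of the original post), here the post’s own examples are scored on severity, likelihood, and how much prevention or mitigation can actually reduce the harm. The numbers are constructed for illustration, not measurements; the point is that ranking by severity alone and ranking by reducible harm give opposite orders.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    severity: float    # question 2: how bad is the outcome? (0..1)
    likelihood: float  # question 3: how likely over the planning horizon? (0..1)
    control: float     # question 4: fraction of harm prevention/mitigation can remove (0..1)

    def expected_harm(self) -> float:
        # Severity weighted by likelihood: what the risk costs on average.
        return self.severity * self.likelihood

    def reducible_harm(self) -> float:
        # The part of that expected harm our effort can actually remove.
        # Effort should follow this number, not severity alone.
        return self.expected_harm() * self.control


# Constructed, illustrative scores for the post's four examples.
RISKS = [
    Risk("block-leveling earthquake", severity=1.0, likelihood=0.10, control=0.10),
    Risk("serious bike accident", severity=0.6, likelihood=0.40, control=0.70),
    Risk("keystrokes sniffed by NSA lasers", severity=0.9, likelihood=0.01, control=0.05),
    Risk("keystrokes stolen via email phishing", severity=0.5, likelihood=0.50, control=0.80),
]


def rank_by_severity(risks):
    """The 'do as much as possible' ordering: worst outcome first."""
    return [r.name for r in sorted(risks, key=lambda r: r.severity, reverse=True)]


def rank_by_reducible_harm(risks):
    """The threat-model ordering: where effort removes the most harm first."""
    return [r.name for r in sorted(risks, key=lambda r: r.reducible_harm(), reverse=True)]


if __name__ == "__main__":
    print("By severity alone:   ", rank_by_severity(RISKS))
    print("By reducible harm:   ", rank_by_reducible_harm(RISKS))
    for r in sorted(RISKS, key=lambda r: r.reducible_harm(), reverse=True):
        print(f"{r.name:40} expected={r.expected_harm():.3f} reducible={r.reducible_harm():.3f}")
```

Changing `control` for the earthquake (say, after an expensive seismic retrofit) is the only way to move it up the second list, which is exactly the post’s point: effort belongs where it changes the outcome.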

It’s perhaps cynical and definitely distressing to say, but no one is 100% safe from 100% of risks 100% of the time. That level of protection is impossible, and we’ll wear ourselves out trying to get there. But proper threat modeling, which includes considering likelihood and possible control, will go a long way towards helping us get through the day and focus our efforts where they can be effective.