
Clarifications on Digital Privacy
An article from the July / August 2017 issue of The Atlantic, The Smartphone Psychiatrist, by David Dobbs, mentioned digital privacy in a way that readers could take as advice about their personal digital safety. The discussion was a little hazy, and I care about people having informed consent, so I’m going to provide clarifications.
Dobbs writes:
The only thing stopping [your mental health data from being accessed by someone trying to exploit you] might be the strength of [the company mentioned in this article’s] firewall or its willingness to defy a government request for data.
This dangerously omits the most common way that people’s info is breached: their own mistakes. A company with a dedicated security team can present a hardened target to attackers, and government requests are extremely rare if you’re not of national security interest. A far easier approach is tricking you into betraying yourself:
- With phishing, the attacker presents a fake login page that looks identical to the real thing. If you’re not paying attention to the green lock icon in the browser, you may enter your password on the fake site. That would give the attackers access to your account.
- If you use a weak password like “gohan”, your pet’s name, or your birthday, attackers can figure out your password by guessing a relatively small number of times.
- If you have a “password I use for everything”, and one site where you use that password gets breached, then attackers will use that password on other sites around the Internet to see if it gets them any access under your name.
Russians seeking to influence the 2016 US presidential election leaked emails from Clinton’s campaign. They didn’t breach Google’s security or use a court order. They tricked senior campaign staffers into revealing their password on a fake login page.
A major protection against all of this is enabling two-factor authentication, which combines your password with a one-time code generated by your phone to allow you to log in. That way, someone can steal your password, but without having physical access to your phone, it’s useless to them.
About government-mandated disclosures, Dobbs notes:
[Google] reveals little to the public about which requests it honors or why.
The article doesn’t mention this, but some government subpoenas come with gag orders that prohibit the receiving company from “revealing” anything to the public about the request. And this is not necessarily Orwellian; it has been used in cases of prosecuting child pornography, for instance.
Dobbs continues:
Others argue that [the worry about sharing sensitive psychiatric data with a particular company] is … naïve, since most of us already leave enough footprints with smartphones, computers, phone calls, and credit-card purchases to forfeit … privacy. The question may not be whether [this company’s] firewall would be perfect, but whether it would be stronger than many porous containers already holding our personal and medical information.
This line of reasoning is deeply misguided. Yes, existing as a digitally connected person in today’s society means giving up a great deal of privacy. Every interaction you have with a digital system is recorded, and in aggregate it can reveal a lot about you. (And I’m not just referring to the content of the tweets you send, but also every button you pressed on the way to sending that tweet, how long you lingered viewing other tweets, your location every time you’ve opened the app, etc.)
That said, this reality absolutely does not mean that you can’t hurt yourself further by sharing additional information. Everything you do online and all the information you willingly share expands the surface area that someone has to exploit you or invade your privacy. The question for you is whether a given service provides enough value in your life to justify the risk. For many people and many services, the answer is “yes”. But to have a healthy digital life, it is a question you need to consider for each new bridge you build across the metaphorical moat between your private and public lives. Yes, I can find out a lot about you if I have your credit card records. I could find out even more if you decide to share your mental health information with a company and I break into your account.
Mental health is important and unfairly stigmatized in today’s society. If you think that using a digital tool will help your mental health and the benefits outweigh the privacy risks, definitely do so! But you should be aware that those risks are present, and the biggest risk to your privacy is your own failure to protect yourself adequately. The threat to consider isn’t whether the bad guys have a metaphorical sledgehammer big enough to break your car’s windshield, but whether you remembered to roll up the windows in addition to locking the car doors.
