Passwords, Privacy, and Proactivity

Nicolas Chase
The Difference Engine LLC
7 min read · Jan 6, 2022

[Editor’s note: As interesting products and technologies emerge, we want to take the time to understand their implications from a human-centered perspective — what do new technologies mean for the way we live our lives, participate in culture and society, enact our values, and make our decisions. This piece is the first of those, tackling the subject of privacy, security & the ever-changing password.]

On October 6th, 2021, a large dump of Twitch.tv’s internal data, including source code and creator payout records, was leaked to the internet (“Updates on the Twitch Security Incident”). The part of the leak that hit the news circuit fastest was the list of top payouts to streamers over the past few years, down to each channel’s pre-tax figure. A sobering morning, at the very least, for the online community, as speculating about streamer income is a common discussion among viewers. To suddenly have insight into what had previously been a thought experiment, down to the exact cent, was shocking. In a playful move, streamers included their payout rank in their channel titles that day, embracing the extreme and sudden exposure.

The leak wasn’t all fun and games, though. Earning an income through Twitch.tv requires streamers, and to a lesser degree viewers, to hand over a fair amount of personal information. Twitch’s own update said it had no indication that login credentials were exposed, but a great deal of internal data is now floating around the internet, and how much of it can be turned against individual users is unknown.

Along with some startlingly precise financial information, this breach brings serious brand implications for businesses like Twitch, influencers who use the platform as independent contractors, and the users who sign up to create accounts as viewers.

Security and privacy go hand in hand

But it’s not just professional streamers: we’re all exposed to security and privacy breaches online. Creating new internet profiles is, for many, a regular necessity. As we join new services and social media platforms, start new hobbies or jobs, and engage in anything else involving digital human interaction, we breathe a new username and password into the digital expanse. Each new profile is a social node, ripe with opportunity and possibility, and one more copy of our identity held by someone else.

From a network security perspective, data breaches are an inevitable part of having an online presence. That is a fair philosophical and practical stance. But it raises the question: what do you owe someone when you ask, or require, them to create an identity with you? Unfortunately, it does not seem that many companies have asked themselves this question.

Data breaches seem to be treated as ‘Yet Another Data Breach’ by most companies. In the past, the majority of end users did not react much, or were not even aware that data leaks could, and did, occur. Breached companies still do little beyond a bulk email blast notifying users of a security incident in flat-affect language, but there does seem to be a new trend in end users’ attitude towards information security and online privacy.

End users now have access to a variety of privacy and security-oriented applications, but the security of the services we sign up for is largely out of our hands. With the global proliferation of mobile and personal computing devices, 56.7% of humanity (International Telecommunication Union) is at minimum one insecure database away from an inconvenient afternoon of resetting a few passwords (at best) or identity theft (decidedly worse). In response, many websites have increased their password complexity requirements to promote better habits. This distributed, ad hoc approach has made some headway towards increasing user security.

Still, increasing password complexity does look like a good way to slow brute-force attacks, and to make a targeted user’s passwords harder to guess from what an attacker already knows about them.

More password complexity should mean more foiled attempts, and to a degree it does. The caveat a security engineer would add is that length and unpredictability matter far more than mandated symbol and digit rules: a 20-character phrase of unrelated words resists offline cracking of a stolen hash better than “P@ssw0rd1!”, and composition rules tend to push everyone toward the same predictable substitutions. Unfortunately, as our passwords and security questions are buffed to thwart malicious access, our brains are stretched thin remembering which password has the “!” at the end, which one starts with an octothorpe, and which one we forgot to update to the most current “same but slightly different” scheme.

Of course, no degree of password complexity will prevent phishing, since phishers aim to trick you into handing over your password by posing as a legitimate site or email address. One of the few things that does help is autofill keyed to the real domain: a password manager will not offer your twitch.tv password on a lookalike domain, whereas a human skimming the address bar often will.

So, if platforms are going to remain inflexible about what users deserve in return for entrusting them with their identity, end users are left to their own devices and strategies to obtain satisfactory security.

How we protect ourselves now

Enter: password managers. These handy programs keep your logins in an encrypted vault, on your local device, synced through the cloud, or both, and unlock it with one master password. Instead of keeping your passwords in a plain text file (presumably called “linux distros”), you have a password-protected vault for your coveted login information. Password managers take a bit of user-side effort to configure properly, but they are robust programs accompanied by browser plug-ins and extensions. Whenever you need a password for a site outside your daily rota, you use the vault to retrieve it. Moderately easy, moderately peasey.

But how much more initiative will we, as users, have to take in order to make sure that our important password, personal, and financial data is safe? What if, instead of more complexity, security could come from simplicity?

What if you only had ONE password?

“But Nic, isn’t that a bad idea?” Normally, yes! Securing every one of your online profiles with a single password, typed verbatim, is certainly insecure: when one site’s password database is breached, attackers replay those credentials against every other site (credential stuffing), which is the very problem password vaults have been trying to solve.

There is another approach, however. Maarten Billemont, the mind behind Master Password and now a new app called Spectre, has taken a fresh approach to improving our internet security options. Rather than creating Yet Another Password Manager, Billemont has created a paradigm shift.

Master Password and Spectre are not password managers. They are password ciphers: each site’s password is computed, not stored.

The app takes your name, the domain of the site, a single passphrase of your choice and, optionally, a counter, and runs them through a deterministic algorithm to calculate that site’s password. Nothing is stored: there is no vault, and a site’s password exists as text only for the moment you direct the app to construct it. A thief cannot lift your passwords from your device because they are not on it. Two caveats a security engineer would add. First, the site itself still holds (a hash of) the password you registered, so a breach of that site still exposes that one password; that is what the counter is for, since bumping it yields a fresh password without changing your passphrase. Second, because the passphrase is the single root of everything and there is no server to lock an attacker out, someone who learns your name and one generated password can try guessing the passphrase offline, which is why the algorithm uses a deliberately slow key derivation function and why the passphrase must be long.
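Here is how such a password cipher fits together, as an added example that is not Master Password’s or Spectre’s own code. The scope string, scrypt parameters, templates and sample inputs are this example’s assumptions, so its output will not match either app, but the structure is the one described above: a slow, memory-hard KDF turns passphrase and name into a master key, an HMAC binds that key to a domain and counter, and a template turns the resulting bytes into a typeable password.

```python
"""Illustrative deterministic password generator (added example, not the apps' code).

Constants, templates and the scope string below are assumptions chosen for
this example; the real apps use their own values and will produce different output.
"""
import hashlib
import hmac
import struct

SCOPE = b"com.example.passwordcipher"          # assumed domain-separation string
SCRYPT_N, SCRYPT_R, SCRYPT_P, KEY_LEN = 32768, 8, 2, 64  # assumed work factor

# Character classes a template letter maps to. Splitting vowels and consonants
# keeps the result pronounceable, which is what makes a long password typeable.
CHARACTER_CLASSES = {
    "V": "AEIOU",
    "C": "BCDFGHJKLMNPQRSTVWXYZ",
    "v": "aeiou",
    "c": "bcdfghjklmnpqrstvwxyz",
    "n": "0123456789",
    "o": "@&%?,=[]_:-+*$#!'^~;()/.",
}

# Three 14-character templates (assumed); the site key's first byte picks one.
TEMPLATES = ("CvcvnoCvcvCvcv", "CvcvCvcvnoCvcv", "CvcvCvcvCvcvno")


def _length_prefixed(data: bytes) -> bytes:
    """4-byte big-endian length then the bytes, so that ("ab", "c") and
    ("a", "bc") cannot collide once concatenated into a salt or message."""
    return struct.pack(">I", len(data)) + data


def master_key(name: str, passphrase: str) -> bytes:
    """The only expensive step: a memory-hard KDF over passphrase and name.
    Computed once per session; slowness here is what makes offline guessing
    of the passphrase costly if one generated password ever leaks."""
    salt = SCOPE + _length_prefixed(name.encode("utf-8"))
    return hashlib.scrypt(passphrase.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
                          maxmem=64 * 1024 * 1024, dklen=KEY_LEN)


def site_key(mkey: bytes, domain: str, counter: int = 1) -> bytes:
    """Bind the master key to one domain and a rotation counter. Changing
    either input changes every byte of the result, so a lookalike phishing
    domain yields an unrelated password and bumping the counter rotates it."""
    msg = (SCOPE + _length_prefixed(domain.lower().encode("utf-8"))
           + struct.pack(">I", counter))
    return hmac.new(mkey, msg, hashlib.sha256).digest()


def render(skey: bytes) -> str:
    """Map site-key bytes onto a template. The password does not exist until
    this call. (Indexing with a byte modulo the alphabet size carries a small
    modulo bias for alphabets whose size does not divide 256.)"""
    template = TEMPLATES[skey[0] % len(TEMPLATES)]
    out = []
    for i, cls in enumerate(template):
        alphabet = CHARACTER_CLASSES[cls]
        out.append(alphabet[skey[i + 1] % len(alphabet)])
    return "".join(out)


def derive(name: str, passphrase: str, domain: str, counter: int = 1) -> str:
    """End-to-end: name + passphrase + domain + counter -> site password."""
    return render(site_key(master_key(name, passphrase), domain, counter))


def matches_template(password: str) -> bool:
    """Check that every character came from the class its template position allows."""
    return any(len(password) == len(t)
               and all(ch in CHARACTER_CLASSES[c] for ch, c in zip(password, t))
               for t in TEMPLATES)


if __name__ == "__main__":
    # Constructed sample inputs for this example.
    NAME, PASSPHRASE = "Alice Example", "correct horse battery staple"
    mkey = master_key(NAME, PASSPHRASE)   # slow step, done once
    for domain, counter in (("twitch.tv", 1), ("twitch.tv", 2),
                            ("twitch-login.example", 1)):
        print(f"{domain:22s} counter={counter}: {render(site_key(mkey, domain, counter))}")
```

Running the script shows the three properties the scheme relies on: the same name, passphrase and domain always reproduce the same password; a lookalike domain produces an unrelated one, which is the phishing defence; and bumping the counter gives the site a fresh password after a breach without touching the passphrase.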

This blew my mind. Sure, browsers like Firefox can auto-generate and store complex passwords for you. But a stored password can be browsed and read at any time by anyone with access to your unlocked device and browser profile, unless you have also set a primary password on the browser’s own store.

So why aren’t we all rushing to adopt this new paradigm? To begin with, change is hard. And most people have other things on their minds besides cybersecurity. Still, Billemont has taken a beautifully innovative approach, one that designers everywhere can appreciate and be inspired by.

Meanwhile, breaches and outages continue

As more of our online life is disrupted by data breaches and service outages, we’re forced to think more about privacy and security. The October 4th, 2021 Facebook/Meta outage, which took Facebook, WhatsApp and Instagram offline for roughly six hours, demonstrated another version of the digital divide. For a lot of people, Facebook Messenger, WhatsApp, even IG messaging are their primary forms of text messaging. WhatsApp in particular is extremely popular globally, and millions rely on it in place of SMS. It’s a reminder that these platforms have more power than even they seem to fully realize: in a lot of places, for a lot of people, Facebook IS the internet.

During the outage, the messaging app Signal saw a tremendous spike in daily installs (Barry). Signal made a splash that day because it prides itself on a few core tenets: it is a privacy-first messaging application, open source and peer reviewed; it is built and maintained by a non-profit, funded through grants and user donations; and it is free to download and use. We know from the Facebook Papers and from other whistleblowers and past Facebook employees that Meta/Facebook does not share those values. It’s no wonder some users decided to try alternative messaging platforms. Who knows how many have effectively switched?

These security and privacy breaches can send a shock to the system that forces a reckoning or two. The first is that Facebook is not necessary to socialize online: we have other choices, and we’ll go where our friends are. The second is that people are becoming more aware of their own agency in taking steps to protect their privacy and security. Though it’s unfortunate that it often takes drastic events for individuals to make drastic changes, these moments do provide an opportunity, for users and for the brands and platforms they interact with, to reimagine their relationship to data privacy and security. If nothing else, when we come to a crossroads between continuing old behaviors or adopting new ones, we are confronted with a simple question: “What have I got to lose?”

Barry, Eloise. “Signal Says Downloads Spiked After Facebook Outage.” Time, 6 Oct. 2021, https://time.com/6104151/signal-downloads-facebook-outage/. Accessed 17 Nov. 2021.

International Telecommunication Union. “Individuals Using the Internet (% of Population).” World Bank Data, https://data.worldbank.org/indicator/it.net.user.zs. Accessed 17 Nov. 2021.

“Updates on the Twitch Security Incident.” Twitch Blog, 15 Oct. 2021, https://blog.twitch.tv/en/2021/10/15/updates-on-the-twitch-security-incident/.
