When Does Privacy Protection Become Futile Paranoia?
At what point does sensibly protecting one’s privacy become paranoia or worse, simply pointless? We talked to security expert James Bore to find out.
A conversation with security expert James Bore on assessing privacy threats and what to do when they do actually exist.
In a digitized world rampant with phishing schemes and the (rather overblown) specter of AI-generated deep fakes hovering on the horizon, privacy feels ever elusive. Cameras are ubiquitous in both private and public spaces. Getting a tank of gas involves a request for your email address. Anything online that claims to be free extracts a tax of time, attention and - almost always – personal information.
In this environment, privacy can feel less like common sense and more like an essential protection. In personal lives, basic cyber hygiene may protect against identity theft and fraud. On a societal level, privacy measures allow a person to believe they’ve lessened exposure to nefarious governments at worst and maintained personal sovereignty at best.
But at what point does sensibly protecting one’s privacy become paranoia or, perhaps even worse, simply pointless? We all know the person at the party who ducks out of the family photo lest it be posted on social media, or the spouse who shops only in cash or crypto, regardless of any inconvenience or potential strife doing so entails.
More importantly, how does one determine what actions – if any – a person can or should take to maintain their privacy? And how private does one’s life need to be at all to remain reasonably safe from harm?
Threat Acceptance
It is absolutely true that in today’s world privacy practices are protective measures. However, to effectively protect oneself from harm, a person must also have a realistic and true sense of the threat facing them. Bear spray will do no good when what is actually needed is a floatation device.
In the digital realm this is a daunting task. Every day, the hapless regular computer user is inundated with a firehose of terrifying information: new scam alerts, cybersecurity professionals’ dire warnings on social media, and frantic news coverage of corporate data breaches. Logging into an email account or swiping a credit card at the store can feel as fraught as walking through a rainforest with fresh meat strapped around one’s neck.
Others simply bury their heads in the proverbial sand, downloading a password manager and assuming “the IT department” (whatever that means) will handle any issues.
Regardless of where one falls on this spectrum, society in general understands the basic idea that bad actors use good people’s credit card numbers (or other personal data) to do bad things if given the opportunity.
So what to do?
Security expert James Bore advises accepting this fact of life. Instead of futilely attempting to avoid inevitable cyberthreats, he says, a better course of action is to learn to respond to them.
When it comes to identity theft and data breaches, basic cyber hygiene is generally sufficient. For everything else, however, it’s best to accept these are the waters in which we swim.
“My biggest threat is not a nation-state targeting me,” Bore said. “My biggest threat is Facebook trying to manipulate my behavior. And there is nothing I can do about that without going and becoming an off-grid, self-sufficient locust farmer.” (Locusts are one of the most nutrient-self-sustaining crops that exist.)
This is especially true when it comes to AI-generated deep fakes, or fake video, audio or images of real-life people. As Bore is quick to point out, at the time this article is being written, deep fakes are extremely rare, particularly those sophisticated enough to be successful in even simple social engineering objectives.
For those still concerned about this new, AI-based cyberthreat, Bore has bad news.
“It’s not something an individual can protect themselves against unless they are going to completely shut themselves away,” Bore said. “It’s a depressing thing, but the reality is this is the world we live in now.”
The best one can hope for in the case of a deep fake attack is a good response to it, and that would most likely fall under the capability and purview of law enforcement, school administrations, or other organizations. Effectively responding to a deep fake would not be something that can be effectively achieved by an individual acting alone.
Threat Assessment
Still, identity theft and fraud do exist and harm many people and businesses annually. It makes sense to protect oneself against real danger. But the necessary measures required to achieve a sufficient degree of protection will always be generally reasonable and not require any extreme actions.
That can be a difficult perspective to maintain in a media environment that frames every cybersecurity story as if it was the most dire outcome imaginable.
For example, Bore cited an oft-cited statistic that approximately 70 percent of cybersecurity attacks impact small businesses.
“Which sounds horrific,” Bore said. “Until you realize that 99.9 percent of businesses are small businesses, so of course they’re going to get the majority of attacks. And if they’re only getting 70 percent, that is a vanishingly small fraction.”
A more recent example is a parking meter scam in the United Kingdom. The scam worked through false QR codes stuck on parking meters. When people scanned the code they were taken to a fake website to enter their payment information. As of this writing, there were about 400 cases of reported fraud through the scam, which is unarguably a bad thing. However, in a country with a total population bordering on 70 million people, 400 attacks is hardly a national cybercrime crisis, which is how much of the media portrayed it.
And, Bore pointed out, it’s a threat easily avoided using basic measures and common sense.
“Yes, it’s good advice to people to not use QR codes, particularly if they look as if they’ve just been stuck on,” Bore said. “But the media attention to it was quite a lot, because it’s relatable.”
Likewise, Bore pointed out that for all the dire warnings against using public wi-fi and public charging stations, there has yet to be a recorded, verifiable attack against anyone using those mechanisms as attack vectors.
Even this article from Forbes has a subheadline that cites 40 percent of people getting their information compromised via public wifi. Beneath that bold-faced jolt of fear, however, any actual reporting is absent. The reader is urged to “imagine” a possible hacking scenario. But any actual relevant data or information is absent.
This includes information such as forty percent of how many public wifi users, and during what time period, and at what specific locations. There is no mention of what law enforcement agencies the alleged breaches were reported to, or whether and when these alleged breaches were being investigated. There is no analysis of if any such supposed compromises have increased or decreased over a period of time. Finally, the exact nature of the “compromise” is left to the reader’s imagination as well. Was it financial information? Identity theft? A ransomware attack? Malware?
None of these questions are even asked, let alone answered, but the reader is left terrified of checking their work email while waiting at Heathrow nonetheless. Never mind the professional team of cybersecurity experts that build and maintain those public wifi systems; the fact that their basic competence, expertise or professionalism is implicitly being questions is totally glossed over.
To be fair, the article isn’t wrong that these attacks are possible.
But as Bore points out, “possible doesn’t mean likely, and easy doesn’t mean likely, either.”
The mere existence of the ability to do something does not mean it is an inevitability.
“That doesn’t mean the Starbucks down the street has a compromised wi-fi,” he said. “Nor does it mean that you will be affected by it. The default security level on the internet is really pretty good so you’d really have to put some work in to get someone that way.”
Poor cybercrime reporting on breaches that did happen can be just as harmful because it leads to a false amplification of a person’s attack vulnerability.
“The cybersecurity media will talk about them because they’re exciting, they’re dramatic, they’re relatable,” Bore said. “What they won’t talk about is the actual numbers. It’s this disconnect from the reality of [cybercrime] compared to the possibility of it.”
Cybersecurity Professionals: Privacy or Paranoia?
Cybersecurity professionals tend to be especially prone to frantically shouting ominous warnings at everyday tech users. This makes sense. After all, they’re uniquely positioned to know all the ways a user can be attacked and, often, how to pull those attacks off.
Additionally, these are professionals who tirelessly labor against perpetually evolving attacks and threats just to keep the rest of us everyday tech yutzes safe. They are exhausted, burnt out, exasperated and feel underappreciated and undervalued. These feelings are not entirely misplaced, either. The fact that many cybersecurity professionals are left begging for funding and enough staff to do their job - protect an organization and its clients - is awful, and absolutely needs to change. But this also creates an environment in which every successful data breach or cyberattack serves as a validation.
It’s not surprising that the privacy protectors who take the most extreme measures are often also either working or aspiring cybersecurity professionals. These people become ironically conspicuous in their quest for ultimate privacy.
Whatever communication platforms they use certainly don’t use their real names. And rest assured, those platforms are little known, encrypted, and obviously delete messages automatically.
They pay in cash or use virtual credit cards, if not crypto.
This person will never remove their sunglasses if in a public place with cameras, so it’s easy to spot them at the cybersecurity conferences in Las Vegas, where the all-seeing eye of casino-level surveillance and security are ever present.
In the most extreme cases, some privacy seekers will use a false, legal name. Their friends and family may have even been vetted, unbeknownst to them, before the person attends a family member’s wedding (avoiding being in photos at all costs, lest the photos be posted on social media, of course). No one is allowed to visit their home, and the address numbers have been removed from the side of their house lest a spying Google maps car drives by. And so forth.
Is There Even a Threat At All?
There are, in fact, valid reasons to implement at least some of these practices, and not just for cybersecurity professionals.
A person may be hiding from someone in their past who recently escaped from prison. They may have recently escaped from a domestic violence situation. They could be under court order as part of a witness protection program. All of which are valid, credible, targeted threats. But in those cases, the privacy measures usually also involve external support from law enforcement.
But what about the people, frequently in cybersecurity, who aren’t in any such situation? The people who seem to voluntarily subject themselves to a lifestyle that can be onerous at best and nearly punitive at worst? What are they so scared of, aside from “surveillance” or “cybercrime”? Why are they so adamant we’re all in grave danger at all times?
Bore attributes this tendency to a combination of availability bias and a spotlight effect.
Basically, when a person spends most of their time at work, and that work involves learning about, fighting against, or preventing cybercrime, one will begin to see it looming everywhere, whether its rational to make that assumption or not. (A nontechnical example of this is a home inspector who begins to believe every structure they walk into is on the cusp of falling down around them at any moment.)
Add in a dash of spotlight effect, the fairly common presumption most everyone has that other people are noticing them at all times, and this can lead to some pretty eccentric behavior.
“All of the news in the cybersecurity world is about these big, exciting vulnerabilities and these huge breaches with millions of victims of identity theft and with people whose lives have been destroyed by one slip that they made,” Bore said. “The problem is we then start to think it's something that we can control. And we start to think our experience is typical and we lose sight of the actual numbers involved in this.”
It doesn’t help that in many cases cybersecurity professionals have the knowledge necessary to level the very attacks they work to prevent or respond to.
“It’s available to us, and we know how to do it, and we know it’s easy,” Bore said. “Therefore, everyone knows how to do it, and criminals know how to do it, therefore, they must be doing it.”
That still leaves out the crucial question of why someone would be targeting another person, however. Or, if a person believes they are under threat, by whom specifically and why?
“People lost track of that bigger picture that I’m just one among many, no one actually cares, and if someone does actually care, then yes, I’m probably vulnerable,” Bore said. “But unless there’s a targeted threat against me, it’s really just playing the odds.”
Ultimately, the measures taken by people focused on privacy protection wouldn’t prevent a targeted, professional attack in any case, and their privacy protections would certainly be pointless against a state-level attack or surveillance.
“If the threats that they are worried about did exist, the measures they’re taking wouldn’t be effective,” Bore said. “It’s risk reduction, not risk prevention.”
Further, it is nearly impossible for an individual acting alone to achieve and maintain a level of privacy that makes one immune to general cyberthreats, or even state-level threats.
“When someone’s trying to do it themselves without the support of a massive infrastructure to protect them, they are going to be very ineffective at it,” Bore said.
There’s a reason implementing a federal witness protection program for a single person or family requires dozens of officers and a lot of external infrastructure and resources. It’s also worth noting that witness protection is sometimes part of a plea deal and essentially exchanges one type of prison for what can be similar to a life sentence of house arrest.
Extreme privacy is, more often than not, punitive, not proactive or protective. Most political dissidents are forced to go underground and are pretty miserable when there, often cut off from family and friends. It can be baffling to see residents of first-world countries with no credible or similar threats implement similar measures voluntarily.
What One Can Do to Protect Their Privacy
All hope is not lost, however.
Again, no one is arguing cybercrime doesn’t exist or that people shouldn’t take reasonable measures to protect themselves.
So what does “reasonable” privacy protection looks like, especially in a world with AI deep fakes and ever-encroaching state surveillance in public spaces?
“There are reasonable precautions to take,” Bore said. “But they’re not build your house into a Faraday cage.”
Basic privacy practices include using a virtual credit card service to make purchases online. Common sense, such as not posting photos of credit cards or passports online, also helps.
For scams that may rely on social engineering tactics, Bore recommends not following one’s initial instincts to act.
“If an email, if a call, anything like that causes you to feel fear or anything like that and it’s not a well-established contact, that’s where you need to step away and contact the party another way, or ask them for a reference number, or whatever it is,” he said. “But whatever you do, don’t take any action or respond to any asks in that moment.”
That can be particularly difficult advice to take if one feels their safety is threatened. Yet again, maintaining perspective remains key.
“It’s when emotion is triggered, and it’s not for a good reason,” Bore said. “A good reason is someone you actually know calling you, and that’s it.”
A good way to maintain perspective is to be vigilant when not under immediate threat. When reading about cybercrime, take a deep breath and note how often and to what degree those attacks have been carried out successfully and, perhaps more importantly, against whom.
After all, a billionaire or high-ranking international official has far more reason to be worried about their children being kidnapped and held hostage than an average, everyday soccer mom in suburban America.
So stay common-sense vigilant and take a deep breath. Don’t post your credit card receipt for your Cancun hotel room on Facebook. Sign up for a virtual credit card service. Verify it’s the bank calling or texting you before doing anything involving money. Remember private VPN companies have a vested interest in you being terrified of your coffee shop’s wifi. But don’t panic if you’ve used the airport’s public phone charger, either.
James Bore is the author of The Cyber Circuit and founder of the Bore Group, Ltd, a security consulting firm based in the United Kingdom. He has written prolifically on cybercrime and security technology for the past 10 years.
Christina Eichelkraut is the founder of the Technology Education Collaborative (TEC). She was a print journalist and staff reporter for several general circulation publications in the Southwest before founding her digital communications and marketing company in 2011. She is also a ghostwriter who specializes in the technology and disability nonprofit sectors.
Edited on September 9, 2024 at 11:34 p.m. to remove two typos, adjust indentations for better mobile formatting, and expand on the very justifiable exasperation of working cybersecurity professionals. - CSE