ICYMI: Important insights from Nate Bartram

Did you know that my The New Oil blog used Google Fonts until recently? Decentralize Today, the site you’re reading this on, uses FastlyCDN and other JavaScripts. Even the legendary and soon-to-be-rebranded PrivacyTools.io uses Bootstrap and links to Facebook, Twitter, and LinkedIn. The point is that trackers are everywhere no matter how hard we try, and that even those of us who focus on privacy and security are not immune. We try our best, but sometimes we have to pick the lesser of two evils – for example, by disabling Javascript DT would lose their search function. You can certainly message us and suggest alternatives, but I think there’s something to be said for personal accountability and action.

Threat modeling is something we come back to time and time again in the privacy community, and for good reason. No two people have the same threat model, which means that no two people worry about the same things. Additionally, people have different priorities. If you’re reading this, you likely care a lot about privacy, but not everyone does. Most people have some kind of social or political issue they feel strongly about, but not everybody feels as strongly about the same issue. This is why many of the people reading this may do really advanced things like disable JavaScript or attempt to live completely Google-free lives. There’s absolutely nothing wrong with that and in fact I am quite jealous of the people who can abandon their smartphones or live without a smart TV.  But it is because of this wide variety of concerns and interests that you should take it upon yourself to protect yourself.

At the end of the day, your digital protection is your responsibility and yours alone. It is unwise on my end and unfair on The Tor Project’s end for me to sign into my bank account over Tor and then get mad at them if I get caught dealing drugs or laundering money. An issue I’m not sure we’ve ever addressed before here (but definitely should) is the idea of using the right tool for the right job. You’ve likely heard the phrase “bringing a knife to a gunfight.” It’s not just about being underequipped, it’s about being equipped wrong. Suppose I did bring a gun to a gunfight. The type of gun matters. Bringing a six-shot revolver to a fight against an AR-15 is still wrong, but so is bringing a rocket launcher in close-quarters combat. “The right tool for the right job” is a spectrum: you can use a tool that doesn’t do enough but you can also use a tool that does too much. In the digital realm, the “too little” tools are generally easy to spot as they’re so common. For example, a recent article talked about how Taiwanese officials suspected their LINE accounts got hacked; LINE was never meant to be secure, it’s not even end-to-end encrypted. The “too much” tools are typically harder to spot because they don’t really become “too much” until they start negatively impacting us: losing a job because you don’t have a LinkedIn, being lonely because you won’t do online dating, or getting paranoid by the overwhelming amount of tracking out there.

Having said all that, I think the problem starts when start expecting others to meet our threat model. There’s certainly something to be said for hypocrisy. It would be pretty hypocritical of me, who has on-record said many times that Facebook is one of the worst things ever invented, to then make a Facebook page for The New Oil. And while I think all of us privacy-promoting websites, myself included, should do our best I think sometimes it’s on the reader to remember that their data defense is ultimately in their own hands. Sometimes we make mistakes. I mentioned at the top that until recently I used Google Fonts. That’s because I didn’t realize until recently that the theme I was using was built on Google Fonts. Upon realizing, I immediately reverted back to the default theme to remove that piece of tracking. I wasn’t trying to let Google track my readers, I made a human mistake. In some cases, it may be an issue of funding. It’s a lot of money and time to ask someone to self-host a service; privacy is unfortunately a financial luxury in today’s world that’s just not always feasible for everyone. Additionally, there’s the threat model argument above. I strive to protect my readers from tracking as much as possible out of principle, but at the end of the day I make it very clear that my site is aimed at normal people, the same people who may not be willing to give up Facebook or self-host an email server. As such, one shouldn’t be terribly surprised that a Privacy 101 site isn’t catering to the Edward Snowden threat models of the world.

There’s a lot of nuance to this discussion. As I said, I’m trying to be as privacy-friendly as possible with my own site, that’s why I went through great pains to remove all JavaScript some time ago and why I removed the theme on my blog recently. In the future I hope to self-host everything for maximum control. But ultimately, at the end of the day, there’s still only so much I can do. I can’t self-host out of my home, and even if I could I can’t pick a more privacy-respecting ISP or control the hardware and companies of the Tier 1 Networks that the traffic will inevitably travel through. Consider this: as a citizen in the real world, there’s lots of things I can do to defend myself from crime - I can lock my doors, take all my valuables out of my car, not take shortcuts through dark alleys at night, etc. But at the end of the day, if a criminal attacks me, it’s still on me to fight them off and defend myself. I can’t expect a cop to be on every street corner or to arrive before the burglar is done robbing me. I’m not trying to be political, I’m just being realistic. We should all strive to do our best to be respectful of everyone’s privacy, but at the end of the day we have to remember that mistakes are made, that trackers are virtually everywhere on the internet, and that ultimately it’s up to us to take matters into our own hands, to know the risks, and to determine if we’re okay with them. Be defensive and proactive. A few months ago on Surveillance Report, we discussed how the police were attempting to obtain all the IP addresses who had read a specific USA Today article in 30-minute time window. Henry said it best when commenting on that story: “I would never expect just reading an article would be something that could be in any way incriminating. I wouldn’t have thought about reading a paper online privately, but luckily I already have a good browser that handles that stuff, I’m constantly connected to a VPN, so I would’ve been fine.” It would be nice if USA Today didn’t record my IP address and didn’t turn it over to police, but ultimately it’s on me to defend myself from that kind of invasion. I can’t depend on them. Most digital services make no effort to respect or protect your privacy, and even those of us who do make mistakes. Be proactive. Take control of your data, and take personal responsibility for it. You’ll thank yourself in the end.