i dream of being possible

The privilege of privacy

The Push for Privacy

The related issues of privacy and security online and in tech are mainstays of the current discussions on tech. Something that seems to have been awoken with Facebook and its erosion of what privacy means over the years:

The rise of social networking online means that people no longer have an expectation of privacy, according to Facebook founder Mark Zuckerberg.

“People have really gotten comfortable not only sharing more information and different kinds, but more openly and with more people,” he said. “That social norm is just something that has evolved over time.”

Zuckerberg said that the rise of social media reflected changing attitudes among ordinary people, adding that this radical change has happened in just a few years.

Regardless of whether or not this is true – I don’t think it is – this perception is common enough. And while post-Snowden, many people became alarmed at the idea of government surveillance and this lack of privacy, scrutiny for tech orgs themselves tends to wax and wane.

The thing that interests me most about the conversations about privacy online is who discusses and how they discuss it.

As far as I can tell, many of the people who’re most concerned about privacy online appear to fall into two camps: white men (of varying privileges and often techbr0s) and marginalized/vulnerable people. As far as I can also tell, very rarely do these two groups ever actually talk to each other – something I’m not terrifically surprised by.

It’s also very clear that the motivations and desires for privacy come from very different places. Many of the marginalized people I know guard our privacy because we worry about our safety. Based on what I see white techbr0s write on privacy, it seems to be more a matter of principle (e.g. “I have a right to privacy, so I’ll fight any encroachment!”). It isn’t that I think the techbr0 reason is less valid, since I do think that the slow erosion of rights is something worth resisting, but rather that these varying motivations have real consequences for how privacy is enacted and understood online.

The relationship between privacy and security

While the concepts of privacy and security aren’t equivalent, online and in tech they are very closely related and mutually reinforcing. Such that the more secure your use of tech is, it is likely to also be somewhat more private. And that steps and actions taken to preserve privacy, will often have the benefit of increasing your security.

Take encryption and HTTPS, for example. The encryption given by the certificates (and their validation by an external entity) increases your privacy by encrypting your website activity. It also increases security because the encryption means that any sensitive data transferred is much more difficult to expose (this is why pretty much every commerce site uses HTTPS). This generally applies to most uses of encryption, serving the dual purposes of privacy and security.

However, this relationship breaks down in some very important ways. While Facebook (and most other social media sites) will use HTTPS to encrypt your activity, very few people ought to consider this as increasing your privacy. Especially not when considering privacy from the tech companies themselves. Most of these companies will have varying tools for increasing privacy of your account in relation to other users (or the web in general) but none, as far as I know, provide many tools at all for determining how much privacy you can expect from the company.

Now, this isn’t wholly true, but the cases are fairly limited and not necessarily the easiest things to implement. Google allows some level of privacy against them if you tell them not to use your search history to personalize your results or to deliver targeted advertising. Just as both Chrome and Firefox give you an option not to send anonymous data about your browser use. But note: many of these features are ‘opt out’ and turned on by default.

This problem I’m highlighting isn’t particularly new or all that interesting anymore. Not since the axiom of “If you are not paying for it, you’re not the customer; you’re the product being sold”1. My understanding of this, is that it is about data. You pay for online services either with money or your data. Whether or not this is true is probably debatable, but what matters is that many people see at least a grain of truth in this. Even more importantly, is that many people in tech see some level of truth in this.

The cost of privacy

I think the earliest post I read about privacy online was Marco Arment’s post from 2011 where he wrote a phrase that impacted many of my online behaviours since:

You must own any data that’s irreplaceable to you.

Now, he isn’t necessarily talking about security or privacy in this blog post, but rather the problems with relying on tech companies to provide us with critical services. His concerns appear to be more about data portability and safety. It still made a big impact on me.

So too would various things I’ve learned over the past four or so years. The biggest thing I’ve learned is that privacy and security are too expensive for most people. By ‘expensive’ I don’t only mean money but also skills/ability.

Based on current discussions over privacy and security, most solutions that exist either require you to pay money or have an above average set of tech skills (or some combination of both). Because of this entry cost, most people simply cannot afford to have secure and private online lives. Moreover, beyond a few initiatives, most tech companies and techbr0s seem generally disinclined to make security and privacy more accessible. Instead, most seem to point and laugh at the plebes who dumbly hand over our data (to them).

I’m sure it’s obvious where the conflict of interest is here. By and large, it would be a disaster for the tech industry if the bulk of the population were to implement many of the privacy and security tools used by the industry. Or even to take Arment’s exhortation seriously about owning our own data. What if Facebook users, en masse, get tired of the privacy violations and start leaving the service? What if people get fed up with Google’s advertisements and stop using its various services?

Fortunately for the tech industry, the cost of privacy and security is often too high for many people to pay. And so, even when we know better, we continue to give up our privacy and data to techbr0s who laugh at us for being ‘sheeple’.

Experiments in security

All of this sounds well and good, but do I even know what the fuck I’m talking about? Yes, I do. At this point, I’d say I have an above average understanding of tech and the web. I can deploy a LAMP stack server (heck, even knowing what that is could be above average). I’ve even contributed to an open source project. My job is in tech. I run Debian 8 on my personal computer. So I’m not entirely ignorant nor am I on the skill level as your junior engineer. Something in between.

Domain names

So, Arment’s minimal requirement for ‘owning’ your data is to have your own domain name. While I don’t think it actually counts as ‘owning’ if Fastmail is actually managing your email, the point is relevant as far as data portability is concerned. You have far more control over your web presence if you have a domain name (esp. if we are talking about ‘branding’).

Except… Domain names cost money. Depending on the day, I’ve paid anywhere from $2 to $15 for one year’s worth of registration. Especially in the low range, one could think that $2/first year isn’t out of reach for most people. Except… the low prices tend to be for a year and while you can get some savings if you register for longer periods, this drives up the initial cost.

Can a poor person afford to spend, say $30 for a three year registration? Maybe. But likely not. Would a poor person want to shift their online presence to their own domain name without knowing that they will have something like $10/year every year to maintain the registration? Probably not (and I wouldn’t recommend it).

But wait, there’s a significant catch here. Domain registration requires the use of your legal name and your address. Information that can easily be found (since the registration is open to the public). Most registrars offer some kind of domain privacy (where they’ll act as a proxy). This can cost something like $10/year. Suddenly we are looking at something like $20/year in perpetuity.

The registration though… even if you pay for the domain privacy, don’t expect the registrar to go out of their way to actually protect your privacy. Moreover, there is a chance that domain privacy won’t be allowed in the future. Regardless of the status, the registration presents a real privacy and security concern for marginalized people. While I don’t experience the most vicious kinds of harassment, I get enough that having my personal information be this findable could be very dangerous.

Okay. But let’s assume that the poor person in question is my level of poor. I can afford to pay the yearly registration and privacy fees. Then the other cost comes into play: trying to figure out host records and actually doing something with your domain name.

Yes, Tumblr lets you use a custom domain name for free. But doing this requires that you actually understand how to change the CNAME or A host records. Given that each registrar basically has their own interface, finding relevant documentation will take a bit of extra effort. You want to use your domain name for email? Have fun figuring out MX records.

As you can see, even following Arment’s fairly ‘basic’ advice for owning your data is already inaccessible to a bunch of people. People without either the money or the skills (or some combination) to actually implement this suggestion.

Email

For almost three or so years, I’ve been trying out different ways to get more secure/private email. It isn’t any kind of secret that Google scans your email in order to deliver advertisements to your inbox. At best, this is an irritation. But Google has never been all that trustworthy as far as privacy from them is concerned.

Not too long before they removed it, I managed to get a free Google Apps account (literally me trying to follow Arment’s advice above and use my own domain name, at the very least). After years of trying out various solutions, I’m right back where I started. I guess it’s good that, at the very least, I have my own domain name.

But I occasionally think about how much of my data Google has and I worry. I periodically try to reduce the number of Google products I use – on principle alone – since I was totally burned by the shutdown of Google Reader. Email would seem to be an ideal candidate, especially if you’ve been using your own domain. It means you can switch services without needing to change your email address. Fantastic.

Except. There are no good, free alternatives to Gmail. What is there? Yahoo!? Hotmail? Nothing that doesn’t have the same inherent problems as Gmail. I tried this with both Yahoo! and Hotmail. My issue quickly became the reality that neither email service has even close to the same features as Gmail. I also tried RiseUp, which I still think is great, but found the email unreliable and you can’t use your own domain name (which isn’t appropriate for my main email account).

I did try Fastmail, what Arment is using, and it is actually really great. They also have good policies for data. There were no Gmail features that I missed while using Fastmail. The problem? Cost. If you want to use your own domain name, it costs $40/year. After an honest assessment of my finances recently, I realized that it wasn’t sustainable for me. Simply too expensive. So now I’m back to using my Google Apps account and that’s that.

But say you do have the money to pay (like I thought I did a year ago). What of the tech barriers? Fastmail does make things easy because they have an import function so you can move all of your emails from another account over there. Arment makes it sound super easy to just pick up and change services. But it isn’t.

If you don’t have an auto-import option like Fastmail’s, you have to move all the emails/data manually. Doing this requires some knowledge of how to configure email clients. At this time, I don’t actually know very many people who use email clients. In part because most people I know use Gmail and most people are happy with the web interface.

Even if you can get to this point, migrating your email is a non-trivial task. The first time I did it… it was a painful, time consuming process. I probably would’ve lost data if I hadn’t exported a bunch of my emails as mbox files (which sat untouched for years because I didn’t know what to do with them or how to use them – basically inaccessible during this time). Given how much many of us rely on email, this is a risky thing to do.

(And I don’t recommend migrating your email unless you know you can access support, understand what you’re doing, have an auto-import feature available, or are prepared to lose potentially valuable emails.)

Notice how I haven’t even said anything about email encryption? Do I not know or care? I do… in an abstract sense. While it is something I could figure out, who would I communicate with? About 99% of the people I talk to on a regular basis don’t use it and would likely have trouble trying to use it. Most of the people I know are disabled in some way and there are real cognitive barriers. Sometimes it isn’t even the case that people don’t know and don’t care, some simply are incapable of increasing their privacy and security because the tools are too complex and complicated.

Social media

It isn’t an accident that most of the vulnerable and marginalized people I know tend to stick with the social media sites that allow you to use pseudonyms and/or do not require your ‘real’ name. It’s funny. I always see tech thinkpieces wondering why Tumblr’s user base is younger and more diverse than most other social media sites. To me, the answer seems (on one level) pretty self-apparent: it doesn’t require your ‘real’ name.

Not that ‘real’ name policies keep people I know off of Facebook. I don’t think very many people I know are using their legal name on their Facebook account (which, regardless of what Facebook says, is what they consider your ‘real’ name). Indeed, many are actually using their real names. But I have had people I know maliciously reported for using a ‘fake’ name and then needing to either abandon their account or provide legal documentation and start using their legal name to regain access.

But in the social media context, what does ‘privacy’ or ‘security’ even mean? Most things written about this will talk about the decisions individuals make to share or not share certain aspects of their life. As in ‘privacy’ from other users/people. Once in a while Facebook or Google will fuck up and there’ll be some discussion about privacy from the organizations themselves or how the companies handle your data.

The basic answer here is that so long as these companies rely on advertising to make a profit, we will never be truly secure from them or able to maintain anything more than a thin veneer of ‘privacy’ in those contexts. Ultimately, your data is their business and they aren’t about to stop collecting as much as they possibly can.

This is an interesting situation too, since even if you have the skills or money to choose otherwise, there really aren’t any viable alternatives to using Tumblr, Facebook, Twitter, Instagram, Pinterest, and any other mainstream social media site.

Beyond this, though, there is another sense of ‘security’ that is difficult to manage in the social media context: harassment and abuse. Very few of the companies had effective means of blocking someone (ie, increasing your security) until fairly recently (and some still don’t, with some linking Twitter’s inability to do something about harassment and abuse to its inevitable demise2).

I honestly think that it is impossible to adequately assess privacy and security with social media because, by their very design, they intend to undermine both of these things. At the moment, there are literally no viable alternatives to using one of these sites and giving up some level of privacy and security. Mark Zuckerberg isn’t really wrong when he says that expectations of privacy have evolved. He is wrong, of course, about why this is happening. Slowly, over time, Facebook and other tech companies are training us into learned helplessness.

Conclusions

So yeah. I think the way the tech world has designed things results in the most meaningful tools for privacy or security being inaccessible for the average user. Either in terms of financial cost or skills/time/ability (or some combination of the two).

I know I’ve basically thrown in the towel. Unless my income magically increases and I can afford to pay for things like email, it is just too much fucking money for me right now3. Sure, I have greater skill and ability to learn new tech stuff, so I’m somewhat better off than many of my friends, the problem is that pretty much none of them can follow. So I stay where my friends are because, who would’ve thought, I actually use social media to, um, you know socialize.

The other problem, with all of this, is how alienating the advocates for internet security/privacy are. Because, let me tell you, seeing a bunch of white techbr0s mobilize the exact same arguments that white men use to justify online harassment and abuse doesn’t incline me to consider the substance of their arguments. Nor is the fact that of the two communities who tend to care about privacy and security the most, these concepts have radically different meanings and implications.

That techbr0s often only talk about security in the sense of data and whatever, without thinking about security in the ‘omg am i safe?’ sense means that a lot of the people who could use their recommendations probably don’t even bother to look. The fact that techbr0s demand security and privacy while continuously building services and technology that undermines it for the people without their privileges is also… shall we say, off-putting.

I really do think that more people would do things like encrypt their emails or take other proactive steps to maintain their privacy and security if, for example, they were presented as “hey, if you do this thing, it’ll help prevent you from getting doxxed”. Increasing accessibility would also mean ‘do this thing’ is some relatively easy thing for many people to implement (something similar to EFF’s SSL certificate initiative).

It would also be really nice if the tech industry would stop blaming the victims of data breaches, insecurity, and lost privacy. Every time something like the ‘fappening’ happens, there are all these privacy/security tech pieces that come out that are basically “lol, don’t take nude selfies. or if u take nude selfies they should only be viewed on a non-networked computer. why r u sharing these anyways????”. Sure, some companies are harmed by data breaches, but more often it is users who deal with the worst consequences (especially if we are talking about abuse and harassment).

  1. Attributed to Andre Lewis 

  2. Although I’m linking to this post, I don’t agree with it. Since it frames abuse and responses to abuse as the same thing. They aren’t. 

  3. It’s funny because I’m not the poorest of the poor. My situation is stable in the sense that my job gets me enough money to cover bills every month. Except that I have about $150 leftover to buy food for two people. So, yeah, even something like Fastmail which is about $3/month actually makes a difference, especially when you add in other costs.