How to Convince Non-IT Friends that Privacy Matters?

mmtux writes: "As technology becomes more advanced, I am increasingly worried about privacy in all aspects of my life. Unfortunately, whenever I attempt to discuss the matter with my friends, they show little understanding and write me off as a hyper-neurotic IT student. They say they simply don't care that the data they share on social networks may be accessible by others, that some laws passed by governments today might be privacy-infringing and dangerous, or that they shouldn't use on-line banking without a virus scanner and a firewall. Have you ever attempted to discuss data security and privacy concerns with a friend who isn't tech-savvy? How do you convince the average modern user that they should think about their privacy and the privacy of others when turning on their computer?"

The nuclear option

Showing him his bank balance might work...

rj

the general rule...

Don't be helpful, be available.

If your friends want your expertise they will come to you and ask. If you offer it unasked-for, they will probably never ask and will go to someone else.

Probably better to talk to them about your other mutual interests. That way you get to keep your friends...

Re:the general rule...

On the other hand, when you see someone unknowingly driving toward a cliff, you don't wait until they ask for your advice to tell them. The submitter here is trying to help them about a problem that they seem not to have really grasped. I have had the same conversation as the OP with people. I can usually get it past the stage of treating it seriously, but come up against the wall of "there's nothing I can do" or simply that it appears to require effort to protect against.

It's something I'm still working on.

Re:The nuclear option

Showing him a ZERO bank balance might work even better. It'd help your own balance, as well.

Wireless

Start by explaining a real-world current personal problem. (I do not crack so showing his bank balance is not possible.)

A friend loves his wireless laptop. We encrypted router communication at both homes. Explaining why encryption is needed led to an explanation of the dangers of handling financial transactions while wandering NYC -- that any open router could record everything including passwords and perform man-in-the-middle attacks to bypass SSL. Anybody willing to capture his information could; expecting those people not to use the information maliciously seems silly.

Once those dangers were understood, my friend was eager to hear about more insidious problems such as government policies (telecommunication recording), other insecure devices (iPhone), and deliberately open websites (Facebook).

Re:Wireless

any open router could record everything including passwords and perform man-in-the-middle attacks to bypass SSL

It's that sort of misinformation that makes it hard to take valid privacy concerns seriously. How exactly would a router bypass SSL?

You could spoof DNS to redirect all requests to your own HTTP server, and you could dynamically fetch pages from the far end to convincingly fake the remote website. And while you could generate SSL certificates on-the-fly to make it HTTPS, those certificates could only be signed by a certificate authority you control, which is not one that's particularly likely to be present in the target's list of trusted authorities.

It's almost like the people designing SSL thought that the entire route between the two communicating hosts might be insecure -- including the first-hop router -- and therefore provided verifiable, end-to-end encryption and authentication that did not rely (at least at communications time) on resources beyond what is stored or can be generated on those hosts.

Beyond that, any authentication and encryption technologies that would commonly be considered secure by knowledgeable users -- SSH, Kerberos, most VPNs, etc. -- can provide similar guarantees. They all provide verifiably-secure authentication from any endpoint, even if the entire route is hostile, and even if the endpoints have bad DNS, untruthful routes, or totally fake traffic.

It's worth time teach someone the difference between HTTP and HTTPS, but pretending that SSL only works over trusted routers is counter-productive at best; if people feel there's no safe way they can use in the Internet they'll either give up on the Internet or give up on safety.

Different meanings of "privacy"

You may be conflating too many issues. There's a huge difference between warning people about info-stealing malware and saying "zomg ur real name is online!" Remember that most people still have the attitude that they have nothing to hide and so nothing to fear.

I say focus on the most critical issues, like not clicking stupid links, using IE, or falling prey to phishers. Nobody wants his bank account emptied.

Re:Different meanings of "privacy"

I agree. It appears that the op doesn't want to inform these people but rather indoctrinate them into a lifestyle. You can't force them to believe the same way you do, but you can tell them about the dangers that exist from their actions and hopefully give them the tools to think about potential visual consequences when it is time to make the decisions.

His friends are probably likening this constant warning and paranoia to "drugs are bad" and "if you do that, your going to hell". I'm not surprised that it is having much the same effects- people not caring about what the crazies tell them.

Simple!

Post some of their homemade porn online and then ask if they think privacy is important. I think they might.
Btw, don't forget to post the links to us. ;-)

.haeger

http://www.justfuckinggoogleit.com/

Seriously... Google them. Or somebody else at random. Show them how much information about them is already out there, and how easy it is to find. That'll convince them pretty quickly that they need to safeguard their information.

Re:http://www.justfuckinggoogleit.com/

It's probably advisable not to use this method on females that you have just met.

"Hey, what's a pretty girl like yourself doing on a google results page like this?"

Some are actually opposed to privacy

A lot of people are pretty self-righteous and tend to remark snidely "Why do you need privacy if you've got nothing to hide?" What are you supposed to say to someone that seems pretty opposed to privacy... they don't even care about your privacy much less their own. Now that 'terrorism' is a buzzword, people are even demonizing those who even bring up privacy as a concern.

Re:Some are actually opposed to privacy

Easy, tell them if they don't care about privacy then they won't mind installing video cameras in all rooms of their house. Or they wouldn't mind sharing their intimate details with anyone. Seriously, privacy is a basic human right, and it's natural to want some things private.

I do have many things to hide. Everyone does. Those things aren't necessarily bad.

Re:Some are actually opposed to privacy

"'I've Got Nothing to Hide' and Other Misunderstandings of Privacy" by Daniel J. Solove
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=998565 [ssrn.com]

not much really

for most people all you will do is alienate them from you if you lecture them.

it's like warning a girl that her new boyfriend is an @sshole.
tell her once, but after that she just has to learn on her own.

most people just don't care until it bites them.

Re:not much really

Some learn by study; some learn from advice; and some just have to pee on the electric fence for themselves.

rj

Re:not much really

A clever man learns by his mistakes. A wise man learns by the mistakes of others.
Watch someone else pee on the fence. Point, laugh, never do it yourself.

identity theft

i find that after a person is a victim of identity theft, they are far more likely to take privacy seriously.

As a true friend, the best thing you can do to encourage friends to take privacy seriously is steal their credit card info, buy yourself lots of nice things, steal some deeds and sell their house and cars. Sell their personal info to advertising companies, and send any material that documents your friends doing some suspicious or potentially illegal activity to the local authorities.

a few years later when they get out of jail and get their financial life back together, they won't take privacy for granted ever again.

Of course, there is no reason to let your friends know that it was you, who so lovingly taught them this valuable life lesson.

Start with the most obvious and ubiquitous

Email. Everyone uses it. Or some variation of it, such as SMS for the younger crowd.

Point out to your non-IT friends that sending an "email" is NOT like sending a "letter". It is like sending a "postcard". Any number of people you might not know can see the entire contents of your message along the way -- plus they can keep a copy of each and every one of those messages forever.

To take the analogy further, if they really want their "email" to be in an "envelope", use encryption!

Access Control

I generally remind them that privacy is not just from the government, but is a matter of having some control over who knows what about your life. You may not be ashamed about your partying, for example, but that doesn't mean that you want employers or parents to know too much about it -- definitely not to find out about it without you having the excuse to explain that you're careful and responsible. Political beliefs are also important, whether to avoid arguments with family members who disagree, or to avoid reprisals from a boss whose political persuasions are opposite yours ("If he has enough money to donate to that campaign, clearly he doesn't need a raise!"), or even from a government whose views you oppose.

And there are lots of personal details we're not ashamed of that we nevertheless would like to not be public. Vacation plans ought to be private from stalkers, ex-girlfriends, that really annoying friend from college who lives one town over from the hotel, etc. My sex life is nothing to be ashamed of, but nobody but my partner has any right to know about it.

Ultimately, privacy is not about secrecy, it's about personal sovereignty: who gets to say what people have what information about my life?

Lot's of hard work

You ask a good question...

No one really wants to be 'that guy' in the circle of friends. You know, the one that's always soapboxing about some sort of social injustice, evil corporations, or whatever. However, that's more or less what you need to do, because people MUST understand what is at stake when our rights to privacy are taken away.

Now, you can help your friends understand how their privacy is seriously at risk without being an asshole. It just takes time, and perseverance. I have alot of friends who have very uninformed political opinions. It's rude to just lecture them every time the subject comes up, but there's nothing wrong with speaking the truth to your friends in a palatable, positive way.

The more you mention issues of privacy, and the more well-informed YOU are about the issue, the more it will create top of mind awareness for them. In time, they will see your point. They will encounter a loss of privacy in their own lives, and because you were such a well informed friend, they will have the ability to make the mental connection. You really are doing them a favor.

Conflating too many Issues

In this case we are talking about 2-3 different things:

First, the problem of formerly private information that your friends have willingly made public, either because of convienience (information given to a website that they use for shopping) or on a social networking website.

Second, the private information that they are unwittingly making public, or leaving themselves at risk of making it public.

Third, that governments may be helping themselves to information thought to be private.

The first is a cultural difference, the third is out of your control, and the second is the really important one. You aren't going to win the debate on the first one. We've seen this debate before, on anonymity for BBS users, later on the rise of cookies. On one side were the forces of good, arguing that these changes were very real invasions of privacy and made your computer do things you didn't know it was doing and wouldn't want it to do if you did know. On the other side was convenience. It sucks to have to log in to slashdot every time I open a new browser window. It's kind of nice that Amazon can make recommendations to me. Cookies let that happen and the public debate, for what it was worth was won pretty handily. Now, that doesn't mean that companies started using cookies as an outgrowth of the democratic will of internet users. It just means that the level of outrage was muted over cookies enough for image conscious companies to get by with using them.

the same thing is going on w/ facebook/myspace/etc. The tables may turn on them (and will probably turn on facebook soonish), but for now we like the fact that others can see our name/face/job/school more than we dislike that these things are no longer private. Part of that outlook comes from the fact that we are limited in imagination. We see facebook one screen at a time. We can't look at people who aren't in our group (I think, haven't used it in a while). It takes a non-trivial amount of time to look through information. Consequently, we see that as the ONLY way to grab data from facebook. We don't connect (or at least the non-IT ppl) the fact that someone broke down anon/aggregate survey data from aol and netflix to get private information automatically. We don't think about scraping programs that read sites like myspace/facebook and correlate names and zipcodes with other sources of inoformation on the web.

The last part of this failure of imagination is that there is a cost to privacy. If I want my personal information to be private wholly from facebook, I can't be on facebook. Relatively speaking, that is a large cost. There is no 'maximum privacy' level for facebook where you can post pics of you and your friends and make comments and it won't be recorded somewhere. That product doesn't exist.

Ok. I won't touch on the third point because that is a flame war waiting to happen. Needless to say, it is out of your direct control.

The second point. My advice is be direct when the situation calls for it, but don't bother when it doesn't. If you are out at a baseball game, don't strike up a conversation like "Gee bob, I noticed that your password for your computer is 1 2 3 4 5 and that you sure do have an awful lot of sensitive info on there. Don't you think that you ought to change that?".


And then just tell them to get a mac. If they aren't security conscious enough to get a virus scanner while running windows then they really should be using an OS that does everything for them.

Re:Well, the following approaches are hit or miss.

"Food for thought: when we get all riled up about privacy, are we any better than the crazies who rail about pedophiles on the internet and make it seem like there are bogeymen around every corner?"

No, because in the case of privacy, people are constantly trying to pry into each other's business. Speaking personally, I have had it confirmed at least once that an email sent to me had been maliciously faked in order to manipulate me, and I have had some circumstantial evidence that someone was reading email conversations I had with someone else. I've been approached by people who know that I am a programmer, and want to know if I could "hack into" someone else' email account so that they could read through it. This stuff isn't about the boogeyman government, it is about ordinary people who actually do have no respect for the privacy of others.

Here's another angle to consider: sometimes, a message is easily misinterpreted when read by an uninformed party. When I was in Junior High School, I was once accused of plotting to blow up the school because of a note I had written to a friend, which had been misread by a teacher who found it after class. It isn't so uncommon. There are a dozen different situations like this, where some message is ambiguous and should only be read by someone who is fully informed on the context.

There's no better way...to lose friends

Attacking your friend's accounts is a good way to lose your friends. Most people don't take very kindly to that sort of practical demonstration without first giving their permission.

How to convice a non-Christian that Christ matters

IT people tend to be pretty security focussed with borderline paranoia. That is healthy because that's there role in society.

Talk to a dentist. You'll hear a whole lot about how important it is to floss your teeth for 15 minutes a day. A fitness nut will tell you how you need to exercise an hour and a half a day. The house painter told me I should wash the house once every 3 months to preserve the paint. A mechanic friend told me to check my car's oil every week. etc etc.

Most people just don't have the time/energy to do everything they're told so they ignore most advise.