I remember Y2K. I had a big fight with my wife over the fact that I had bought two 5-gallon water containers. She thought I was over-reacting to the slight possibility of the computer systems going down at midnight of the new millennium. Turns out she was absolutely right – nothing happened, and while I think we drank a little of one of them, the other was just dumped out.
That’s ok, though.
The Condom Principle
At the time all four of my daughters were living with us, in teen or pre-teen years. They were my responsibility. I later turned my feelings and fears about Y2K (and the preparations we made) into what I call “the condom principle.” It’s for when people go out and there’s the possibility they might end up in a sexual situation. You pack a condom, because:
It’s better to have it, and not need it,
than to need it, and not have it.
When I’m talking about various kinds of digital security on this blog, it falls in that category. It’s better to know about it, and never need to use it, than to be in danger and not have the resources to do it.
For example: do you use an iPhone? Want to quickly encrypt everything on it? Activate the passcode. That’s it! Unless someone can force you to reveal that passcode (which they can’t, legally) your data is so secure that it would cost $1,000,000 or so to get it cracked. Don’t think that your fingerprint makes it more secure, though. But look how easy that was!
If you use Android or Windows, it’s a bit more complicated, but there are ways.
Why Should I Worry? I’ve Got Nothing to Hide!
You may be completely right about that – although there are times when having nothing to hide still gets you in trouble (warning: that link is not for the faint of heart). But this is where the Condom Principle comes in: wouldn’t it be better to figure out if you are in danger, and know what to do about it, rather than finding out too late?
Enter the Electronic Frontier Foundation and the practice of “Threat Modeling”:
Remember that when I recommended the “Signal” app, I mentioned that you might not need it. I’ve been playing around with a lot of different kinds of security, and I can tell you that there is a price you pay for each, and it’s not always just monetary. For example, Signal makes my communications secure – but it means that I can’t include the nifty little stickers and reactions that iOS provides, nor can I use my Apple Watch to dictate responses. If I forgo the encryption – sure, I can do all those things.
Right now, I’m not thinking that I’m in any danger. This is just me playing Jason Bourne, basically. It’s going to be up to everyone individually to do their own threat model for their own life. This consists of asking yourself the following five questions:
- What do you want to protect?
- Who do you want to protect it from?
- How likely is it that you will need to protect it?
- How bad are the consequences if you fail?
- How much trouble are you willing to go through in order to try to prevent those?
Now, the Electronic Frontier Foundation has their own version of doing this electronically, laid out nicely on their site. It includes the fact that your threat model may reveal to you that you don’t need to do anything.
…not everyone has the same priorities or views threats in the same way. Many people find certain threats unacceptable no matter what the risk, because the mere presence of the threat at any likelihood is not worth the cost. In other cases, people disregard high risks because they don’t view the threat as a problem.
Another way to look at this is to use the earthquake analogy. Is it acceptable to live in a high-rise apartment with children if there is an earthquake risk? The answer to that will be different depending on whether you live in San Francisco or in Madison, WI. Or maybe it won’t – I have a friend who literally makes a living determining acceptable risks, and he refuses to fly with his kids. Why, when airplane travel is statistically one of the safer ways to travel? It’s simple: there is no meaningful support for emergencies and he and his wife can’t keep the flexibility and resources they need available. That’s their threat assessment, and it’s absolutely valid.
Regardless of your position in life, regardless of demographic, regardless of the side of the political spectrum you fall on: doing a threat modeling exercise is worth it, because things are going to be changing. It’s better to be ready and not need to be than the other way around.
What are you doing to prepare? And when you reply, are you doing it anonymously through a shell account on a virtual private network? Or just via Facebook?
I’d like to know. And guess what? So would some other faceless agencies…