Privacy can be overwhelming. It seems like every company out there is intent on collecting as much data as possible. For example, this morning I noticed that GasBuddy – the app that helps you find the cheapest gas for your car – wants permissions to access your Apple Health fitness data. Because apparently I plan to run to the gas station and carry the fuel back to my car, I guess? On top of that, we’re routinely subject to companies flat-out lying about their data collection and use policies – like when Twitter claimed they’ll only use your phone number for 2FA (spoiler alert: they used it for advertising) or when TikTok claimed they don’t send user data to China (spoiler alert: that was also a lie). And it’s only getting worse.
It’s for that reason (that privacy can be overwhelming at times) that I strongly emphasize a focus on mental health. The surveillance state wasn’t built in a day, and odds are that the mistakes you made in feeding data into it didn’t happen all at once either. It’s going to take time to climb back out of that hole, to erase any data you want to and find the right tools and techniques to protect yourself going forward. One technique I strongly preach to help manage the deluge of options and rabbit holes to study is to take it step by step. I also strongly encourage people to focus on yourselves. I’m not sure I’ve ever publicly issued this statement before except in response to forum posts and the like – such as the infamous “I can’t get my family to switch to Signal” (I’ve address that specific one before) – but this is one of those “more art than science” delicate balances we each have to find in our own lives. There’s nothing wrong with asking friends and family to use things like Signal or ProtonMail to contact you – maybe even offer to help get them set up with it – but at the end of the day we can’t force them to do anything. You may have heard the popular “Serenity Prayer”: “Grant me the serenity to accept the things I cannot change, the courage to change the things I can, and the wisdom to know the difference.” Good words to live by in almost any area of life.
Unfortunately, accepting that we are not in control of the actions of others (unless you’re in some sort of BDSM power dynamic) means that we are frequently faced with a choice: to accept it, or to walk away. (Technically “fighting it” is also an option, but I’m assuming you already did that in the form of asking people to make a certain privacy-oriented change, and if you push the issue too hard you end up pushing people away, ultimately resulting in the “walk away” option being chosen for you.) The real friction arises here when we realize that nothing happens in a vacuum. I strongly believe that everything is intersectional and causal. In other words: I don’t believe anyone just wakes up and does anything without reason, and in nearly every situation, whatever they do impacts someone else. Those impacts may be positive or they may be negative, but they’re still impacting someone somewhere to some degree.
And this brings us to privacy: when the people around you refuse to use encrypted messaging, or choose to use social media, or pretty much any other privacy-adjacent choice is made by them, this impacts you. Here’s an easy example: if someone you know downloads TrueCaller (or a similar robocaller-blocking app), your name and number will get caught up in that database without your consent. If my mom refuses to use Signal, I have two choices: I can accept that and text her anyways using insecure SMS, or I can simply stop talking to her. Now for the record, I am a huge believer that “family” is an overrated concept – the fact that you share some DNA with a group of people due to complete coincidence that was beyond your control or choice does not give those people the right to take advantage of you. If someone’s a toxic person who doesn’t belong in your life, you should cut them out like the malignant tumor they are regardless if they’re family, coworker, or other. But that’s not privacy related, that’s just called self-respect and knowing your worth. In my case, my mom is not a toxic person. She’s supportive, caring, and enriches my life by being part of it. So I don’t want to stop talking to her. But her choices are impacting my privacy. Her refusal to use Signal is leaving some of my communications exposed.
For the record, my mother is actually a consistent Signal user, she even got some of my other family members on it without me being involved. This was just a thought experiment. But these are the kinds of real choices we will all face as we try to protect our privacy in this world. And the extent of these risks vary. Most of the privacy enthusiasts I meet – likely including you reading this – generally have pretty good practices. We use strong passwords, we 2FA everything we can, we encrypt every text and email we can as well as our devices, we’re mindful of what we post and what we put online. Most of the people I talk to are either in a good spot or are on the way to getting where they want to be. Which is great! But you’re only as strong as your weakest link, and for many of us that means our family members. In some cases, this weakness may be trivial: maybe your boss doesn’t use Signal, but you guys pretty much only ever text to say “hey the meeting tomorrow got rescheduled for Friday” and other non-sensitive stuff like that. In more extreme cases, maybe your parents are posting pictures of your kids on Facebook despite you expressing your wishes that they wouldn’t. That’s a lot bigger of a problem, in my opinion.
This is one of my more “philosophical” posts in that I won’t be leaving you with any specific recommendations. That’s because the exact nature of your threat varies, as well as your threat model. I’m very fortunate. Last time my mother visited, she didn’t just visit me, she visited a lot of other family and friends in the state. Later when she sent the pics to the rest of the family, she explicitly wrote in her email “please don’t upload any pictures with Nate to Facebook or any other sites.” I didn’t even ask, I had no idea she was going to send photos to people. I’m lucky to have people in my life who respect my craziness, even if they don’t understand it or don’t care as much as I do. But I’m the exception. I’ve heard lots of people say things like “my parents uploaded pictures of my kids even though I explicitly asked them not to.” That’s rough. On the one hand, that’s a blatant disrespect for your wishes. But on the other hand, maybe they’re not actually “toxic” people and you don’t want to cut them off from their grandkids. These are choices you have to weigh. First off, what is your threat model? A lot of people – in my experience – don’t start there often enough. They seem to go straight to “this is a problem, how can I fix it?” Is it though? Maybe it is. Maybe you don’t want your kid’s face on Meta’s servers for the rest of eternity. That’s fair. If I had kids, I wouldn’t either. But as with any privacy hiccup, the threat model is a good place to start: “is this really an actual problem?” If it is, maybe you have to do the hard thing and say “you can’t take pictures of the kids at all anymore.” If it’s not that big of a deal – more of a preference – maybe a serious talk is in order. Or maybe some sort of compromise, like “you can upload pics but only if their face is obscured.”
This is all a hypothetical scenario for me, but I’m sure it’s not for many of the parents reading this. I’m sure you’ve all at one point or another had to sit down and explain to your family why you don’t want to post pictures of the kids on FB, or why you’ll only send pics via Signal or Proton or something like that (sorry I’m shilling those two so hard today, just using them as shorthand for “secure services”). There’s no easy answers here. Again, if someone’s toxic and only bringing negativity into your life, just cut them out. That’s a pretty straightforward, easy answer in my opinion. It may cause a drama storm, but eventually the storm will pass and your life will be better off for it. But if it’s someone you love who’s causing these vulnerabilities out of ignorance rather than malice, it’s a tough line to walk. Maybe you’ll need to be firm. “If you don’t start using Signal, I won’t reply to your texts.” Maybe you need to frame the problem in a way they’ll understand. “Hey, you know how the internet is a dangerous place and we want to keep the kids safe, right? That’s why I want you to keep pictures of the kids off social media.” There’s no easy answers here. But my goal was not to provide answers, instead it was to bring to your attention a weakness in our defenses that frequently doesn’t get properly addressed. These may not be pleasant conversations to have, but if you want to put yourself in the best privacy and security position possible, they need to happen.
Before I go, I want to reiterate two things. First off, your mental health matters. Do not cut off loving, supportive, well-meaning family members if your threat model doesn’t call for it. Second, and related, be sure to threat model. One mistake doesn’t mean you need to go nuclear, burn down the house, and move the family into witness protection (not for most of us, at any rate). Be patient with your loved ones if they’re trying, but be firm with your boundaries. Boundaries are really important, and people should respect them. Make them clear. I hope this has helped spark some thoughts.