Ask HN: What's a good response to “It's fine, I've got nothing to hide online”?
Whenever I try to explain my concerns about online data privacy to other people (family and friends, mostly), the most common response I get is:
"Oh it's fine, <Facebook/Google/etc> can collect whatever they want, I don't have anything to hide."
I try to explain that the kind of data collection (and use/sale) we see from these businesses can be a much bigger concern than just "Facebook knows where I work", but I can never really articulate my thoughts well.
What are some good ways to explain to (primarily non-technical) people why it might be worthwhile being more aware of what data is being collected on them?
86 comments
[ 4.9 ms ] story [ 161 ms ] threadThe example I often use (as it's actually happened to people) is the different usage of the last 4 digits of a bank card.
Some companies will freely throw this info around, as a convenience to the user. In emailed order confirmations, etc.
Other companies, however, use the last 4 digits of a card as a security measure To confirm you are the account holder, please supply the last 4 digits of the card used, or whatever.
Using social engineering, you can play these 2 companies off of each other, and possible gain some extra information A name, a billing address, or whatever.
I try to emphasis that you, the user, are not involved in this at all This is a person going back and forth between various company's call-centres using the info to gain more It's a to-and-fro, initially with only the innocuous information, but by the end you possibly have the authority to order something using the legit card and billing address but delivery to a PO box (sorry, UK terminology here, unsure what the US equiv. of a PO box would be, but delivery to a post office for collection)
I try to steer away from the more outlandish stuff (while true, and in use, people seem to dismiss them - like the recent psychological manipulation used on Facebook) I try to keep it simple, someone ordering some jewellery on your card and collecting it from a PO box, all completely without your knowledge
I also try to emphasis the importance of securing your email account. As someone with access to your email can run through the "I forgot my password" things on various popular sites.
I like the "last 4 digits of a card" thing, as most people have come across this difference User convenience vs. security measure But it's never registered as a potential problem
As someone who is against the facebook data slurp, this is something I'd never really noticed till just now either.
The more general problem is that social media gives away a high resolution model of how a certain society is functioning. The danger here is that someone else knows more about a group of people than the members themselves. Anyone who gets hold of the data can use it as a great foundation for social engineering. Be it rulers of countries that slipped into dictatorship, black hat hackers or terrorists.
Even if one is not doing anything wrong, one might feel uneasy about having a "permanent record" of all one's movements tied to one's full biometric information.
Then show them this: https://youtu.be/TX8MSZy5I3I
Facebook, Google, Snapchat and other services that are "free" are doing this with your personal information for profit. If the CEO of Facebook doesn't want to give out his personal information carelessly, why should you?
https://en.wikipedia.org/wiki/Nothing_to_hide_argument
"Saying "I do not care about my privacy, because I have nothing to hide", is like saying "I do not care about freedom of speech, because I have nothing to say""
This explanation stuck with me, because I find it extremely useful in situations when explaining the importance of privacy online to non-technical people.
I might still care about freedom of speech for the freedom of others which I value. I may not agree that I find value, assuming I have nothing to hide, in other people's privacy.
Not taking a position on privacy here, I'm just stating the analogy doesn't stick.
"No? Why not, you had nothing to hide? So an automated system is allowed much more detailed information about you and making money with that data? But I can't have a look inside your drawers?"
For me the turning point was when I realised that while I have nothing to hide from police or governments today I might have something I wish to hide from governments in 2030.
For a real world example of this, see Turkey - a country that was quickly approaching western standards but turned around in less than 2 years.
Also, while I trust local police that most of them will not abuse their knowledge I don't trust them to keep that data safe from hacking for decades to come.
Also, while I've used (local) police as an example of someone I trust i do not trust companies by default.
The things you freely discuss on on a platform today could become socially unacceptable tomorrow and evidence against you the day after that.
Shortly thereafter, Mao backtracked on the whole thing, surprising everyone, and labeled anyone who had spoken out as opposition; because people had publicly spoken out against the government, they were easily tracked down and imprisoned.[0]
What the government gives with one hand, it can easily take with the other. There is no reason to think such an event could not happen again, and that what you freely share today could be used against you at some time in the future.
[0]https://en.wikipedia.org/wiki/Hundred_Flowers_Campaign
> Would you be OK with the police installing a camera in your house? Don't worry, they'll only look at it if they think you've done something wrong, you can trust them on that. Totally. You've got nothing to hide, right?
I think non-tech people don't quite realise what sort of footprint they leave online, whereas the idea of a camera being in your home where someone may or may not be watching makes people feel quite uncomfortable. This is an opportunity to draw a parallel between the two.
I have found this argument to be effective in changing people's views on this topic.
No you do not have any access to the camera. No, there is no indication that it is active. No, you can not opt out. No, you can not see any source (I asked). "But it will only ever be used when there is an alarm to verify".
And most of the people go: "Sure, sounds reasonable!"
In my example, the user has no choice, just as you frequently have no choice but to allow your web traffic or activity be monitored.
https://www.smbc-comics.com/comic/2013-06-10
...actually that probably doesn't work anymore, given how there's smart TV's, home assistants and smartphones with always-on cameras and microphones.
Who is secretly pregnant, who is gay or bi and travelling in areas where that is bad, who is cheating, medical history, information about smaller law transgressions.. All of these topics and more are taboo on electronic media for me.
Normally you wouldn't, because there could be effects you find displeasing in the best case and harming in the worst case, such as getting ridiculed/discriminated/ostracized/etc.
Collecting private data about you can get you categorized in a similar way, carrying the same potential ill effects.
Would you trust a burgular with your location data when you're on vacation? No? Neither would I.
Would you trust a business you barely know anything about to keep your location data out of the hands of someone who commits crime for a living? In my case, not a chance.
Agree with them and say it is fine you have nothing to hide at this moment, but you are not important now. There are politicians, high ranked officials and a lot of other people that impact your life without you knowing that they can be influenced/blackmailed because of the lack of privacy. Maybe your future self really dislikes your lack of hiding right now or some family member is becoming a public figure and you are a weak link because you can be blackmailed. You don't control the future, so you don't know what to hide.
This argument always worked/works for me :)
[0]https://en.wikipedia.org/wiki/First_they_came_...
"If you're not doing anything wrong in your living room, why draw the curtains?"
"We should save paper by sending people their bank statements on postcards. If you're not doing anything financially shady, you should be okay with the postman seeing it."
This exaggerates the downside of handing over lots of information to a third party to use however they please. But it points out the assumption that "I", whoever "I" happens to be, am somehow privileged above "them." It's remarkably easy for "I" to turn to "them."
I think it might also be good to ask yourself, "What do I want to accomplish by convincing this person to be concerned about online privacy?" and think about ways to accomplish that goal.
There's a subtle difference between something you'd want to hide (because it could be incriminating) and something you don't want made public (because it could be embarrassing). I have nothing incriminating, but I have embarrassing stuff on my phone that I would rather nobody looked at.
A phone is an intensely personal device where a lot of your private data resides, and it can reveal a lot of intimate things about you and your relationship with others. Many people do understand this (at least at an instinctive level) and would balk at the idea of someone invasively reading all this stuff on their phone.
It's one I plan to use on airport security if they ever order me to decrypt my phone without a warrant.
You want something that causes a visceral reaction, not rational arguments.
The more disgust, fear, awkwardness you can cause with your action, the clearer the message you get across.
No other words need to be said after that point, even if they can't come up with an answer.
Then again, I'm a university-educated white male. It'll probably never happen to me, but will disproportionately to others.
Anything I put on my phone is under a presumption of privacy except as I specifically choose otherwise.
I’m as tinfoil hat wearing as they come but will still say that’s a terrible answer. States have intelligence agencies and maintain secrecy for both security reasons (nuclear codes shouldn’t be public right?) and privacy reasons of citizens involved (innocent till proven guilty).
> And why should I, as an individual, be transparent with an entity that is not transparent to me?
The first half of that is enough to stand on its own. You shouldn’t have to be transparent simply because that’s your choice to do so.