Ask HN: What's a good response to “It's fine, I've got nothing to hide online”?

46 points by DavidPiper ↗ HN
Whenever I try to explain my concerns about online data privacy to other people (family and friends, mostly), the most common response I get is:

"Oh it's fine, <Facebook/Google/etc> can collect whatever they want, I don't have anything to hide."

I try to explain that the kind of data collection (and use/sale) we see from these businesses can be a much bigger concern than just "Facebook knows where I work", but I can never really articulate my thoughts well.

What are some good ways to explain to (primarily non-technical) people why it might be worthwhile being more aware of what data is being collected on them?

86 comments

[ 4.9 ms ] story [ 161 ms ] thread
"You're not just sharing your data with Facebook. You're sharing your data with Facebook and anyone Facebook subsequently gives access to that data. That's companies, governments, and individuals. You may trust Facebook, but do you trust everyone?"
I've often found that people don't fully understand the staged process. The fact that, most of the time, it's not what you directly supply to a 3rd party (as that's often innocuous) But the fact that this can be used as a stepping stone to gaining other, more private details.

The example I often use (as it's actually happened to people) is the different usage of the last 4 digits of a bank card.

Some companies will freely throw this info around, as a convenience to the user. In emailed order confirmations, etc.

Other companies, however, use the last 4 digits of a card as a security measure To confirm you are the account holder, please supply the last 4 digits of the card used, or whatever.

Using social engineering, you can play these 2 companies off of each other, and possible gain some extra information A name, a billing address, or whatever.

I try to emphasis that you, the user, are not involved in this at all This is a person going back and forth between various company's call-centres using the info to gain more It's a to-and-fro, initially with only the innocuous information, but by the end you possibly have the authority to order something using the legit card and billing address but delivery to a PO box (sorry, UK terminology here, unsure what the US equiv. of a PO box would be, but delivery to a post office for collection)

I try to steer away from the more outlandish stuff (while true, and in use, people seem to dismiss them - like the recent psychological manipulation used on Facebook) I try to keep it simple, someone ordering some jewellery on your card and collecting it from a PO box, all completely without your knowledge

I also try to emphasis the importance of securing your email account. As someone with access to your email can run through the "I forgot my password" things on various popular sites.

I like the "last 4 digits of a card" thing, as most people have come across this difference User convenience vs. security measure But it's never registered as a potential problem

>I like the "last 4 digits of a card" thing, as most people have come across this difference User convenience vs. security measure But it's never registered as a potential problem

As someone who is against the facebook data slurp, this is something I'd never really noticed till just now either.

"I do."
yeah, pretty much this. The problem with people willing to share everything is that they don't realize they're also sharing data about other people. Classic example would be address books that many apps are allowed to read.This can be dangerous for journalists or whistle blower as it becomes easier to infer their whereabouts.

The more general problem is that social media gives away a high resolution model of how a certain society is functioning. The danger here is that someone else knows more about a group of people than the members themselves. Anyone who gets hold of the data can use it as a great foundation for social engineering. Be it rulers of countries that slipped into dictatorship, black hat hackers or terrorists.

One might have nothing to hide from one's neighbor either, but one might wonder why he is keeping a detailed log of one's comings and goings, visitors, the times the bathroom light is turned on etc, as well as attaching tracking devices to one's car, bike, skis, and even clothing. One might get really uneasy if one finds out he has been collecting detailed information about one from the grocery store, gas station, movie theater, and restaurants etc.

Even if one is not doing anything wrong, one might feel uneasy about having a "permanent record" of all one's movements tied to one's full biometric information.

Ask them if they are comfortable sharing their private facebook messages, emails, snapchats, contacts, map locations, and pictures with you upfront to look at.

Then show them this: https://youtu.be/TX8MSZy5I3I

Facebook, Google, Snapchat and other services that are "free" are doing this with your personal information for profit. If the CEO of Facebook doesn't want to give out his personal information carelessly, why should you?

I remember seeing a documentary featuring Edward Snowden, where he said something along the lines:

"Saying "I do not care about my privacy, because I have nothing to hide", is like saying "I do not care about freedom of speech, because I have nothing to say""

This explanation stuck with me, because I find it extremely useful in situations when explaining the importance of privacy online to non-technical people.

I use this same example, and it works well.
I don't think the analogy sticks perfectly unfortunately.

I might still care about freedom of speech for the freedom of others which I value. I may not agree that I find value, assuming I have nothing to hide, in other people's privacy.

Not taking a position on privacy here, I'm just stating the analogy doesn't stick.

While a nice quote, It's not addressing why privacy matters. Most people already have an understanding of why freedom of speech is important, but might not think privacy is as important. They could easily call this "comparing apples and oranges", a similar scenario to the one in the original post.
"Ok, then please tell me your pin code.", "How many times a week do you copulate?", "Can I take a look inside your house please".

"No? Why not, you had nothing to hide? So an automated system is allowed much more detailed information about you and making money with that data? But I can't have a look inside your drawers?"

Shhh, adults are talking.
Using police as an example since I don't trust Facebook at all.

For me the turning point was when I realised that while I have nothing to hide from police or governments today I might have something I wish to hide from governments in 2030.

For a real world example of this, see Turkey - a country that was quickly approaching western standards but turned around in less than 2 years.

Also, while I trust local police that most of them will not abuse their knowledge I don't trust them to keep that data safe from hacking for decades to come.

Also, while I've used (local) police as an example of someone I trust i do not trust companies by default.

I usually reply with something similar to this. I try to remind them that the definition of "wrong" has evolved over the course of history - sometimes dramatically and quickly.

The things you freely discuss on on a platform today could become socially unacceptable tomorrow and evidence against you the day after that.

In the early years of Mao Zedong's China, the government appeared open and willing to listen to common people's ideas on how it should be run. Many, especially younger generations, were encouraged to openly express their opinions.

Shortly thereafter, Mao backtracked on the whole thing, surprising everyone, and labeled anyone who had spoken out as opposition; because people had publicly spoken out against the government, they were easily tracked down and imprisoned.[0]

What the government gives with one hand, it can easily take with the other. There is no reason to think such an event could not happen again, and that what you freely share today could be used against you at some time in the future.

[0]https://en.wikipedia.org/wiki/Hundred_Flowers_Campaign

I have nothing to hide about my bathroom activity, but I'd feel uneasy having a Dump Indicator Light installed above my front door.
A more aggressive example that seems to get the idea through to people:

> Would you be OK with the police installing a camera in your house? Don't worry, they'll only look at it if they think you've done something wrong, you can trust them on that. Totally. You've got nothing to hide, right?

I think non-tech people don't quite realise what sort of footprint they leave online, whereas the idea of a camera being in your home where someone may or may not be watching makes people feel quite uncomfortable. This is an opportunity to draw a parallel between the two.

I have found this argument to be effective in changing people's views on this topic.

I have found that many people are not really too concerned about it. There is a home security company here that sells an alarm system and one of the indoor movement sensor units has a built in camera.

No you do not have any access to the camera. No, there is no indication that it is active. No, you can not opt out. No, you can not see any source (I asked). "But it will only ever be used when there is an alarm to verify".

And most of the people go: "Sure, sounds reasonable!"

This feels maybe a little bit more reasonable because you installed the camera yourself and have contracted a company to monitor it. You can opt out by cancelling the contract.

In my example, the user has no choice, just as you frequently have no choice but to allow your web traffic or activity be monitored.

Ask them if they've read 1984 and would be comfortable with having one of those bidirectional TV's in their house.

...actually that probably doesn't work anymore, given how there's smart TV's, home assistants and smartphones with always-on cameras and microphones.

I have enough of other people's secrets to protect even if I've got nothing to hide. Other people's secrets are not mine to reveal.

Who is secretly pregnant, who is gay or bi and travelling in areas where that is bad, who is cheating, medical history, information about smaller law transgressions.. All of these topics and more are taboo on electronic media for me.

I usually ask "So, if you have got nothing to hide, would you shower naked on your balcony for everyone to see?"

Normally you wouldn't, because there could be effects you find displeasing in the best case and harming in the worst case, such as getting ridiculed/discriminated/ostracized/etc.

Collecting private data about you can get you categorized in a similar way, carrying the same potential ill effects.

I'd start with "it's not always about you" because it's likely to stop them in their tracks long enough to get a real explanation in. Stalkers, harassers, identity thieves, and other criminals routinely use perfectly innocent information about people to harm them. So do some parts of the government, unfortunately. Even if you are not a target (which is less likely than you think), others certainly are. Children have nothing to hide either, but we still take extra privacy measures to protect them.
This is the argument I am using most of the time. Most people agree that there are malicious actors out there, and that many would be able to exploit free access to a person's personal data in some way.

Would you trust a burgular with your location data when you're on vacation? No? Neither would I.

Would you trust a business you barely know anything about to keep your location data out of the hands of someone who commits crime for a living? In my case, not a chance.

This is maybe a controversial approach, but it works really well.

Agree with them and say it is fine you have nothing to hide at this moment, but you are not important now. There are politicians, high ranked officials and a lot of other people that impact your life without you knowing that they can be influenced/blackmailed because of the lack of privacy. Maybe your future self really dislikes your lack of hiding right now or some family member is becoming a public figure and you are a weak link because you can be blackmailed. You don't control the future, so you don't know what to hide.

This argument always worked/works for me :)

You could even paraphrase Martin Neimoller's well-known (if not the author himself, I didn't until I looked him up) poem[0]:

    First they came for the Socialists, and I did not speak out—

    Because I was not a Socialist.

    Then they came for the Trade Unionists, and I did not speak out—

    Because I was not a Trade Unionist.

    Then they came for the Jews, and I did not speak out—

    Because I was not a Jew.

    Then they came for me—and there was no one left to speak for me.
I think the message is just as relevant (and powerful) to personal liberties as it is to groups of people.

[0]https://en.wikipedia.org/wiki/First_they_came_...

I always ask them to give me their phone for a few minutes so I can check their messaging history, invariably they refuse. Just ask them why.
This always works best yes, up until a person doesn't mind and you get to see things you rather not.
Some ones I've seen and liked -

"If you're not doing anything wrong in your living room, why draw the curtains?"

"We should save paper by sending people their bank statements on postcards. If you're not doing anything financially shady, you should be okay with the postman seeing it."

"Bank statements on a postcard"...this is the first time i heard this one...but, man, its a good one!
When the nazis took power in some countries and they could just get out official lists about who is jew and who isn't.
May I suggest reminding people of Martin Niemöller's famous statement post WWII? It begins "When [they] came for the socialists, I remained silent. I was not a socialist." It ends, "When they came for me, there was no one left to speak out."

This exaggerates the downside of handing over lots of information to a third party to use however they please. But it points out the assumption that "I", whoever "I" happens to be, am somehow privileged above "them." It's remarkably easy for "I" to turn to "them."

Ah, you beat me to it, I quoted it as well.
I think the concerns over privacy online are overblown for many people but I try to be smart about what I do and put online. So I think part of it might be the framing of the situation. Rather than trying to convince them that they do actually have something to hide, it might be more effective to try to convince them that their attitude should be more like, "Don't put anything online that you don't want everyone to know" and also explain that there are people who do worry about things like people who have been in abusive relationships, people who might be in places where not being straight and cis gendered is not accepted and so on.

I think it might also be good to ask yourself, "What do I want to accomplish by convincing this person to be concerned about online privacy?" and think about ways to accomplish that goal.

I would ask to rifle through their phone right in front of them.

There's a subtle difference between something you'd want to hide (because it could be incriminating) and something you don't want made public (because it could be embarrassing). I have nothing incriminating, but I have embarrassing stuff on my phone that I would rather nobody looked at.

A phone is an intensely personal device where a lot of your private data resides, and it can reveal a lot of intimate things about you and your relationship with others. Many people do understand this (at least at an instinctive level) and would balk at the idea of someone invasively reading all this stuff on their phone.

It's one I plan to use on airport security if they ever order me to decrypt my phone without a warrant.

This is in my opinion the best answer.

You want something that causes a visceral reaction, not rational arguments.

The more disgust, fear, awkwardness you can cause with your action, the clearer the message you get across.

Absolutely. And once you get that reaction, all you need to do to drive the privacy message home is to ask 'and why not?'

No other words need to be said after that point, even if they can't come up with an answer.

Why would airport security care about your reasoning? They don't need a warrant when you're still outside the border, and they most likely are not in a position to bargain with you on what they may and may not do — and they probably won't respond favourably to any attempt to do so.
True on all counts, but it might make the person actually doing the search question their own motives for doing so. Just because they have the power to conduct random warrantless searches with no prior suspicion (which I totally abhor as it likely leads to racial profiling, like Stop and Search here in the UK), does not mean they need to use it.

Then again, I'm a university-educated white male. It'll probably never happen to me, but will disproportionately to others.

I'm not sure that security people have "motives" - I think they have jobs. If their job requires asking random people to decrypt their phones, then attempting to enlighten them is only going to annoy them.
Alternatively, depending on the situation, see if you have a personal conversation with them online, or whether you can get saucy stuff off their facebook.
This isn't a comparative response. Anything I put on Facebook is there with the full knowledge that it isn't going to be private, and that my activities there may be used for profiling purposes.

Anything I put on my phone is under a presumption of privacy except as I specifically choose otherwise.

And except when companies use deceptive tactics to extract information and photos that you thought had a presumption of privacy. People were alarmed to see Facebook had a log of all their calls and text messages.
That there is true. App permissions definitely need to be better explained during installation, and unless a permission is required for a fundamental function of the app, optional.
They may not care about their own privacy but they should care about privacy online as a whole because there are most definitely people who have legitimate reasons for privacy such as journalists, activists or politicians. If they don't care about online privacy ask them if they also don't care about racism because they are not black or a minority.
Ask them what do states have to hide by having stuff classified as "top secret" or why do they run secret services. And why should I, as an individual, be transparent with an entity that is not transparent to me?
> Ask them what do states have to hide by having stuff classified as "top secret" or why do they run secret services.

I’m as tinfoil hat wearing as they come but will still say that’s a terrible answer. States have intelligence agencies and maintain secrecy for both security reasons (nuclear codes shouldn’t be public right?) and privacy reasons of citizens involved (innocent till proven guilty).

> And why should I, as an individual, be transparent with an entity that is not transparent to me?

The first half of that is enough to stand on its own. You shouldn’t have to be transparent simply because that’s your choice to do so.