Privacy Theatre

I really wish I could take credit for the term, but Jürgen points out he coined the term way before me, in German: Datenschutztheater. I still like to think that the name fits many behaviours I see out there, and it’s not a coincidence that it sounds like the way we think of TSA’s rules at airports, security theatre.

I have seen lots and lots of people advocating for 100% encryption of everything, and hiding information, and all kinds of (in my opinion) overly paranoid suggestions for everybody, without understanding any threat model at all, and completely forgetting that your online privacy is only a small part of the picture.

I have been reminded of this as I proceeded to sort out my paperwork here in Dublin, which had started piling up a little too much. My trick is the usual one I used in Italy too: scan whatever is important to keep a copy of, and unless the original is required for anything, I destroy the hard copy. I don’t trash it, I destroy it. I include anything that has my address on it, and when I was destroying it with my personal shredder, I always made sure to include enough “harmless” papers in the mix to make it more difficult to filter out the parts that looked important.

As I said in my previous post, I’m not worried about “big” corporations knowing things about me, like Tesco knowing what I like to buy. I find it useful, and I don’t have a problem with that. On the other hand, I would have a problem if anybody wanting to attack me directly decided to dumpster-dive me.

Another common problem I see that I categorize as Privacy Theatre is the astounding lack of what others would call OpSec. I have seen plenty of people at conferences, even in security training, using their laptop without consideration for the other people in the room, and without any sort of privacy screen. At one of the past conferences I saw mail admins from a provider that will go unnamed working on production issues in front of my eyes: if I had had mischievous intent I would have learnt quite a bit about their production environment.

Yes, I know that the screens are a pain, and that you have to keep taking them in and out, and that they take away some of the visual space on your monitor. Myself, for my personal laptop I decided on a gold privacy screen by 3M, which is bearable to use even if you don’t need it, as long as you don’t need to watch movies on your laptop (I don’t, the laptop’s display is good but I have a TV and a good monitor for that).

But there are tons of other, smaller pieces that people who insist they are privacy advocates really don’t seem to care about. I’m not saying that you should be paranoid, actually I’m saying the exact opposite: try to not be the paranoid person that wants everything encrypted without understanding why. In most cases, Internet communication needs to be encrypted indeed. And you want to encrypt your important files if you put them in the cloud. But at the same time there are things that you don’t really care about that much and you’re just making your life miserable because Crypto-Gods, while the same energy could be redirected to save you from more realistic petty criminals.

3 thoughts on “Privacy Theatre”

  1. You advocate shredding harmless papers to make it harder to target what was valuable in the shreddings. Surely the same ought to apply to encryption – don’t necessarily encrypt everything, but do encrypt enough unimportant stuff to hamper targeting in case your chosen crypto algorithm is later found to be vulnerable to brute-forcing.

  2. That vastly depends on what your threat model is, essentially, as I said above. And giving absolutes on things to do is, in my opinion, stupid. I don’t destroy harmless papers *now* that I use shared shredders with the office. But if I were to shred only the really important stuff back home, I would shred maybe two pages a week, that’s way too little to make shredding effective. If you’re an international spy that does not want some files to be targeted, sure go for full disk encryption. If you’re a common user who is just trying not to get scammed or have their identity stolen, do whatever makes sense to you. Shredding and encrypting are fundamentally different problems for their own different fields.

  3. Re privacy screens: I personally stopped using them. I would rather just not do anything private in a public environment. Privacy screens don’t give 100% protection (e.g. from people behind you). We’ve seen stories of privacy violations when using privacy screens, so I feel like they just give a false sense of safety. Also, they make the screen much darker.
