It seems to me that as a society, we largely go on about our lives under the guise of one of two possible myths:
- Digital privacy exists in a meaningful sense.
- The lack of digital privacy isn’t meaningful.
Not too long ago, the digital dopamine slot machine informed me that almost all of the user data possessed by AT&T was leaked onto the dark web, reminiscent of the very same level of event that occurred with Equifax a few years ago.
It will probably be thoroughly discussed in sub-sections of tpot, and cybersec Twitter for a while, and a passing news event for the rest of the population. People will complain amongst their friends, and relatives, and coworkers, before proceeding to go about their (digital) lives as if the aforementioned myths are true.
The sad fact of the matter, however, is that those myths, while load-bearing, are as hollow as the holiday bedtime stories we provide to our children: this becomes dark when you realize we are the children to whom large private sector and governmental institutions provide fairytales.
The truth of our digital reality is actually expressed more accurately by a simple inversion of these myths:
- Digital privacy doesn’t exist in a meaningful sense.
- The lack of digital privacy is extremely meaningful.
Point number one can be split into two causes:
- The companies that possess user data are often inept at and/or unconcerned with storing it securely.
- There are large national and international apparatuses designed with the sole purpose of digitally surveilling individuals.
On point #1:
The Equifax data breach occurred because the company simply failed to apply a patch for a security vulnerability in Apache Struts, which had been available for 2-3 months prior to the actual breach. The exfiltration of data occurred between May and July and included personal data associated with 143 million people. Even more egregious is the fact that the site Equifax provided for customer disputes had absolutely meagre security credentials: “admin/admin”.
The AT&T data breach, as well, was due to a flaw in third-party software, in this case, Snowflake. It’s yet to be revealed whether this was a case of patch negligence like Equifax, or a case of horrendous credentials, also like Equifax, but would it really be surprising if it was?
At this point I’ll shoot some bail to the companies that have been breached by hacker groups and state operations, because that’s a totally different ball game, and I’m not so naive or out of the loop to think such operations don’t occur. A simple fact of the matter is that running a business requires attention to be divided amongst many things, only one of which is security, whereas compromising a company only requires being focused on that. The energy and attention asymmetry here isn’t to be laid at the feet of a company as a fault of theirs. It’s the nature of the game.
On point #2:
The champion of this story is by far Edward Snowden, who heroically nuked his life to bring the public the truth about the inner workings of the NSA. By revealing the nature of the Five Eyes, PRISM and their assistance from telecommunications companies, and the interlinking of three-letter agencies in the global surveillance operation, it became public knowledge that individual privacy was, in reality, rather flimsy, and highly disregarded by the powers that be. Almost every major technology company/platform had/has some agreement with government, either at home or abroad, to fork over user data.
The degree to which information and data that we assume is private is actually available is hard to grasp. Phone numbers, emails, social security numbers, addresses, health records, and more, are generally available to individuals who have a modicum of technical know-how, some curiosity, and a bit of time on their hands.
Despite this being public knowledge, we seem to really not have internalized it: companies get fines that register as blips in terms of their revenue, and governments invade the private lives of citizens with impunity.
While some data may be private, it seems to me reasonable to assume that it’s actually private between you and some three-letter agency, and that beyond that, it will only stay private for so long, due to data breaches.
The issue is that this lack of digital privacy has much more potent implications than a nosy neighbor peeking through the blinds while you have an argument or intimate moment with a spouse. The situation at hand allows for anyone who gets on the wrong side of an individual, group, corporation, or the government, to be burned at the stake, by way of their private lives being publicized, as a way to keep them in line, or draw attention away from whatever point they’re making, or trying to shed light on.
Very few of us lead squeaky clean digital lives, and most of us have conversations about salacious, hot-button, sensitive topics with individuals, wherein we express opinions that we wisely do not publicize, due to the controversial nature of them. Generally, this isn’t done to keep covert some abhorrent opinions, but as a way to respect the fact that we share a digital commons, and to avoid polluting them with personal opinions that may be detrimental to the community we share digital space with.
Of course there are ways to clean up one’s digital footprint, and the decentralized application ecosystem of web3 certainly does a lot to move in the right direction, regarding the ownership of user data, so credit to that technological movement is warranted, but it doesn’t put the nail in the coffin. Bitcoin is pseudonymous, not anonymous, the technology is prone to users who are not technically savvy exposing personal details, and the bedrock role of I/DSP’s, and the gritty internals of internetworked computing, still allow for privacy/anonymity (a type of privacy), to be compromised, or entirely degraded. Were this not so, ZachXBT wouldn’t be able to do the world class sleuthing to trace hackers and bad actors based on the information available from their digital footprints.
What do we do about it?
Truth be told, I’m not entirely certain: most users of digital technology will never be arsed to engage in meaningful opsec practices, and the sheer size of the groundswell of politically, financially, and technologically driven push-back required to incentivize better handling of user data by companies, and respect for individual privacy by government at home and abroad, is not something I expect to see be generated any time soon.
For now, it seems that those who are concerned enough about digital privacy will practice opsec, and lean into technologies that provide control and opaqueness to their data, with the hope that, in the event that they become a target, they’ve done enough to distance themselves from their digital activities, to avoid having their life upended.
Those who aren’t concerned will likely go on about their (digital) lives, according to whichever of the two myths of digital privacy they’ve settled on.
By the way, I’m no slouch, but my opsec is most certainly not military grade, so this isn’t a post from on high about how everyone should navigate digital landscapes like me. I navigate under the banner of inverted myth #2, that digital privacy simply doesn’t meaningfully exist (and hasn’t for a while), which is by no means something I’m okay with, but as of yet, my contributions to the good fight are writing articles like this, and supporting technologies and political movements that oppose the digital panopticon, and slop-tier cybersecurity measures.