One Size Does Not Fit All: Why Privacy Is Not a Checklist

Any color the customer wants, as long as it’s black.

So said Henry Ford when speaking about his famous Model T car. In business, this quote is sometimes used when talking about not overwhelming the customer with too many options, which leads to decision paralysis. In privacy, it seems to be the approach used by many hardcore enthusiasts.

Most of those who are deeply passionate about privacy often mean well, but end up carrying some fatal mentalities into how they interact with others (particularly newcomers) in the privacy space. I like to call this mentality One True Wayism. (Note: I didn't coin this term; it appears to have originated in the tabletop RPG space.)

One True Wayism is the idea that there is only one right way to do a given thing, and that any other way is inferior, incomplete, flat-out wrong, or some combination thereof. Some examples you may have seen include that the only acceptable Linux "distro" is Qubes (or Arch or whatever), the only acceptable phone is Graphene, and the only acceptable messenger is [insert obscure user-unfriendly messenger of choice here].

Of course, One True Wayism causes far more harm than good. In this week's post, I'd like to walk readers through why this attitude is so harmful and how to avoid it.

Privacy Is Personal

People are unique. We each have different musical tastes, cultures, spiritual beliefs, goals, values, and more. We do share commonalities with each other to various extents, but nobody is 100% identical to anyone else.

This extends into privacy in the form of different threat models. Here are a few of my main threat model considerations:

  • I don't have kids, so I don't worry about protecting my kids from online predators or cyber-bullying.
  • I am a public figure, so I place extra emphasis on data removal and preventing doxing/harassment.
  • I am married, so I have to make sure that anything I do that impacts the entire home (such as putting a VPN on the router) is user-friendly and won't negatively disrupt my wife's autonomy or lifestyle.
  • I try to avoid general, broad, automated mass surveillance techniques like fingerprinting, advertising, data breaches, and more.

You, dear reader, probably don't share that exact same combination of concerns. You probably relate to some of them, but you probably have additional priorities that I don't. That's the point of a threat model. "What is my unique situation, combination of threats, and resources to combat them?"

The New Oil | Threat Modeling

Humans rely on a lot of cognitive shortcuts to save mental energy, and one is to assume that everyone shares your beliefs and views, or is just like you in other ways.

🧠
The tendency for individuals to overestimate the extent to which other people’s thoughts, beliefs, values, characteristics, and behaviors are similar to their own.
- The Assumed Similarity Bias

However, once we know that the other person is not like us, continuing to behave the same is where things go wrong. Insisting that others share your threat model is incredibly disrespectful to that person. It strips them of their individuality and freedom and demands they be exactly like you: same interests, same concerns, same resources, same priorities, same skills, etc.

Suppose someone came to me and asked for help setting up parental controls for their child's phone and my response was to suggest they give their child a Graphene phone. Graphene has no parental controls, so they'll need to resort to a third-party parental control service (which may not even work with Graphene's strict security features but will probably sell your child's private data). That person probably wouldn't come back to me for more advice, and I can't say I'd blame them. I ignored their concerns, failed to solve their problem, and tried to force my priorities onto them. In doing so I might've turned them off privacy entirely, since the message they might've heard is "the answers you seek don't lie here" and "privacy or parental controls. Pick one."

Speaking of:

Privacy Is a Spectrum

Many hardcore privacy enthusiasts subscribe to false dichotomies.

↔️
When only two choices are presented yet more exist, or a spectrum of possible choices exists between two extremes.
- The False Dilemma/Dichotomy

Before getting into privacy, I was primarily a Windows user. My top reasons were gaming, audio/video production, and price. Windows computers typically enjoy the best gaming compatibility, Linux is missing support for many of the proprietary plugins I use for production, and Windows devices cost a fraction of a Mac with comparable specs. This line of reasoning led me to continue using Windows even after I got into privacy (though these days I'm fortunate enough to also have a Linux machine so I can restrict my Windows usage to only gaming and production).

Still, as someone who values my privacy, I'm very interested in finding ways to make Windows suck less.

Even though I recognize it will never be perfect, many hardcore privacy enthusiasts would tell me to not even bother. They'd argue that Windows is such a mess that it's not even worth the effort. Just go straight to Linux, or at the very least Mac.

First, see my earlier point about disrespecting the other person. Telling me to move to other platforms ignores the reasoning I set out above and disrespects that I have very specific and valid reasons to use Windows.

Second, it also ignores that it is possible to make Windows suck less. Again, you can't make it perfect, but there are a number of changes you can make to reduce how much Windows invades your privacy. With a little elbow grease you can install it without a Microsoft account, and from there you can change the settings, install a firewall, swap some default apps, and uninstall the bloat. All these changes work together to reduce analytics and telemetry. (I list all these suggestions and more below.)

The New Oil | Privacy/Cybersecurity: Securing Desktop

The point is that privacy is not binary: there's both a spectrum and other choices. I won't have the same level of privacy by staying on Windows, and that's a valid thing to point out. But presenting it as if I only have two choices - give up or make the switch - is a false dichotomy.

At this point, we come back to the first point about threat modeling. Is hardening Windows enough to satisfy my threat model? If not, then some hard choices need to be made. But if it is, then there's no reason to take it off the table.

Telling people to "go hard or go home" ignores the in-between phases, and honestly probably discourages them. Which leads me to my last point:


Privacy Is a Journey

Last night I opened up YouTube and got presented with this absolute gem from Louis Rossmann on my home page:

Warning: lots of f-bombs. Maybe avoid this one at work without headphones.

In this video, Louis rants about how he's trying to jailbreak his robot vacuum to make it more private. He found a project online that explains how to do it, but in the instructions the developer got aggressively preachy about how it's imperative that you do this process yourself instead of simply buying a pre-jailbroken circuit board online and installing it.

The part relevant to this blog post comes around 14:19 where Louis talks about how for many people, getting a new hobby is fueled by small wins. If a person buys a pre-jailbroken board and installs it, watching the vacuum fire up might be the first time they've modified a piece of gear like that. Then next time, they might decide that they're interested in getting even more hands-on since it went so well before.

I can personally attest to this. I got into privacy after realizing that my entire life was in one basket with Google: Gmail, Chrome, Google Calendar, Google Drive, Google Search, etc. I realized that if Google ever had a data breach, my entire life could be exposed in one fell swoop.

The defender needs to get it right every single time. The attacker only needs to get lucky once.

Originally, my "privacy" journey was more about simply reducing risk by diversifying. I decided that if I was going to do a major overhaul to my life anyways, I should at least check out some of these new private services I had been hearing about like Proton Mail or Bitwarden.

When I started trying those services, I was shocked to find out how easy they were. Signing up for Proton Mail was just as easy as signing up for Gmail. Websites loaded on Firefox the same as they did on Chrome. DuckDuckGo's search results were just as good as Google Search once I got used to it. And so on.

Those small wins gave me the confidence and the dopamine hit to want to start digging into more advanced stuff. After all, if those were easy, how hard could the rest of it be? I already saw lots of my peers doing it. This slowly led me to exploring Linux, self-hosting, and custom software on routers and phones.

Many people approach new skills as a journey. Few people take up any new hobby or skill by diving straight into the deep end. New skills improve step by step, piece by piece. Sure, some people are naturals and learn faster, but nobody starts off a world-class expert in anything. Imagine if X-Games BMX champions hopped on a bicycle for the first time as children and immediately started trying to learn the double backflip.

The ultimate irony of ignoring this fact is that purists and extremists end up insulting themselves. People who insist that skills like writing a script or self-hosting are easy and that anyone can do it overlook that these skills also took them time to learn, grow, refine, and master. Not a single hacker reading this post woke up one day like Neo in The Matrix saying "I know Python."

Also, if we're being honest, these skills aren't necessarily accessible to everyone. Not everyone has access to reliable, high-speed internet or a computer lab at school or a device they can tinker with (e.g., not a phone, shared family computer, or school-issued laptop). Even then, those people can face an overwhelming amount of information that is hard to parse through: poorly-made tutorials that skip steps or don't explain things well, conflicting information, or simply a paralyzing number of resources that make it hard to know which one is best for you.

Any color the customer wants, as long as it’s black.

The Solutions

The "One Size Fits All" mentality is an existential risk to the privacy community. When we tell people that they need to meet our threat model, that they have to go all-in, and that they need to enter the space fully formed and ready with no grace period for growth, we're inevitably going to drive them away.

Again, I know that most privacy enthusiasts don't do this on purpose. They're trying to be honest about what they believe the best tools are, and tone doesn't always convey well online (which is where most of these interactions take place). But most of the time, the input comes off as disrespectful, tone-deaf, demanding, and inflexible.

Here are some things to keep in mind or try when sharing advice about privacy online to help foster a more welcoming community:

  1. Ask questions to understand. Remember that everyone has a unique threat model. Try to understand what the person is trying to accomplish before offering advice.
  2. Meet people where they are. Respect where people are in their journey, even if you disagree with it. Someone may not be able to implement certain strategies due to financial constraints or life circumstances, but someday that might change.
  3. Remember your own journey. I've fried multiple devices, spent weeks learning how to make Nextcloud stable, broken Yubikeys, had TOTP apps corrupt on me, and more. I know how hard it can be to learn this stuff or how painful mistakes can be. Remember to be patient with people still learning, and encourage them for stepping out of their comfort zone in the first place.
  4. Keep your words soft and sweet. I'm not asking the community to coddle anyone but it's important to remember that online, tone is completely lost. Sometimes when we're being direct and to-the-point, it can come off as impatient, condescending, or hostile. Things like emojis, tone tags, or just explicitly stating your intended tone can go a long way.

Perhaps not surprisingly, a lot of this comes down to soft skills. For example, when asking someone questions to understand their threat model, you may notice an inconsistency in their actions. (Personally I'm always baffled to see people using dozens of browser extensions, especially when they're stacking ad-blockers.) It may not hurt to ask them about it and offer advice even if that's not what they originally asked about. It's very likely these people simply don't know that there are drawbacks to what they're doing.

Likewise, I understand the desire to make sure people have all the information available to make a proper decision. Someone who says "I'm trying to harden Windows" may not realize that even hardened Windows still contains significant privacy gaps. Again, how this information is relayed is what really matters here. "Windows can't be made private" isn't a helpful answer to their question. Try something more like "here's The New Oil's recommended changes to Windows, but just FYI this will only do so much. If you haven't already, you should look into if you're able to switch to Linux." This simultaneously gives the person the answer they came for while also providing a kind invitation to explore even better options.

You catch more flies with honey than vinegar.

We all want to make sure we're sharing the best information, but "best" can be subjective at times. There's a balance between "this tool is objectively the most effective at what it does" and "that tool will offer you the protection you need without diminishing returns." The best way to be private online is simply not to go online. Yet, everyone reading this has decided that the benefits of having internet access outweigh the risks and has instead decided to focus on how to use the internet in a more private way. If we take this mentality more often - the idea that there is no "right way to do privacy," only "right for specific threat models" - we'll probably have an easier time spreading privacy tools and getting people to care.
