My career has been in audio/video in some form or fashion for over 20 years. I've done everything from live concerts and conferences to recording bands and podcasts to permanent installations. I've worked at Fortune 500 companies, was an A1 as a freelancer (that's the guy you see behind the sound board at a show), and was even acting project manager at one job.
But like most people, I had to work my way up. My first ever full-time AV job was a small dinner theatre. Because it was a small team, there was a lot of emphasis on saving money and doing whatever worked, so we used a private Facebook group for scheduling and communication.
This experience has shaped how I approach privacy because it's far from unique.
How Biases Sabotage the Community
In the privacy community, there's often an expectation that everyone should be doing the maximum possible to protect or improve their privacy. While I also encourage this, I think this mindset can backfire if we don't apply it carefully.
Nearly everyone reading this has a wide range of interests, but we're not active in all of those interests to the same degree. Most of us have just a few key passions where we watch and read everything we can get our hands on, while everything else is relegated to maybe one or two podcasts, YouTube channels, or something similar to keep updated with the major news in that space.
This means that when we're active in any community, the bulk of the other people we're interacting with are other hardcore enthusiasts, which skews our perception of what type of people are interested in that space. This is called the self-selection bias.
Self-selection isn't necessarily bad in and of itself, but it can become toxic if a community becomes too homogenous, potentially deterring new people from joining either because they're afraid they won't fit in or they actually do become ostracized and mocked for not being "up to par" with existing fans (ex: not being tech savvy enough).

The self-selection bias can reinforce an assumed similarity bias. Assumed similarity is when we assume that everyone must be just like ourselves - same baseline of knowledge, same skill level, same threat models, etc. This one is fairly innate in people and thus I would argue is not caused by the self-selection bias but certainly exacerbated by it.
For example, in the privacy community we have a shockingly high rate of assuming that everyone must know about the parental controls on their devices, DNS-based ad-blockers, how to write a basic Python or bash script, or any number of other things. This is where we end up with the belief that parents who struggle to police their children online are simply lazy.
Because of the assumed similarity bias, we also have a bad habit of assuming that everyone has the same definition of "possible." There are some examples of this that seem obvious: are Pixels available in your country to flash Graphene OS? Can you afford one? These are barriers that make such tools inaccessible or "impossible" to some, no matter how much they may otherwise possess the desire, skills, or more.
Other obstacles are less obvious. Earlier I talked about how my first full-time AV gig used a private Facebook group to communicate among technicians. In the privacy community, this sort of requirement would not be received well. The more agreeable types would politely push back on the interviewer and ask if there was another option, while the hardcore purists would probably just turn down the job entirely and look into other companies.
But this is also a type of assumed similarity bias. These days, I have a nice resume. I often have to decide what to leave out, but I have a list of certifications, references, and other letters and names I can insert that typically guarantee I at least get a first-round interview. As a result, I can get away with a degree of "diva" behavior such as "I won't put Teams on my personal phone" or "I'm not doing that task, get someone else to."
24-year-old Nate did not have that luxury. When I showed up to that dimly-lit dining room for my interview, I was excited at the idea of finally being able to tell people I was a full-time sound guy and to have coworkers who knew what an XLR cable is (and as a bonus: the difference between XLR and 3-pin DMX). At the time I hadn't yet seen the light of privacy and I already had a Facebook account anyways, so I agreed to the terms without much thought.
Even if I had been privacy aware, I'm not sure my prospective employer would've been willing to play ball. Sound guys are "a dime a dozen," and at the time I had very little to prove my potential or talent. I probably would've had to pick between taking the job, Facebook and all, or finding another one, and when you're trying to break into less-conventional industries you usually have to take any break you can get.
The assumed similarity bias leads most privacy enthusiasts to assume that simply not taking the job is always an option, but it isn't for everyone. Not everyone has the same impressive resume or set of skills, or the funds to wait for a better job, or whatever else it takes. Assumed similarity removes compassion for those with different threat models, priorities, and resources.
The privacy community needs to change our philosophies.
Harm Reduction
There is a concept in public health called harm reduction.
Harm reduction is a set of principles for how to approach drug addiction and treatment in America. Here are a few of its tenets that are relevant to this blog post:
- Accepts, for better or worse, that licit and illicit drug use is part of our world and chooses to work to minimize its harmful effects rather than simply ignore or condemn them.
- Understands drug use as a complex, multi-faceted phenomenon that encompasses a continuum of behaviors from severe use to total abstinence, and acknowledges that some ways of using drugs are clearly safer than others.
- Does not attempt to minimize or ignore the real and tragic harm and danger that can be associated with illicit drug use.
Put simply: harm reduction is about accepting that addiction is complicated and that you can't always force people to change. It recognizes that people have to want to change and tries to focus on reducing the negative impacts of addiction - both in the individual and community - until that person is ready to clean up.
I believe that the privacy community can benefit greatly from applying this philosophy to the privacy journey, particularly the lower levels and early stages.
Numerous studies have been conducted about what it takes for people to implement major changes in life - such as losing weight or becoming financially stable.
There's a surprising number of factors that go into it, such as when you start these changes, why, and how fast you implement multiple changes. I made a video about this if you want to learn more.

There are two main factors I believe are applicable to this discussion though: motivation and pacing.
Motivation
There are basically two types of motivations for any action you take: intrinsic and extrinsic.
- Intrinsic means internally-driven. An example would be learning a language because you someday want to emigrate to that country.
- Extrinsic means externally-driven, and a common example is your doctor telling you that you need to lose weight.
The vast majority of effective, lasting life changes are intrinsically motivated. They come from a person having a realization and having an internal, emotional connection to the end goal.
Humans are far more emotional than we like to admit. Nearly all of our behavior is emotionally driven in one way or another. In some cases, finding systems that bypass emotion is the most effective plan (ex: automatic transfers from each paycheck into savings) but when that's not possible the goal is to create an emotional connection between yourself and the behavior you want. That will keep you far more motivated for longer.
One of the absolute worst takes I sometimes see people say online is something along the lines of "I want to hack my friend to show them why cybersecurity matters."
What someone thinks will happen is that you'll hack your friend's phone, and they'll go "oh wow, I had no idea I was so vulnerable. Show me how to fix this!" What will actually happen 99 times out of 100 is that your friend will view this as a massive betrayal of trust, curse you out, and never talk to you again.
I know it doesn't make sense. People know that Discord can read their messages and are totally okay with that. But if you download the entire history of the server and create a word cloud just for fun to see what topic you guys discuss most, a lot of your friends would find that very invasive and weird (allegedly a true story I saw on Reddit a long while back). It's called the Privacy Paradox, and it deserves an entire blog post of its own.
How is this related to harm reduction? Because it's about acknowledging that people will change at their own pace. We can't force extrinsic changes on people. We can (and should), of course, try to make them aware of the tools available and how they'll benefit. But we have to recognize that trying to force them to use privacy tools typically results in incomplete or poor adoption, or eventual abandonment.
Pacing
Another top reason people fail their goals is by trying to do too much at once. Rarely does someone say "my New Year's resolution is to switch to diet sodas instead of regular." Instead it's more like "I'm gonna quit sodas entirely, run a mile every day, and learn French, chess, and guitar." In theory these are totally doable changes in the course of a year, but trying to make so many new changes all at once is a recipe for overload and disaster.
Once someone does decide to start taking their privacy seriously, it can be very exciting for those of us watching. Most people are starting from a position that could be generously considered "abysmal" by privacy and security standards, so usually once someone takes the first step it's tempting to try to tell them all the other ways they can improve. We mean well, but the resulting deluge of advice can be overwhelming (and often conflicting).
Once again, effective change for most comes from a slow-but-steady pace. Make one change, give it time to become a normal part of your life, then add another. Rather than switching to a password manager, a private browser, and an encrypted email provider all in the same day, a user can space those changes out over the course of 4-6 weeks for more manageable, bite-sized changes that are more likely to stick.
If we expect people to do everything at once - switch to Linux, self-host their own email server, throw away their phones, etc - most people will become overwhelmed and give up. (That's not even accounting for the idea that things like self-hosting may be above someone's skill level or threat model.)
There's an idiom here: "progress over perfection." In part, it means not to beat yourself up when you make mistakes. If you're trying to diet and you instinctively reach for a soda or bag of chips, don't throw out the whole diet. Accept you made a mistake, vow to do better next time, and keep going.
There's actually a bunch of idioms that could apply.
- "Rome wasn't built in a day."
- "The journey of a thousand miles begins with one step."
- "Eat the elephant one bite at a time." (My personal favorite, for some reason.)
The point is to accept that for most people, an instant overnight overhaul of their privacy isn't going to happen, and attempts to force it with extrinsic shame, pressure, or fearmongering will just cause them to give up entirely.
Instead, we should apply harm reduction to the privacy journey, especially for others. It took literal years of me talking about this stuff before my brother downloaded uBlock Origin, my mom started using Bitwarden, or my sister started using Signal.
It's critical to remember that once people start taking steps, they're already improving. Again, the average person's privacy and security is so catastrophically bad that pretty much any move in a positive direction already puts them light-years ahead of the masses.
In America, only about 1/3 of people use a password manager at all, and globally that number sinks to a jaw-dropping 15%. Google Chrome is still the most popular browser in the world, roughly 56 percentage points ahead of the closest competitor. Less than 30% of internet users use an ad-blocker, despite ads being one of the worst (yet easiest to block) privacy invasions out there right now.
In such a dire state, it's hard to argue in good faith that switching to Brave isn't better than using Chrome even if you think Firefox is the better choice, or that using Bitwarden instead of KeePassXC doesn't move the needle, or any of the other dozens of gate-keeping, "one-true-wayist" demands that privacy purists make. At this point we should be celebrating that people have done anything at all, because literally almost anything is a positive step.
One more idiom applies here: "don't let 'perfect' be the enemy of 'good enough.'" It's okay to think that these solutions aren't ideal and that there are better options. But the psychological benefit for everyone of going "well, at least it's not X" is invaluable.
The Reality Check
The third tenet of harm reduction I shared as relevant was "does not attempt to minimize or ignore the real and tragic harm and danger that can be associated with illicit drug use."
It's important to recognize that harm reduction (in the privacy context) is not advocating for people to use bad services or ignoring the downsides of those services.
If someone asks me for an alternative to Google Search, I'm going to try to push them toward search engines with their own independent indexes like Brave, Kagi, or Mojeek. But if they end up going for something like DuckDuckGo, Startpage, or Ecosia, I'd still consider that a win. We're reducing the harm caused by Google's tracking.
Now of course, in an ideal world, we would eliminate harm. And the harm reduction philosophy does allow for that. The second bullet point I listed mentioned "a continuum of behaviors from severe use to total abstinence." Harm reduction is not about settling or steering people toward subpar solutions without first trying the better ones.
It's about acknowledging that sometimes people will opt for the less-than-ideal options for any number of reasons, valid or not. Early-career Nate couldn't bargain to avoid Facebook at the time. Some people have close family members who will refuse to use Signal for any number of reasons. Many of us are forced to use a Windows or Mac computer for a job.
Harm reduction focuses on how to make the best of those crappy situations.
- Use Facebook in the browser (ideally Brave or hardened Firefox) instead of the app. Avoid posting.
- Use Signal with the other people who ARE willing to switch to it.
- Only do work-related activities on your work computer. Never sign into any personal accounts or load any personal files.
I've noted in previous blog posts that privacy is ongoing because life is ongoing. As long as you're breathing, there's always a chance that your situation could change.
Maybe someday you can leave the job that requires Facebook and negotiate another way to communicate or get updates. Maybe someday you'll get a job that doesn't require Mac or Windows.
And that's why harm reduction should be more widely adopted in the privacy community. It creates a welcoming atmosphere for people to grow at their own pace, acknowledging that virtually any change is progress worth celebrating and that life changes. Privacy tools or strategies that may not be possible today - due to circumstances, education, or simple overwhelm - might be feasible tomorrow.
I find it hard to see a world where everyone using DuckDuckGo instead of Google Search isn't an improvement, even if I personally would rather they used something else.