Better digital security isn’t that hard. We just aren’t used to it
http://www.theguardian.com/commentisfree/2015/jul/29/digital-security-encryption-for-everyone

Science journalist and friend Rose Eveleth recently described her experience being targeted by members of trash factory 4chan, which randomly fixed its misogynistic eye on one of her tweets last fall. Her harassers found her home address and her phone number, and used them to send threatening texts, incessant phone calls and an influx of nuisance mail. Similar cases have involved false calls to police, trying to induce Swat teams to terrorize the targeted address on behalf of angry internet scum. (You’d think the police would object to being manipulated by pissy teens, but if there’s anything we’ve learned in the last year, it’s that a lot of police basically ARE pissy teens.)

Rose’s article about her experience, published in journalism magazine Nieman Reports, explains in depth what journalists and editors need to do in order to protect themselves and their employees from this kind of terrible experience. But when she posted it on a few Facebook groups for editors, she got several responses complaining that her advice was too time-consuming. Couldn’t she write another article with simpler advice, for people who kind of cared about security but not enough to do stuff?

A few weeks ago, hackers obtained personal information on a reported 37m users of adultery hookup site Ashley Madison. Writing on Medium’s tech collection The Message, writer and programmer Paul Ford noted that it’s possible to build encrypted databases that would make this kind of hack pointless – you’d be able to steal the information, but it would be meaningless junk. It’s not a perfect solution, and it takes some extra planning because it’s not the way things have always been done, but it’s possible, and inexpensive, and doesn’t affect the utility of the database.
And yet nobody really does it, partly because companies want unencrypted access to their users’ information for marketing purposes, but partly because it’s hard. And yes, being a little more secure with your data – building a different kind of database, for instance, or encrypting your W-9 before you email it or accepting encrypted W-9s from your writers – does take a bit more effort. But sending email at all is a little hard. Just ask my grandma. Setting up a database at all is a little hard. Everything we do online has a learning curve; doing it the careless, trusting, unencrypted way just feels easy because the challenges have become transparent through familiarity.

We put a little effort into things we really care about, things that matter. And then once we put in that effort, they become the way things have always been done, the transparent way, the way that looks easy. It happens all the time. For things that matter.

Conclusion: most of us don’t really care about security. We care enough to wave our hands about it, but not enough to overcome the threat of mild inconvenience.

I’m as bad as the rest of you here. (Well, most of you. Obviously some people really do prioritize personal security and do the work necessary to maintain it.) As a freelancer, I frequently have to send personal information through email, and until Rose’s ordeal, I hadn’t even thought about encrypting it. (That’s a pain in the butt on both ends, since you have to encrypt the document and the publication you’re sending it to has to be willing and able to decrypt it.) I only put a password on my computer fairly recently, because ugh it’s such a hassle to type it in every time. So I’m not lecturing – I’m just curious about the disconnect. What cognitive bias makes us say we value security and privacy, but be unwilling to put the most basic effort into maintaining it?
In the aftermath of the massive theft of nude celebrity photos last year, victim-blaming rhetoric centered not on, “Why didn’t they enact better security measures?” but, “Why did they have nude photos online in the first place?” For the Ashley Madison hack, the rhetoric is similar: they’re cheaters, so they got what was coming to them. Journalists, feminists and others targeted by mobs like 4chan get a different variant, since what’s being exposed is not their wrongdoing or their private pictures but simply their whereabouts. But they are still often treated as complicit in their own persecution: “What did you do to make them mad?”

This leads me to suspect that our blasé attitude towards security is the result of that classic delusion, the just-world hypothesis. Humans, even humans who know better, tend to assume automatically that people reap what they sow – if you experience negative consequences, you must have done something wrong. It can’t truly be that important to protect your personal information, therefore, because who would misuse it? Who would target you? Security is a real concern, we think, but mostly for people who have something to hide.

In fact, of course, misfortune is chaotic. (Even if hackers and griefers really did target only those who they thought needed retribution, they’re not always in touch with reality; just this week, a hacker took down the site for New York Magazine right as a big story on allegations against Bill Cosby dropped, reportedly because he simply didn’t like the city of New York.) Basic security hygiene is necessary even for the pure of heart.

But here’s the good news: like anything else we spend a little extra effort on because it’s important, better security practices will eventually become second-nature. Just care enough to put in a tiny bit of effort, and soon it will stop feeling like effort at all.