Security Advice Is Never Neutral

I recently published some holiday travel security advice. I explicitly made the choice to write advice that was general and “neutral”, in order to not further endanger people who our societies choose to make vulnerable.

The result of that false neutrality was in fact to make advice that is only fully applicable and useful to the people who least need protection, people who look like me — the pale, male, and stale.

The disingenuous and self-evidently harmful nature of auto-proclaimed neutrality and objectivity has been known for a very long time in justice activism. A few examples:

“We must take sides. Neutrality helps the oppressor, never the victim. Silence encourages the tormentor, never the tormented.” — Elie Wiesel

“The hottest place in Hell is reserved for those who remain neutral in times of great moral conflict — who accepts evil without protesting against it is really cooperating with it.” — Martin Luther King Jr.

“Washing one’s hands of the conflict between the powerful and the powerless means to side with the powerful, not to be neutral.” — Paulo Freire

“If you are neutral in situations of injustice, you have chosen the side of the oppressor.” — Desmond Tutu

I’m sure there are many more examples; still, I hope you get the point — so-called neutrality is not neutral at all. This fundamental truth also applies to security advice.

Many populations have different and far greater risks when travelling — or when doing anything else for that matter — than the “default” cis-het white man. By not taking this fact into account, standard security advice puts large numbers of people in very real danger.

Women in every country face a constant risk of every shade from creeps to direct violence from men. Security advice that does not consider women’s physical safety puts half the population in danger.

In meat-space, researchers estimate around two thirds of violence against women is committed by a known man — “stranger danger” is the still far too prevalent minority. There is also a multitude of US-based research to suggest that women are at around 3-4x greater risk of violence if their partner is a current or former police officer. Unsurprisingly, violent and abusive men also use the digital tools available to control, mentally torture, and otherwise continue their abuse of those under their power.

There are examples in many countries of police officers using their access to mass surveillance databases to stalk and harass women. Similarly, there are many examples of abusive men purchasing new address information from police officers selling their access to the same mass surveillance databases. There is also a major market of shady companies selling ‘legal’ malware, so-called “stalkerware”, for abusive spouses and parents to install on their family’s phones in order to spy on and control them.

Similarly, there are enough cases of domestic abuse survivors who have escaped and yet continue to be harassed via control of IoT and smart home devices that helping these people recover is a specific area that cyber security professionals are having to work on. Meanwhile, simply being a public woman online often results in a deluge of intrusive, hateful, and violent messages from creeps, misogynists, stalkers, and everything between.

LGBTQIA+ people in every country face risks of every shade from cruel bigotry to direct violence, whether from ordinary people or from officers of the state. Security advice that does not consider both the vital necessity for LGBTQIA+ people to hide their identity in many situations, and the psychological toll this necessity takes, puts about 10% of the population in danger. It is also important to take into account that not everyone is even capable of “passing”.

In meat-space, LGBTQIA+ individuals are often, similarly to women, at risk from family members, especially when they are minors living at home. Even into adulthood, and even in our “liberal” countries, many individuals face assault and even murder when “outed”. Many face the risk of being fired or not hired by a bigot, with little recourse despite any laws in place. This results in the LGBTQIA+ community having higher risks of homelessness and a higher percentage turning to more dangerous forms of sex work.

Meanwhile, in many countries, violence against LGBTQIA+ people is all but condoned by the state. Indeed, we do not need to look to exotic locations we hear about negatively in the news for examples — we can see the current daily drip of incitement to violence against trans people by many British media outlets and politicians, or the fact that even in 2019, the vast majority of US states have laws making finding out that a person is trans a valid reason to murder them (the “trans panic defense”).

In this context, many digital footprints can put you in danger: do you tag your location on your social media posts? What about that post last night from a queer nightclub? Are you sure you trust everyone who is able to see your posts? Do you have Grindr installed on your phone? Beware opening your phone at the border. And beware using your phone in a country that is fully intercepting data traffic — the fact that you are sending traffic to Grindr is visible, unless you are using a VPN — and in some of the same countries VPNs may well be blocked, or using one may result in unwanted police attention.

Are you a child searching for safe information or people you can safely talk to about your sexuality and gender? Your parents may have installed stalkerware on your phone, or be spying on your home WiFi, and react to their discovery of who you are with psychological torture and/or direct violence. There have even been cases of children outed to their parents via targeted advertising going to the parent based on browsing done by the child on the same home internet connection.

People of colour in many Western countries face risks of harassment and violence from agents of the state, as well as from radicalized white men. Security advice that does not consider the fact that people of colour are far more likely to be stopped and searched, and that their basic civil rights are far less likely to be respected, puts the vast majority of the world’s population in danger.

In meat-space, people of colour in colonial states (US, UK, France, Belgium, Netherlands, etc.), and states who have learnt from the bad habits of these states, run a significantly higher risk of interactions with armed officers of the state — whether from “stop-and-frisk”, “paper checks”, “driving while black”, “walking while brown”, or other paper-thin excuses for skin-reflectivity-based harassment.

Each interaction also carries a significantly higher risk of violence for people of colour, up to and including murder. Further, actions which are seen as completely innocent when done by a white person are taken as suspicious when done by a less reflective person, starting with phone calls from bigots to the police, and quickly leading to spiralling escalations of abusive force.

Unsurprisingly, agents of the state do not forego the available digital tools. For example, a 2016 study showed that 90% of Baltimore police uses of ‘Stingray’-style tools, tools for mass surveillance of all mobile phones in a given area (allowing the police access to all phone calls, text messages, and browsing, as well as fine location data), happened on blocks with a majority of people of colour, despite 70% of Baltimore’s population living in majority white blocks.

You don’t need to listen to me; read the people who daily experience the full range from petty harassments to violent abuse of power — for example, you can start with the hashtags #travelingwhilebrown and #travelingwhileblack. You can and should do the same for any of these areas if you aim to be serious about cyber security — really listen to the people who are impacted.

None of the above risks can be entirely avoided, and some actions that avoid certain risks can in fact increase other risks. For example, we can advise people to use a password manager so that they do not know any of their passwords, and to only take burner devices so they do not have access to any of their accounts. This is a good way to avoid giving information to border police when they force you to provide access to devices, social media accounts, and email, against all reasonable norms of civil rights protection. And yet, the fact that you have only burner devices can easily mean you will receive extra scrutiny from agents of the state, who are already looking for any excuse to mistreat a person “like you”.

It is also important to take into account the interactions of different risk factors — in other words, “intersectionality”. Many people combine two or more of the above risks, and often the combination doesn’t only add the risks, the risks multiply.

Nor are the above 3 categories the only types of people targeted — in most Western countries, more than 50% of religious hate-crimes are targeted against Jewish people, despite their tiny numbers; both fat and disabled people are often targets of abuse by the public and Kafkaesque treatment by the medical system; living in low income circumstances and living with mental illness both can result in dehumanizing and violent responses; sex workers are harassed online and off, with measures such as SESTA/FOSTA that are fictionally supposed to “protect” vulnerable people in fact predictably resulting in a major increase in violence against them.

Unfortunately, there is no one-size-fits-all security advice that can be given to everyone. Yes, advice that works for me is in most cases useful and safe for everyone. And still that advice is not sufficient to protect people who live with the systemic injustices our societies choose to maintain.

Giving security advice that works for people who our societies force to live with systemic injustice is to some degree impossible. The crux of what makes injustice injustice is that following “the rules”, including our security advice, can unpredictably lead to very different, and potentially catastrophically negative, results for people who are not the “default” cis-het white man — our security advice is not enough while the injustice remains.

We in the overwhelmingly pale, male, and stale cyber security industry must take this into account if we are ever to live up to our stated aim of helping to protect people. We must teach people to understand their specific risks and how to weigh different bad options. And yes, we must also do our part to try to acknowledge, subvert, and dismantle the systems of injustice we are ourselves continuing to massively benefit from.

My version of Flavia Dzodan’s classic “MY FEMINISM WILL BE INTERSECTIONAL OR IT WILL BE BULLSHIT!” is my cyber security will include standing against injustice or it will be bullshit.

Fenneladon Privacyasaurus Aurorateratops

Global Partner Product Advocate at F-Secure | Cyber Security, Privacy, Surveillance, Software Speaker | English & Python Writer | he/him