Violet Blue, The Smart Girl’s Guide to Privacy: Practical Tips for Staying Safe Online (No Starch Press: San Francisco CA, 2015) Digita Publications
Writer and journalist Violet Blue is working on a new edition of The Smart Girl’s Guide to Privacy. So even though it’s a little bit late for Data Protection Day on 28 January, I think it’s time to dust off my review. Her book has a clear and distinct vision of its audience, and avoids the traps which most writers on security and privacy fall into.
This is a book for everyone, but in practice people writing a book for everyone usually have someone more specific in mind. In the case of most writing on security and privacy, that audience is a geeky techy American or European man who may hypothetically have been involved in some geeky-young-male shenanigans. For this book, it’s a woman between 14 and 24. That means she considers readers who don’t have full control over their computers and cell phones, but she sees many other things differently too:
One of the major obstacles we face in protecting ourselves is that most social media websites are not designed to safe-guard people who are targets. While there are a lot of amazing female programmers and powerful women working in the security and technology sectors, most sites and social sharing apps are designed by men who don’t take into account that half the users will experience particular kinds of predatory behaviour. Thus the rules and structures of these online tools permit them to be used for evil. … The most important problem with modern privacy discussions is that we aren’t addressing the critical difference between how men and women perceive privacy - most men aren’t targets, but most women are. When the agenda of privacy discussions is set by men like Schmidt, Kutcher, and Zuckerberg, they sound completely crazy and disconnected from reality. They don’t understand what we experience every day as targets. (pp. 2, 6)
I also think it’s fair to say that this book is aimed at the kind of people who hear something is very dangerous and do it anyways, not the kind who hear and go do something else (thanks Eleanor Saitta). Violet Blue spent time homeless because her mother was a drug abuser and drug dealer.
Violet Blue spends quite a lot of time on inspiring her readers to take action to protect their privacy, even if they have not in the past. And that makes this a hard book to talk about, because in security the mathematical side is tractable, the emotional side is harder, and organizing people so they don’t leak your private information just by trying to get through their day is the hardest of all. You can say that nobody should type anything into a computer or cell phone or take a digital photo which they would not be willing to see on the front page of the local paper. That is as correct and as essential for life in the digital age as “entropy increases in a closed system” and “if it sounds too good to be true it probably is.” But if that message makes someone so ashamed that they can’t make themselves check whether they have shared something they don’t want shared, it failed. Effective security requires learning a simple list of rules which most people can follow: pilots and surgeons use checklists because they work. But the security world has completely and utterly failed to build an evidence-based consensus on what those rules should be (although this book comes as close as a book can: not everyone shares its position on Tor or VPNs or her current position on AdBlock Plus, but she had to say something about all three). Topics like trust are wicked problems, and the spooks and the data-brokers and the crackers have spent 40 years sowing fear, uncertainty, and doubt.
What would I like to see in a second edition? The section on personal data brokers and people-search sites (ch. 7) is a bit US-centric: most countries have privacy laws, so people have to go through one or two more hoops to get the dirt (serial partner-abusers cultivate cop friends who can make one or two database queries for them, political dirty-tricks experts know a guy who knows a guy at a large American IT company). On the other hand, most European governments have banned burner phones, Skype phone numbers (p. 5, 123), and other ways to give people a phone number without giving them the key to where you work, live, or are located. I would love to see her best practices work-around. Many people need advice on how to back up their iOS or Android devices to a hard drive belonging to them in their own home, not someone else’s hard drive in another country which does not consider foreigners people. And I might work in Alexiares’ idea of social media as peer pressure, and the ways in which closed social media are designed to create emotionally abusive relationships. These tools are like the lottery in George Orwell’s 1984: they lure people in with stories that someone somewhere is getting amazing rewards that don’t actually reach anyone you know face-to-face. They train people to expect immediate emotional rewards, and sometimes grant them, sometimes respond with violent rage. They constantly change the rules which they demand users follow, while breaking them whenever they feel like it; they gaslight users with shadow-bans and suggestion algorithms. The ‘adults in the room’ are hanging out on birdsite and LinkedIn because they feel like it’s expected of them and it might be good for their careers, sending nudes to strangers from the House of Parliament washroom, then going home to share fake news on bookface while they watch TV.
The adults in the room are not; they are the ones who built these awful systems which the rest of us have to navigate while we figure out other complicated things in life.
Whenever I look at the security-and-privacy world, I find myself in a maze of arguments by assertion, people who clearly know far more about the topic than I do yet completely misunderstand a basic concept (no, “horse battery staple” passwords are not constructed by picking a phrase out of a favourite book or song, and they are so simple that they can be explained in a comic and generated with 4d20 and a ten-page word list), and people who have no interest in ranking threats and making tradeoffs. As Quinn Norton put it, everything is broken … modern digital systems are such a tangle of kludges and legacy protocols that a sufficiently determined attacker can always find a gap (but Terrorists Don’t Do Movie Plots, and by extension Spooks Don’t Use Backdoored Chips when they can just scoop your messages off your Internet service provider’s router). Or as Violet Blue put it, in another book which I suspect she is hoping to sell:
It’s tough to tell the good advice from the bad when it comes to privacy, security, and things like surveillance. These topics come with complicated technical aspects that not a lot of people know and understand. Which makes it a ripe area for exploitation by people who mean harm, or just want to look like they’re ‘experts.’ … And the trendy anti-surveillance crowd tend to be people who haven’t endured a genuine risk in their lives, with little inclination to empathy for people who can’t afford an iPhone. (HTBADR ch. 6)
Most writers on privacy in the digital age slip into one of four tired genres: the Sourceless List of Rules to Follow, the Very Abstract Discussion of Threat Models, the Academic Computer Science Paper, and the Person With an Interesting Handle Explaining They Demonstrated That Attack Mode in 1996 and Should Totally Get the Credit if They Wanted It They Mean Not That They Do and Anyways the Cool Kids Know They Did It. And with respect, each and every one of these genres is worse than useless. People who want to manage risks need a bit of theory, some clear rules to follow, and a lot of organizing to replace these awful systems and laws with something humane.
Given that unless you are an expert in this field, you just have to decide whose assertions to trust, doesn’t it make sense to follow the advice of someone who has faced stalking and censorship, and does her best to organize what she knows in books with bibliographies?
Earlier drafts of this post were written between 2015 and 2019.