Introclusion.

Poster-filled walls and corridors have been a staple of colleges for a long while. Anyone who has walked through a college campus has noticed them, and has maybe even been overwhelmed by the sheer volume that thin pieces of paper can take up in a hallway. And anyone who has walked through those places a lot of times has inevitably gone numb to that effect. Information overload is the term commonly used for this effect, and it has been interfering so much that almost all industries that are focused on making products that can do everything, such as computers and phones, have now spawned side projects that are focused on making products that can only do one thing.

So amidst the bombardment of social justice posters, sign-ups for student worker’s unions, parties, etc., it’s easy to miss the humble posters about the important stuff. This happened to me: a single small poster about our IT department arranging a talk about cybersecurity and staying safe on the web in general. After contacting the IT department, I found out that the talk had very low attendance. Which is a shame, because I think it’s a topic that should be universally understood, possibly even taught in schools. Why did people not attend? Was it because they didn’t see the poster? Or because they don’t care enough about keeping their accounts secured? Is it both?

Rationalization vs Security.

I spent most of my life using the same passphrase for every single one of my accounts. I simply didn’t know that having a strong password was important; all I knew was that to make an account I had to fill in that little box with the *******s, and I should keep it secret. Makes sense, right? I simply didn’t bother coming up with a new one, since I didn’t need more than one password.

The first thing that attempted to hinder my onslaught of password reuse was those pesky password rules. What do they know? I choose my own password, Mr. Form! You can’t make me change my password just for you. Oh wait, you’re not using JavaScript for form validation, ok, ok, well played, here’s the same password with a couple of numbers on it. So I made a ton of variations on the same password. Not as bad, but still horrible. But what did I know? I was able to do it, it was the path of least resistance, so I took it.

It took me 5 years of online life until I got to use a password manager. It was a slow burn, some info from here, some advice from there. I did not even have a huge “holy shit” moment that caused me to rush and secure my accounts. It was just a decision I made because a lot of my colleagues suggested it was good; I still barely grasped the importance of a weak link in my security compromising my whole identity.

Would better security education help this? Would we see less hunter2 and more Snowdens hiding under a blanket every time they enter a password? It’s hard to say. What I know for sure though is that it shouldn’t have needed a CS education to get me to secure my accounts.

I accept.

In my mind, security and privacy are so tightly intertwined that they are one and the same. You should not be very careful about your account security without also reading privacy policies and documents of the services you use. The storage of even your meta-data by a company makes it so that you’re not in control of how well the data is secured, and how private it is kept.

So why had I not read Google’s privacy policy until 2015? About 3 years of having a Google account that represented me to the Whole Wide World, and roughly a lifetime of using their services, but I did not know or care about what all that data about me was doing up there. It’s not like Google hid it from me either; there were frequent pop-ups that informed me that the Google privacy statement had been updated, and that I should check it out. I dismissed them all.

I think part of it roots back to young me mindlessly speedrunning through old Windows install wizards, accepting the terms of agreement without reading a sentence. Well, to my credit, I didn’t even know English back then, so you can’t really blame me. But getting into high school and learning English didn’t stop me from checking that box without even thinking about it. To be honest, terms of agreement are so convoluted that I can barely follow them now. Privacy policies on the other hand are actually helpful, and many times well formatted and user friendly. Most (ethical) services do inform you that the way your private information is being handled has changed, and strongly recommend reading over the policy changes.

So there must be something more to it.

Endtroduction.

This ties back into the rationalization vs security concept. It’s easy to let yourself get lost in all the services that you’ve been using all your life, and to push your security and privacy to the back of your mind. Even after getting educated about privacy, it’s hard to face the reality of what your data has been used for for so long.

In a world of technology, young users start using email services, social media, and many other online accounts that are so essential that we are very eager to give up our privacy. Furthermore, we start owning accounts that must be secured way before we are educated with any proper security practices. Even when there are attempts to educate people, or get them to start inquiring about privacy and security on their own, it’s easy to get distracted, push it back, and stop yourself from actually using the web safely and securely for you and your information. Much like the posters on my college’s walls, the plethora of other information drowns out the important, hard truths that people should be required to know before they use the web.

Points can be made for security other than the password type. Encrypted email is fairly easy to set up nowadays, but only a small fraction of email users actually take advantage of it. Two-factor authentication is growing more popular, yet people are still surprised when they see me enter a password and then use my phone to log into any account on my computer. No matter what happens, the casual users will far outweigh the power users. But we should raise the bar for casual users to be far more secure in their online lives.