71

The layman's counter-argument I run into for any complaint about inadequate security seems to always take the form:

You don't need security if you aren't doing something illegal.

This kind of response is frustrating to say the least. In part because it's not constructive, but also because it's blatantly false.

How do you deal with these kinds of responses from people?

I'm looking for concrete examples that can be presented that show the need for strong security when conducting perfectly legitimate activities. Examples in the areas of trustworthy encryption on end-to-end communications for cellular networks, network identity obfuscation services like Tor or VPNs, complete and total data destruction, and so on are what I'm after.

I'm always inclined to point to social uprisings in states like Libya and Egypt, but these events tend to be presented to too many of the people I encounter that use this argument as "things that happen on TV" and not real things that have any effect on them or their personal liberties. So counter-arguments that keep it squarely in the first world, of the it-could-hurt-you-or-your-grandma kind, are really valuable here.

This question was IT Security Question of the Week.
Read the Oct 10, 2011 blog entry for more details or submit your own Question of the Week.

Ian C.
  • 820
  • 6
  • 8
  • 41
    That must mean the President is doing a LOT of illegal things... look at all the security he has. – WernerCD Sep 25 '11 at 21:10
  • 8
    This is an aside but how do you know if you are doing something illegal? Without even counting treaties, city laws, county laws, state laws and tribal laws, the United States Code alone (i.e., federal law) contains over 27,000 pages in 50 titles (of which 4 more have been proposed). The Congressional Research Service stated that it's unable to count the current number of federal crimes. – Andreas Bonini Sep 25 '11 at 22:15
  • 7
    We **just knew** that all presidents are corrupt, and all banks steal, and all those online merchants that use HTTPS must be selling overpriced items. We also knew that online merchants that transfer your credit card data in the clear must be honest. – Lie Ryan Sep 26 '11 at 02:31
  • 22
    You could also refute it with “You don’t need security if *nobody else* is doing anything illegal.” – Jon Purdy Sep 26 '11 at 22:38

17 Answers

68

You don't need to lock your front door unless you're a thief.

It's the same idea in all relevant respects.

Each person needs to take reasonable measures to protect himself and his property from those who would harm him or his property, in accordance with his best judgment of the risks.

You buy a lock and lock your front door if you live in a city, in close proximity to hundreds of thousands of others. There is a reason for that. And it's the same reason why you lock your Internet front door.

smokris
  • 199
  • 1
  • 2
  • 5
yfeldblum
  • 2,817
  • 21
  • 13
  • 4
    Ask to see their payslip or health records; personal data is all about legal data that should be kept private. – Unsliced Oct 01 '11 at 14:04
30

My first thought is to ask, “Do you have anything valuable that you don’t want someone else to have?”

If the answer is Yes then follow up with “Are you doing anything to protect it?”

From there you can suggest ways to protect what is valuable (do threat modeling, attack modeling, etc.).

Tate Hansen
  • 13,794
  • 3
  • 41
  • 84
  • Also very good. Combined with @Justice's front door lock this is something that a layperson could readily digest. – Ian C. Sep 25 '11 at 18:49
  • 1
    Bejtlich posted good information on the differences in modeling: http://taosecurity.blogspot.com/2007/06/threat-model-vs-attack-model.html – Tate Hansen Sep 25 '11 at 20:07
28

As the Miranda Rights say: "anything you say can and will be used against you in a court of law". Right after the police finish giving you the Miranda rights, they then say "but if you are innocent, why don't you talk to us?". This leads to many people getting convicted of crimes because it is indeed used against them in a court of law. This is a great video on YouTube that explains in detail why you should never talk to cops, especially if you are innocent: http://www.youtube.com/watch?v=6wXkI4t7nuc

One of the more common crimes in America is "conspiracy". Hackers frequently don't get convicted of the actual hacking activity, but of conspiracy. That's because the police have chat logs of them discussing the attacks. Even if you aren't really involved, have no intention of participating in the hacking attack, and even tried to discourage your friends from doing it, you can get convicted of "conspiracy".

Robert David Graham
  • 3,893
  • 1
  • 15
  • 14
  • 6
    This actually is a really good answer that doesn't require trying to change the other person's mindset. The fact is, having done nothing illegal is simply not sufficient to ensure you won't have massive problems. (Anyone who watches Law and Order knows what happens when an innocent person gets in the way of prosecuting a guilty one.) – David Schwartz Sep 26 '11 at 01:11
19

In various jurisdictions you are likely to be fined or put out of business if you don't secure your systems. Specific examples:

  • Holding personal customer data. In the UK, if you don't protect this data appropriately you can be fined.
  • If you handle credit card data and don't implement appropriate security you may find that VISA/Mastercard will prohibit you from using their services.
  • If you are an SEC registrant and fail to follow Sarbanes-Oxley guidelines, you can be fined or worse.
  • etc etc

Worth having a read of @Tate's question from November 2010 on topics to kick start conversations on security.

Rory Alsop
  • 61,474
  • 12
  • 117
  • 321
  • 1
    Good answer, but I think the OP is more asking for answers that would have value to "Joe Home User". – Iszi Sep 26 '11 at 13:01
13

Simple examples:

  1. commercial confidential data. It's not illegal (or if it is, you should get a different job), but could provide competitors with an advantage in the marketplace if the confidentiality is compromised. If that's still too abstract, then consider the personal impact of being fired for being the person who leaked the trade secrets.

  2. identity theft. You might not do anything illegal, but can someone else do so in your name?

11

Security is not about doing something illegal, it's about someone else doing something illegal (that will impact you).

If you don't encrypt your phone calls, someone could know about what all your salesmen are doing and can try to steal your clients. If you don't shred your documents, someone could use all this information to mount a social engineering attack against your firm, to steal R&D data, prototypes, designs...

M'vy
  • 13,053
  • 3
  • 48
  • 69
8

Why do law-abiding citizens need strong security?

Individuals need to guard their information to maintain control over their own lives.

While this statement sounds extreme, I believe I can illustrate it with a few simple examples.

Example 1:

Background: You are a former alcoholic. Although you no longer drink alcohol you have a tendency to be generous when intoxicated. You also typically carry a significant amount of cash with you.

Mallory knows: you are a former alcoholic, you are generous when drunk, and you typically carry a significant amount of cash with you. Mallory also suspects that it will take only two or three drinks to make you drunk.

Scenario: You meet some friends Alice and Bob, and Bob's friend Mallory at a restaurant that also serves alcohol. During your meeting Mallory gets soda for the table, secretly adding an undetectable amount of alcohol to your soda. Alice and Bob leave. Mallory stays telling a sad story about her need for cash. You give Mallory the cash and never see or hear from her again.

Example 2:

Background: You are a civil servant. The office in which you work has a strict policy against employees making negative public statements against current laws. You have a 12 year old child.

Scenario: A popular social networking site has a policy of not allowing children less than 13 years of age to have their own account. You decide to share your social network account with your child by giving them your password. Your child uses your social networking account to publicly post negative comments about a particular law. The local media discovers the posting and learns your real name and where you are employed. Due to the media coverage your supervisor finds it necessary to terminate your employment.

Example 3:

Background: Your ailing grandmother lives alone and has very little income. To help her save on expenses you replace her traditional telephone service with a cheaper VoIP service. Your grandmother does not have a computer and does all her banking by phone.

Scenario: An adversary monitors VoIP calls from your grandmother's service provider and targets calls which are destined for bank phone numbers. Your grandmother makes a routine transfer from her savings account to her checking account giving the bank agent her account numbers and her security code. The adversary records your grandmother’s unencrypted phone call and gets her bank account numbers and security code. The next time your grandmother checks on the status of her accounts they have zero balances and a credit card with a large balance has been opened in her name.

The 'nothing to hide' fallacy

There are three well recognized components to security: confidentiality (secrecy), integrity (has not been damaged, modified, or tampered with), and availability (you can get the thing when you want it).

The 'nothing to hide' argument only works against confidentiality. There are obvious cases where an individual wants a piece of information to be secret and not easily available to anyone who may want it. The single easiest example would be a bank card PIN number. Anyone who has your bank card and knows your PIN can steal your money.

Other obvious examples are traditional security items like alarm codes, checking account numbers, and combinations to locks or safes. So the 'nothing to hide' argument is really targeting the information in activities which do not have obvious intrinsic value in and of themselves.

Let’s take the example of a mobile phone conversation.

The surprise party

Alice has a friend Bob who likes surprise birthday parties. Bob's other friends include Carl and Evan. Carl likes to eavesdrop on mobile phone conversations. Alice calls Evan to plan a surprise birthday party for Bob and Carl listens in on the conversation. Before the day of the party Carl tells Bob about the plans for the party. The enjoyment value which Bob would have had if Carl had kept the party a secret is now lost. The disclosure of the secret between Alice and Evan by Carl has a negative consequence for Bob who was not party to the secret.

Typical 'nothing to hide' arguments usually imply that a secret is hiding something bad (illegal, immoral, or embarrassing) and that disclosure of the secret has negative consequences for at least one of the keepers of the secret. Some 'nothing to hide' arguments argue that disclosure of a secret doesn't hurt anyone. The preceding example shows that this is not always the case.

Now let’s look at an example of anonymity.

Anonymity

Alice is a wealthy individual who sits on the board of advisors of a university. The university is in financial difficulty and is allowed to accept private donations. Alice wants to make an anonymous donation to the university. Alice discreetly discusses the possibility of an anonymous donation with Bob the university’s exchequer. Carol is another member of the university board who maliciously seeks to reduce Alice's influence on the board. Bob discloses Alice's discussion to Carol. Carol tells the other board members, excluding Alice, that Alice is attempting to gain favour with the exchequer without the board’s knowledge by making a large anonymous donation. As a consequence Alice makes a much smaller public contribution.

The 'nothing to hide' argument against anonymity implies that the person who wishes to remain anonymous must be doing so because the action they are taking when anonymous is a bad action (illegal, immoral, or embarrassing). The anonymous donation of money to a university in need is difficult to characterize as bad. Disclosure of the secret in this case hurt the university and potentially Alice. This example also illustrates part of the problem with excessive openness, the potential for third parties to misinterpret information or actions.

Dan Dascalescu
  • 1,955
  • 2
  • 15
  • 24
this.josh
  • 8,843
  • 2
  • 29
  • 51
8

Whenever anyone brings up that statement I always reply with - "You can't trust that all the people in the world are following laws".

Indeed, if everyone in the world is a law-abiding citizen you can leave your front door open, but as we know there are criminals and a whole lot of other people who may enter your front/back door with various motives - who knows what harm they may inflict.

Kromster
  • 183
  • 5
6

Perhaps you may think you have nothing to hide, and perhaps you actually have not done anything which is illegal, immoral, or embarrassing (thanks go to @thisjosh for the "something to hide" categories - good explanation there). However, that is your opinion. The opinions of others may not agree. Those others may be in a position to exploit your lack of security in order to gain information, to convince people of the same mind as them that you have done something reprehensible. This could, whether you agree with their stance or not, have an adverse effect on your life which may range from a minor inconvenience to extreme tragedy.

Also, even if all the people in the world currently agree with your stance on what is legal, moral, and pleasing, opinions do change - and so do laws and, in some cases, even widely accepted ethical codes. What you do now that seems to be just, fair, and fully within your rights, may later be considered an offense or affront to others. And these others may be in such positions of authority to write laws against those things, or sway public opinion to oppose them. Then, revelation of your past actions (or ongoing ones, if you continue under your own personal convictions) could indeed lead to embarrassment or even imprisonment or worse.

The bottom line is this. If you do not practice good security in protecting your privacy and anonymity, you are effectively trusting that all the people of the entire world (friends, family, governments, and general public - never mind those who might actually be out to get you), as it exists now and as it will be in the future, will handle your personal information and identity details in a manner which suits your best interests. Do you trust the world to do that now? Do you trust the world of 20 years from now to be the same?

Iszi
  • 27,027
  • 18
  • 99
  • 163
4

A lot of answers about why security applies to service providers - however it applies to all parties involved in the internet.

Should you be blameless if, as a result of inadequate security on your PC, it is rootkitted and recruited into a zombie army? What if someone uses your WiFi router to make fraudulent transactions on an online bank account? AFAICS, it appears that in most jurisdictions you are.

Oddly enough, most jurisdictions would take a dim view of you leaving a loaded weapon around your house and not in a locked cabinet.

Similarly if you operate a website processing no customer supplied data, and that site is compromised then it may be used for purposes you never intended.

And that's before considering the Martha Stewart scenario.

symcbean
  • 18,418
  • 40
  • 74
  • Excellent argument applicable to the possessions of the "average Joe". Less so to not caring about [being tracked](https://www.privateinternetaccess.com/blog/2019/01/people-start-to-wake-up-to-the-pervasive-third-party-tracking-that-comes-with-90-of-android-apps/). – Dan Dascalescu Jan 23 '19 at 01:56
4

This shows a fundamental misunderstanding in security.

I expect security (any kind) to keep my 'stuff' safe from anything outside the defined boundary (firewall, fence, door). To say it's only used to keep illegal activities inside is Fritzl-esque.

Dave
  • 151
  • 3
  • 1
    @woliveirajr - see http://en.wikipedia.org/wiki/Fritzl_case - notorious case where the criminal kept illegal activities inside. – Rory Alsop Oct 07 '11 at 12:37
4

Polemical response - put opponent on defensive ...

"Are you saying that we should also put all of our identity and financial information on the Internet?"

A softer response (for when you don't want to damage the personal/professional relationship) would be to make a joke out of it (to soften the jab, so to speak) ...

"You're an identity thief's best friend!"

Or, when expressing the thought more formally, and with minimal risk of offense (e.g., to your boss) ...

"We might expose ourselves to significant liability if our data is not comprehensively secured using strong but cost-effective encryption solutions."

OR

"We might fall in violation of pending legislation mandating the use of encryption technology to secure sensitive customer data."

Garrett
  • 324
  • 1
  • 4
3

I'd say "you make the rest of us less secure by being an idiot", and follow-up by referencing the LastPass fiasco where they had a small breach that would not have amounted to a hill of beans if everyone had a reasonably strong password. But because a few bozos had dictionary words, we all were at (slight) risk.

So if bad guys got the database, and if users had weak master passwords, then there's a possibility of doing, over some length of time, a brute-force attack. And so erring way on the side of caution, the LastPass guys said, okay, just change your master password. We're sorry to put you through the inconvenience. You don't have to change any of your other site passwords, just the one master password. That way nothing that might have been taken, if anything was, and we don't know that anything was, nothing that might have been taken would still be vulnerable even to a brute-force attack.

From: https://www.grc.com/sn/sn-301.htm

Rather than paste the whole transcript here, if you're interested, you can read more of it, or listen to the podcast.

The idea I took away from the discussion was that if everyone had a strong master password, the brute-force attack would be infeasible. From a cryptographic theory standpoint, I don't have the skill to explain why that is so, but if you check out the link, that information may be in there.

Dale
  • 139
  • 2
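
An added illustration of the point in the answer above (not part of the original answer or the quoted podcast): a defender's audit over a constructed password database, showing why a dictionary-word master password falls to a short word list while a long random one leaves an infeasibly large search space. The PBKDF2-HMAC-SHA256 scheme, iteration count, account names, passwords, word list and guess rate are all assumptions made for this example and do not describe LastPass's actual design.

```python
import hashlib
import hmac

# All values below are constructed for illustration; none describe LastPass.
ITERATIONS = 1_000          # kept low so the example runs quickly
WORDLIST = ["password", "dragon", "sunshine", "monkey", "letmein"]
ACCOUNTS = {"alice": "sunshine", "bob": "t7#Qv9!mZr2&Lp"}


def derive(password: str, salt: bytes) -> bytes:
    """Salted, stretched verifier as a password database might store it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def build_db(accounts: dict) -> dict:
    """Map user -> (salt, verifier). Salts are derived from the user name
    only to keep the sample reproducible; real salts must be random."""
    db = {}
    for user, password in accounts.items():
        salt = hashlib.sha256(user.encode()).digest()[:16]
        db[user] = (salt, derive(password, salt))
    return db


def audit_weak_passwords(db: dict, wordlist: list) -> list:
    """Return users whose stored verifier matches a word-list entry,
    i.e. the accounts a defender should force to reset."""
    weak = []
    for user, (salt, stored) in db.items():
        if any(hmac.compare_digest(derive(w, salt), stored) for w in wordlist):
            weak.append(user)
    return sorted(weak)


def random_keyspace(length: int, alphabet: int = 94) -> int:
    """Number of candidates for a random password over printable ASCII."""
    return alphabet ** length


def years_to_exhaust(candidates: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given guess rate."""
    return candidates / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    db = build_db(ACCOUNTS)
    print("flag for reset:", audit_weak_passwords(db, WORDLIST))
    rate = 1e9  # assumed guesses per second, deliberately generous
    print("200k-word dictionary: %.6f s" % (200_000 / rate))
    print("random 14 chars: %.2e years"
          % years_to_exhaust(random_keyspace(14), rate))
```
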
3

You could ask, "Why do you have a pin code when using your bank account, when simply saying your name and account number would be enough?"

schroeder
  • 125,553
  • 55
  • 289
  • 326
woliveirajr
  • 4,462
  • 2
  • 17
  • 26
2

I would reply that it is the same (fallacy) reasoning as:

"You do not have anything to hide, do you?"

that is used by police to trick you into giving your own consent to illegal police actions against you.

Watch, for example: How to Refuse a Police Search

1

As Edward Snowden said (Video): "Arguing that you don't care about the right to privacy because you have nothing to hide is no different than saying you don't care about free speech because you have nothing to say".

papajony
  • 454
  • 2
  • 8
0

As a law-abiding citizen you usually make agreements with other people in which you promise to keep the secrets of other people.

Most employers let their employees sign forms in which the employee gets a responsibility to protect certain secrets from their employer. When the employee then doesn't fulfill that responsibility by handling information related to his employer in an insecure way, they aren't a law-abiding citizen.

In Europe, GDPR requires many people to protect information of other people to which they have access. It might be impossible to be a law-abiding citizen in Europe without caring about security because provisions of the GDPR are easy to violate. For many professionals in the US there are also laws that require them to protect information.

In addition to legal requirements of secrecy, there are also social obligations about protecting secrets of your friends and family. If you violate the secrets of your friends and family you might not violate the law but you do violate ethical norms.

Christian
  • 1,876
  • 1
  • 14
  • 23