My theory is that most people think about data misuse, perhaps unconsciously, from the viewpoint of your average good person. E.g. "if I got a hold of a stranger's bank information, then I'd be tempted to steal from them."
Instead they should think from the perspective of an evil person. E.g. "how can I proactively use whatever data that I can get to hurt someone."
For example, at a previous job I went to my managers and pointed out that every developer working on our system had access to our users' names and their involvement with racial justice programs our client was running. By guessing someone's ethnicity from their name, a bad actor could target minorities involved in racial justice. The response I got was not to fix the security issue; instead it was horror that I would ever conceive of such a scheme.
> Instead they should think from the perspective of an evil person
From experience, they usually come up with some variation of "If you have nothing to hide, you have nothing to fear" [1]. And even among those who buy the idea that private information could be used against them, most don't believe that someone would do this to them. What seems to be missing is an understanding of how scalable and automated these attacks can be in the digital world.
[1] Amusingly enough, one of those "I have nothing to hide" people was pretty shaken when they asked me to take a look at a scam email that said "Hello <firstname from leaked database>, we have photos of you watching porn. Pay us or we'll post them on Facebook."
Has anyone had success with informing people about these types of abstract dangers? I find that people either get it almost immediately, or they never really get it until it happens to them.
I hate that kind of management arrogance. Reminds me of a teacher who amply mocked me in front of the class for having mentioned Light Pollution [0] (which I had heard about in a youth science magazine) during a chapter about... "various pollution types"!
That's just bad opsec. I would have thought rule number one of soliciting was to be cash only.
Ignoring, of course, that the amount of aggregated surveillance makes it impossible to escape monitoring: credit cards, license plate scanners, phone GPS, AirTags, doorbell cameras, "Eye in the Sky" spy planes, etc.
The exact example IS bad opsec... however, assume some example fuzzing for good opsec.
Trip to McD's with a price of exactly happy meal + tax one day, and a recurring payment for XXX website OnlyFans access the next. Adjust the values to taste/theory. Sometimes a credit card is just a credit card.
Kindergarten transactions one day, escort payments on another.
It was — and still is — creepy. An average Joe like me shouldn't be able to pry into someone's private life like that.