|
|
|
|
|
|
by harimau777
545 days ago
|
|
|
My theory is that most people think about data misuse, perhaps unconsciously, from the viewpoint of your average good person. E.g. "if I got a hold of a stranger's bank information, then I'd be tempted to steal from them." Instead they should think from the perspective of an evil person. E.g. "how can I proactively use whatever data that I can get to hurt someone." For example, at a previous job I went to my managers and pointed out that every developer working on our system had access to our user's names and their involvement with racial justice programs our client was running. By guessing someone's ethnicity from their name, a bad actor could target minorities involved in racial justice. The response I got was not to fix the security issue; instead it was horror that I would ever conceive of such a scheme. |
|
|
From experience, they usually come up with some variation of "If you have nothing to hide, you have nothing to fear" [1]. And even those who buy the idea that private information could be used against them, most of them don't believe that someone would do this to them. What seems to be missing is understanding of how scalable and automated these attacks can be in the digital world.
[1] Amusingly enough, one of those "I have nothing to hide" people was pretty shaken when they asked me to take a look at a scam email that said "Hello <firstname from leaked database>, we have photos of you watching porn. Pay us or we'll post them on Facebook."
Has anyone had success with informing people about these types of abstract dangers? I find that people either get it almost immediately, or they never really get it until it happens to them.