There is a war between the ones who say there is a war
And the ones who say there isn’t.
Online Security in the Age of Hacked Elections
Herd immunity is how vaccines stop contagious diseases. If enough of the population is immune, a typical individual infection runs its course before it has a chance to jump to another vulnerable host, and even unvaccinated individuals are protected. Without herd immunity, even vaccinated individuals are at risk.
It works the same way in politics and in computer security. Hackers advance from one system to another, from webcams to routers and laptops and smartphones, from email to cloud storage and social network accounts, using each as a staging ground for their next attack. Information operators connect to people on social networks, create and hijack groups and hashtags, and use their access to people's attention to scare people into questioning their reality and to make them more susceptible to the next wave of fake news and propaganda memes.
If you don't vaccinate your kids, don't keep up with security updates to your computer systems and apps, and don't critically filter what you read and who you follow online, you become a vector, a danger to yourself and to the entire population.
In 2016, Russia exploited our lack of herd immunity against propaganda and computer intrusions to score two major victories in its information war against the West: the Brexit referendum in the UK and the presidential elections in the US. In less than a year, the two most stable and influential political entities on Earth — the European Union and the United States of America — went from projecting global influence to struggling to survive. Russia’s success will inspire other countries to use information operations to punch above their military and economic weight. Once distant and theoretical, cyber wars have now become a part of our lives.
I don’t mean to alarm you, but it is all up to you now. Herd immunity only works if enough of you are vaccinated. Time to learn some social network hygiene.
Safety online, just like safety in the physical world, is not an effort you can ever complete. You can't just pick a stronger password and be done, you also have to mind your privacy, physical security, financial solvency, etc. You can protect yourself against some threats for some time, but not against everything, and not forever. Forget about even trying, you'd just waste your energy and paralyze your ability to do anything useful.
To make the most of the limited time and resources you can afford to spend on security, you have to prioritize: keep track of your threat model and protect the most vulnerable surfaces of your most valuable assets from the biggest threats.
Let me unpack this sentence. Assets are the things you want to protect: your own life, health and freedom; wellbeing of your loved ones; integrity of your finances; privacy of your home and your personal life; control over your computer systems and online accounts. Surfaces are how your assets are exposed to the world: accounts have passwords and password recovery tools, finances have sources of income and methods of spending and transferring your money, a home has a street address. Threats are how these surfaces can be exploited to compromise your assets: passwords can be stolen or guessed, a bank account can be frozen or emptied, a street address can be doxxed.
Read the Ars Technica article on threat modeling, then come back to see how it can be applied in a modern information war.
Your most critical asset is your mind. The surfaces that expose your thought process to outside influence are facts, logic, and emotions. If you act on bad information, or use faulty logic in your reasoning, or allow your emotions to be manipulated, anything you do can harm your community instead of protecting it.
A less obvious surface of your thought process is how predictable your reactions are. Learning, shaping, and exploiting people’s responses is the basis of a Russian military tactic called reflexive control. For example, consider how Facebook’s inaction against fake news in 2016 was a response to accusations of suppressing conservative news, or how Comey’s letter to Congress was a reaction to threats of leaking the contents of Anthony Weiner’s laptop from the FBI office in New York.
Get into the habit of asking yourself a few basic questions about your responses to external stimuli. When was the last time something like this happened, and how did you react then? Who controls this event, and are they aware of how you react to events like these? What side effects of your reaction may be beneficial to your adversaries?
Thought process is not the only asset that determines your ability to protect your other assets. A key part of threat modeling is understanding these kinds of dependencies and focusing your security efforts where they make the most impact.
For example, take privacy. You can afford to spend a lot less effort on operational security in the physical world if there is no way to connect your online activity to your real name and street address. But that means focusing on online security and maintaining a strict isolation between your online and offline contacts. If you are doxxed, your threat model changes, and you have to redirect your efforts from maintaining your anonymity to protecting yourself and your home from physical attacks.
This kind of ongoing evolution of your threat model is why you should also practice another military tactic: defence in depth. Don't assume that any single surface you are protecting can be made impenetrable; plan for what you're going to do when it falls. If your password is compromised, a two-factor authentication key will still protect your account. If your laptop is stolen, full disk encryption will still protect your data.
If you put some effort into understanding your threat model, you will be able to keep yourself and your community safe. You don't have to make every surface 100% bulletproof. Just make enough of them strong enough to make attacking you not worthwhile.
Social network platforms can and will only do so much to shield you from bad actors looking to harm you or exploit you to harm others. If you don't understand the basics of social network hygiene, you can become a vector: just as an unpatched router can become a part of a botnet spreading spam and taking down sites with DDoS attacks, an unaware social network user might facilitate fraud, reveal their friend's home address to thieves, expose their children's pictures to predators, or even get someone shot by police after a prank call by a psychopath who didn't like their comments in a video gaming forum.
There are many ways misusing social networks can put people in harm's way. Privacy is the big one, often underappreciated until it's too late, and impossible to fix once violated. You can't delete stuff from the Internet. You can't completely avoid exposing at least some details about yourself on the internet, either. The good news is that with a little mindfulness and with the right tools you can walk this fine line well enough. Let's apply some threat modeling to it.
First, sort your assets. Group your information into things nobody but you should have access to (your passwords, digital keys, banking data); things only close friends and family can know (your home address, date of birth, kids' pictures, anything about your family); and things you share with business contacts (your phone number and email address, current job and resume).
Some assets are not so obvious. For example, the list of your Facebook friends: it is public by default, which is good for Facebook, but not so good for your friends. Respect your friends' right to keep their name safe from prying eyes and make your friends list private. Other ways you interact with online platforms, such as travel arrangements and event attendance, can also expose you and your contacts to unnecessary risks. When you share something about yourself, always pause for a moment to think about what else can be derived from the information you're sharing.
Consider how your evaluation of assets depends on what you do. If you are famous, rich, or politically active, this creates additional motivations for people to invade your privacy and that of your social circle. You may want to limit visibility of either your real name and what you look like, or places you go out to and other ways to find you. If you work for the government or a large corporation, that also can make you a target for people trying to attack your employer through you. If you work at a place like that, don't put it on your public profile.
Surfaces for any privacy asset are ways to expose them to other people. Obviously, watch what you disclose in your profile. Less obviously, a photo of your home can let people identify it on Google StreetView, especially if you've ever let slip the name of your home town or neighborhood. Even an indoors photo might include GPS coordinates in the image file's EXIF metadata. Document metadata can reveal your real name, your employer, or your IP address, which can be used to find out your location and, if your internet provider doesn't protect your privacy (most don't), everything else about you. A live video from a vacation spot tells people when your home is empty and vulnerable, so does a flight plan or an event check-in.
Organize your privacy surfaces into more grades than just personal and public. For example, you can decide that Instagram is your way to stay in touch with friends and family, and Twitter is your public soapbox. In that case, keep your Twitter free of any personal details, make your Instagram account private, and carefully curate your list of followers. Or, if you only use Facebook, alternate between public posts and friends-only, and, again, curate your list of friends. Keep your professional network on LinkedIn isolated from both your public and your personal profiles on other networks.
When managing personal connections, limit friend requests to only one degree of separation (friend-of-a-friend), and vet people you don't personally know with your shared friends. Don't hesitate to unfriend people you're not sure about, be it because you don't know them well enough, or can't trust them not to reshare your private posts. And definitely report and block people when you observe them doing something questionable, be it spam, harassment, or violating people's privacy.
Review your privacy settings on all your social networks. Especially those you don't use often. And do it again every month or so: platforms keep coming up with new ways to protect or to expose your data, and the defaults aren't always set in your favor.
Once you have a plan on how to protect your own privacy, get into the habit of looking out for the privacy of your friends. Don't mention things they might want to keep private in places where strangers can see it. When you see someone else reveal something about one of your friends, make sure your friend is aware and has a chance to react. Warn friends who are too careless with their own data. When taking pictures that include people's faces, always ask for permission. Be mindful of identifying information in pictures you share: license plates, house numbers, ID numbers on documents.
Respect people's communication privacy preferences. If they tell you they want your chat to be end-to-end encrypted (e.g. Signal or WhatsApp or Telegram), figure out how to use that or send them nothing at all over open channels such as Messenger or Slack. If they want PGP encrypted email, figure out how to securely exchange key fingerprints, or get your keys into the web of trust.
Be in control of your and your friends' information, and be mindful about sharing it.
Humans are social animals; our connections to others are a strength and a vulnerability. There are ways to use social networks that can be a major source of support and inspiration, and ways that can be emotionally draining, irritating, or depressing.
An important part of making the positive effects of social network engagement outweigh the negative is to focus on meaningful interactions. Comment a lot, look for ways to learn things from other people, and for ways to help them learn new perspectives. If you find yourself scrolling through the feed too much, stop. Pick a spot and engage. If your feed shows you content you don't want to engage with, fix it: unfollow people, leave groups, use "show less content like this" options to instruct the feed ranking algorithm.
Another surprisingly effective way to keep your balance is to look at yourself in the mirror more often. On social networks, this means reviewing your own timeline. See past interactions with your friends about things that matter to you, see your friends and strangers express support, see what works and what doesn't, and use that to validate yourself and inform your future activities.
Learn to recognize and disrupt manipulation and trolling. This by itself deserves an article of its own; luckily, there are quite a few out there. I recommend “20 Diversion Tactics Highly Manipulative Narcissists, Sociopaths And Psychopaths Use To Silence You” and “The Psychopath Code”.
See how many of these behaviours you can recognize from your previous online interactions:
- Gaslighting: “that thing [that I just did to you] never happened, you imagined it.”
- Projection: “you are doing to me this thing [that I actually did to you behind your back].”
- Generalization: “you always do this”, “all sexual assault accusers are lying.”
- Mind reading: “you actually mean [the worst possible way to interpret your words].”
- Moving the goalposts: “[now that you’ve proven X] this is not about X, this is about Y.”
- Distraction: “but her emails!”, “you keep talking about yourself, what about me?”
- Whataboutism: “Nazi war crimes? What about the firebombing of Dresden by the allies?”
- Tone police: “Don’t care about validity of your concerns, the tone you used to deliver them is the problem.”
- Word salad: an incoherent rant going in circles through the same topics, draining your energy in what looks like but was never meant to be a meaningful discussion of any of them.
- Sealioning: draining your energy and provoking irritation by feigning ignorance and demanding in-depth explanation and proof of your every statement.
- Shitposting: shutting down a conversation by flooding it with provocative or repulsive content.
- Name-calling: “libtards are political correctness nazis.”
- Baiting: “clarifying” other people’s words to make their positions look more confrontational.
- Conditioning: training you to be afraid of things that make you feel happy and proud.
- Threats: “stop bothering me [by calling out my lies] or I’ll ban you”, “in my time, people like you would be taken out on a stretcher”.
- Hoovering: being extra nice between slowly escalating cycles of abuse.
- Triangulation: “let’s ask Bob if he thinks what you’re doing to me is ok.”
- Brigading: coordinated harassing of an individual or a smaller community by a larger group of people.
Don't let people get away with it: if they can't be persuaded to stay civil and honest, block them and don't look back. There are many good people on the Internet, don't waste your life on those who mean you harm.
Finally, the most important bit: learn how not to be alone, and learn to be comfortable asking for help. Whether it's a mental disorder or an emotional discomfort, when you are having a hard time, it is tempting to lock everyone out and wallow in your pain alone. That never helps. The best way to get through hard times is by being around other people.
Build up a circle of friends. Be mindful of your mental state, and that of others. Be there for your friends when they need you, don't hesitate to reach out when you need them, even if (especially if!) you feel like you need to be alone. Quality alone time is for when you're doing ok. Getting through hard times is what social networks, online and offline, are for.
It is easy to see privacy and peace of mind as assets that need to be protected from online threats. After all, everyone has things they don't want random strangers to know, and everyone has experienced feelings they don't want to ever feel again. It is easy to imagine what a loss of privacy or mental health would feel like.
There are also assets that are not that easy to internalize, and their loss can remain unnoticed for a long time. One such asset is essential to our ability to understand the world and make rational decisions, and yet, for many people, it has become a myth, something that never really existed. I am talking, of course, about the truth.
Not just the accuracy of facts, not just disinformation. The very idea of objective truth is under attack.
Before the age of mass media, the best way to make entire populations believe lies was to limit their access to information. Some countries, such as North Korea or China, still work this way, but advances in communication technology—from the printing press to radio to TV to the Internet to social networks to end-to-end encrypted messaging—make it an increasingly risky gamble.
When you can't count on stopping people from learning something that contradicts your lies, the next best thing is to stop them from believing it and caring about it. And that's how devaluing the idea of objective truth becomes an instrument of propaganda.
The core pillar of the Soviet—and now Russian—methodology for dismantling democracies and establishing authoritarian dictatorships is whataboutism: a train of thought that starts with deflecting accusations by pointing out misdeeds by the other side (“never mind that Soviets put people in Gulags, Americans are lynching blacks”), then proceeds to declare moral equivalency between both sides, then extrapolates that to declare that all sides are bad and not worth supporting, that everybody lies, everything is subjective, morality is relative, and objective truth can never be found or doesn't even exist.
The end goal of taking people on this mind trip is to paralyze their critical thinking and numb their sense of justice, create political apathy that would allow bad government to become worse, all the way to fascism and genocide.
Whataboutism is, of course, a lie. The world is knowable; all you need to find the objective truth is curiosity, critical thinking, and the scientific method. And above all, you need hope. As Rebecca Solnit has put it, “be open to possibilities and interested in complexities.”
Appreciating complexity is key to protecting your understanding of the world from authoritarian demagogues. It may be tempting to look for generalized explanations and simple solutions, but these only lead to prejudice and despair. There is no one root of all evil, and social progress can only be achieved by improving a deeply interconnected web of social conditions.
One of my favorite sources of hope is Our World In Data project's “World as 100 People” report. It uses data going back 200 years to demonstrate how the key indicators of human development—poverty, literacy, child mortality, democracy, fertility, education—are all interdependent and all have been steadily improving since 1820 and still are getting better throughout the world today.
Lifting people out of poverty and providing their children with better health care reduces child mortality, which motivates people to have fewer children and to give their children better education. Literacy and education help people stay out of poverty, improve healthcare, and make democracy possible. Democracy broadens people's access to education, economic opportunity, and healthcare, lifting and keeping them out of poverty.
The nice thing about all this complexity is that much social progress happens through the butterfly effect of indirect consequences. The history of social progress is a history of failures that have slowly shifted public debate until the advancements they sought became inevitable. Abolition of slavery, women's suffrage, the 40-hour work week, social security, gay marriage, public education and healthcare each took decades from being thought impossible to becoming expected.
Don't underestimate the value of slow change, and don't let all-or-nothing propagandists tempt you into the self-defeating rage that sacrifices small wins for a revolution that promises to fix everything by risking a dictatorship or an economic catastrophe.
Just like social progress, the quest for truth requires appreciation of complexity and does not tolerate simplistic solutions.
One more trick authoritarians use to destroy public trust in the truth is setting impossible standards of proof. Both science and crime investigation depend mainly on circumstantial—rather than direct—evidence. The fact that the Earth is round and goes around the Sun was established by drawing logical conclusions from indirect observations many centuries before we could send people into space. The fact that it was the Russian military that shot down MH-17 over Ukraine was obvious years before the joint investigation team gathered enough evidence to prove it in court.
The way the MH-17 incident was covered in the media is a textbook example of another way the truth often gets concealed in the plain view of the public: bothsideism.
While the best journalists devote their lives to finding and reporting the objective truth, many news editors go for a cheaper way to claim journalistic integrity by seeking neutrality as a substitute for objectivity. When reporting on a subject of a debate between opposing opinions, they would offer equal coverage to both sides instead of doing the hard work of finding out how genuine and fact-based those opinions are. This practice inevitably gets exploited to dilute the truth by always offering an opposing opinion, no matter how ridiculous, even to established facts.
We can’t afford to be lazy about the truth. Learn to care. Nurture hope. Be wary of simple solutions. Develop informed opinions. Pass moral judgement. Call things by their true names.