Important

As with all of my long-form, well organized, (mostly) grammatically correct posts that I have been writing for over a year, no AI was used in the making of this post. Every word I write on my own, and I spend hours writing and editing these posts. One of my posts was removed for being “AI slop”, which hurt, because it was one I was most proud of writing. From that incident, I considered no longer posting on Lemmy, but I still felt my work is needed, so here I am again.

It’s very obvious that there are human mistakes and human additions to my posts that cannot be replicated by AI. It was not the first time one of my posts has been accused of being written AI, but I want it to be the last. There are people who enjoy writing and will put in the work to actually write a piece, such as me. I will prove that I am human by any means necessary.

The content I write is not designed to be short, nor is it designed to be summarized in a short manner. If you are not someone who enjoys reading long text, or prefers reading text with a more condensed meaning, this is not for you. I am also trying out increasing the number of references I use during the post, which is different from my usual style of only referencing more uncommon topics.

Thank you for your understanding.

Introduction

For the sake of people with whom I still keep in touch, I will avoid referencing too many anecdotes while writing this. These individuals have taken great strides in both privacy and security, even if they have a long way to go. It is not my place to publicly degrade these individuals and their experiences, especially knowing that they are reading this. It was wrong of me to have done this in the past, especially without permission.

The topic of this post will, however, cover some common experiences I have observed between numerous individuals, rather than singling out the stories of singular individuals. These stories will be used scarcely and only to help clarify the points I am making through examples.

Threat Model & Privacy Journey

My privacy journey officially started around 6 years ago as of writing this. It was when I was first introduced to the privacy risks of Google, as well as the privacy benefits of Firefox and Tor Browser. In the 6 years that I have spent learning about privacy, my preferences have changed between different extremes.

I used to be a die-hard user of Firefox-based browsers such as Mullvad Browser, and wouldn’t dare use a Chromium-based browser. I became obsessed with browser fingerprinting, and Firefox-based browsers seemed to be the only way to mitigate it.

Slowly, though, my views shifted. I became more security-oriented, and became concerned with the security of Firefox. (That topic is a whole can of worms that I have covered in the past. Please don’t fight about this in the comments.)

Eventually, I switched to Chromium-based browsers such as Vanadium and Trivalent. Even though I used to be polarized, I eventually switched sides as my threat model changed.

That’s where this discussion begins. I have never, in the 6 years I have researched privacy, made a proper threat model. This should not immediately discredit me. I have come to learn that a threat model is a good idea in most cases for most people, and if you haven’t made a threat model already, you should.

I have tried many times before to define a concrete threat model, without success. The reason I have not been able to is because of how my privacy journey went about. When I began my privacy journey, I had a goal in mind: “Make myself as private as I reasonably can first, and then work backwards to see what I am actually fine with doing.” It’s not a bad goal, just an incredibly tedious and difficult one. You first become very experienced in privacy by learning hands-on, and then you are able to make rational decisions after gaining experience and knowledge.

Of course, I never reached the point where I was fully private. Such a thing is not possible. Instead, I accidentally “ignored” some areas of privacy, or didn’t push further in areas that became too inconvenient. I essentially did a depth-first search to determine my threat model.

Once I was reasonably satisfied with my state of privacy, I worked backwards to restructure my digital life in a more convenient way with my newfound experience and knowledge. The way I discovered my threat model is extremely difficult and will bring you to extremely low points past privacy fatigue. I would never recommend anyone go through what I went through, which is the main reason I have devoted my time to ease the privacy journeys of others.

One thing I made sure to prevent while learning about privacy is forgetting where I came from and how I got where I am today. This comic illustrates why:

I want to remember all the pitfalls and mistakes I went through, that way I can present easy solutions and workarounds for those just starting their privacy journeys. Even still, I occasionally have to remind myself that not everybody knows what 2FA is, even though I have gotten so used to using it as a part of day to day life. As my threat model has changed, so too has the advice I have given.

Convenience vs. Everything

Convenience makes a lot of rich people a lot of money. If you can make something as convenient and addictive as possible, you gain the undivided attention of someone, and can dictate a lot about that person’s life.

Privacy, security, autonomy, and a few other categories are all subcultures of the same concept: freedom, especially digitally. The subcultures often overlap because they are all sides of the same coin.

Digital freedom is a broad topic, but being free digitally means breaking the chains of digital addiction and taking control over where you place your attention. For that reason, digital freedom will inherently feel less convenient. Giving yourself control over your digital life means that, in some cases, you will end up doing more work to manage it properly, but it means that you dictate how it functions, rather than being handheld by questionable entities.

In other ways, however, digital freedom is far more convenient. Take a password manager, as an example. Many people are prone to reusing the same, weak, memorized password for a multiple accounts. That means if an unsavory party gains access to one account (which is more common the more accounts you have), all of your accounts are compromised. Furthermore, remembering and typing passwords is cumbersome and prone to error.

A password manager is incredibly convenient because it fixes those problems. It generates strong passwords for you, changes passwords for every account, stores them all securely so you don’t need to remember them, and even types the passwords for you. This is one area where digital freedom is more convenient.

It’s often thought that convenience and digital freedom are at whits with each other, but it simply isn’t true. You trade convenience in some areas to gain convenience in others. Privacy activists can function the same as those who don’t care about privacy, the difference is how they go about it.

The Privacy Hump

“The first step is always the hardest” is a phrase used to encourage taking the first step towards a goal, because it gets easier after the first step. For privacy, this phrase is complicated.

Some steps towards privacy, such as switching your web browser, are very easy, can be done in under a minute, and have a large benefit in privacy. These steps can be first steps, and are not hard at all.

Other steps, such as fully switching to a password manager, are tedious and can get very messy very quickly. I had the displeasure of working for a company that stored all passwords in plaintext on a shared document. I immediately got to work transitioning these passwords to a proper password manager with proper access control, but it was an unpleasant and tedious task. Many of the passwords were incorrect, had multiple entries, or had unclear login pages. One login page was described only by the location of the browser bookmark on the computer of the secretary.

Even if a password manager is a tedious task at first, once your accounts are transitioned to a password manager it becomes infinitely easier to manage and use. These first steps can be the hardest, but provide even greater privacy and security benefits.

With that, I’ve found that privacy has a “hump”. The first steps are easy and can hook you on privacy, and once you are in a comfortable place with privacy the steps become equally as easy, but in between those points in a privacy journey are the hardest.

Conclusion

If privacy were more widespread (and it is becoming increasingly more common), there would be no need for a “privacy journey”, because privacy would be the default. Unfortunately, that utopian society currently resides only in the daydreaming minds of authors and privacy activists.

I could add more to this post, but I don’t want it to become unbearably long. If you want key takeaways while missing plenty of the interesting portions of this post, I will not deny you the satisfaction:

  • I don’t write using AI, even if my writing style is similar
  • Privacy journeys are long and difficult at times
  • Privacy is convenient in some ways, but not in others
  • The hardest part of privacy comes towards the middle of the journey

If you decided to read this post in its entirety, then thank you. As always, I had plenty of fun writing this. I hope it helps at least one person.

Cheers!