Why Should I Care, I Don’t Have Anything to Hide?

The information you are protecting may not be your own.

If there is a common conception about information security in the modern world, it is the conceit that information security is primarily about personal privacy. Information security professionals will provide examples of personal data leaks that could be embarrassing, harmful or costly, but—as with so many things—the individual risks from bad information security are disproportionate to the aggregate risks. For most people in most situations, poor information security’s threat is not to them personally, but from aggregation, as a threat vector, and through weakened “herd immunity.”


Even embarrassing or personally costly information is not nearly so dangerous to the person who might leak that information as similar information could become when aggregated. It is possible that you personally have a health condition or bad habit that you would prefer others not know about, but rarely will improved information security actually help defend against costs. Your health or life insurance will have better ways to find out about your congenital conditions than hacking your email. The government will have your tax returns, if it really wants to know about your gambling problems. People who don’t have access to privileged information like that also will not benefit too much from acquiring it.

On the other hand, aggregated information is much more valuable to third parties, who may not be interested in you per se, but who can inflict severe costs. Aggregate information about communities could lead to certain areas being underserved because of aggregate behavior, creating a malicious cycle, for purely rational reasons. Large companies with access to information they might not otherwise have could understandably decide that communities with high health risks and poor spending habits make bad locations for services and outlets that could improve the circumstances, reinforcing the health risks and poor spending habits. Overcoming institutional redlining is difficult enough without reinforcing it with high-tech justification.


Some individuals may have access to information, even if it is not their own, that is sufficiently valuable to warrant extreme measures to acquire that access, and if you have a relationship with one of those people you could be part of the attack vector. In 2016, John Podesta was only one link in multiple chains of people whose information security failed before his email was compromised. The antecedents included people from old 2008 Clinton campaign emails who—though still involved in politics—had long since lost contact with Podesta, and who nonetheless were a part of the attack vector.


Good information security is, therefore, like vaccination, where the more people who practice it, the less risk the community as a whole experiences. If everyone in your circle practices poor information security, then the information they leak about you makes your information security hygiene less effective. By contrast, in communities where everyone practices good information security, even the periodic inevitable failure becomes meaningless. If the login information of one company is stolen, it does not matter as long as the passwords are properly hashed and salted, and even if not, that account is not at much risk if you use 2FA and do not reuse passwords. If all your associates are similarly focused, the risk that their assets become threat vectors to you (and vice versa) is greatly reduced.

Information security is not just a personal problem, and the longer we think about it that way, the longer it will take to find solutions. Not every solution will work for every person, so there can be no single mandated solution from “on high,” but the lack of universal solutions only makes personal responsibility more important. Those unable to employ all information security techniques can only experience relative security when those around them with more means use the tools at their disposal. You personally may not have anything worth taking, but if you protect what you have, you may just be protecting what others have but cannot protect themselves, alone.