Today we’re constantly asked to make decisions that have security and privacy implications. Most of the time these are individually innocuous, but collectively they present significant risk. All too often, we simply click yes, plug in the cable, share the wifi password, or give up personal information. Instead, before even asking if it’s secure, ask “Why?”
Here are some examples:
- Why does my refrigerator, dishwasher, vacuum cleaner, lightbulbs, or child’s teddy bear need an internet connection?
- Why does the social media site need my real birthday or current location?
- Why does the doctor’s office need my SSN (unless you use Medicare)?
- Why does the retailer need my email address for a receipt?
- Why does that website have 42 trackers (seriously, just saw that today)?
- Why does that app need access to my microphone, contacts, or music library?
- Why does my TV need an internet connection? Why does it have a microphone?
- Why do I want that technology vendor listening/watching everything I do at home?
- Why should I always use my primary email address for sites that aren’t important?
- Why does my bank need my mother’s maiden name?
For many of those, the answer is: to provide some functionality I desire, and in exchange the company can exploit and sell my personal information. For others, it’s inertia (like the doctor with the SSN), or poor security question design (like mother’s maiden name).
We all have different tradeoff points – I essentially answer no to them all (or give false information – or a junk email address), others may say yes across the board. Of course, once you decide it’s worth the tradeoff, and before you actually go ahead, the ‘is it secure’ question needs to be answered. One quick thought on that – if it can’t be patched, it’s not secure.
So the next time a waffle iron, toothbrush, or coffee maker asks for your wifi password, stop a moment and ask ‘why’, then make a conscious decision about the tradeoffs.