I read a blog post from Graham Cluley recently about a T-Mobile hack:
It got me thinking about the data sharing between WhatsApp and Facebook and other situations that aren’t necessarily hacks but, as a customer/user, are things I consider.
I hear a lot of people say “I’m not worried about my data being breached, it’s probably already out there somewhere anyway”.
And I’m wondering, at what point do you feel that a company doesn’t take your security seriously? And what do you do in that situation?
This is a question that gets right to the heart of information security, in my opinion. How much is enough? How many incidents are too many and how much usage of your data is acceptable?
That’s really going to depend on what the risks are to you, and how much risk you personally are willing to tolerate. For example, you’d probably respond differently to someone who wants to steal your data and use it for identity theft, and someone who wants to use your data to show you personalized ads. Figuring out which actions you care about is an exercise in building a threat model.
If I don’t like a company’s security practices, I try not to use it. Unfortunately, the ideal and the real sometimes don’t match - I dislike Google’s habit of siphoning all the data it can, but still have a gmail account. I like data privacy, so I try to keep sensitive information a long way from Google and Facebook; I’ll be migrating off WhatsApp (which I already used only for non-sensitive personal conversations) before the start of February.
It’s an interesting thing to consider. What’s your personal threat model? And, how much friction are you willing to put up with to mitigate the possibility of a company being breached or misusing your data?
Very much so! I want to migrate off WhatsApp but have family members who won’t and who solely use that for their communication.
I think personally using my data to better target ads to me, for example, is not as bad as say using my data to impersonate me and run up debt under my name.