## [t3_rcaji4](https://www.reddit.com/r/privacy/comments/rcaji4/if_you_have_nothing_to_hide_you_have_nothing_to/)

*TL;DR: When someone suggests a specific countermeasure (i.e. software, service, encryption method, new device), ask which threat model it applies to. Ask what the risk is for yourself and your specific situation. Let’s raise the level of conversation in the privacy community by not supporting blanket countermeasures and paranoia-derived decision making.* *Assess your own threat model for your choices and your life.* [*Learn the opsec thought process*](https://opsec101.org) *and apply it for yourself. Say no to the* [*countermeasure-first fallacy*](https://opsec101.org/#dont-start-with-countermeasures-countermeasures-come-last)*.*

---

## Lots of bad advice

The vast majority of security or privacy related posts and comments on reddit are asking for help or advice on or related to specific countermeasures, like how a cook might ask for help with a specific ingredient. It implies the cook understands the recipe. The problem is most people don’t understand the recipe of security or privacy for themselves (i.e. their own opsec threat model) and end up asking the equivalent of “how to properly fry an egg” for a cake recipe because “eggs” were listed.

Efforts to educate the community to a proper opsec mindset are often met with resistance through these common pseudo-intellectual arguments:

### “a proper threat model isn’t necessary because everyone can benefit from extreme protections from everything no matter their situation”

This is patently false, and easily demonstrated by trying to log into your bank account over Tor or VPN. Once your account is locked for suspicious activity, you’ll need to question if you should in fact “use Tor or VPN all the time for everything”.

### “we shouldn’t share any information with governments”

This is mostly false. Try having a driver’s license and not sharing any data to get it.
Try being a citizen of a country and asking for help overseas without proving your citizenship. Try running a legitimate legal business and hiring an employee and paying them anonymously. There simply is no getting around sharing information with government as a part of life. We can limit and push back on the types of information we share, but the idea that all information is equal and should be private is an anti-opportunity position, often based on paranoia and introduces complexity and inconvenience often for no real benefit.

As for corporations, you can often limit the amount of information they collect through isolation in most cases, but even when you can't, the type of information they are requesting and how they use it may be completely acceptable in some limited cases (troubleshooting software, fraud and cheating prevention, providing access credentials, etc). It will always come down to a personal threat model as to whether the information shared is an acceptable risk or not.

### “if it’s free, you’re the product and you shouldn’t use it”

This is mostly false. You can be the product even when you pay, and while many free (donation, tax, confused investor funded) services exist, the takeaway is that all users of a product or system are a product in one way or another — what matters is if the benefits outweigh the risks.

---

## If you have nothing to lose..

When someone says “don’t use \_\_\_\_\_”, ask them what you stand to lose. This forces them to define the risk — a critical component to a threat model. In most cases, you’ll deduce from their response that they are assuming a threat model of a spy, a victim of state persecution, a terrorist, or other very high value target which makes their advice akin to "you should never drive a car because people can die from car accidents".

Let’s raise the level of conversation in the privacy community by not supporting blanket countermeasures and paranoia-derived decision making.
When someone suggests a specific countermeasure (e.g. ingredient), ask which threat model (e.g. recipe) it applies to. Ask what the risk is for yourself and your specific situation. If there isn’t any, you’re probably wasting your energy at best, or at worst adding additional potential liability and vulnerabilities to yourself.

Instead, assess your own threat model for your choices and your life. [Learn the opsec thought process](https://opsec101.org) and apply it for yourself. Let's say **no** to the [countermeasure-first fallacy](https://opsec101.org/#dont-start-with-countermeasures-countermeasures-come-last) in the privacy community.

---

submitted to [r/Privacy & Freedom in the Information Age](https://www.reddit.com/r/privacy/) by [u/carrotcypher](https://www.reddit.com/user/carrotcypher)