Learning to be helpless
In which non-privacy people kind of have a point
So it’s a common lament in the “privacy community” that “people don’t care about privacy”. It’s not true – people care deeply, in my experience – but it can sometimes seem that way. People use Facebook, they SMS deeply sensitive information, they refuse to use a password manager. And attempts to get them to do even basic things can be extremely difficult, and you’re more likely to be viewed as annoying or paranoid rather than trying to help. Are people just stupid? Do they not understand?1
There’s another “myth” that floats around sometimes2 that “privacy is dead”, or “there’s nothing you can do”. That tracking is inevitable, that criminals can get any piece of information they want, and identity theft is just a matter of time. Is that actually a myth? Well, sort of yes, sort of no. But the viewpoint it speaks to is definitely real, and honestly more grounded than most people think.
Let’s talk about learned helplessness.
Learned helplessness is a cognitive and emotional state created after an extended period of unavoidable aversive stimuli/responses from the environment in which a person basically gives up and just accepts the aversive stimulus. Basically, you are subjected to bad things that you can’t avoid, and you decide avoiding it is impossible and stop trying.
Prototypical example is; you put dogs on a platform (that they can’t get off) and give them occasional mild electric shocks 3. For a while they move around, try to find places in the platform where they aren’t shocked, but after a while they just stop and lay down. Interestingly, often the dogs will remain where they are even after they can escape the shocks – you open the gate keeping them in, for example. They’ve learned that nothing they do can stop the shocks, shocks are inevitable, so attempting to avoid them is pointless, so even if they went out the gate, they’d still get shocked so why bother.
Obvious connections to depression are obvious, but honestly I think the connection in any meaningful sense is tenuous. The behaviours might be superficially similar, but in the dog example the solution is much simpler – stop shocking the dogs – but that’s not feasible in depression because you are both the shocked and the shocker (well, your brain is, but let’s not get distracted by ontology). Of course, medication can help alleviate the symptoms, especially the depressed mood and ahedonia, which can then make it a lot easier to start boot-strapping coping strategies and lifestyle changes, but I think that’s sufficiently different so you can’t really connect the two in any significant way
Of course, humans display this too – part of what you can see with long-term abuse victims is they just kind of accept that their abuser is going to hurt them, it’s just how things are. And if they’ve been in multiple abusive relationships, it generalises further to that’s how people relate. Getting upset about it is like getting upset about sun spots – it’s not really going to translate to any actual change.
That said, one thing people are quite good at is compartmentalising – they might learn that, say, being spied on is just a normal part of work that they can’t help, but if they get home and I’ve placed a hidden camera in their bedroom they’re probably going to get really annoyed at me. So that learned helplessness doesn’t necessarily generalise (another reason I think the connection with depression is thin).
(Quick note; I found this neuroscience study which concluded the way we think about this is backwards – we have to learn to escape, with “inescapable” being the neurological default. I don’t know if I agree with this – if you apply a painful stimulus to an infant, they’re flinch away – but I wanted to acknowledge it.)
Application to privacy
I’ve been talking to a lot of people not in the privacy space lately4, and I’ve been confronted with a common perspective – people are generally aware that Facebook/Google/Microsoft/Apple/Amazon/whoever are sucking up massive amounts of personal information, and they generally agree this is bad. But they also note that the information being harvested is usually much the same (at least in terms of concern about things like identity theft) as you are often required to hand over to, say, telecommunications companies, or insurance companies, financial companies, or the government. And all it takes is one data breach, and it’s all out there, including information which you can’t easily change like your birth date, gender, name, address and suchforth. Further, these people perceive that these data breaches are common to the point of being basically inevitable (correctly so, I would say – it took me less than 10 seconds to find a breach affecting more than 1 million people for each of the categories above). So, they reason, getting worried about Facebook knowing they have a foot fetish is a bit silly, when your bank is selling your transaction history.
This is obviously a complicated topic, and while I would like to do a deeper dive into it one day, in short I wouldn’t say I think they’re wrong. If someone is coming around to your house every week and hitting you with a big lump of wood, it’s hard to worry about small burns from oil splatter when cooking. If you have a terminal disease with six months to live, arguments about how you’ll get lung cancer in a few years are a lot less persuasive as to why you shouldn’t smoke.
Further, a lot of the time, people view this situation – where they are required, often legally, to hand over intensely personal or sensitive information to a company which you cannot trust to safeguard it – as basically unchangeable. Even if there isn’t laws mandating it – which there often is – if say every telecommunications company requires that you tell them your birthday, then you don’t really have a choice there. I need to be able to communicate with people, and these days that mostly means e-mail, some kind of SMS or messenger, or phone calls, thus telecommunications being basically necessary5.
So you have a state where:
People are constantly having to engage in behaviours that a blind, deaf idiot could tell you increases their exposure to things like stalkers or identity thieves or hate groups,
They can’t do anything about it because of factors outside their control (legislation or corporate policies or economic incentives),
Every indication suggests that this trend is going to continue or get even worse.
Sounds a lot like the conditions leading to learned helplessness, doesn’t it? And indeed, this is the behaviour we often see;
People just accepting the situation as unavoidable,
People viewing attempts to avoid it as being foolish or irrational
People not taking action which might mitigate the state of affairs, regardless of cost or actual impact, when offered
People defending it as necessary, probably in part because people pushing back against it inherently brings into question the inevitability of the situation
Locus of control
Learned helplessness research led to the creation of a psychological construct called “locus of control”. In case you haven’t heard of it, basically it describes how you view the cause of the situation you are in across two variables; location and stability.
Location
Location basically boils down to “is the situation because of your actions, or because of external factors?” Of course the answer is usually more complicated than this in reality, but the simple version is good enough for our purposes today. For example, was your Discord account hacked because your password was bad and you didn’t have 2FA, or was it because Discord has poor protocols in place? Remember, we’re not talking about reality here, but perception. Do you feel that you should have done more, or are you just angry at Discord?
This tends to hit people’s emotional buttons, so I want to be explicit – neither internal (your fault) or external (other’s fault) locus of control is necessarily better or worse. An internal locus can motivate you to do your best, to improve your situation. If you view your health as primarily controlled by your actions, you’re more likely to eat healthier, exercise more, and avoid unhealthy things like smoking. However, if you are in a situation where you literally don’t have much control, feeling like you do can lead to feelings of inappropriate guilt, which causes all sorts of problems – developing a genetic, congenital disease is almost certainly not your fault. Assuming you can control everything is a sign of either delusions or narcissism – neither of which are great for yourself or people around you.
Stability
Stability, on the other hand, is about whether the factors that led to this situation are stable – that is, more or less consistent over time and situations – or unstable and change over time. So if a person finds it hard to find shoes that fit them due to having big/small feet, they might view this as a state which is stable – because their foot size isn’t changing – or unstable – because shoe stores are following changing fashions. Or if I get into an argument with someone, it might be because I (internal) or they (external) am/are an argumentative person (stable), or in a bad mood (unstable).
The important thing to note here is that in theory these two dimensions are independent. Something can be my fault because of constant personality quirks, or my fault because I had a momentary lapse in judgement. It can be the fault of multiple variables just happening to collide in an unlikely way, or it can be a factor of how the world works. In principle, they are unrelated.
However, that’s not how it usually works in practice, because people are what we call “reflexive”, which means we’re aware of ourselves in a way that affects our behaviour, and our views of our behaviour. If I want to think of myself as a generally agreeable person, and I get into an argument, I’m not going to want to judge that as being because I’m disagreeable. So I might view it as either me just being in a bad mood, or maybe it was the other person’s fault. But if I did something I view positively, if I think of it as because of stable, internal traits, then that makes me feel good about myself, much more so than if I think I just happened to get lucky.
This is what we call the “fundamental attribution error” or “actor-observer hypothesis”. Basically, it means people tend to view bad things they do as being unusual and caused by the situation, but bad things other people do as indicative of their bad qualities (and the reverse for good things). If I underpay for a drink, it’s because I made a mistake because I was trying to carry on a conversation, if someone else underpays for a drink it’s because they’re cheap or dishonest.
We see this as well in the privacy space. Let’s say Facebook decides to change something to become marginally less invasive (and somehow doesn’t go broke in a week). If they announce this, we’re going to assume that it’s because they’re just trying to look good, or avoid some kind of lawsuit – the behaviour is due to external forces, rather than internal characteristics. While if Mullvad decides to hold less user data at the cost of some convenience, we’re maybe morel likely to assume it’s because of internal factors – concern for security, respect for privacy, whatever.
Now, this is not invalid. Facebook has illustrated numerous times that they view privacy as, at best, a necessary evil, and more likely something to be circumvented whenever possible. Mullvad, on the other hand, has consistently demonstrated a commitment to user privacy and security. But sometimes it’s not that clear – is Google stopping scanning e-mails for advertising purposes out of a concern for user privacy, or is it a token gesture with minimal actual impact because they harvest so much elsewhere? Does my bank require a phone number because of KYC laws, for security reasons, or because they want to sell that information onwards tied with my transaction history?
This is important – if I attribute the cause of a situation as outside myself and broadly unchanging, there’s not much I can realistically do about it. If the government requires me to give a blood sample to be able to have a bank account, well, I don’t realistically have a choice there. I need a bank account in modern society, which means I’m inescapably exposed to the problems it comes with. If rental agents are forcing me to hand over my entire life story to apply for a place, I need a place to live. True story; in my city, for complicated reasons, the rental market has become seriously borked over the last year or two. No places are available, rents are spiking, in some cases by 50% or more, and competition is so fierce that I have a friend whose family was looking for a new place to live, and despite starting six months before they had to leave their previous house, they barely made it (I think they ended up finding a place like two weeks before they would be evicted), and even then it was by pure luck. So saying “oh, then just don’t apply for those places” isn’t really realistic for most people – if you need to move, you need to take whatever you can get.
Back to learned helplessness. So we have a situation where a lot of people view their private information as basically inevitably compromised, and there’s nothing they can do about it. Everywhere they look, places are demanding more data, securing it poorly, and their exposure to things like identity theft just keeps growing. As a result, they’re less likely to try to do something which might have some marginal impact – rather than using Facebook Messenger or SMS, maybe something like Signal or Session6. Maybe they’re less likely to engage in some security-enhancing practices like putting 2FA on important accounts, or using a password manager, or things like that.
Take-away?
I usually try to have some kind of pragmatic take-away here, but I’m not sure in this case to be honest. Because, in a sense, they’re not wrong. If your insurance provider is going to firehose your information anyway, does it really matter if Facebook knows that you texted your friend a 245-character message on WhatsApp at 2:48pm yesterday? If your name, gender, birth date, address, ID numbers and health information is going to be just given away to any thief who wants it, it’s hard to get worked up about browser fingerprinting leading to targeted advertising. Yes, corporate tracking and that is creepy as hell, and I’m certainly not a fan of it – that’s the motivation for most of my privacy and security practices, after all. But in terms of day-to-day impact on my life? Way, way less than getting caught up in even one moderately serious data breach.
General guide: if “people are stupid” is your answer, it’s rarely the case. Sometimes it is, but even then there’s usually more to it
Although in my experience I’ve seen it disagreed with more than I’ve seen it unironically repeated. That could just be a result of the media I consume, though.
I’m not *saying* that all the good research was done in the 1970s and can’t be done these days because “it’s wildly unethical” or “what are you even doing”. There’s a lot of very cool work being done now. But it’s hard to look back to those days and not experience a kind of combination of admiration and horror.
Something more people in the privacy space should do, I think. Not in an “advocacy” way, but… look, it’s hard to see some of the things people say and not ask “have you ever talked to an actual human being?”
To the voice I have in my head who says “it’s not *necessary*, you’re *choosing* to”; try applying for a job, or engaging with government to get welfare because you can’t get a job, without a phone number. And to those people who say “just use MySudo” or whatever - if you’re not in the US, that’s not an option.
Further complicating this is the “shifting target” nature of these things. WhatsApp used to be great, but that’s no longer the case. Signal seems good right now, but who knows what will happen in two years? Given the hassle of getting people to change, these are non-trivial concerns - even if Signal stays good, what if something better comes along?
Really interesting read! And sorry for the coming wall of text!!
I'm not sure if this is completely related, but as an average-jane who is interested in upgrading my privacy in whatever ways I can without sacrificing too much convenience or letting it hinder just enjoying and living life, I often find that a hindrance for me is knowledge and understanding about tracking and whatnot (what's the antithesis of 'privacy'...?? Surveillance??). It's hard to defend yourself against something you don't *understand* how it works. And if I don't understand how something works, and how to defend myself, it can be easy to... give up.
If I compare my current practices to my practices before I started my privacy journey, I've improved my overall privacy and security fivefold. I mean, I was *atrocious*. I used the same emails and passwords everywhere, for *years*, and all of it had of course been in literally hundreds of breaches. It's a miracle nothing terrible happened. So, going from that to where I am now is in and of itself an accomplishment.
But something that in particular tends to weigh me down is crosstracking and linkability (?). That's kind of where my morale starts to falter, and I feel helpless. Simply because I don't know how said tracking works. I don't know if clicking link X on website Y, taking me to website Z will link my advertising ID and whatnot. I don't even know what I don't know (https://gradecalculator.mes.fm/img/memes/i-dont-know-what-i-dont-know.jpeg). I guess that, in tandem to me being an average jane about privacy puts me in a stalemate. I want to improve my privacy, but I'm not one of those people who *enjoys* getting down into the nitty gritty details about privacy. I'm probably never going to learn how to use, say, Linux. Ideally, I want things that work seamlessly without me needing to tinker with it, which means I can only choose between Windows or Mac, which I suppose comes at a cost to my privacy. Anyway.
Like I said, I've improved my privacy greatly. I try to be mindful of what I share online, how I use the internet, my phone, apps... I use the webpage version of certain services instead of using the app version... But at the end of the day, I don't know if it makes that much of a difference? If my usage is tracked and linked between different websites and services anyway? If I don't know how effective it is, it's easy to slip up. Maybe in the heat of the moment, I would download an app or sign in to some website that I shouldn't have (at least on a device that I shouldn't have), and if you've done that once, are you already done for? Now that information is stored in some server regardless if I delete the app and never do that again, so would it make a difference if I started using that app indefinitely? I'm of course generalising here, but that's sort of the things that I think about in terms of tracking and feeling helpless and just, lost.
All of this said, I don't mind going the extra mile for some possibility of less tracking, and I'm probably not going to throw in the towel any time soon. There are still some things I'd like to try out in the future, like setting up a pi-hole (man, I've tried to understand how *that* works and... I'll just have to hope some techie friend will be willing to help me). Not fully understanding doesn't have to be a complete hinderance. But I think it affects people like me quite a bit, people who are interested in improving their privacy but are just not very knowledgeable, and maybe have other things in life they'd rather focus on.
I think part of the reason why I'm word vomiting on your post is that I'm too scared and impatient to share this sort of stuff on, say, r/privacy, because you're often met with unfriendlyness and black and white thinking. If you're using one "bad" service, like facebook, you'll be told that everything else you do for privacy is for nothing. It's easy to be discouraged from caring about or trying to improve your privacy at all, which further increases the feeling of hopelessness and helplessness. And why would you try to learn to understand something that you're told is a losing game from the start? And another variable for me feeling helpless about this is the way that the playing field is constantly changing and evolving... Everyday, it seems that corporations find new ways to harvest more data, so even if I were at the top of the privacy game *today*, who knows if that would matter in a year when they've found new ways to track you? That then also pushes the goal post of what you would need to learn about and 'understand'. These are the kinds of depressing and fatalistic thoughts I have about privacy 👍
Gonna shut up now!! Again very interesting read and happy that you're back.