Opinion: Validate the positive steps people have taken to improve their security

I think that most of us in this forum are more likely to be understanding and helpful to someone who is just starting out in being privacy-conscious. We get that everyone has their own threat model and that pushing folks into something is not effective.

Another strategy I’d like to popularize, if we aren’t already doing this, is to simply acknowledge and validate the security and privacy practices people are already doing. And to do this without also chiming in with how they can do better.

For example, I know someone who doesn’t have a password on their phone (I know, I know). So I brought up how someone could get their phone and then access their bank. “But I’m not logged into my bank app - I don’t stay logged in,” they said. On one end, we know that’s not the only thing they should be worried about, but on the other, that is technically a deterrent. Whether they thought about it deeply or not, they thought on their own to at least raise a security barrier in the form of not staying logged into their bank app. So I told them so. “Good job!”

By letting this person know that they have taken a positive security step, I’ve hopefully done a few things.

  1. I’ve helped them see that they do in fact value at least some aspect of security and privacy. Otherwise, why not just stay logged in?
  2. I’ve shown how even something as small and innocuous as that is actually helpful to protect themselves.
  3. I’ve lowered the barrier to entry when it comes to the next practice they might consider by showing that they’ve already been doing some of the things you should be. They may see that other practices may not be as hard as they thought.
  4. I’ve given them a reason to feel good or better about their security situation. I understand not wanting folks to be complacent, but in a world where people feel like trying to be secure is futile, hearing that you’ve actually made a concrete step in your own life is validating.
  5. I’ve hopefully shown that I’m not some fanatical arrogant elitist who just goes around judging people for not taking my pet cause seriously. I will not constantly tell people about how they could be doing better. Rarely do people want to be nagged into changing. Not to say that we do this, but I think some of us have probably felt like we’re viewed this way occasionally.

I don’t think any of this is new at all. I just wonder how much success we could see by letting our strategizing take a back seat so that we can pay someone a compliment.


I think this is a really good idea, and a really important thing to do. Like many things, privacy and security is very much affected by the “low hanging fruit” phenomenon - some comparatively easy things can have quite a large effect. Like not re-using passwords on important accounts - yes, ideally we’d have very strong and unique passwords along with strong 2FA on all accounts, but I mean, does it really matter too much if your online chess account gets compromised, unless that helps them jump elsewhere?

Like, a couple of my friends have started limiting their use of Facebook, I believe in small part because I’m not there anymore. They still use it a bit, but hey, progress! Using it less makes it easier for them to stop entirely, which has to be a benefit, right? It’s a step in the right direction. Or a friend who has started using e-mail aliasing - yes, it’s mostly as a spam control measure (which, let’s be honest, is mostly what it’s best for), but it does limit their vulnerability to credential stuffing or e-mail tracking. That’s progress!

Sustainable improvement is slow and steady, and comes at different people’s comfort. I’d rather people take a year or two to reach their “coasting level” if it means they’ll keep it up longer, than them doing everything in a weekend but they drop 95% within a month because their life isn’t set up for it and they haven’t been able to make those sustainable changes. And doing that is way, way easier with emotional support and validation - something that I’m afraid is way too rare in the privacy-conscious community.

TL;DR - Yes, I agree :slight_smile: