Trust Issues

I have trust issues, and maybe you should, too.

In the cybersecurity world, we operate under an assumption of “zero-trust.” This means that my general operating framework for any website, application, service, or password request is treated as potentially hostile until it meets certain prerequisites. And while this could be considered a somewhat cynical view of the world, and sometimes proves impractical, it tends to serve cybersecurity professionals well when it comes to protecting data and privacy.

But there is a spectrum of trust, and this is where I might suggest we all would benefit from considering what our own personal boundaries are, and where we’d ultimately like to be on this spectrum.

Most of us tend to be a little too free with our online data. We willingly trade privacy and security for convenience, and in doing so, give away a lot of information. Think about those EULAs (end user licensing agreements) you have to accept that contain four pages of legalese that most of us can’t be bothered with reading. And while this click first and ask questions later approach gets us quickly into that new trial you’ll likely forget about, the website that tells you why your dog’s ear is itching, or that new cool thing someone told you to try (ChatGPT, for example), it’s the first step in a slippery slope of data leakage that tends to come back and bite us later.

There’s a saying in the cybersecurity world: “Convenience is a subscription service you pay for with privacy.”

When looking at trust through the lens of security, the “never trust, always verify” approach can prove cumbersome, so I’d like to suggest some nuances on how to sensibly approach the constant “asks” for more information every time we go online.

For starters, beyond the hard stop concept of never trust, is the idea of “minimum necessary privilege.” This is something our friends and colleagues in the military are quite familiar with and enhances our zero-trust baseline with the idea that incremental grants of permissions may still get us what we need, without giving away the farm.

One example that frequently comes up is related to that new iPhone app you have to have because you can’t figure out something, like how not to be bored for the next five minutes (happens to the best of us). Once you’ve downloaded that shiny new app, one of the first “requests” you’ll often get is to “allow” the app to access your contacts, so you can invite all your friends.

Let’s take a beat and see what it’s actually asking. In this example, moving your needle towards the zero-trust/minimum privilege idea means your answer is always “don’t allow.” Later on, when you find that you’d intentionally like to invite someone to the Wordle party, use the share-link option, and invite your Aunt Lydia, who you should probably call more often anyway, to a spirited game of online word search.

The other option we’re frequently presented with is the sign-in with Google/Facebook/ Apple option. When you take that route, you conveniently get in with one click, but you’ve now passed your entire Facebook profile including first name, last name and actual date of birth over to the new app, likely not having read the data use agreement they showed you earlier, and then wondered why you quickly get served an add to buy the very shoes you’re currently wearing. Creepy, I know.

In these cases, it’s usually best to avoid “Sign in with Google/Facebook” and sign up manually with an address you control — ideally a Gmail plus-alias or a Fastmail masked email.

A Gmail alias is the fastest way to tag where you used the address and to see if that service later sells or shares your data. Just take your base address — say jane.doe47@ gmail.com — and insert a tag before the @: jane.doe47+plantid@gmail.com (swap “plantid” for the app’s name).

Gmail ignores everything after the +, so the verification message and every future email land in your normal inbox. If you start getting spam to that exact alias, you know who leaked it.

Heads-up: a small number of sites still reject “+” addresses. When that happens, fall back to a masked email service or add a dot variant like ja.ne.doe47@gmail.com instead.

The bottom line is that “least trust minimum necessary privilege” should be the place we start. The next time a pop-up begs for your contacts, or a shiny app dangles a “Sign in with…” button, pause for three beats — long enough to ask (1) Do they really need that? (2) What’s the least I can give them and still get what I want? and (3) Will Future Me regret this?

Do that and you’ll start living a little closer to “zero-trust, minimum privilege,” without turning into a full-time cynic. You’ll still get the memes, the dog ear answers, and the two-minute boredom fix, just without paying the hidden subscription fee of your privacy.

Until the internet proves itself trustworthy, keep those trust issues. In cybersecurity — and, frankly, in life — a healthy dose of skepticism is the cheapest insurance policy you can buy.

Thad Dickson is CEO of Xpio Health, a Gig Harbor company focused on security and compliance for healthcare organizations. He lives in Lakebay.