“Privacy threats in intimate relationships,” written by Karen Levy and Bruce Schneier, and published in the Journal of Cybersecurity in May of 2020, presents the results of their study on the relationships between intimate threats and their implications on technical privacy design and policy. The main research questions this article seeks to answer are how privacy threats emerge within relationships, what the common features of intimate threats are, how we can assess the risks of intimate threats, and what potential solutions are available. The hypothesis is that human-focused system design changes will protect against cyberattacks committed by other people that an individual is close with.
In the article, Levy & Schneier (2020) explain how a person in an intimate relationship can violate the privacy of someone they’re close with. This is because we tend to trust our family and friends, which causes us to overlook the possibility of an information security risk associated with them. This could include activities such as a person using another individual’s phone without their permission, checking their browsing history, phone records, and text messages, tracking their location, and more. For the sake of this article, they acknowledge that all relationships are different, so therefore they decided to characterize the most common types of relationships that could potentially be vulnerable to security threats. These include intimate partners, parents and minor children, adult children and elderly parents, caregivers and their patients, and friends.
Within these various relations, there are features of intimate threats, which describe the type of risk that people could be vulnerable to. The first feature they covered focuses on attacker motivations. This may include motivators such as money, love, jealousy, obsession, or desire for control. The second feature emphasizes the potential risks associated with copresence, as opposed to the attacker and victim being in separate physical locations. They inferred that being in separate locations “helps to ensure that authentication mechanisms and access credentials create security” (Levy & Schneier 2020). The third feature focuses on the variations in the amount of power and control that someone has in a relationship. This could be due to a difference in age, forms of dependency (such as legal & financial), social norms, or reduced physical capabilities (such as children and people with disabilities). The fourth and final feature describes the technical and relational complexities. Privacy violations don’t have to necessarily be technically advanced if the attacker and victim live in the same household. As a result, the more advanced aspect of intimate threats is the amount of relational resources that the attacker can use to their advantage. This is due to the increased likelihood of an intimate attacker having more knowledge about the victim than a distant hacker would have.
The authors then cover what potential solutions are available to help address information security within intimate relationships. They provide a figure which lists the four features of intimate threats, as well as which solutions they think would most likely be suitable for each type of threat.
Figure 1:
Source: Levy & Schneier 2020
The first implication suggests that there should be a balance between monitoring the people we care about, and giving them some personal space. This could be achievable by monitoring in a way that doesn’t reveal too much personal information. An example they provided was an app called License+, which is a driver monitoring app that provides parents with enough information in a way that doesn’t reveal their young driver’s exact location. The second implication highlights the importance of deciding what types of information are more sensitive than others. This could possibly include personal information related to financial accounts and health information. The third implication focuses on how information is displayed on the screen, whether it’s a mobile device, or a laptop or desktop computer. Topics covered include app notifications, as well as targeted online advertisements. The fourth implication considers the default values of privacy settings, and whether people should change them in intimate contexts. The fifth implication is valuable because it considers privacy and sharing preferences to be the opposite of static; they’re dynamic, so system designers should provide flexibility in these settings. The sixth implication suggests considering whether a device or service is intended to be shared. If it isn’t, then it should provide the ability to create individual password-protected accounts.
The topic covered in this article relates to some of the principles of social sciences. For example, relativism is directly acknowledged by this study, when it states that “addressing these threats not only extends the field of cybersecurity”, it also “requires an integrated sociotechnical approach to understanding privacy” (Levy & Schneier 2020). That is to say that the social system is continuously changing with behaviors that are driven by technology. The ethical neutrality principle could be used in the first implication because of how it emphasizes a balance between being monitored and having some privacy. In the example the article provided, it essentially addresses the question of whether parents should use digital technologies that track their young driver’s location. The determinism principle could even be used as it mainly focuses on behavior as being caused by preceding events. The article states that people sometimes share access to devices and accounts for a variety of “social, cultural, and economic reasons” (Levy & Schneier 2020). Therefore, deterministic ideals could be used to answer why some people are choosing to share their login information.
Within the article’s introduction, it states that intimate threats are difficult to quantify. As a result, the types of data they used in their study consisted of data from several public surveys, which were outlined in the article’s introduction. Additionally, they studied a review of academic analyses. Using this information, the authors determined that there was little evidence of domestic abuse being considered as a smart home security threat, which further supported their concerns about the presence of privacy threats within intimate relationships.
The article emphasized the importance of considering marginalized groups in this study. It was stated that intimate threats often impact some of the “most vulnerable and least powerful people”, which includes women, children, the elderly, and people who are either physically or cognitively impaired (Levy & Schneier 2020). Within the third implication (which is to account for visual transmission), the article describes examples of contexts in which focus was placed on visual privacy invasion on certain devices to prevent information from being revealed to bystanders, while simultaneously focusing on the usability of the device. One example of this is the development of security mechanisms for the visually impaired, which consists of multi-touch authentication.
One of the overall societal contributions of the study is the fact that as more cybersecurity professionals become aware of this topic, further research and development towards resolving these concerns can be performed over time as other disciplines or systems focus on it too (such as the social system, criminal justice system, etc.). Another contribution is that as we begin to address concerns that are less commonly discussed, we can initiate the process of forming design principles that will improve personal privacy, both online and offline.
References
Levy, K., & Schneier, B. (2020, May 31). Privacy threats in intimate relationships.
Academic.oup.com. https://academic.oup.com/cybersecurity/article/6/1/tyaa006/
5849222