Thanks Carolyn! This was definitely an interesting read and I kept thinking back to our early discussions about “anything - even the smallest step - toward protecting yourself online is important.” It was promising to see that people do think about digital privacy and interesting to see what that actually manifests as in regular use. I also loved reading the comments from survey participants because they showed the contradictions between what people know they should be doing and actual practices and the thought process behind those practices.
As I am developing my talking points for privacy seminars at my library, I found the idea that “we should ensure that valuable user time is being spent on the things that would bring them the most benefit” (337) echoed my main concerns about presenting this information to patrons. I think the top three recommendations (installing updates, using a password manager, and using two-factor authentication) from this article are good, but four years later software has changed. My most recent experiences with a password manager and regular updates have been much more positive than in the past. Hopefully as an “authoritative” voice giving advice that these tactics work, I will be convincing to patrons.
Also interesting was that the top expert-recommended security practices were met with resistance from non-experts based on old threat models. I thought the best example was that non-experts do not trust password managers, and a lot of this stems from stuff I heard growing up: “if stored or written down, passwords could be leaked” (334). Again, the software has changed and the threat models have changed: “As threat models are shifting from offline to online attacks and password reuse is becoming an increasing problem, using password managers or writing passwords down in a secure location seems to be a promising solution” (337). Being able to frame a conversation in a way that it starts with “what you’re doing is good, but here’s how to make it better” and using that as the jumping-off point for education will definitely be better received.