Security and Privacy Theater

Most people have at least some level of concern about their individual security and personal privacy. However, most people also lack an understanding of how pervasive privacy threats really are in our modern society. Companies, salespeople, scammers, and even governments can prey on this lack of understanding to try to make a person feel better about their privacy while simultaneously collecting all their personal information. In this lesson, we’re going to look at this phenomenon in a bit more detail.

Security Theater

Security researcher and author Bruce Schneier defines Security Theater as “countermeasures [that] provide the feeling of security instead of the reality.”1 An oft-cited example of security theater in practice is that of airport security, which was significantly changed in the wake of the September 11 terrorist attacks in 2001 in order to make people less afraid to resume flying.2 The resulting system is inconvenient for travelers, expensive to operate, and has even led to the occasional x-ray for traveling children.3 However, there is no convincing evidence that any of the implemented security measures are really stopping terrorist attacks.4

The digital world is not immune to security theater. For example, it has become relatively common for U.S. Customs and Border Protection (CBP) to search through Americans’ laptops when returning from overseas travel under the guise of “detecting child pornography and terrorism,” even though the number of travelers with such content on their devices is small.5 Taken in tandem with airport security, it appears that the federal government is fond of justifying its invasive intrusions using these two politically popular categories of crime.6 Between 2008 and 2010, the government admitted to searching the electronic devices of over 6,500 people at the border, yet there were only some 280 data seizures disclosed during the same time period.7 Not all seizures result in criminal charges, as evidenced by the fact that CBP provides a letter to individuals whose equipment is seized for further inspection, advising them that their devices will be returned if CBP does not find anything illegal.8

Security theater is also especially common under the guise of cybersecurity measures. Poor mandatory training, a requirement for difficult-to-remember passwords, compliance-based policies, and the oft-repeated belief that antivirus software protects against most security threats are all examples of security theater in the information technology industry.9 Bastion firewalls and expensive security systems are yet another example, since these approaches to security only address some of the vulnerabilities that a system faces.10

Privacy Theater

In a similar vein to security theater, privacy theater refers to giving someone a “feeling of improved privacy while doing little or nothing to actually improve privacy.”11 For example, Google announced that they would remove support for third-party cookies in their Chrome Web browser, a move which they hailed as a step toward improving online privacy.12 However, Google began to implement a so-called “Privacy Sandbox” that simply moves personal data collection from the server side into Chrome itself.13 They then proceeded to force Chrome extension developers to move to Manifest V3, marketing this change as a way to “improve the privacy, security, and performance of extensions.”14 However, it is widely believed that Google made this change to reduce the effectiveness of ad blockers, since they designed Manifest V3 with both limited blocking capabilities and a requirement that block lists be reviewed and approved by Google before they become available in the Chrome Web Store.15 Google’s claim to be privacy-focused is further undermined by the fact that they settled a class action lawsuit in 2024 after it was discovered that Chrome tracked and reported user activity in Incognito mode.16

Malicious employment of privacy theater isn’t limited to Google, however. It is frighteningly common among most technology companies. Social media companies often provide users with various “privacy” settings that supposedly restrict access to personal information. Facebook is one such example.17 In 2009, a third-party developer of Facebook platform games suffered a data breach in which over 32 million user passwords were stolen.18 Over the following decade, Facebook enabled a third-party company called Cambridge Analytica to collect psychological information about their users. This information could be collected about a person if any of their friends took part in Cambridge Analytica’s surveys, regardless of platform privacy settings.19

Privacy theater can also be implemented in ways that are more subtle. Reddit, for example, is well-known for having rules against revealing another user’s identity.20 However, Reddit has been found to be actively fingerprinting users to try to determine information about them, even if they don’t provide that information voluntarily.21 More recently, Reddit has also been found to be blocking VPN users, reducing the ability of a person to browse the site privately.22

Privacy Policies

Perhaps there is no greater example of privacy theater than that of corporate privacy policies. A great example is the Microsoft Privacy Statement, which begins with “Your privacy is important to us.”23 If this is truly the case, then why on Earth would they develop a Windows 11 “feature” that automatically takes screenshots of everything you’re doing on your computer and feeds those screenshots into an AI model?24 It is also telling that Microsoft Edge collects even more data than Google Chrome,25 and Windows now contains code that periodically resets the default browser back to Edge if the user tries to choose something else.26

In truth, just about every corporate privacy policy begins the same way as Microsoft’s, with some kind of assurance that the company that is collecting, harvesting, and selling your data actually cares about your privacy. They don’t, of course. They care about making money, and information about you is valuable both to the company and to any cybercriminals who steal it from the company.27 For these reasons and for regulatory reasons (discussed in the next section), privacy policies are written to be dense and incomprehensible to the average user. Look at Apple’s privacy policy for a great example.28

Privacy Regulations

It might be tempting to believe that the government would regulate corporate data collection and give citizens the right to control the use of their own personal information. However, reality is far from this ideal. Governments – including the U.S. federal government – find private sector databases of personal information to be quite convenient. They can purchase or compel disclosure of this information without the pesky warrants and other legal hurdles that would be required to obtain data directly from individuals. Corporations are thus not discouraged from collecting more data than is actually necessary to provide a product or service, since those data can be valuable in a government investigation or inquiry later.29

That said, some jurisdictions do have privacy laws and regulations in place, and companies doing business in those jurisdictions must follow them. Notable examples include the European Union’s General Data Protection Regulation (GDPR)30 and the California Consumer Privacy Act (CCPA).31 Unfortunately, even these “strictest” of privacy regulations typically allow companies to collect data by default and put the burden to opt out of data collection onto the consumer. Thanks to carefully written terms and privacy policies crafted by lawyers, companies are able to skirt the intent of these regulations, creating yet more privacy theater.32

Notes and References


  1. Bruce Schneier. Beyond Fear. New York: Copernicus Books. 2003. 37-38. 

  2. Charles Mann. “Smoke Screening.” Vanity Fair. December 20, 2011. 

  3. “Expert: TSA Screening Is Security Theater.” CBS News. December 18, 2008.

  4. Bruce Schneier. “Beyond security theatre.” New Internationalist. 427: 10-13. November 2009.

  5. “Laptop Searches and Other Violations of Privacy Faced by Americans Returning from Overseas Travel.” Senate Hearing 110-589. Subcommittee on the Constitution, Committee on the Judiciary, United States Senate, 110th Congress. Washington, DC: June 25, 2008.

  6. Department of Homeland Security. “Response to USA Today - Laptop Searches.” Email correspondence disclosed to the American Civil Liberties Union. July 14, 2008. 

  7. American Civil Liberties Union. “Laptop Search Analysis.” January 14, 2010. 

  8. U.S. Customs and Border Protection. “Inspection of Electronic Devices Tear Sheet.” July 19, 2022. 

  9. J.M. Porup. “5 examples of security theater and how to spot them.” CSO Online. May 27, 2020. 

  10. Esteban Borges. “Security Theater: The Illusion of Safety.” March 1, 2024. 

  11. Rohit Khare. “Privacy Theater: Why Social Networks Only Pretend to Protect You.” TechCrunch. December 27, 2009. 

  12. David Temkin. “Charting a course towards a more privacy-first web.” Google Ads & Commerce Blog. March 3, 2021. 

  13. Gilad Edelman. “Google and the Age of Privacy Theater.” Wired. March 10, 2021. 

  14. Google. “Manifest V3.” 

  15. Kevin Purdy. “Chrome’s Manifest V3, and its changes for ad blocking, are coming real soon.” Ars Technica. August 5, 2024. 

  16. Michael Liedtke. “Google will purge billions of files containing personal data in settlement of Chrome privacy case.” AP News. April 2, 2024.

  17. Facebook. Adjust your Facebook privacy settings

  18. M.G. Siegler. “One Of The 32 Million With A RockYou Account? You May Want To Change All Your Passwords. Like Now.” TechCrunch. December 14, 2009.

  19. Sam Meredith. “Here’s everything you need to know about the Cambridge Analytica scandal.” CNBC. March 21, 2018. 

  20. Reddit Rules

  21. “Having a battle with Reddit’s fingerprinting schemes.” Privacy Guides Community. January 2023.

  22. “Reddit blocks access for VPN users: what is happening, and how to get around the block.” AdGuard VPN Blog. April 9, 2024.

  23. Microsoft Privacy Statement. November 2024. 

  24. Dan Sung. “Windows Recall sounds like a privacy nightmare - here’s why I’m worried.” TechRadar. May 21, 2024. 

  25. Dan Goodin. “Study ranks the privacy of major browsers. Here are the findings.” Ars Technica. March 17, 2020. 

  26. Keshi Ile. “Windows keeps changing default browser.” TheWindowsClub. January 3, 2023. 

  27. Ravi Sen. “Here’s how much your personal information is worth to cybercriminals – and what they do with it.” PBS News. May 14, 2021. 

  28. Apple Privacy Policy. September 18, 2024. 

  29. Christopher Soghoian. “Corporate Disclosure of User Data to the Government.” Minnesota Journal of Law, Science & Technology 12(1): 2011. 

  30. European Union. Regulation 2016/679 - EN - gdpr

  31. California Department of Justice, Office of the Attorney General. California Consumer Privacy Act (CCPA)

  32. Ari Ezra Waldman. “How Big Tech Turns Privacy Laws Into Privacy Theater.” Slate. December 2, 2021.