From malicious hackers to viruses to privacy concerns, using the Internet is “risky behavior,” but generally abstinence is not an option. While most people are familiar with some of these threats, even those in tech-savvy circles are quick to admit that they are not taking sufficient precautions to protect themselves. The harm reduction framework — initially created to reduce the health risks associated with drug use — is an intervention strategy that has been shown to encourage individuals to make safer choices when engaging in risky behavior. Adopting this approach would allow members of the technical community to help a broader range of people employ safer tools and smarter behavior in their Internet use. By shifting away from a false dichotomy — “you’re either safe or not” — and instead offering non-judgmental suggestions to discretely reduce harms and risks, we can improve our collective digital health.
The Internet and the tools that are built upon it have revolutionized how connected users can communicate, share or access information, and socialize. Yet the rewards offered by these tools often come with risks. While technologists familiar with the diversity and nuances of these threats can decide what risks they are willing to take and which activities they will forgo, most Internet users have a harder time doing so. In an effort to provide accurate assessments of various digital security tools for these users, security advice from digital experts can come across as impossibly complex and fruitless. When the less-experienced find it difficult to adopt a suggested behavior change (like using a different username and password for every website) they can end up feeling helpless to protect themselves ― and, in turn, apathetic about security. It is unrealistic to expect an individual to move from doing very little to protect their digital security to constructing the intricate web required to manage their digital security across platforms.
Instead, we should gradually introduce at-risk users to the variety of different educational and digital tools for protecting themselves and keeping their communications or data safe. We can present these tools as a collection of safety gear that can be swapped out, combined, or disregarded depending upon context, behavior, and level of risk. As mentioned above, there is an established model that can inform how we educate and embolden individuals to minimize risk and reduce harms without causing them to feel overwhelmed: harm reduction.
The theory of harm reduction was articulated by intravenous drug users and their allies in the early years of the AIDS epidemic. Faced with messages that equated injection drug use with inevitable HIV infection and ultimately death, members of these communities demanded options for those who were unwilling or unable to stop. Recognizing that the complex social dynamics of drug use and addiction existed regardless of the risk of HIV, advocates for the harm reduction model proposed different interventions based on the principle of “meeting people where they are.” For injection drug users, these approaches took the form of peer education about the virus, instructions on how to clean needles with bleach, and syringe exchange programs. Harm reduction faced opposition from those who argued that providing safer strategies to engage in risky behavior was equivalent to condoning those behaviors. Although these attitudes continue to obstruct some harm reduction activities — such as syringe exchange— the theory of change of harm reduction has been adopted throughout the HIV and public health sectors, and applied across populations regardless of risk level.
Luckily, we fully condone the risky behavior of using the internet. In fact, we encourage it. What we want is to find a way for individuals to reduce the risks while enjoying the behavior. We are not the first to apply this framework to digital security — but we want to see it more widely adopted and better translated to non-technical users.
Hackers and human rights defenders are on the vanguard of such “digital harm reduction” and have applied the principles without the label for years within their communities. Violet Blue recently made the connection explicit by suggesting specific harm reduction strategies for hackers, a high-risk group. Reporting on or organizing against human rights abuses is one of the riskiest activities a person can do, but we don’t tell reporters, bloggers or human rights defenders to stop such behavior. Instead, groups like FrontLine Defenders, Reporters Without Borders, Internews, and Tactical Tech— as well as our organization, Open Technology Institute — work to help at-risk individuals evaluate possible threats and devise custom digital security practices that work for their particular circumstances.
The highest-risk communities of hackers and human rights defenders have created a framework that we, the technologically savvy, can draw on to reframe digital security for the broader population. Our community of the technologically adept needs to take the next step, translating for non-technical users what hackers and human rights activists already know about digital security: every individual requires his or her own set of interventions tailored to local settings and needs. By presenting easy-to-understand messages about the continuum of risks and array of digital prophylactics, users can change behaviors in manageable increments. Much like public health organizations — which offer crafted guidance in pamphlets, peer education campaigns, and workshops — our hackerspaces, offices, and digital haunts should provide clear, concise information for developing safer communication practices.
Harm reduction methods in public health have proven that supporting hundreds of people to make small, easy to implement behavior modifications can have far greater impact for a community than pushing individuals to make complete, all-or-nothing life changes. Widely applying harm reduction methodologies to transform the interventions we promote to the millions of users in our digital community will allow us to resuscitate our communities’ ailing digital health.