This entry is part 1 of 1 in the series OPSEC Objections and Answers
  • Do You Need OPSEC if You Have Nothing to Hide?

We talk a lot about OPSEC and PERSEC, as well as how you should be communicating with and protecting your group—or yourself.

One of the biggest objections we hear about OPSEC or see posted by people on social media is that OPSEC is unnecessary because “we have nothing to hide.” This article will answer that, and is the first in a series where we’ll explore those objections in detail.

OPSEC and Chess

The Cryptosphere has a fantastic explanation of why you do have something to hide. All of you. And you very well SHOULD. To paraphrase for the folks who don’t spend their days dealing with game theory:

Imagine you’re playing chess. You see the whole board, you see all the pieces, and every possible move and rule is available to you. People involved with game theory call that “perfect information,” or “the same information to determine all of the possible games (all combinations of legal moves) as would be available at the end of the game.” When you’re playing chess, all possible moves are right there. The other player isn’t hiding the board, they’re not hiding their pieces, and they’re not suddenly changing the rules (hence the phrase “above board”). Chess is chess. Now, this would be a situation of “perfect information” except for one problem.

Most humans don’t possess the cognitive processing paths allowing them to treat chess as a game of perfect information. We’re simply not primed or trained to see all those possible moves from all sides.

Why do you think it was such a big deal when Garry Kasparov beat Big Blue the supercomputer at chess in 1996? Because computers have perfect information. Your brain usually doesn’t have the capacity to gain it, even if it’s available to you.

Tic-tac-toe is another game the author mentions, to break it down further. If you took a 9-square tic-tac-toe board, you could use a decision tree to plan out every possible move by both players throughout the game. You could literally have a blueprint for how to win, because in any given board configuration you would know all possible moves by your opponent. That is called having perfect information.

How does this apply to you? Now imagine playing chess when your opponent decides midway through the game that the rules changed. He hid his pieces, and then suddenly has extra. Then you realize you don’t even know how many pieces he’s playing with. He’s hiding half the board, and changes which half he’s hiding at any given time. How well could you play?

Guess what? That’s exactly the kind of chess game you’re playing right now, whether you like it or not.

The Game is Stacked Against You

Before saying “I have nothing to hide” I’d have to say that I possessed perfect information in the context of making that decision. That’s perfect information not only about every past move leading up to this decision but every future move after it. It assumes that all “pieces” are above the board and that I know all the rules to this game. And that’s demonstrably incorrect.

Let’s take the assets and programs of the National Security Agency as some of our game pieces. For them to be above the board we’d need the government to be both honest and accountable about them. Instead, NSA Director Keith Alexander has repeatedly lied to the public about every aspect possible. So has Director of National Intelligence James Clapper. They’ve lied to us as individual players and Congress as what we might call a Superplayer; about buildings, assets, programs, collected materials. Everything we’d need to get a good idea, no less a complete idea, about the pieces on the playing board.

Now, that’s just the pieces. Let’s look at the board you’re playing on.

In order to play chess you’ve got to abide by certain rules, but there’s a trade-off: the rules are all made plain beforehand. You’re not going to get midway through the game and then be challenged about the legality of your opening move, either due to a rule that was hidden from you or due to a new interpretation of an old rule. But in the game model we’re dealing with here, government in general and intelligence agencies in particular have established exactly this possibility. As one example: the very court opinions and administration interpretations of the Patriot Act allowing the government to order telecommunications companies to collect and provide massive amounts of data on US citizens are secret.

…once you seemingly violate a rule that you’re not aware of, or once the administration alters its interpretation of the rule to make you a violator, they can now go back through every communication within their grasp and piece it together in any way they desire in order to make you appear guilty as sin. [emphasis added]

Without you knowing, at any step of the process.

What’s It All Mean?

This all adds up to a very simple bottom line. By saying “I have nothing to hide,” you are making very dangerous and false assumptions:

Both players in the chess game (you and the government) are in agreement as to the rules of the game, and those rules won’t change. We have seen plenty to know that we are all most definitely NOT in agreement about the rules, and that those rules change at the opponent’s whim, or even after the fact.

Both players know how many pieces are on the table. We also know this is false; your opponent has pieces you aren’t aware of, many of which are deployed against you and others like you. They swap those pieces out at will, upgrade them when possible, and even stack their pieces in ways that violate whatever rules they previously agreed to.

Both players are playing openly. Obviously this is false as well. While you’re playing “openly” and claiming you’re pure as the driven snow, your opponent is playing the game at a whole other level—a level you don’t see. When it moves pieces, you don’t know. When it changes the rules, you don’t know. When it decides to add a host more pieces or even have one of its pieces pretend to be one of yours, you don’t know.

Your moves only affect your own game. If you truly believe this, then you are the worst kind of security risk: the person who thinks he can act how he wants and it doesn’t affect anyone else. Your moves affect every game being played around you; your opponent is able to play many, many games simultaneously, and has no problem taking strategy or information from your game and using it to beat another player. Your arrogance, lack of understanding, and refusal to comprehend the “game” can and will get someone else killed or arrested.

“I have nothing to hide” means you’re playing an asymmetric information game like other players would want you to: poorly. Out of some mythical principle you’ve chosen to tie both hands behind your back in order to play a game that the intelligence agencies won’t even tell you the rules to. This is a game you will lose every time. Because not only do other players have more information than you, they also have just about all the power in the situation. And remember what I said above: strategy in asymmetric games is dictated by power imbalance between the players. Relinquishing both your power and your information is not a strategy, it’s a suicide.

The thing about suicide is, it affects everyone around the person. It’s not a solo activity. So next time you shrug your shoulders on Facebook and turn your nose up at protecting your own information and that of your group, remember this: You don’t have perfect information and this game isn’t being played fairly. If you want to play that way anyhow, then others will pay the price for your actions.
