Introduction
In this article, I will discuss FUD, why it is a problem, how to identify it, and what to do about it.
So what is FUD?
FUD stands for Fear, Uncertainty, and Doubt, and it is a term for advice that does nothing but spread fear, uncertainty, and doubt. This is also sometimes referred to as fear-mongering.
When you encounter FUD, it presents as a bit of sage advice. Most of it was technically feasible, if not now, then at least 20 years ago. It is often something that isn’t relevant any longer or only to a very small subsection of society. In many cases, it is nothing but pure fear-mongering.
How do you deal with FUD?
When it comes to good security advice, as opposed to FUD, context and good threat modeling are critical. There are very few cases that are universal or one size fits all. Our article on the Ten Commandments of Infosec covers most of those, even those that aren’t always applicable. When I talk about threat modeling, I’m talking about a process that we all go through subconsciously a million times a day. We are all aware of what is and isn’t a threat to us. Threat modeling is the process of consciously and deliberately cataloging what poses a threat to us. Your gender, your occupation, where you live, and who you love all play a factor in this. As discussed in the article on Risk and threat management, this is unique to each person, and there is no right or wrong way.
Critical thinking is the most important tool in combating FUD while staying safe online. It is unfortunate that with all the threats out there, how hard it is to pick out the FUD. The best advice I can give is to use your gut. If it doesn’t make sense, ask for more details. Also, try to get your advice from more than one source. Those spreading FUD are typically very light on details and are overly simplistic and general. If they can’t explain why something is a risk, it’s likely FUD.
Popular FUD
The top two pieces of FUD advice circulating today are to always use a VPN and never use public charge stations. I’ll explain these two here.
Always use VPN, debunked
Let’s start with the FUD about VPN. Once upon a time, in a kingdom not so far away, all connections to websites were unencrypted. This made spying on your web traffic a trivial matter. One could see the exact details of your bank balance, the content of your emails, etc. It was even relatively easy to intercept and change your traffic. This was due to a flaw in the initial protocol your computer used to use for communicating with the web server. The name of this protocol is Hyper Text Transfer Protocol or HTTP. The only solution at the time was to use a service called VPN (Virtual Private Network), which created an encrypted tunnel to hide your traffic.
They solved this problem a decade or two ago with the advent of the HTTPS protocol, so now this advice is total FUD. This added security on top of the old HTTP protocol. Now, this level of invasion is much harder. Unless you force the connection back to the old protocol, which alerts the user, the best you can do is collect the sites the user is visiting. This can still be problematic for certain threat profiles. Regardless of your threat profile if you are surfing the web and get an alert that the site isn’t secure, be very sure you know what you are doing before you proceed.
Valid VPN use case
If your threat profile calls for diligence about who is collecting information about what sites you’re using, or you are just a very privacy-conscious person, a VPN can be a valid solution for you. You need, however, to be very sure that your VPN provider isn’t collecting any data on you. By using a VPN, you are simply transferring the trust boundary. If you don’t trust the network you are currently on, you can use a VPN provider you trust, and all the current network can see is that you are using a VPN.
The VPN provider, however, can see everything, and you wouldn’t even know it. This is why it is of the utmost importance to trust your VPN provider. The vast majority of commercial VPN providers have been shown to be nothing but data-gathering tunnels despite any marketing promises. There are exactly two VPN solutions I trust to deliver on their no-logging promise: Proton VPN out of Switzerland and a VPN server I personally built.
Another valid use case is if you need to mask your origin to get around geo-blocking. In this use case, the level of privacy required should match your daily privacy requirements. If you are fine with the VPN provider collecting personally identifying logs on what you are doing while connected to their VPN, you can use whatever VPN you want. Just know that the VPN provider could be selling those logs to every data broker in the world. For this VPN use case, I would still use a provider I know isn’t logging me, even though I’m not a very privacy-conscious person.
Public Charge Station debunked
The next FUD is regarding public charge stations. Which also begins with „Once upon a time, in a kingdom not so far away.“ In the early days of smartphones, some phones didn’t distinguish between power charge and data transfer. This made it possible to build a power station that was actually stealing all the device’s data. Both Android and iOS solved this many moons ago—we’re talking more than a decade ago. Now, if you connect your phone to your computer, the phone assumes you are just charging. If you actually want to do data transfer with your computer, you need to instruct your phone to change from charge mode to data mode.
What is sad about this FUD is that even the US FBI is spreading this. When challenged, they did not respond with details on why they were spreading this.
Other FUD
The last example of FUD I want to discuss sounds great on the surface until you start to think about it critically. That is, „don’t scan QR codes.“ QR codes are nothing more than a convenient way to enter URLs, aka links. Just as you should not click on links indiscriminately, you shouldn’t scan QR codes indiscriminately.
The advice of „never scan any QR codes“ makes about as much sense as „never click on any links“; it is simply not practical. This is where critical thinking comes into play. Additionally, your trust in the source of the link/QR code is important. If you are at a trade show and you accept and eat a cookie or candy from the vendor, but you refuse to scan their QR code, you are exhibiting very poor choices. You think the cookie isn’t poisoned, but the QR code is? It would be more consistent to refuse both or accept both.