The cybersecurity expert SwiftOnSecurity, a decade ago, wrote a parable called "A Story About Jessica" and posted it to their (now-deleted) Tumblr blog. I found it moving and insightful. The consultancy Superbloom pointed to it as one of several "security-focused resources for building empathy".

I've been unhappy that "A Story About Jessica" was so hard to find, available only through other Tumblrs' reblogs and through archival copies in the Wayback Machine.

So, with SwiftOnSecurity's permission, I'm re-posting it to make it easier to discover and reference, followed by my present-day comments.

A Story About Jessica

(retrieved from the Wayback Machine, written by SwiftOnSecurity and first published September 28th, 2014 and licensed CC BY 4.0)

A story about Jessica.

I want you to imagine someone for me. Her name is Jessica and she is 17 years old. She lives in a two bedroom apartment with her mother and uses an old laptop she got from one of her mom’s ex boyfriends. With it, she browses the portals that serve as her connection to the community constructed around attending the same high school. She is concerned with boys and love and the next rent payment keeping her and her mother in the apartment.

She doesn’t have the money for a new laptop. She doesn’t have the money to upgrade it, either. She doesn’t even know how you do that. She has other interests, like biology. She just worries about how she would pay for college, if she can keep her grades up enough to get a scholarship somehow.

The only person she knows in her whole life that’s good with computers is Josh, in English class. She knows she needs an antivirus, so she asks him. He gives her an option that costs $50 a year, but he notices her sudden discomfort and kindly mentions about an antivirus that’s free. When she goes home she downloads and installs it. It took some effort and it seemed complicated and took awhile, but there was now a reassuring new icon in the bottom right of her screen that says “Protected” when she hovers the mouse icon thing over it.

Jessica hears on the news all the time about companies being hacked and photos being stolen. She heard on CNN you’re supposed to have a complex password with something special in it, like a dollar sign, so she does. At least on her Facebook account - she isn’t interested enough to find out how to change her other account passwords. That sounds like such an investment of time, and she is busy enough focusing on remembering abstract strings of equations in Math class. She doesn’t want to remember another abstract string of numbers and letters for passwords. Besides, she’s a teenager, whose brains aren’t very good at planning or compensating for risk.

She heard about something called a password manager, but she knows not to download things from the Internet. She doesn’t know what to trust. One time, she clicked the “Download Now” button for a program she heard about from the news, and it took her to a different website. She doesn’t have a community to ask for advice. And, besides, she’s trying to figure out what to wear to her date with Alex on Saturday. Jessica worries if he’s going to like her once he gets to know her better, sitting together and talking one on one for the first time. She also worries if he’s going to break her heart, like the others.

Sometimes, she gets prompts to update software. But one time, she updated something called Java, and after clicking the blue E that gets her to Facebook a new line of icons appeared. She doesn’t know for sure it was related, but she’s kind of suspicious. The computer still works, and she doesn’t want to break anything trying to figure it out. She can’t afford to pay Geek Squad $200. It’s annoying, but it’s still working. The next time something asks to update, she’ll say no. She doesn’t need any new features, especially ones that make her Facebook window smaller. And if they were important - wouldn’t they just install automatically? Why would it even ask?

One day, Jessica gets an email that says it’s an eviction notice. And it says it’s from tennantcommunication@hud.gov. She knows what HUD is by the forms her mother fills out to help pay for the apartment. But she heard about opening unknown files on the news, so she goes into detective mode. She types in hud.gov and it’s what she thinks it is. U.S. Department of Housing and Urban Development. She browses the site - it doesn’t look like anyone in Russia wrote it. So she opens the file. Adobe Reader opens, but the email plainly says that if the document is empty, there’s nothing to worry about. She tries to go to the next page, but there isn’t one. Oh well. She won’t mention it to her mother. She doesn’t want to worry her. It’s 7:40PM. She has to leave for her date.

What Jessica doesn’t know is the white light on her laptop that started coming on that day is the indicator for the camera that’s built in. She doesn’t even know it has a camera. But that camera started recording her. And the software recording her camera also started recording the screen. Including when she was emailing the pictures she took for Alex after she fell in love with him. At least when she types in passwords they always show up as black dots. Even if someone was behind her watching, they wouldn’t know the password. She doesn’t know her keyboard was being recorded, too. Nothing told her. Just like nothing told her the camera was on. Or the microphone.

Once in awhile, she hovers her mouse over the antivirus icon. It says Protected. It must be right. It’s the software Josh recommended, after all.

——–

What is Jessica’s sin in this story? Was it not educating herself on the benefits of Open Source philosophy and running Linux - which is free? Was it not having friends or family that know a lot about computers that she could ask for advice? Was it not befriending Josh? Was it being someone who has other priorities in life? Was it not knowing that the companies providing her software updates also try to screw her over with junkware, and she needs to uncheck it - every time? Was it stupidly not knowing the era that SMTP was designed in and that it doesn’t provide any authentication? Why didn’t she put tape over the webcam? Why didn’t she take apart the laptop to remove the microphone?

Maybe this isn’t her fault. Maybe computer security for the average person isn’t a series of easy steps and absolutes they discard from our golden mouths of wise truths to spite the nerd underclass.

Perhaps it’s the very design of General Purpose Computing. And who built this world of freedom, a world that has so well served 17-year-old Jessica? You did. We did.

So whose fault is it.

“A story about Jessica” by SwiftOnSecurity is licensed under a Creative Commons Attribution 4.0 International License.

Sumana's comments

SwiftOnSecurity wrote this piece in the context of blaming and shaming -- a context that has only somewhat changed in the ten years since. It's still too easy to find tech experts sneering when our neighbors suffer from malware, phishing, and data breaches, shaming victims for having inadequately protected themselves, as though the structural context is free of blame. Jacob Kaplan-Moss discussed this in his 2016 post "Psychological safety in the InfoSec industry", discussing "A culture of shame around personal security practices" and "A 'blameful culture' that focuses on individual failures rather than systemic ones."

I cautiously think that a "this could happen to anyone, even you" attitude is gaining popularity, at least in the bit of tech culture reflected on social media. It (unfortunately) helps when we learn that high-profile figures have gotten hit, such as Mark Cuban earlier this year. As Eva Galperin notes:

So I do think there's more of a compassionate counterculture today, at least in my circles, but the wider tech culture still has a nasty case of why-don't-you-just-itis. And this influences how we design and implement technology and how we react to incidents, which influences our neighbors' willingness to take our advice and to show us emotionally vulnerability by asking us for help when things go wrong.

That dynamic makes our neighbors more vulnerable to scammers who treat people nicely and make their (ineffective or even harmful) products easy to use. It's a bit like how the terrible user experience of formal healthcare in the modern US helps push patients into the arms of snake oil sellers, who at least have a nice bedside manner and whose sales process is reassuringly straightforward.

SwiftOnSecurity aims this parable at technologists, "we" who designed general-purpose computing, defended it, and "built this world of freedom". I'm reminded of Luis Villa's talk from early 2016, which proposes interrogating what we mean by "freedom" and asserts: "There are a bunch of ways that free software, as a movement, could refocus on liberating people, not code."

Jessica's story also reminds me of five other fictional composite characters a technologist created to evoke empathy: Jackie, Michael, Bill, Lillian, and Marcus from Mark Pilgrim's 2002 book Dive Into Accessibility. Pilgrim's original site is now gone and many of its mirrors are too (though folks have saved the contents in, for example, this GitHub repository, per its release under the GNU Free Documentation License). I particularly find his description of Lillian moving. Her vision has deteriorated, and some web sites are very hard for her to read, even with the help of an expert in IT:

Lillian likes Matt; he's the nicest of the bunch, and he even once set her text size to "Larger" in Internet Explorer, so now her daughter's weblog is actually large enough to be readable. She reads it every day. But when she asked Matt why she couldn't make CNN.com any larger, Matt launched into one of his geek tirades with lots of big technical words, got very frustrated, and finally said there was nothing he could do.

Lillian wishes she could read more web sites, but if Matt can't fix it, no one can.

I have also tried my hand at similar fictional composites, as in my tech conference plays (including last year's "Argument Clinic"). And I'm interested in encouraging more, and in reminding us of prior art.