You wouldn’t share your bank details. You just shared everything else.

Why some data feels worth protecting and other data doesn’t, and why that intuition is mostly wrong.

This week I was thinking about text messages. The volume of spam is up. The quality is up too. The links sit alongside actual delivery notifications and bank alerts in a way that makes the line between real and fake harder to see than it was even just a year ago.

I was thinking about it because of a specific text message I received when we were first living in Sofia. I had ordered a vinyl pressing of a personal grail - “Zooropa” by U2. I had picked it up at a fraction of the eBay price and was a bit worried about the cost of duty. The package was meant to arrive at any time. I was tracking it. A text came in saying I needed to pay 6.47 Euros to clear customs and that I could do it online. The text and link both looked real. I tapped through and entered my payment information, even though there was a voice in the back of my head saying something is not quite right. I did it anyway. I wanted that record.

Forty-five minutes later I got an email from my credit card company’s fraud center asking me to call them. I knew it immediately. I had screwed up. I called in, and sure enough, I had fallen for a phishing scam. The card was cancelled, the charges were reversed, and a new card was on its way. 

I have thought about that forty-five minutes a lot. Not because anything bad happened in the end. The fraud team caught it. What stuck with me was the speed and intensity of my own response once the alert came through. I called the number on the back of my card immediately. I waited on hold without complaint and dug into three years of personal history to prove it was me. I did all of it without hesitation, despite the fact that an hour earlier I had voluntarily entered the card details into a phishing link. 

Around that same time I had been working my way through a series of photo apps. One of them claimed to use AI to take an older photo and improve clarity, increase pixel density, and prepare it for large format printing. Too good to be true, I know. I have a stack of older family photos I would love to print at scale, so I downloaded it anyway. The app asked for access to my entire photo library. Not the photo I wanted to test on. The whole library. It also asked for my microphone, my location, my camera, and permission to send notifications. I tapped Allow on all of them in maybe twenty seconds, ran one photo through the tool, was unimpressed, and deleted the app. The permissions stayed active for a few years until I audited my signed-in-with-Google list.

Same person. Same story. Two completely different relationships with my own data.

We instinctively draw a red line at banking and finances. We don’t seem to do this anywhere else. The problem is the line isn’t where we think it is.

Ask anyone if they would share their full bank account number, their card details, and their security code with a stranger over email. They would not. The answer is immediate. They feel the line, they don’t think about it. Now ask the same person whether they have given a mobile app permission to access their microphone, their location, their photo library, their contacts, their face data. The answer is some version of yes, probably, I think so, or I don’t really remember.

The instinct says banking is more important. It isn’t. Banking just has a faster consequence. It also has a clearer recovery process. Banking has a fraud team and a phone number on the back of the card. Banking has a script. When something goes wrong, you know exactly what to do and the system has been built to absorb human failure. I know this because the system worked for me, even after I handed the keys over voluntarily.

Voice samples don’t have a fraud team. Photo libraries don’t have a phone number on the back of a card. So we don’t draw the line there. Not because we have decided that data is unimportant, but because we have no script for the failure. The harm is real. We just have not seen it play out.

Here is the reframe. The red line you draw isn’t tracking how valuable your data is. It is tracking how easy it is to imagine the consequences. Banking is easy. Photo libraries, voice samples, and location access are hard. The patterns a company can infer about you from twenty different signals you didn’t know you were giving off are very hard. None of that means those categories are less important. It means we have less practice imagining what might go wrong.

All data is valuable. The work of privacy literacy is learning to draw the line earlier, when the only thing you have to go on is reasoning rather than instinct.

I get it. The work runs into resistance. People are defensive. They don’t want to slow down. They assume things will probably be fine. I am the worry-wart in question. I also fell for a 6.47 Euro scam because I wanted a U2 record.

What I am asking, in every issue of this newsletter, is whether you can muster the same energy for the data points that don't come with a fraud line. The photo libraries. The voice samples. The location histories. The microphone permissions. The face data.

Not because something has gone wrong yet. Because the reason banking feels sacred is that we have practised imagining the harm. We just haven't practised it with everything else. Not yet, anyways.
