New Research: "Privacy Threats in Intimate Relationships"

I just published a new paper with Karen Levy of Cornell: "Privacy Threats in Intimate Relationships."

Abstract: This article provides an overview of intimate threats: a class of privacy threats that can arise within our families, romantic partnerships, close friendships, and caregiving relationships. Many common assumptions about privacy are upended in the context of these relationships, and many otherwise effective protective measures fail when applied to intimate threats. Those closest to us know the answers to our secret questions, have access to our devices, and can exercise coercive power over us. We survey a range of intimate relationships and describe their common features. Based on these features, we explore implications for both technical privacy design and policy, and offer design recommendations for ameliorating intimate privacy risks.

This is an important issue that has gotten much too little attention in the cybersecurity community.

Posted on June 5, 2020 at 6:13 AM • 29 Comments


RjJune 5, 2020 6:51 AM

Concerning "secret questions", like what was your favorite flavor, etc., one can always answer them in a manner you can remember, but that do not really pertain to the actual question, so for favorite flavor, I might answer "chevrolet", instead of "chocolate". The only way an intimate relation copuld know that is that I told them. This was Samson's mistake in Judges 14:18 [see]

AllenJune 5, 2020 7:25 AM

I think we all agree, intimate questions are a holdover from the early days of the internet and are a horrible means of two factor authentication. I hate them. I make up completely fake answers and write them down on a sheet of paper, and hope I don't loose the paper.

AllenJune 5, 2020 8:15 AM

I realized a threat this week that is obvious now, I am not sure why I didn't notice it before. Teleworking is new to me due to COVID-19. I have a work computer and a personal computer, but I use Chrome on both. I realized since I allowed Chrome to synchronize history and bookmarks, my personal and work history is available on both computers.

This is a variance of the intimate threat problem, but in this case the threat is my employer who has access to my work login and through Chrome synchronization has access to my personal life. I logged off all synchronization features as best I could find them.

Clive RobinsonJune 5, 2020 8:18 AM

@ Bruce,

Ww generally talk of external or internal threats the difference effectively being due to trust relationships and the information so gained. Thus we talk of "external threats" and "insider attacks".

In reality what is the difference between an "insider attacker" and an "intimate attacker"? Other than the level of betrayal felt by the injured party.

Clive RobinsonJune 5, 2020 8:40 AM

@ ALL,

This may not do your "intimate relationships" much good as many insist that you "share", but when wearing the green one fact was regularly drummed into our heads,

    Don't leave ammunition for the enemy.

The general rule of thumb is that more intimate relationships fail than succeed, what you might call a learning process. When intimate things fail it is rare for it to be amicable, thus you gain an enemy. As divorce lawyers will tell you intimate details can be used to gain advantage thus a better settlement. Which means you are effectively encoraged to be enemies for your own protection...

So remember as they used to say in WWII,

    Pillow talk costs lives

If you do not have a reason to trust then don't. And even at the best of times human emotions are very bad reasons to trust others as they are a form of chemical insuced self delusion. It's why the likes of Facebook etc are goldmines for material to exploit people by.

Oh and the worst offenders are those that "big up" their egos, on the "If you know what I know" idiocy principle. It's actually one of the reasons many criminals get caught, because they "mouth off" or "flap their gums" infront of others to "big it up" and thus one or more people who hear it convert it to material gain as Confidential Informants" (CI's).

As was once pointed out by someone way more famous than the rest of us,

"Three can keep a secret as long as the other two are dead."

bcsJune 5, 2020 10:31 AM

I suspect a major issue in the realm of intimate threats is that it is common, expected and reasonable for some intimate relationships to *want* a high degree of non-privacy; e.g. I'd be very reluctant to marry someone where we didn't feel comfortable enough with each other that sharing most everything becomes a non-issue.

But, fallen man being what we are, that can then somewhere down the line turn into an "intimate threat" situation and now you suddenly need to reverse course, and do that with a formally trusted advisory.

I don't know how to solve that flavor of the problem. The best I've got is don't let people that close (both in op-sec and in marriage) unless you intend to, and have reason to believe you can, make it work for the long term.

JonKnowsNothingJune 5, 2020 10:35 AM

I play MMORPG games.

Passwords and account access restrictions are important because people do link CCs for on-line in-game purchases and getting the CC removed the account isn't half as easy as might be, so most/many/some/few actually remove the CC after they buy up a load of In-Game-Store-Tokens. In addition, losing your account to a hack means: You lose everything.

Security features though are only as good as both ends make them. If the game servers are breached and data stolen, there's not much a player can do.

Some games are notorious for "Gold Sellers", these are professional companies that rank up a character and outfit it with the latest max armour and weapons and then sell it for real money. These are outside the game transactions and generally Not-Allowed but Real Money vs a phalanx of prisoners spending 18 hours a day running a min-max script is an never ending EULA/TOS enforcement issue.

Most games have a Do Not Share Your Password/Account protocol. If your account is hacked (verifiably), the game company "may" give you enough stuff to restart at L0. Many won't because it opens up too many "false claims".

The really tough situations aren't were you shared your account with a significant other or business associate, but where you share an account with siblings and family. Many games have a family subscriber tree with a main account at the top and sub-accounts for family members. When these accounts encounter an unhappy parent or sibling that learns your password, maybe because the parent wants to log in an make sure your chats are within parental parameters so everyone has the same or similar password, and then removes or deletes things, the entire server knows with collective "oh noes"....

Some games have a recovery option if you want to "undelete" and rage-deleted character. Most games cannot help you at all if your account it taken, your password changed and your email contact is altered. When a high level account is worth $$$,$$$ (depending on the game), the bad folks are looking for ways to get it. Family isn't motivated by money but by spite. And no game company can help you there.

AlanSJune 5, 2020 11:41 AM


That's what I do as well. If my password is a randomly generated 20 character string, I use different randomly generated 20 character strings as answers to each personal question and store all the questions and the responses in the password manager.

RobWJune 5, 2020 12:05 PM

So Bruce, no ORCID number to identify you in your academic works?

Just not set one up, or a security concern? If the latter, I'd love to hear your view!

(And now I'll go read the paper itself... sounds fascinating.)

caryatisJune 5, 2020 12:18 PM

I'm really glad to see smart people addressing these problems and I agree that they have not gotten enough attention in the past. One reason for that is that the media likes to frame domestic abuse as a "woman's problem"—in fact it's a potential threat for all of us.

I've noticed that secure messaging apps put in a lot of effort to secure messages against outside attackers, and not a lot of effort into ensuring that your correspondent cannot share your messages without your permission. Why isn't screenshot protection and exploding messaging routine on every app?

NoahJune 5, 2020 1:24 PM

I like the concept of deniable hidden content, like how Veracrypt can have sub-containers that open with a 2nd password. You could imagine this working in other situations, like conversations that are invisible by default in a messaging app, etc. This way even if someone (partner, border security, abductor, etc.) forces you to "unlock" everything, the most private stuff stays hidden, and it's existence can't be proved. Fake security answers and such assume the person can't just say "tell me the answer or I hurt you".

NorioJune 5, 2020 1:25 PM

Thank you for the very timely article about "intimate threats." In these times of pandemic lockdowns, the frequency of domestic abuse, and one assumes, the frequency of threats to privacy from intimate associates, is displaying explosive increases:

NoahJune 5, 2020 1:28 PM

One more thought, what about hidden accounts? I already have a dummy account on my phone, but you can see that there is a 2nd account. What about an account that doesn't show up, and you have to enter the username as well to get in? It would be separately encrypted, and all the apps/accounts would be invisible to an attacker without considerable technical resources. If I give you my unloked phone in my primary account, you have no way to know about the 2nd one.

DougJune 5, 2020 2:22 PM

JonKnowsNothing's descriptions of similar problems in the MMORPG space makes me think of problems in the corporate space that are a different side of the same coin. We have employees who want to share their passwords with co-workers so they can back each other up.

It's not perfect, but so far, we're able to eliminate nearly every need for sharing passwords by implementing the appropriate granularity of permissions. For example, an old e-mail system didn't have a way to grant access to another mailbox or calendar, so the CEO (we'll call her Janelle) shared her e-mail password with her executive assistant (we'll call him Don). That way, Don could check e-mail for Janelle when she was away from the office, but could reach Don on the phone, but while she didn't have electronic access. And he could manage her calendar. It was a great day when that e-mail system added the ability to grant proxy access. (It was typically read-only; but even when it needed to be read/write, there would at least be an auditable record of Don sending the message on behalf of Janelle.) Another example is when Janelle wanted Don to be able to access her Home drive. Rather than sharing the password, we set up a location where she could store files that only the two of them had access to.

So, in the MMORPG case, if a parent needs to have parental control of the child's sub-account, that should be handled with granular permissions so that the parent can log in with their own credentials, and they can do what needs to be done. Whereas having the parent use the child's credentials, there is no way to limit what the parent can do, and no way to audit it.

(In addition to manager/employee and parent/child, other pairings with similar needs can be co-worker/co-worker, spouse/spouse, sibling/sibling, and friend/friend. They don't have to be hierarchical.)

Now, not all products have such granularity, but if those who care about such things push for such features, we can greatly reduce the temptation for people to share passwords. Sharing access to the information is one thing, but if it can be done through separate identities, that will reduce (but not eliminate) the risk of abuse. Let's make it easier to do the right thing.

Of course, intimate partners are a situation of a different magnitude than a parent/child MMORPG account. But many of the lessons carry over. Look for applications that allow both partners to see the same data, but using separate credentials. Strive for solutions that allow those you trust to share access to the data, but not share your identity.

(As I read through this, I realize that it is drifting away from the points of the original post regarding knowing the answers to secret questions and holding coercive power. But it seems at least tangentially related.)


JonKnowsNothingJune 5, 2020 3:46 PM



Eons ago, in a Earth far far away...

A prominent CEO of a mega corp, was accused of some nasty email exchanges. The proof was the emails making allegations of (fill in the blank). There was a lawsuit and the CEO was adamant that this never happened.

Once the email chain was forensically examined, which was new news in that epoch, it turned out that the emails were sent by the person who made the accusations. They had access to the CEOs office and sent the emails from there. They also had access to the passwords and logins as you described (backup redundancy).

Once it was proved that it was faked email chain, the lawsuit collapsed.

It was a nasty affair and cost a lot of money to fight, and reputations were trashed, and all sorts of fallout.

We were more trusting in those days.

UntitledJune 5, 2020 3:49 PM


What about an account that doesn't show up, and you have to enter the username as well to get in?
As in Windows NT, 2000 and XP (AFAIR). Now, convenience outweighs security.

lurkerJune 5, 2020 6:01 PM


This was Samson's mistake in Judges 14:18.

and again [!] in Judges 16:17.


But, fallen man being what we are...


And even at the best of times human emotions are very bad reasons to trust others as they are a form of chemical induced self delusion.

Samson's hardly a poster boy for this subject: he fell for every bit of passing skirt, and then gave in to pillow talk whining, twice. Even when we have technology undreamed of in Samson's time, the problems can still all be traced back to the meat-space.

myliitJune 5, 2020 6:30 PM

Our host in the making. From the OP.

“One of us (Bruce) remembers that as a child he once brute-forced a combination padlock in his house. A four-digit lock’s 10,000 possible combinations might be enough to keep out a burglar, but fail against a child with unlimited access and nothing better to do that day.”

Freezing_in_BrazilJune 5, 2020 6:36 PM

I'm glad to know that one of my biggest areas of both personal and professional concern has been addressed so nicely. Kudos.

When Alice takes an affirmative step to stop sharing her location information with Bob, Bob is explicitly notified in the iMessage chat that “Alice has stopped sharing location with you.”

Breaking up is hard to do.

Trust no one.

JonKnowsNothingJune 5, 2020 8:23 PM



Trust no one

This is not as easy as you might wish.

While the topic is how someone can gain access to your stuff because they know too much about you, your name, your first car, pet's name, date of graduation, favorite film, all of which any good friend might know from ordinary chats (back when we could have face to face visits), there is another group of that gains access without being a LEO is the UpSkirt groups.

These are folks ready willing and more than able to take images of people without them having the slightest idea they are being used for personal-gratifications.

The images and videos can capture everything about you, if you are accessing a device, talking with friends, typing on that mini-self-correcting-wrong-word-selector-AI keyboard.

LEOs do something similar but in theory, they are not supposed to "cross that line". They do so regularly and every spy movie has a least one honey-bear in it.

So, if are really trying to Trust No One, you may need to be around no one and live where not even a Recon Satellite can spot you. The satellites are doing a great job of spotting 3,000 year old Mayan ruins, so I'm not sure how successful that strategy is.

You cannot hide. Honey-Bears are everywhere.

ht tps://

Upskirting is the practice of taking non-consensual photographs under a person's skirt or kilt,[1] capturing an image of the crotch area, underwear, and sometimes genitalia. An upskirt is a photograph, video, or illustration which incorporates an image made by upskirting.

The practice is regarded as a form of sexual fetishism or voyeurism and is similar in nature to downblouse photography. The ethical and legal issue relating to upskirt and downblouse photography is one of a reasonable expectation of privacy, even in a public place.

ht tps://
ht tps://
ht tps://
ht tps://

it was disclosed in UK media that a number of undercover police officers had, as part of their 'false persona', entered into intimate relationships with members of targeted groups and in some cases proposed marriage or fathered children with protesters who were unaware their partner was a police officer in a role as part of their official duties. Various legal actions followed, including eight women who took action against the Metropolitan Police and the Association of Chief Police Officers (ACPO), stating they were deceived into long-term intimate relationships by five officers, including Mark Kennedy, the first officer to be identified as such, who was publicly identified on 21 October 2010[1][2] as infiltrating social and environmental justice campaigns,[3][4] and Mark Kennedy himself who claimed in turn that he had been incompetently handled by his superiors and denied psychological counselling.[citation needed] According to The Guardian,[5] Kennedy sued the police for ruining his life and failing to "protect" him from falling in love with one of the environmental activists whose movement he infiltrated.

ht tps://
(url fractured to prevent autorun)

myliitJune 6, 2020 5:03 AM

Perhaps, not OT

“An oversharing grandma’s court case offers lessons on setting boundaries for kids’ online privacy

A court in the Netherlands recently ruled that a grandmother had to take down pictures she posted on Facebook of her grandchildren. The children’s parents did not give the grandmother permission to post the pictures, and her daughter, the children’s mother, sued to have the photos taken off social media.

The court sided with the mother and required the grandmother to take down the pictures.

... When parents post about their children, kids sometimes are upset about it, but kids generally have no right to control what their parents share about them online, a phenomenon known as “sharenting”. However, parents sometimes have control over what health-care providers, schools and businesses post online about their kids. It gets much more complicated, though, when someone else shares — like a grandparent, friend, sibling or stepparent. ...”

Clive RobinsonJune 6, 2020 7:00 AM

@ mylitt, Bruce, ALL,

    "A four-digit lock’s 10,000 possible combinations might be enough to keep out a burglar, but fail against a child with unlimited access and nothing better to do that day."

They used to say that,

    Necessity is the mother of invention.

However "Curiosity" is the fundemental reason we learn about our world.

I remember learning not only to undo combination locks by "feel" at an early age, but also how to pick simple bike locks and desk/cupboard locks with home made skeleton keys and later picks. And at some point learning again self taught how to do what is called in the profession "impressioning".

My parents used to tell other adults as a precautionary tale about "curiosity" of certain bad habits I had when younger than four, that I don't remember. Apparently my little fingers had learnt some technique for "worrying" nuts and bolts, such that given time I could undo them without the need of spanners etc and amongst other things had taken the bolts out of a set ot wooden step ladders much to my fathers anoyance when they fell appart on him one day.

However I think he was only briefly annoyed, because unlike my mother he actively encoraged my curiosity and tinkering. It occasionally went wrong like when I chopped the corner of my index finger off with a "Stanly knife" (modeling knife, like an up market box cutter). But it grew back so nothing real lost and a lesson learned... Which is not so much cutting yourself hurts, which it does, but it carries on hurting, then itching, and finally is to soft for half a year, which when you are eight is a very long time :-(

My curiosity with locks taught me not just to impression keys but how to cut keys on sight, which later gave rise to me about using photographs for cutting them. Which supprised our host Bruce when I first mentioned it, but then enabled us to all have a good laugh at the TSA for being idiots when they published a photograph of all the TSA approved luggage lock keys.

It's also enabled some as we now know to use 3D Printers to automate the process of key cutting...

But curiosity also leads to reading, and when young I read adventure books and graduated onto detective stories and SciFi. I worked out by accident when very young how to make fake finger prints. From a very early age I used to collect the red wax from Edam Cheese, it had some nice properties that whilst fairly solid at room temprature it became nicely soft at hand temprature if you "worked it". The problem was in working it your fingerprints showed up. The only way I had to get rid of them at the time was to roll the wax into a ball in the palms of my hands. A little while after that in junior school I got to play with "Copydex Glue" it was the "Pritstick" of it's day and considered to be unhalmfull to very young children. Also known as "Rubber Solution Glue" it had an anoying property when it dried on your hands it made a transparent layer like a second skin. As kids we quickly realised you could use it to make "fake wounds" to scare other kids with, and was as much fun as the "finger in the matchbox trick". At some point I realised that you could make a mould of somebodies finger print with the warm Edam Cheese wax and then paint Copydex in it to make "fake fingerprints" all good fun. But it was not untill I showed other kids how you could use a little light oil or grease (fat from cooking a chicken works) to actually leave a fingerprint on objects, that my brain suddenly realised just how powerfull it was in that you could also put the fake skin with finger print onto gloves and leave false evidence.

I thought it was "pretty neat" but some time later on when reading a Sherlock Holmes Story about a crooked builder who faked his own murder that it mentioned using a finger print impression used in a wax seal on the back of a letter to make a fake finger tip to leave a finger print in blood to frame a solicitor.

However it sparked a life long interest in "faking forensics" and later "faking biometrics" which has led me down all sorts of twisty little passages of science most will never have heard of...

So if you have young children that exhibit "curiosity" I'd encorage it a lot, they might not be rich and famous but they will I can assure you have more fun in life than many many others as you will open their minds "To a World of Wonder". They will also learn the important lesson in life that too many people make assumptions and get led astray by them and what are little more than simple parlor tricks. The fact the average person does not know something is possible, should not be taken to mean that something is impossible or even improbable if not actually very easy to do. Most "Guild Secrets" were kept not because they were special or clever but because they enabled Guild Members to profit substantially by others ignorance. The only difference today is we don't call them "Guild Secrets" any more at best "Trade Secrets" or by a slang such as "The Knowing", "Knowledge", etc.

The classic example of this "Guild/Trade" secret is "Hotel keys", where there is a "Hotel Master Key" that opens all doors, "Floor Masters" that open all doors on a floor for cleaners etc and "Suite Masters" where several rooms can be turned into a suite of rooms for more well healed guests with their own servants, assistants, or family. The myth sold by locksmiths is that such mechanical lock systems are "more secure" than ordinary locks and keys, when in fact they make the locks easier to pick etc... This myth also alows them to charge between five and ten times as much for each lock, and ten to twenty times as much for each key, compared to an equivalently secure lock from your local large DIY store.

vas pupJune 6, 2020 5:13 PM

@Bruce: After attentive reading of the article, this part caught my attention in particular:
" in Norway, all salary data is public—but searches can’t be conducted anonymously, and people can see who has viewed their
salary [126]."

That should be basic principle for accessing your data in the public domain(financial, address history, other PII you name it). For sure LEAs and ICs find the way to bypass this indication of access, but it should supervising authority having access to information who actually did search, i.e. log should remains anyway.

@Clive Robinson • June 5, 2020 8:40 AM - 100% agree with every word in your post because they resonate absolutely with my thoughts as well.
Just sometimes it is your own choice to know truth (are you ready to handle the truth?) or otherwise.

@all: should kind of civil agreement (contract) define level of sharing of IT related information between partners? e.g. loving couple could have personal banking accounts + mutual account.

RachelJune 6, 2020 6:00 PM

Appreciate the comments

Mental health is a part of security. Being able to trust and be trusted is an essential part of mental health. And part of the toolkit of an adversary is inflicting paranoia and psychological harm. I'm sure many readers here have suffered the paranoia of enforcing 'good enough' InfoSec/CompSec even when the threat model didn't require it. There's a bit of a learning curve there, a rite of passage if you will

I wish to contribute from the perspective of intimate relationships, it's not
a zero sum game. Casual encounters, okay, whether a honey pot or not you're an idiot if you pillow boast.

Long term relationships : there are things your spouse simply doesn't need to know. They don't need to know your passwords. Trust and intimacy can exist simaltaneously with boundaries. Provided you have integrity and don't abuse that ability to have boundaries, don't abuse it and then wonder why things fall apart.
(Pro tip: integrity is not a known feature of the sorts of people attracted to certain occupations = marriage failure. Integrity and trust is a two way street)

I knew a woman who kept her handbag in the front seat with her when driving no matter what, never let her husband touch it, never let anyone touch it. Never let the most trusted person know her PIN.
just certain bad exeperiences taught her so well, she knew she would NEVER cross certain lines again. And good for her. It's got naught to do with intimacy plus or minus, she was just street smart.

But please lets not go down the path of, oh well emotions are dangerous things so don't trust, and don't love, because there is that divorce waiting around the corner, and of course huamn beings aren't THAT important..

that's only if you want to be a reptilian brain sociopath like a Dr Strangeglove character. Or get cancer because your heart has turned to stone.
And its exactly the sort of soul destroying wreckage the adversary wants to impose. It's one of the first chapters in their manual.

Keep Secrets - and continue to LOVE

with love xoxoxoxo

JonKnowsNothingJune 6, 2020 8:42 PM


re: Mental health is a part of security

Some good insights in your post!

There is the other aspect of Mental Health were illness is a component. There can be physical and mental illness that has aspects that can be exploited.

There are relationships we have "expectations" of trust, family, lovers, doctors and clergy. In our current society all of these have been eroded until really there isn't any "trustable" left to trust.

It's not all one side of the equation, clergy doctors have repercussions if they "trust" their patients and something goes pear shaped and patients may find their health histories blabbed all over the internet because it was part of a Data-Exchange-Packet. Your stuff for their AI bot.

Globally, current events are demonstrating "who can you trust?". The results are not encouraging. As trust erodes it becomes harder to regain.

With COVID19 decimating populations, in the USA my health care provider is trying to replace Face2Face MD visits with video/internet ones. The provider seems to be completely unaware or ignoring that sending certain photos of one's body over the internet can and will run afoul of many Internet Laws in the USA, and many of those have draconian sentencing guide lines.

When your MD says send me a picture.... are you going to do that?

NorioJune 8, 2020 1:14 PM


What about an account that doesn't show up, and you have to enter the username as well to get in?
As in Windows NT, 2000 and XP (AFAIR). Now, convenience outweighs security.

You can set up more recent versions of Windows so it doesn't show UserNames (previous or list), by using local group policy. You can even set it up so the system doesn't show the username when coming out of a locked session.

gpedit.msc->Computer Configuration->Windows Settings->Security Settings->Local Policies-> Security Options->Do not display last user name

Right above that is "Display user information when the session is locked."

vas pupJune 8, 2020 1:23 PM

@Rachel and @JonKnowsNothing:
re: Mental health is a part of security

Security has so many aspects that is up to Moderator to decide what comments are actually related to blog and which are not. Hopefully, decision is made not on the blogger identity, but only on the content of the post itself.

I posted many times articles related to personal security in detention centers(prisons), in mental health facilities, during suppressing of mass protest around the globe (for both LEOs and protesters), national security related to newly developed weaponry utilizing drones, AI, but almost all of the were deleted by Moderator.

As Bruce suggested, host defines the rules for guests, not wise versa.

k15June 10, 2020 8:12 PM

Are the larger email&other service providers aware that their clients would pay for features that would allow detection of unauthorized access or other monitoring attempts? whether successful or not.

The Red Squid of PassionJune 11, 2020 12:48 AM

I would've thought that Intimate Threats are just a specialized form of Insider Threats, and both are a special case of Man In The Middle. For what it's worth.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Sidebar photo of Bruce Schneier by Joe MacInnis.