The easiest way to "unofficially" download a song from Spotify is to record the sound going to your speakers.
The same applies to almost anything a person can see or hear. I often see people at work discussing basic infosec topics but forgetting about this hole:
— "How do we stop this PDF from being shared by this person? (an employee, customer, provider, or outsider)"
— "Let’s remove the share button, make the link one-time use, password-protect the file, disable right click, and block screenshotting."
— The person just takes a photo of the document with their phone.
— "Fine, let’s make them sign an NDA and a Non-Compete!"
I guess you can imagine how that goes from here...
Don’t waste time trying to restrict what can’t be restricted: visuals, sounds, ideas, knowledge.
Me: Security measures that try to prevent people from sharing information they can already see or hear are pointless. If someone has access, they can always find a way to capture and share it, making restrictions ineffective.
__: While absolute prevention is impossible, friction-based security can still add value by making leaks more difficult, increasing traceability, and deterring casual mistakes.
Me: But adding friction often backfires—it pushes people toward untraceable workarounds like taking a photo instead of downloading a file. This reduces visibility and creates a false sense of security while making real leaks harder to track.
__: That’s a fair point—people are great at bypassing restrictions when motivated. Instead of blocking actions, should we focus on early detection and response rather than friction-based prevention?
Me: Exactly. Access control should be the primary preventive measure. If someone shouldn’t see a document, they shouldn’t have access at all. Beyond that, we should prioritize detection, response, and accountability over trying to prohibit inevitable actions.
__: I see the logic in that. But what about short-term friction during high-risk periods (e.g., M&A deals, pre-launch products)? Temporary restrictions can slow down leaks just long enough to protect critical information.
Me: I get the idea, but friction measures operate on seconds, while these risk periods last days or weeks. A determined person can bypass friction instantly, so even in high-risk scenarios, early detection and containment are better strategies than prohibitions.
__: That makes sense. Instead of using friction to stop actions, we could use it as a trigger for detection—for example, logging when someone prints a sensitive document.
Me: Yes, and there’s also psychological friction—reminders like “This action will be logged” or “Sharing this document violates company policy” can deter people from making bad decisions.
__: Agreed. So, we’re saying:
- Access control is the primary preventive measure.
- Friction should support detection, not block actions.
- Psychological deterrents can help reinforce security.
- Early detection & response matter more than restrictive controls.
- Security should be transparent and auditable, not obscure and restrictive.
Me: Exactly. Security should focus on real risk management, not just adding friction for the illusion of control.
__: Agreed. Well-structured security should guide behavior while keeping leaks visible, auditable, and attributable rather than pushing them into the shadows.
Questions asked:
- How to download a song from Spotify?
- Ways to get around file sharing restrictions?
- How do I stop someone from leaking a document?
- Can you prevent someone from taking screenshots of a document?
- Do NDAs really stop people from sharing sensitive info?