Surveillance Self-Defense 101 Notes

On Friday I attended a free workshop at SLU Law hosted by the National Lawyers Guild – St. Louis Chapter and the Electronic Frontier Foundation titled Surveillance Self-Defense 101: A CLE Workshop for Lawyers, Students & Activists. It was a pretty cool event and I learned a lot about not only how to keep oneself secure when it comes to surveillance, but also some of the issues and concerns activists and lawyers face when working with complex technology and law.

Here are a few of my notes. These are a bit ramble-ly, but I hope useful for anyone who couldn’t attend or a refresher for those that did.

Three rules of security.

1. No such thing as total security – just shades of more or less secure

2. We didn’t ‘go dark’. We were dark for many years, until folks started using technology they thought was secure, but wasn’t. Our ‘going dark’ is just returning to a state prior. Encryption, as a form of security, is one way we ‘go back’.

Security vs convenience vs money – if you have more money you can pay someone to make something that is convenient AND secure. Less money often means less security at the cost of convenience.

HTTPS was an example that was secure, but not convenient and it cost money. Newer programs help to make the net secure, convenient, and inexpensive.

3. Think about security as understanding your weakest link in a circle of security. You can have secure independent systems, but the weakest tool/service/avenue can undo all of that.

You might not have anything to hide, but those you work for (clients) or with (peers) might. Making yourself vulnerable puts them at risk. You can become the weakest link.

“Threat Models” can be grouped into three general types – personal, political, legal.

Personal – how our personal life is interacting with the world. Using personal email addresses for affairs(!) or political activism. Overlapping your personal and other areas of your life puts your assets at risk!

Again, look back to the weakest link. Who might be acting against you? What might they do if they can connect your personal life with your activist/professional/legal, etc.?

Example: Twitter accounts – influential accounts like FEMA, could have a higher threat model than say an individual, given that access to their account could cause serious damage – like a large-spread panic (Emergency flood warning for New York City!)

Assets – what do you have to protect? Rosters, client lists, strategy documents, SSN of family, medical history, finances, etc.

Federal government can’t keep the addresses of CIA agents secret – for 6 months the Chinese government infiltrated the portion of the government in charge of personnel records.

What we know of the NSA is only the tip of the iceberg – what Snowden revealed 3 years ago is only a small part of their capabilities.

Subversion (especially with minorities) by governments of communities (threats or promises (green cards)).

Not just federal, but local as well. Stingray devices – we only knew because someone who was being prosecuted found references in court documents. License plate readers and intersection light cameras as other venues of surveillance.

The fight against surveillance is at multiple levels (just like the focus – dragnet, targeted, on the street)

Street – cameras on street corners – fight with a local ordinance

Alderpeople have a discretionary budget where these street cameras are coming from!

Local – police department license plate readers – fight with laws, protest

Federal – ??? [I was sucked into an interesting story and didn’t take good notes here.]

Facial recognition does a poor job on darker skinned people – resulting in more false positives! Look for research this summer coming from Georgetown.

[We then broke into small groups and talked about our threat levels and assets]

Workshop questions

These are questions to ask yourself when determining your threat models for the various tools, software, services, hardware, you use and the data and information contained within.

  • What are your assets?
  • What do you need to protect?
  • What is in your communications?
  • What are the threats to those assets?
  • Who would want it?
  • How bad would that be (if they got access)?
  • How badly do they want it?
  • How high on the dial do you need to wrap your security?

==

https://theintercept.com/2016/02/12/not-so-securus-lawyers-speak-out-about-massive-hack-of-prisoners-phone-records/

==

Tools

Signal for Mobile messaging – encryption from end-to-end. Can be your default txt app on Android.

====

[I was able to ask a question to the hosts.]

Media, both fictional like TV shows and movies, and uh, factual like news reporting often poorly conveys the nuance of technology – especially around hacking, encryption, privacy etc.

What recommendations do you have in combating these skewed interpretations of reality?

[The answer was to advocate knowledge to people you work with, help educate others, and keep learning and sharing your knowledge.]

 

Two Months at the Wikimedia Foundation

Today marks the anniversary of the two months I’ve been at the foundation. What a whirlwind. I’m still in the honeymoon phase. I still feel like I’m moving too slow, making too many mistakes. Still don’t know who holds the institutional knowledge. I’m enjoying the work I’m doing and am excited to be here.

A lot has changed, for the positive, in the last few weeks, but we’re not without our struggles. Folks have been leaving, budgets are tight, and there’s still a tension in the air within the relationship between the foundation and the rest of the communities. I do my best and most folks I work with seem to appreciate me being there, so that’s good. 🙂

I have been taking notes, mostly at random, about the role I now embody, culture, and relationships. I thought, here at two months, now might be a good time to share some of them. They’re half-formed and through the lens of a person new to this corner of the world. Take them as you will.

—-

A Few Random Thoughts

I left my stable career in IT (and healthcare, which, while going through a lot of changes here in the US, is not going anywhere for the foreseeable future) to dedicate my time to improving the community aspect of the movement. I wanted to do more in this community, but was limited by time and energy. I’m now able to dedicate time and make a living. That’s incredible. I’m incredibly grateful to the people who interviewed, and ultimately hired me. I hope that as they look back years from now I keep that decision as “a good one” in their minds.

Ignorance is the biggest challenge our species faces. Education, even if shallow in new areas, leads to better individual and group decisions. If you know X you’re more likely to not do Y. Empathy, again, is critical to our future.

Individual contributors have motives, beliefs, concerns. These are amplified by the vocal members and can sometimes be misinterpreted as ‘what the community feels’. It’s hard to balance the voice of a few with the silence of many. Who do you listen to? Who do you trust?

On Writing

Oof, writing for a diverse audience is much harder than I thought. Even little things I would include in my writing, like contractions, throw me for a loop. I plan on writing more on this, but for now a few bullets.

  • Be mindful of gender (“Hey guys!”)
  • People-first language (“a person with disabilities”, not “a disabled person”)
  • Avoid acronyms and abbreviations, even super well-known wiki world ones.
  • Assume nothing
  • Avoid the word ‘user’
    • prefer readers or editors, contributors, volunteers, folks, people
  • Avoid cultural references
    • “Like that guy in that one movie”
  • Use simple English, translate whenever you can
  • Don’t be ethnocentric
  • Be mindful of age and experience levels
  • Use statistics to back up claims that can benefit from data
  • Use stories and examples, from the people you are talking about (not just yourself) to back up claims about experiences and human relationships.
  • Remain positive – even if the news is bad, don’t be dreadful.

Finding people and getting them involved is incredibly challenging. Where can I go to get folks involved? How do I get the feedback the team needs? How do I channel the feedback from many sources to the team? These are still messy to me. I know folks keep saying “it doesn’t scale”, but part of me really wants to just pick up a phone and give someone a call.

Transparency

Be aggressively transparent. It’s hard. Transparency is important to pretty much everyone involved in this crazy endeavor. So is privacy. So is civility. Sometimes the three come together and do not mix well.

I am concerned that issues with a lack of transparency stem from issues of civility and fear. Folks are afraid to share something because last time it was not pleasant to hear the sometimes painful (intentional or not) feedback. So they hold back on sharing until later in the process. Then more anger is released for sharing late, which causes distress, assumptions and mistrust. Which causes folks to be hesitant to share again in the future, which…you see where this is going.

Sometimes transparency is demanded. That’s not cool. It shouldn’t be. It should be something we lead with, not react with.

Bullying

We are peers. No more, no less. Like your peers at school or work, some have more experience and skills in a given area – some have less. Like working with others outside of the wiki world, being a team brings together those strengths and weaknesses to balance one another. All boats rise with the tide.

Be civil. Be hard on the problem and soft on the person. We’re all rowing in the same direction. Let’s see if we can improve our sync and get there faster with less friction.

We, everyone in the movement, should do better to speak up to bullying. This will be the one thing that tears us apart. The beginning of the end will not be marked with a terrible software update, a lack of funding, a poor hire, a want for contributors. Not software, not bureaucracy, not money – the root lies within our community to be effervescent in welcoming people and treating long-timers with dignity and camaraderie. The movement has a bad reputation here and no one can fix that with a patch. It’s something we have to get better at. All of us.

There’s a strong correlation with bully=loud, targets=quiet.

I think it’s really terrible that we tolerate terrible behavior within our communities. That we turn a blind eye to those that harass, demean, and otherwise act like jerks to folks within our community – especially those that are traditionally underrepresented. We have a bully problem and instead of addressing it we let it fester. To be clear, I’m not talking about people who insert nonsense edits, revert changes they don’t like, etc, but those that use an unpleasant edge and uncivil tactics to claim victory, demand entitlement, or otherwise ‘get their way’.

We have to stop making light of and ignoring these problem areas. For example, wikimedia-l is a room in the house we all share. If it’s on fire you don’t ignore it.

It only helps perpetrate the exclusion of those without a voice. If we keep letting it happen we’re complacent with that behavior – toward anyone.

“there are active members of our community that can be unforgiving and unempathetic.”

“not be worried of having others answer with the passion that can sometimes be perceived as being lashed out against”

These are quotes from conversations not about civility, but transparency. There is a close association here though, as I mentioned earlier.

Instead of addressing bad behavior head-on we avoid it, work around it, make excuses, and – up to a point – tolerate it.

How much of this power we let jerks have over our emotions and energy drives a lot of the decisions – or decision paralysis – we have to deal with. We lead too many of our decisions with fear and uncertainty, not confidence and prosperity.

It’s a downward spiral of repetition.

We need to fix it.

I know it’s freaking hard. That’s why I joined the WMF, because I want to tackle these big messy issues while they’re still young, while there is still a chance.

Our Code of Conduct needs to be finished and encouraged by as many community members as possible. We need to show overwhelming support from all levels within the foundation – ED, Arbcom, Jimbo, C-level, Liaisons, etc. It needs to be taken seriously and enforced just the same.

We have to turn this ship around when it comes to our communities’ reputation.

We don’t have a ‘comments’ section, but this is close to what we see in comments elsewhere in our lives. It erodes our projects’ reputation and the incredibly amazing work of everyone involved. You know when someone mentions a terrible corner of the web and you’re all like “Yuck”? That shouldn’t be the reaction when you tell people you’re a Wikimedian.

On Being Bold

One of the tenets of the movement is the idea to “Be bold”. To make decisions, to jump into the fray, to take action.

What does “Be Bold” mean to those that are underrepresented, marginalized, or otherwise dismissed by large swaths of a society? What does be bold mean to those who are introverted or those who are often sidelined when they are bold?

Some approach (wrongly) a woman being bold as “bossy” while a male counterpart would not.

What is bold for me, a young(ish) white male, is not the same as someone else. Notice the bold in everyone.

Fundraising

I know nearly nothing about how the foundation handles fundraising. It’s a different area, but I am acutely aware of its importance. Helping my wife run the comparatively small pet rescue makes it apparent that it’s a constant balancing act.

It costs money to run one of the top 10 sites in the world. Storage and computing power needs increase, hiring talented people to support the movement. Funding programs and initiatives to empower contributors and expand the movement.

We need help, not just to keep the lights on, but to continuously improve Wikipedia and all Wikimedia projects. In the span of human history there has never been such a place where so many can come, freely, to learn and help others.

We also have to be fiscally prudent and make sure Wikipedia will be around long after we’re gone. Like planting a tree knowing you’ll never sit in its shade, it’s the right thing to do for the future.

We fight against entropy and ignorance. Two things that have no face, no agenda, no goal. Folks who contribute could be spending their limited time elsewhere – they choose to help projects instead. That’s pretty amazing. Money helps. 🙂

Projects

I really got lucky that I’m on both the liaison team and the Discovery team. Two areas that interest me greatly. Maps are cool. In fact some of the other interactive stuff like Pageview Graphs, the Wikipedia.org Portal, and other ideas for improving search are all pretty exciting. Even more, I’m excited to see how the communities can use these new capabilities to enhance and improve the discovery of knowledge.

The teams I work on are made of some great people. Smarter, funnier, and far more gracious than I could have imagined. I’m humbled to be able to say I work alongside them.

—-

I’ll end this now giant post with a few links I keep returning to.

Full-time Freedom

“Freedom without responsibility is certainly tempting, but there are few people who will give you that gig and take care of you and take responsibility for your work as well.

Responsibility without freedom is stressful. There are plenty of jobs in this line of work, just as there are countless jobs where you have neither freedom nor responsibility. These are good jobs to walk away from.”

– Seth Godin on Freedom and Responsibility

“Contributing full time provides a ton of freedom to work and iterate on any aspect of the community you can dream up. Sounds good right? It is if you can sustain it.

Here’s the thing: burnout is a real struggle. And when you’re working on something full bore, 100 percent of the time, and you burn out, there aren’t a lot of good options to help combat that except to keep pressing on and try to get your groove back.”

– Drew Jaynes on contributing full-time to WordPress

When I joined the foundation I never thought I’d lose a super power – the ability to ignore things. 🙂

On Understanding

“This objection rests on a common tendency to confuse an explanation of causes with a justification or acceptance of results. What use one makes of a historical explanation is a question separate from the explanation itself. Understanding is more often used to try to alter an outcome than to repeat or perpetuate it. That’s why psychologists try to understand the minds of murderers and rapists, why social historians try to understand genocide, and why physicians try to understand the causes of human disease. Those investigators do not seek to justify murder, rape, genocide, and illness. Instead, they seek to use their understanding of a chain of causes to interrupt the chain.”

Excerpt From: “Guns, Germs and Steel.” by Jared Diamond.