Security for your organization
- 1 Privacy and security breakout session
- 1.1 Current Initiatives/ideas
- 1.2 Issues with writing a code of conduct
- 1.3 What guides do we already have?
- 1.4 What about the International context?
- 1.5 Emotional aspect of the problem and solution
- 1.6 Language question - How do we talk about online harassment? What terminology do we use?
- 1.7 Issue of Behavior change
- 1.8 Main points that came out of the discussion
- 1.9 Action Items
Privacy and security breakout session
Current Initiatives/ideas
Create user guides (written, but also videos) for law enforcement about the laws that currently exist that can protect them.
- The same approach will not work for everyone. Not all users will feel comfortable calling law enforcement for help depending on race, sexual orientation, etc.
- Frequent problem with law enforcement: they do not understand what the technology is or how it works. This is specifically true for local level law enforcement as well as Federal agencies. Many times the cybercrime units only deal with fraud, not cyberbullying.
- A lot of education is providing a precedent or back up to confirm that they are doing the right thing, acting in the right way.
Crowdsourced project discussing what policies should look like → a sort of code of conduct. Difficult balance between social norm and code of conduct → can be counterproductive in some circumstances.
Issues with writing a code of conduct
Legal policies and setting a code of conduct are seen as overlapping. It becomes nitpicking because of the question of the legal aspects involved. Legalistic approaches slow down the conversation and are all about the edge cases.
A better way to approach the situation may be to go with an affirmative approach → frame everything positively, but the drawback is that this approach does not build in any consequences when the system breaks down.
Could allow the people in the conversation to decide the best way to write a code of conduct. Ex: the Contributor Covenant → special because people want to be involved, agree that an established set of norms is important, and want to be heard.
Possible Action Items: Guide for law enforcement, and should have a guide for users as well → Defend yourself.
What guides do we already have?
EFF (SSD) has scenario-based guides, but they do not have a gender perspective and do not encompass the international context. EFF is planning to have threat modeling (a series of questions to go through: who you are, what you do, where you are from, etc., that determine what issues you should be concerned about and what your resources are to defend yourself).
No law enforcement guides currently exist.
What about the International context?
- Difficult for individuals to see that they are being harassed and what the threats are. Has to do with education and people feeling that it is ok to feel vulnerable and ok to be upset about it.
- Frequently a problem for women specifically. Women feel isolated, so they need local intermediaries.
People become more active about security when they find a support network and no longer feel isolated.
Manuals need to be maintained by the community and need to train people how to use the technology.
Maybe the best solutions need to come from local communities. Ex: Free the library project (Alison Macrina) → security tactics for librarians.
Emotional aspect of the problem and solution
- Best to go through a risk analysis before you are under attack.
- The norm is to be harassed, so people do not realize there is another type of experience possible. This is why collective action is important; to realize other people have had similar experiences.
- Need to acknowledge that harassment is happening to a person; in a lot of ways, helping targets of abuse is more about social care and less about technological tools.
- People are not familiar with the different scenarios, so it is important to provide examples in public guides for users.
- Empowerment takes time.
- Victims frequently do not think their case is that bad or cannot compare to the few cases of online harassment that they are familiar with.
- Guides, especially regarding security, can be taken as victim blaming: “Why didn’t you create a stronger password?” etc. Also, not a good idea to insist that they are a victim. Not helpful to let the harassed person feel like a victim → counterproductive to building confidence and empowerment.
One similar example that demonstrates how people feel when attacked is bankruptcy:
- People feel it is their fault and tend to avoid the problem.
- One helpful approach: self-affirming exercises before people need to go through a difficult experience (filing for bankruptcy; or in this context going through a risk assessment).
- Need to give people the tools to help them deal with difficult experiences → might need to be more of an emotional approach.
Language question - How do we talk about online harassment? What terminology do we use?
- Everyone is harassed
- How to make people feel that it is ok to talk about online harassment
- The more inclusive we get, how do we account for including the perpetrators? The reality is that the perpetrators were probably harassed at some point in their lives.
- Risk assessment vs. threat modeling → why do we use this language? Because it is the term that was used in the technological sector when talking about security on the internet → originally was a military term. These are very intimidating terms → better to ask questions like, “What are you worried about?” “What are you afraid of?” etc.
- Language of forming questions and solutions can take on a militaristic bent, which can play out differently in different contexts.
- When people are under stress, they have a harder time absorbing information and have a tendency to shut down.
- We should move away from the term harassment because there are multiple forms of technological attacks → usually security attacks: swatting, doxing, etc. We really should talk in more specific terms.
Issue of Behavior change
Need to be integrated into the guides
Example from Shauna: game teaches threat modeling in a specific context → teaches users that security evolves with the evolution of tools and products.
Main points that came out of the discussion
Being intentional about language →
Talk about security in a global context, but need to implement at a local level
Action Items
- Create a special Slack account to continue the discussion
- Share lists of guides → spreadsheet to see where there are gaps in what guides are available.
- Create a new language → think about an alternative framework ex: holistic security, digital assault, information assault, target instead of victim?
- Address how to make guides global, but not US centric.
- Putting guides in context → individual privacy and security
- Codes of conduct → try modeling that in our discussion group.