Mozilla Open Leaders: You're in, now what?

The next round (Round 6) of the Mozilla Open Leaders programme is now open to applicants. You can find out more about it and how to apply here. But if you want a more personal read, here's my experience of the ups and downs for the record…

First off, I heartily recommend it. I've recently completed what I call MOLP, launched my project (click the logo below to join my data privacy email) and received my certificate of achievement. It's given me skills in project launch and management, working open, Github, online and IRL communities, and mentoring.

Given my project idea, I'm also happy to hear that the next round will feature a 'Data and You' theme. So, if you’re creating tools or raising awareness about personal data, you should apply. You have a very good chance of being accepted.

I have to admit, I wasn't really sure what I'd got myself into before I started. I just knew I wanted to get my idea off the ground. So what was the MOLP experience like?

You’re in! Now what?

After the elation of having your project idea accepted by Mozilla Open Leaders Project comes the realisation that you have to follow through. Now comes the work: 12-14 weeks of commitment. That's always a tough moment. Ideas are easy.

I can’t start without a name…

Some names come quickly, some take forever, some are a compromise that sticks. Someone telling me ‘you can always change it later’ was very freeing. In the end the lack of a name was holding up the project and there came a point when it was all I could think or even dream about. Each week I promised my mentor I'd have a name. It was very frustrating not to click with anything but it also felt important to get it right. Ultimately, my project name (Observed.City) arrived about three weeks in during some date night banter. It was unexpected and perfect.

The long and winding roadmap

The name of the project wasn't actually holding anything up. I was. Procrastination is a given so at least try to procrastinate in useful ways. I read a book on data privacy. I went to some events. I started a data reading group. It’s amazing what you can achieve when you’re avoiding work.

Slay your demons

Start at the beginning – or the end – but just start. Listing your tasks and goals is useful but these can always change. Mine were too rigid: two weeks on finding contacts and doing research, two weeks on creating content, two weeks on infrastructure and set up, leaving two weeks to launch. No no no! This didn’t work. What worked was addressing my demons, ie, too much thinking and not enough doing.

So I turned everything on its head and put out the first issue of my newsletter within a week – for better or worse. I realised that it only needed to be basic because I didn't actually have any subscribers. I wasn’t launching a perfect product, I was launching a minimal viable product. The pretty pictures and structure and subscribers could come later, once I figured out what I was doing.

Under pressure

Fear of failure can stifle a project but just stick with it and something will happen. A few MOLP projects drop out because their scope is too big for a 12-week programme or people underestimate the time it will take – if it's too much, reduce the scale of it or shape it so it fits your time and resources.

One thing I realised from getting my minimal viable product out in half the time was that it then gave me the space to focus on learning how to work openly, improving my Github and being available for the Q&As and project demos.

The pressure also came off when someone said to me: “No one cares as much about this as you.” So very true!

Create serendipitous ripples

Early on in the programme, everything is in your head and there’s a lot of work in learning how to articulate your project and your mission to others. By the end, though, you’ll be so confident about your one-sentence elevator pitch, you won’t even have to think about it.

Just by talking about your project, you create ripples: your own and then those of the people you talk to. Be direct in what you want, tell lots of people, ask for help and connections, offer to help, let serendipity occur…

There are many mentors

Having a mentor was a new thing. I thought, what can I learn from a radio astronomer? But it’s not about learning, it’s about being mentored: having someone to be answerable to, to encourage and support you, to give feedback, someone to check in with each week and talk over any issues. You’ll always be the expert on your project but your Mozilla mentor is there to help keep things on track and get your project set up for open working.

In fact, there are many available mentors when you’re mid-project. There are others in your Mozilla cohort – an academic in Addis Ababa and a New York technologist helped me quite directly on my Readme file and other Github pages, for example. I got feedback from Birmingham Open Rights Group on my approach. Even my family were mentors because calls to action such as ‘Just get on with it because I’m sick of hearing about it’ are actually incredibly valuable in helping you get on with the bloody thing.

Just nod and say yes

I was pushed out of my comfort zone a few times, for example, when presenting an online demo of my project. This was optional and so I was very tempted to ditch out and just watch others. My mentor sent me a long and encouraging email telling me exactly what was involved and said we could rehearse the tech side if I tuned in early. She added that if I could face it, it would be a useful learning experience that would make me feel so much more confident after.

She was 100% right and, despite getting quite anxious when public speaking, I’m proud to say that I’ve now done two webcasts talking to a potential global audience.

It's over!

The newsletter is out there, it’s set up on Github for collaborators to join as and when, and I fully enjoyed and will miss meeting and talking with others from around the world as we all went through our projects together. I won’t lie, I was also happy to get my Tuesday cohort time back.

I feel a sense of achievement and it was much more enjoyable to go through a project launch as part of a wider group. Would I have done this on my own anyway? Maybe, but it wouldn’t have had a deadline and could easily have lapsed. And I wouldn't have had a clue how to set it up for inclusivity and collaboration. And the positive vibes of the Mozilla community were great for encouragement during the down times.

I’m much more comfortable with working open now so the Mozilla open learning framework has opened up the options for collaboration as well as how to structure future projects. I also understand a bit more about mentoring and how to address bias and diversity issues. So it's all good.

A new hope…

This is a journey that started at Mozfest last year, which was an eye-opening event in many ways, particularly in how we can help each other and share knowledge with the aim of a healthier internet and inclusive society.

It’s an unusually positive environment, and one that I would recommend on to anyone thinking about attending Mozfest or applying to be a Mozilla Open Leader or who wants some positive feedback for a change.

So that's it. The link to apply for the next round, which starts in September 2018 is here. Applications open mid-June.

For more info, I've blogged a bit more about MOLP and my project here.

Thanks for reading.


Hire/commission me: fiona [at] fionacullinan.com


How to start a data privacy conversation in your city – a bulletpoint guide

This guide forms the end documentation for my recent Mozilla Open Leaders project which culminated in launching a regular data privacy email for Birmingham, UK. If you want to do this in your city or region, I hope it will be useful info to get you started. And if you have any follow-up questions as you go, email me at observedcity@pm.me and I'll do my best to answer and update the guide.

NOTE: You don't necessarily have to follow all the steps below but I really do recommend starting with an Open Canvas as a way to unpack the ideas in your head into something more practical and workable.

Image: (CC) Michael Coghlan/Flickr

Short term (research & development)

  • Fill out an Open Canvas outlining your aims for the project, the problem you are aiming to solve, the needs and resources, and target users and contributors. Here is an example showing the open canvas for ObservedCity.
  • Content calendar – compile list of events and online activities in your area (data privacy, data research, art, tech, activism). Place events under each month on a calendar doc; extract interesting people and organisations for potential contacts. Subscribe to newsletters that are relevant to your project.
  • Contacts/network list – find everyone you should connect with in your area who are working with data/privacy in some way or run relevant events: university researchers and academics, privacy activists, digital artists, curators and galleries, a local Open Rights Group, Meetup.com groups, Chamber of Commerce, local government initiatives helping businesses with big data, 'smart city' groups, police and neighbourhood alerts, potential contributors, hacker groups, coding clubs, local Mozilla Campuses, tech drinks and meetups, open data groups, relevant social enterprise startups, ImpactHub, collectives and coops, event organisers.
  • Research email providers – how will you distribute your email? I looked at Mailchimp's and Tinyletter's pros and cons. I chose Tinyletter for a more personal curated feel and an easy introduction to email setup; I may move to Mailchimp if I change the tone or go in a new direction with the content.
  • Decide on the title of your newsletter – does it need to work across other platforms, such as a website or social media? If so, check the name is available for use in these environments. Look for a name that suggests the content, eg, Observed.City suggests surveillance, privacy and that I'm looking at what is happening in my city. Try to choose a memorable and engaging name – maybe avoid the word 'data' as this can make for a dull word that turns people off subscribing. If you want to keep it hyperlocal, add the name of your area or city into the title of the newsletter; if you want to potentially reach a wider audience, this may be limiting. Sometimes you don't know what your project is going to be until you start – it's ok to change the name later; the important thing is to start!
  • Decide on regularity – this will depend on your resource/time but you could do a shorter email weekly, a medium email monthly, or even quarterly. I'm aiming for every 3-4 weeks and trying to keep it shorter.
  • Expertise, experience and mentors – if you don't know how to start a newsletter or how to build a community of subscribers, find and talk to people who have done it. For example, I took the editor of IChooseBirmingham listings email (17,000 weekly subscribers) for coffee and learnt more in an hour than I ever could have learned online (thank you Tom!). You may even be able to find a mentor of whom you can ask questions as you go along. Meeting people in real life both helps build community and gets experienced people on board with your project.

Medium term (set up, soft launch)

  • Consider setting up a new email account if you want to keep your newsletter project separate from your personal/business email. I used Protonmail and the name of the project: observedcity@pm.me – unfortunately this caused some delivery issues in Tinyletter as Protonmail is very tight on its privacy and was triggering spam alerts, so I had to change it to an alternative email that did work.
  • Set up a newsletter account with your chosen service – go through all the account settings and fill in any blanks.
  • Set up related accounts, eg, a Twitter, Facebook page and website for your project – these may form your future discussion/comment/feedback areas and somewhere to upload blog content. You can keep it basic for now but it still takes some time to set up, to write the about/bios, add links to your project, upload a picture or logo, and cross-link between these different sites.
  • Decide on the format of email and content to include – what kind of things do you want to write, what does your target audience want to know, how will you make it engaging and easy to read, do you need images, do you want to have an informal conversation tone or a more professional corporate style, what do you like in the newsletters you receive, what makes you open these?
  • If working open (as I did on this project), create your Github repo or shared Google doc, and start to document your project – what it is about, how people can contribute, how the work is licensed, issues you need to resolve, etc. Here is the ObservedCity repo so you can see and fork/duplicate the content.
  • Start to build community – both users and contributors – start to connect and follow your contacts list through social media channels, subscribe to their newsletters, network at events, tell people about your project, email people directly if you think they will be interested, consider arranging a coffee meet with potential contributors.
  • Logo/header – basic design – there's a lot you can do with editing software, such as Preview and Photoshop, to get a look/feel for your newsletter's title. You can also source Creative Commons images for use in your headers/banners, for example, I used a great free image from Pixabay in return for buying the photographer a virtual coffee.
  • START! Do a first draft so you can visualise what your newsletter will look like and how much time it takes to create it. Send yourself a test email. Get a friend to read it over with their fresh eyes. Amend, check links work and finalise. At this point, if you like what you've done – why not send it out and start to get feedback and subscribers? You could also do a soft launch where you send it to a small group of people – friends/family – to get their feedback. Getting the perfect newsletter takes time – months and years even to build up a community of readers. Don't get too bogged down in the set-up phase – you can iterate and improve as you go.
  • Note: I have a background in publishing so I have a basic understanding of media law around issues such as copyright, plagiarism and defamation (libel), and data protection. I recommend you read up on these and your country's laws around publishing in order to protect yourself.

Long term (launch and beyond)

  • Update and monitor Github repo – submit project and requests for help to hackathons: the Global Sprint, Hacktoberfest, etc.
  • Logo/header – outsource design for a more professional look (try posting this request as an issue for open working during #mozsprint or other hackfests – that's how I got logo suggestions/design help).
  • Populate online content areas – ideas for content, attend and review events, seek editorial contributors, ask for help via social media, create original content.
  • Refine/improve launch email – ask for feedback and iterate.
  • Remember to thank your contributors!
  • Community building / outreach work – how can you get your newsletter to interested people and reach different communities in your city? Consider adding a guest section and asking for different voices and perspectives.
  • Scale – sign up for similar newsletters in other cities, start to connect as a network. Talk to local media, offer a help feature on data privacy.
  • Sustainability/governance – find guest editors and proofreaders, check resource/times, regularity of email.

Launching Observed City and learning to work open with Mozilla

Click to view (opens in new tab) – my short demo starts at 3 mins 20.

I'm very proud to say that I've just graduated as a Mozilla Open Leader. In a nutshell this means that I've spent the past 14 weeks learning how to work openly and inclusively as part of a cohort of 20 projects from around the world. The next round of Mozilla Open Leaders will be opening in June and I highly recommend applying if your project fits the criteria. Here's why…

For me, some of the best things about the programme were working with an experienced mentor (mine was a radio astronomer from Jodrell Bank!), dedicated access to experts in topics ranging from cybersecurity to community building, and being in online breakout rooms with other project leaders from North America, Europe, Asia and Africa.

There's really something quite humbling and amazing about getting feedback on your Github Readme page from a professor in Addis Ababa or an activist in Hungary.

Of course, it also provided much-needed forward momentum and weekly mentoring deadlines to bring my idea to fruition (background and how it all started here).

To that end, I'm pleased to say that Observed.City – a new data privacy newsletter for Birmingham, UK – is now up and running. If you're based in Birmingham or the wider West Midlands, working with data in some way as an academic, artist or activist, or just want to know more about data privacy and how to stay safe online, please subscribe here.

Observed.City soft-launched in March 2018, in the week of the Facebook/Cambridge Analytica scandal, just as the issue of mass data collection was propelled into the mainstream. It comes out every three to four weeks and highlights a small number of data stories and privacy issues of individual-local-national-global interest, as well as listing relevant events happening in the city.

I'm now working on Issue 4 and already have several contributors, as well as a guest section so that I can bring different people, experiences and voices into the mix.

Want to get a copy? Here is the sign-up link.

Want to contribute? Here is the project repository, which tells you all about the project in the ReadMe file and lists open Issues where I'm looking for help. Or you can email me about the guest slot or with any local event details at observedcity@pm.me.

The project also launched at Mozilla's Global Sprint hackathon/helpathon in early May, where people from around the world were invited to contribute to the project in a number of ways. As a result, I now have a logo design and am in the process of turning the experience into a more general how-to guide for kickstarting the data privacy conversation in other cities. Update: it is here!

Ultimately the aim is to keep working openly and perhaps start to pass the project on in a few months to other interested writers and editors who can help it develop in new ways. That should keep it interesting.

How do you engage a city of a million people on data privacy?

TL;DR:

I'm using my Mozilla Open Leadership Project to find activists, artists, data researchers and other collaborators in Birmingham, UK, to connect and kick-start activity around online privacy and security issues. The aim is to build a collaborative community offering citizens greater digital literacy so they can take charge of their online lives.

I’m working open so that the project can develop in new ways, scale and be sustainable. End documentation will guide other regions how to kick-start their own hubs of activity.

I'm also asking for help and subscribers. Update: project is now up and running here: Observed.City.

***

Mass data collection is a reality that many are not aware of. Through our daily digital interactions, information is being collected about us, stored, sold and used to profile us in an increasingly 'quantified' world. Humans and machines are making decisions about us based on this data – some benign, some dangerous. The details of what information is collected is buried in the small print of terms and conditions and gained through our ‘consent’. Our connections with the internet feel less open and healthy than they did.

What this means for us as individuals and as a society, both now and in the future, and what we can do about it isn't always clear. For most people, it isn't even a topic of conversation.

I'm an editor, not a technologist, but my own experiences with data privacy and cybersecurity projects over the past year have taught me that, for the average person, cybersecurity is at least on the ‘to do’ list, while data privacy feels like much less defined with less obvious impacts and, consequently, it is easier to push aside.

I've heard people say things like 'I'm not important enough to be surveilled', 'I don't want to live in paranoia' or 'I don't care if they read my emails and serve me some targeted ads'. At least these people are having a conversation about it.

I've also seen fantastic debates buried in Facebook comment threads – 'why do people willingly install commercial surveillance equipment in their houses?' and 'is it ok for parents to post pictures of their kids on Facebook without their permission?' and 'why does the Parkmobile app need my full name, gender, DOB and full address as well as my licence plate and payment card details?' – and I wonder how can we bring these discussions out into the open where more people can join in?

Raising awareness is a massive hurdle. Everyone is busy. Everyone is shouting. Everyone wants your attention. As well as the 'I don't have time' response, there is also the 'I don't care' factor. Data privacy needs to be a lot more engaging and a lot less overwhelming.

Much of this work is London-based with many free or funded talks, projects and exhibitions available for people to attend, and large privacy groups, such as Privacy International, Liberty and Big Brother Watch, based there.

In the Midlands, we have a 2.5 million population – 1.1 million in Birmingham alone – who would benefit from knowing how they are affected by the data economy and how to navigate it. There is some great work going on by the Open Rights Group and others but the topic is huge and outreach is hard for reasons already stated. How can we engage more people and build on this in the second city?

These are the questions that I've been thinking about since my training and experience working in The Glass Room London last October. Curated by Tactical Tech and produced by Mozilla, The Glass Room was a three-week pop-up store on the Charing Cross Road with a data privacy twist. It hosted over 40 objects in a gleaming white high-tech store, with an accompanying programme of talks, workshops, film screenings and tours attended by nearly 19,000 visitors. Physical and interactive exhibits let people come to the topic on their own terms and draw their own conclusions. It had people queuing to get in the door and look into their online lives more deeply, while most of the free talks and workshops ‘sold out’.

That level of engagement was a real eye-opener.

The experience made me realise that people DO care about their data privacy – if suitably engaged – and that there needs to be WAY more opportunities to have a conversation about this stuff and its implications.

So… I applied to Mozilla's Open Leadership Project with the idea of trying to find other collaborators, connect the dots and maybe try some new things in my home city. Two weeks ago, I was amazed to read an email saying I'd got a place on the programme.

I'm not a campaigner or an activist. I’m a communicator who is a fairly average internet user and who just wants to ask the dumb questions about this stuff and hopefully, as a result, make better choices in my own online life.

To do this, my initial plan is simply to start gathering information and events around data, arts, tech and activism in the city, and collate them in some way, most likely as a regular email out to an online community. (UPDATE: the first issue has now gone out – see Observed.City for details.) This will involve building connections with people who are working in this space and from there I hope ideas and collaborations may start to bloom and grow.

One project has started already through discussions with music academic Dr Craig Hamilton – a data reading group called The Interrogang is starting at Artefact Cafe in Stirchley next Tuesday 27 February from 7.30-9pm. The next one will be held on 28 March, and at six-weekly intervals after that, each covering a different data-relevant theme. The reading for next week will be around the use of our data in advertising by services such as Netflix and Spotify – and has been posted up on the group’s Twitter: @theinterrogang

And if you are interested in the Mozilla project and new data privacy newsletter, this is now up and running. Info and subscribe details below:

Sign up for the ObservedCity newsletter

Also:
Follow @ObservedCity on Twitter
Join the ObservedCity Facebook discussion group
Website (work in progress): Observed.City
Get in touch: observedcity@protonmail.com

Finally, in the spirit of #WOLO (work open, lead open), perhaps you are interested in helping the project develop. This is the first week of a 14-week project so it is at an early stage but if you want to be involved, I envision needing some editorial help and people willing to attend and write up events. I'll also be collecting listings of data-related events in the city from April/May onwards so if you are involved in running an event, workshop, talk or other activity, please get in touch via Observed.city.

Mass data collection and surveillance is one of the biggest issues of our age – the least we can do as its key human products is have a conversation about it.

Photocollage: @editoriat



On becoming a Glass Room Ingenius

I RARELY LOOK at email newsletters, even the ones I've subscribed to, but in September I opened 'In The Loop' from a Berlin technology collective called Tactical Tech, and inside was a dream opportunity to build on work begun during my sabbatical.

BE AN INGENIUS FOR THE GLASS ROOM LONDON
The Ingenius is the glue that holds The Glass Room together. We're recruiting individuals who we can train up with tech, privacy and data skills in order to support The Glass Room exhibition (coming to London in October 2017). As an Ingenius you'd receive four days of training before carrying out a series of shifts in The Glass Room where you'd be on hand to answer questions, give advice, run workshops, and get people excited about digital security.

Having spent the first eight months of 2017 studying cybersecurity and cleaning up my own online practices, I had started offering free help sessions in our local café. Engagement was poor – it turns out that free infosec sessions aren't in demand because busy people tend to put these things on the backburner and just hope they don't get hacked in the meantime.

Francis Clarke, who co-runs the Birmingham Open Rights Group which campaigns around citizens' digital rights, warned me that topics like infosec and data privacy were a hard sell. Friends and family confirmed it with 'I don't care if I get sent a few contextual ads' or 'I have nothing to hide'.

So how do you get people to become aware and start to care about their online practices?

Answer: The Glass Room.

***

The Glass Room – presented by Mozilla and curated by Tactical Tech – in every way resembles a bright, shiny tech store inviting passers-by in to check out its wares. Yet another shop on a busy London street. But the items on show are not gadgets but exhibits that help people look into their online lives and think more critically about their interactions with everyday digital services.

To be honest, I mostly saw The Glass Room as providing a readymade audience who were up for talking about this stuff because talking would enable me to get everything I'd been learning out of my head and also level up on my own understanding of the issues.

I didn't think I would stand a chance of being selected but I applied anyway. I've listed some of the questions from the application and my (short version) answers for a bit more context on why I started on this journey – otherwise feel free to skip ahead.

Why are you interested in becoming an Ingenius? (provide 3 reasons)

Individually – I was blown away by Edward Snowden’s revelations and the Citizenfour documentary. I have been data detoxing and self-training in infosec, and I'm very interested in the engagement tools and workshop resources.

Locally – I'm involved in several campaigns. I want to help individuals and campaigners know how to keep their data and communications private and secure.

Nationally/internationally – I'm concerned with the normalisation of surveillance (both governmental and commercial) and how the line is constantly being redrawn in their favour. I would like to understand more about the politics of data and how to think about it more equitably in terms of the trade-offs concerned with policing, sensitive data sharing, commercial data capture and the individual right to privacy.

What do you think about the current state of privacy online?

I have concerns both about privacy clampdowns by governments and mass surveillance by commerce. I love the internet but find the fact that I have to jump through so many hoops to avoid being tracked or identified worrying. I feel I am part of some subversive resistance just to have control of my own data and this is intensifying as I have a writing project that I want to keep anonymous (almost impossible, I have since discovered). I'm also concerned that enacting the paths to anonymity may flag me on a list and that this may be used against me at some future point, especially if there is no context in the data.

I think our right to privacy is disappearing and the biggest issue is getting people to care enough to even talk about that. We seem to be giving up our privacy willingly because of a lack of digital literacy about how our information is being used, the dominance of data brokers such as Google and Facebook (for whom we are the product), the lack of transparency about how algorithms are processing our data, and so on. The issue feels buried and those who control information too powerful to stop.

How would you take the experience and learning as an Ingenius forward?

I’ll be taking it into my local community through advice surgeries in cafés and libraries. There seems to be little privacy/security support for individuals, activists, campaigners and small businesses. I also hope it will give me the wider knowledge to become more involved with Birmingham Open Rights group, which operates at a more political level.

Finally, I aim to connect more widely online around these topics and investigate options for setting up something to help people in Birmingham if I can find suitable collaborators.

***

I'M IN!

This is one of those things that will completely take me out of my comfort zone but will also likely be one of the best things ever.

***

THE GLASS ROOM when it ran in New York City saw 10,000 come through the doors. In London, on the busy Charing Cross Road, just up from Leicester Square, the figure was close to 20,000.

I was fretting about all sorts of things before my first shift, mostly about standing on my feet and talking to people all day – normally I sit at a desk and say nothing for eight hours that isn't typed. I was also nervous that despite the excellent four days of Glass Room training, I wouldn't know enough to answer all the random questions of 'the general public', who might be anything from shy to panicked to supertechy.

But it was fine. More than fine, it was exhilarating, like the opening night of a show you've been rehearsing for weeks. If anything, I had to dial it back so that visitors would have a chance to figure things out for themselves. The team were lovely and the other Ingeniuses supportive and funny. Most importantly, the visiting public loved it, with 100-strong queues to get in during the final weekend of the exhibition.

It must be a complete rarity for people to want to come in, peruse and engage with items about wireless signals, data capture and metadata. But by materialising the invisible, people were able to socialise around the physical objects and ask questions about the issues that might affect them, or about the way big data and AI is affecting human society.

Day after day, people wandered in off the street and began playing with the interactive items in particular: facial recognition to find their online lookalikes, nine volumes of leaked passwords to find their password, newsfeed scanning to find the value of their data, the stinky Smell Dating exhibit to find out who they were attracted to from the raw exposed data of three-day-old T-shirts (c'mon people – add some metaphorical deodorant to your online interactions!).

They also spent time tuning into the trailers for highly surveillant products and brands, and watching an actor reading Amazon Kindle's terms and conditions (just under nine hours, even in the bath).

And they gathered en masse around the table-sized visualisations of Google's vast Alphabet Empire that goes way beyond a search engine, Amazon's future Hive factory run mostly by drones and other robots, Microsoft's side investment into remote-controlled fertility chips, Apple's 3D pie charts of turnover and tax avoided, and Facebook founder Mark Zuckerberg's House where you can buy total privacy for just $30 million.

***

THERE WERE THREE themed areas to explore inside The Glass Room, with three further spaces to go deeper and find out more:

  1. Something to hide – understanding the value of your data and also what you are not hiding.
  2. We know you – showing what the big five of GAFAM (Google, Amazon, Facebook, Apple and Microsoft) are doing with the billions they make from your online interactions with them.
  3. Big mother – when technology decides to solve society's problems (helping refugees, spotting illegal immigrants, health sensors for the elderly, DNA analysis to discover your roots), the effect can be chilling.
  4. Open the box – a browsing space on the mezzanine floor full of animations to explain what goes on behind the screen interface.
  5. Data Detox Bar – the empowerment station where people could get an eight-day Data Detox Kit (now online here) and ask Ingeniuses questions about the exhibition and issues raised.
  6. Basement area – an event space hosting a daily schedule of expert talks, films and hour-long workshops put on by the Ingeniuses.

During the curator's tour by Tactical Tech co-founder Marek Tuszynski, what impressed me most was the framing for The Glass Room. This is not a top-down dictation of what to think but a laying out of the cards for you to decide where you draw the line in the battle between convenience and privacy, risk and reward.

I handed out kit after kit to people who were unaware of the data traces they were creating simply by going about their normal connected life, or unaware that there are alternatives where the default isn't set to total data capture for future brokerage.

Some people needed talking down after seeing the exhibition, some asked how to protect their kids, others were already paranoid and trying to go off the grid or added their own stories of life in a quantified society.

***

THERE ARE THREE LESSONS I've taken away from my experience in The Glass Room to apply to any future sessions I might hold on these topics:

  1. Materialise the invisible – bring physical objects (art, prototypes, kits, display devices) so that people can interact and discuss, not just read, listen or be told.
  2. Find the 'why' – most people are unaware of, or unconcerned about, the level of data and metadata they produce until they see how it is aggregated and used to profile, score and predict them. Finding out what people care about is where the conversation really starts.
  3. More empowerment and empathy, less evangelism – don't overload people with too many options or strategies for resistance, or polarise them with your own activist viewpoint. Meet them where they are at. Think small changes over time.

***

IT'S BEEN A MONTH SINCE The Glass Room and I'm proud of stepping up as an Ingenius and of overcoming my own fears and 'imposter syndrome'.

As well as doing nine shifts at The Glass Room, I also ran two workshops on Investigating Metadata, despite being nervous as hell about public speaking. There are eight workshop modules in Tactical Tech's resources so it would be interesting to work these up into a local training offering if any Brummies are interested in collaborating on this.

I wrote a blog post for NESTA about The Glass Room – you can read it here: Bringing the data privacy debate to the high street.

I did the Data Detox Surgery at an exhibition called Instructions for Humans at Birmingham Open Media, and also set up a mini version of The Glass Room with some pop-up resources from Tactical Tech – there's a write-up about that here. The Ingenius training gave me the confidence and knowledge to lead this.

Leo from Birmingham ORG has also had Glass Room training so we will be looking for opportunities to set up the full pop-up version of The Glass Room in Birmingham in 2018. Get in touch if you're interested – it needs to be a place with good footfall, somewhere like the Bullring or the Library of Birmingham perhaps, but we're open to ideas.

There's also a more commercial idea, which arose at the Data Detox Surgery, to develop this as an employee engagement mechanism within companies to help make their staff more cyber-secure. If employees learn more about their own data privacy and can workshop some of the issues around data collection, then they are more likely to care about company processes around data security and privacy. In short, if they understand the personal risks, they will be more security-conscious when working with customer or commercial data.

Update: In March 2018 I launched a data privacy email for my home city – you can read all about it here.

As ever, watch this space, or get in touch if you think any of this should be taken to a coffee shop for further discussion and development. You can also connect with me on Twitter if you want to follow this journey more remotely.

Thanks for staying to the end.


Hire/commission me: fiona [at] fionacullinan.com


How to make your cybersecurity event more engaging

I'm fascinated by how cybersecurity enthusiasts and organisers present and run their events, as that seems to be crucial in (a) getting people to come along, (b) triggering action.

I attended three cybersecurity events in September – Cryptoparty London, Cy3sec and Cybersecurity for 'Real People' – and learnt a lot from how they engage, or don't. Conclusion: Infosec events need to be a LOT more practical and engaging and to deliver on what they promise. Drinks/snacks also help with after-work events.

1. Cryptoparty London


Organised by:

A tech consultancy and a civil rights group put together the London event but this is just part of a larger decentralized movement of CryptoParties with events happening all over the world. "The goal is to pass on knowledge about protecting yourself in the digital space. This can include encrypted communication, preventing being tracked while browsing the web, and general security advice regarding computers and smartphones."

https://www.cryptoparty.in/london 

Approach

Put it in a bar, call it a 'party', have infosec-themed cocktails, offer interactive break-out workshops (on Tor browser, Bitcoin, email encryption and smartphone surveillance) and lightning talks with a stage and large screen, surveillance-based visuals, digital art and music. September was the tester – it went very well and is now going monthly.

Pros

  • Beginners welcome
  • Networking, sense of community, expert access
  • Top pedigree of speakers, eg, Silkie Carlo, co-author of Information Security for Journalists
  • A nice dark room and sociable vibe for tired people after work
  • Practical workshops, how-tos and Q&As
  • Stickers and swag on the tables

Cons

  • It's held in London – I'm in Birmingham
  • It ran way over time so I missed my second workshop
  • Logistics – bar noise/numbers made workshops hard to hear for some
  • Attendees seemed highly engaged and knowledgeable already – bar too high for newbies?

Summary

CryptoParty's main objective is to "tear down the mental walls which prohibit people to even think about these topics" – on that aim, it was definitely the best for engagement and practical learning. I'm now set up on Tor Browser and just wish I could have stayed longer.

2. Cy3Sec

Organised by:

Fizzpop – a popular Birmingham-based maker/hacker group with its own workshop space. Its first cybersecurity workshop was set up on Meetup and is set to run monthly.

https://www.meetup.com/fizzPOP-Birminghams-Makerspace/events/243198601/

Approach

One presenter talking to attendees around a table, small group style. There was a tech fail on the projector front which didn't help. The speaker was a real-life locksmith so the focus was very much on how the hackers break in. The Meetup blurb said:

"The first hour will be on 'beginner' topics, then half an hour to chat, then an hour on a more advanced topic(s). If people want to do a short talk, great. There may be Bluetooth lock picking. There might be hacking a local server. A talk on decapping chips. If you've something to teach or explain about, please let us know."

Pros

  • Beginners welcome
  • Quiet workspace, easy to get involved
  • Unusual angle – locksmith/hacker, physical access to devices
  • Free-roam topics and tech nerd view (how to kill people and start wars through hacking) = an interesting experience!

Cons

  • Attendees were Fizzpop members, a brain surgeon and someone with a Masters in cybersecurity – not exactly beginner-friendly
  • Mostly a one-way talk, lots of assumed knowledge, and attack based with cybersecurity solution more an afterthought
  • Departed from promised structure and timings
  • Sense of being an outsider entering a tech nerd's member's club

Summary

I never knew where this session was going or what I was going to get or even when it was going to end. Some structure and communication would really help this session. The Fizzpop-style focus on physical hacking and USB baiting, and 'how stuff works' was way above my knowledge grade but learning how to hack could fill a useful gap if done at beginners level and with a sense of playful fun that is the Fizzpop way.

Despite the exclusive feel, I am tempted to go back – albeit with a flask of tea and some biscuits, and just enjoy the random weirdness of Fizzpop life.

3. Cybersecurity for 'real people'

Organised by:

The Open Rights Group Birmingham – which runs regular events on cybersecurity and data privacy for concerned citizens. It feels more political although the offer is also practical. It campaigns to protect and promote digital rights in Birmingham and beyond. It was also set up on Meetup:

https://www.meetup.com/ORG-Birmingham/events/242706511/

Approach

The purpose was to offer practical cybersecurity advice that ‘real people’, not just digital geeks, can understand and apply in their daily lives. There were two main speakers, a large screen, a PowerPoint presentation and chairs for the audience. Although it was billed as a workshop, it was really more of an advice session/talk, with little opportunity to interact – one of the problems of running through a set of slides.

Pros

  • Beginners welcome – had the most varied mix of people of all three events
  • Darkened room for viewing slides, the acoustics weren't great though
  • Practical advice on sending secure emails and messages, password managers, Tor browser
  • Beginner-friendly – idea of just 'change one thing'
  • Friendly, open, inclusive vibe
  • Resources posted on the Meetup site (Update: more resources, tips and follow-up from the session have now been posted to ORG B'ham)

Cons

  • More political stance – which may put off some; would be good to know more about the trade-offs not just follow advice blindly
  • Tried to pack too much in – people asking more in-depth questions but no time to cover
  • Top-down talk – less engaging than a practical workshop

Summary

This was my first ORG session and the organisers obviously know their stuff, but it was a skim across the surface and felt like an intro session to a longer course. I think they could increase engagement with less content and more practical focus, and as the session started at 6.30pm, maybe see if they can get sponsorship for some refreshments as most people come directly from work.

The immersive option?

Data privacy is a hard sell, even though it's one of the biggest issues of our time with surveillance and data capture growing exponentially and often obfuscated and kept out of sight.

Most people know they should do 'something' but maybe think it's too techy, or a hassle, or like me, tell themselves that they'll get around to it one day and hope they don't get sprung in the meantime. In short, there are barriers for everyone to overcome.

This next event could be the answer… and I'm pleased to report that I've managed to get a spot helping out at The Glass Room London, which opens for three weeks at the end of October.

Curated by Tactical Tech and produced by Mozilla, The Glass Room was attended by over 10,000 visitors in New York City last year.

It is ALL about the engagement, with people coming in off the street to an immersive, dystopian tech store that exposes the state of their data privacy. Data Detox Kits will be handed out. And there will be interactive exhibits.

It looks really really good, and will be blogged.

Seven ways the Bank of England encourages a culture of cybersecurity


“What is important to you?” This is the first question to ask before planning any cybersecurity strategy, according to John Scott, Head of Information Security Education at the Bank of England, talking at the recent Cybersecurity UK Roadshow event in Birmingham (notes here). Because if you don’t know what a client or company values, if you don't understand their business priorities, you can only talk in absolutes.

As Scott gently points out, 80% of people working in the Security Awareness field come from a background in IT or security and there is a tendency to talk in absolutes. While things are moving towards more nuanced conversations around risk, finding people who can both listen and communicate well on this topic can be difficult. The result in many large organisations is an environment of enforced compliance; getting workers to care and engage beyond that is a tough sell.

'From compliance to culture, awareness to action' was the title of Scott’s talk. He said compliance and awareness aren’t enough; it’s building a culture of mature security that is required to stay safe. Scott then rated security culture on a scale of -1 (negative behaviours) to 0 (compliance behaviours) to +1 (security maturity and positive behaviours), and outlined the Bank's encouragement of the following ‘cyber seven’ practices to move from compliance towards maturity (more of which below):


1. Passwords

0 = don't share passwords

+1 = use a password manager

2. Phishing

0 = don't click on suspect email links or open attachments.

+1 = report suspicious emails (whether clicked or not)

3. Document classification

0 = classify documents when saved into document management system

+1 = mark docs clearly, dispose of confidential documents safely

4. Clear workspace

0 = don't leave confidential material on your desk

+1 = also check printer, whiteboards, keysafe when you leave

5. Remote working

0 = make sure you are not overlooked when working on trains

+1 = keep your remote token separately from your laptop when travelling; report loss of devices immediately

6. Social media

0 = don’t post photos of the Bank on social media or get involved in discussions related to the Bank’s mission on social media without permission

+1 = audit your social media profile – make sure you’re aware of what you and other people are saying about you.

7. Report it

0 = if you see anything that worries you, tell us – 'See it, Say it!'

+1 = if you've done something yourself or caused a problem, report it

This final point raised a lot of questions in the audience – wouldn't a major breach be a sackable offence, for example? Why would employees admit their error? Scott suggested awareness and education, perhaps telling stories about how coming forward has worked and to try to build trust with your employees.

It's always better to know that a breach or a vulnerability has occurred so you can address it but you need people to feel secure in coming forward. As the Regional Organised Crime Unit noted in their talks at the roadshow, one of the biggest issues in cybersecurity is the lack of reporting.

Thanks to John Scott and Metsi Technologies for use of the slides.

Notes from Cyber Security UK Roadshow Birmingham

A one-day event held yesterday at Innovation Birmingham on the Aston Uni campus to help businesses get to grips with cybersecurity. It was organised by Metsi Technologies, and supported by the National Police Chiefs' Council and Regional Organised Crime Unit (ROCU) in the West Midlands. The Twitter account and hashtag was @cybersec_uk but the backchannel was pretty quiet. Here are my notes.

Cybercrime

The increasing threat of cybercrime runs across a range of levels from nation-state threats to ransomware to IP theft. There were various police chiefs in attendance and the main message seemed to be that cybercrime is massively unreported to police – with the result that sufficient budget isn’t being assigned.

Ashley Bertie, Assistant Police and Crime Commissioner for the West Midlands, sent out a plea to find out what your local police force is doing and engage with their agenda. One available resource that has just launched is the Digital PCSO (Sean Long in the West Midlands) who can go into business organisations, schools and the community and advise on security basics.

John Davies of Pervade Software then introduced the National Cyber Security Strategy, consisting of three main acronyms:

  • NCSC – the National Cyber Security Centre (at GCHQ) – pushes out national strategy.
  • CiSP – Cyber Security Information Sharing Partnership – a place to both get free advice and also report hacks.
  • CES – Cyber Essentials Scheme – certification scheme to show that a business has addressed basic cybersecurity.

Main cybersecurity threats for SMEs

Louis Augarde, lead pen tester for Omni Cyber Security, introduced these as:

  • Ransomware – disruption for financial gain
  • Credentials-based attacks – to gain an entry point
  • Breaches based on known vulnerabilities – often used as a first step to identify weak systems that can be exploited further
  • Phishing emails – to gain credentials and access
  • DDoS – freezes your system temporarily but can also be a smokescreen for more serious attacks

He also introduced me to the idea of baiting, a social engineering tactic to get hold of your personal info by leaving out a USB for people to pick up. Never plug an unknown USB found on the train into your computer!

Cybersecurity help for Birmingham SMEs

If there’s one thing for businesses to do now it is the Cyber Essentials Scheme, said John Davies. Participants address 68 questions on their cybersecurity systems around firewalls, patches, configuration, malware, user accounts and so on. The scheme costs £300 and provides an annual certificate.

The CES process is designed to prevent the vast majority of cyber attacks but also offers a badge to show that a business has made an effort to keep the supply chain more secure.

Other options mentioned include the 80-question IASME governance standard, costing £400, which also looks at data assets, risk assessments, people, policies and disaster recovery. Both CES and IASME were said to be a good foundation in securing businesses and a more achievable alternative to the 500+-question ISO 27001 international standard.

There is also the newly launched West Midlands Cyber Security Cluster, the 19th in the UK, and people, businesses and organisations can tap into this to get help and advice in tackling cybersec issues. The website looks as if it has teething problems right now so check back later.

Other links mentioned on the day were:

Takeaway quotes and stats

95% of all successful attacks are the result of well-known and entirely preventable vulnerabilities (various reports from 2011)

“Don’t buy the whole onion – security is best built in translucent layers” – Brian Chappell, Beyond Trust, introducing five main layers for organisations wanting simpler security (focus on the high risks, tackle lateral movements of hackers into your system, exercise privilege control, one standard user account for all, configuration management).

The first reported cybercrime was in 1820 – it was the sabotage of some newly invented tech – the Jacquard loom – that automated the weaving process. DCI Rob Harris suggested this was where the term ‘patch’ came from but I’m not convinced that is true.

“Why do they do it? I’ve sat opposite many cyber criminals in my job, some as young as 16, and their answer to this is ‘because they deserve it’.” – National Police Chiefs Council on cyber crime motivation.

“80% of people [in cybersecurity roles] have an IT or security background and they tend to talk in absolutes. You have to find people who can listen and communicate.” – John Scott, Bank of England

GDPR for businesses

Jane Burns of Anthony Collins Solicitors made a valiant attempt at an overview of this super-complicated incoming regulation from May 2018.

The EU GDPR, also being adopted in the UK despite Brexit, offers a whole different world of pain so I’m not going to get into it here but, basically, if you’re not already aware, businesses are going to have to get a whole lot better and more transparent in how they process their data, or they risk big fines, and even worse for some, being cut off from accessing their data for a period of time.

This photo may be useful…

[Photo: Jane Burns's GDPR slide]

What does the Bank of England do?

What does the most secure place in England do to prevent cybercrime?

John Scott, Head of Information Security Education at the Bank of England, gave a great presentation on one of the biggest problems facing companies – that of lack of user engagement in an organisation's cybersecurity practices. He said compliance and awareness aren’t enough; it’s building a culture of mature security that is required to stay safe.

I enjoyed this talk so much I’m going to blog it separately.

Next event: a London CryptoParty on 11 September, a mix of cocktails and practical workshops…


Tor's two sides, Amazon's offline surveillance and how to obfuscate

Interesting links I've read this week:

The dilemma of the dark web: protecting neo-Nazis and dissidents alike (Guardian, 23/8/17)

"Perhaps the most important use of Tor, for many of its users, is simply allowing access to the open web in a protected and private manner. The system works by bouncing a request through at least three relays, with each only knowing the positions next to it in the chain: the entry node knows who is asking for a connection, but not where for; the exit node knows what the connection is to but not who wants it; and the middle node only knows to connect the other two."
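The three-relay model the Guardian piece describes can be simulated to show exactly what each hop learns. The following Python is an added example written for this post, not code from Tor or from the Guardian: it uses a toy XOR keystream cipher as a stand-in for the real encryption layers, assumes the client already shares a key with each relay instead of running Tor's handshake, and uses constructed relay names, keys and a constructed destination.

```python
import hashlib
from dataclasses import dataclass, field


def _keystream(key: bytes, length: int) -> bytes:
    """Hash-derived keystream for the toy cipher (a stand-in, NOT real cryptography)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """XOR with a keystream: symmetric, so the same call also decrypts."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


toy_decrypt = toy_encrypt


@dataclass
class Relay:
    """One hop in the circuit. It records only what it could observe."""
    name: str
    key: bytes                     # circuit key assumed pre-shared with the client
    seen: dict = field(default_factory=dict)

    def handle(self, came_from: str, onion: bytes):
        """Peel one layer: learn the previous hop and the next hop, nothing else."""
        plain = toy_decrypt(self.key, onion)
        next_hop, _, inner = plain.partition(b"|")   # hop names never contain "|"
        self.seen = {"from": came_from, "to": next_hop.decode()}
        return next_hop.decode(), inner


def build_onion(relays, destination: str, payload: bytes) -> bytes:
    """Wrap the payload in one layer per relay; the exit's layer is innermost."""
    next_hops = [r.name for r in relays[1:]] + [destination]
    blob = payload
    for relay, next_hop in reversed(list(zip(relays, next_hops))):
        blob = toy_encrypt(relay.key, next_hop.encode() + b"|" + blob)
    return blob


def run_circuit(client: str, relays, destination: str, payload: bytes):
    """Send one onion through the circuit; return each relay's view and the delivered bytes."""
    onion = build_onion(relays, destination, payload)
    came_from = client
    next_hop = client
    for relay in relays:
        next_hop, onion = relay.handle(came_from, onion)
        came_from = relay.name
    assert next_hop == destination          # the exit is the hop that addresses the destination
    return {r.name: dict(r.seen) for r in relays}, onion


def demo():
    # Constructed circuit: names, keys and destination are made up for this example.
    relays = [
        Relay("entry", b"entry-circuit-key"),
        Relay("middle", b"middle-circuit-key"),
        Relay("exit", b"exit-circuit-key"),
    ]
    return run_circuit("client", relays, "example.org", b"GET / HTTP/1.1")


if __name__ == "__main__":
    views, delivered = demo()
    for name, seen in views.items():
        print(f"{name:6} saw: from={seen['from']!r} to={seen['to']!r}")
    print("exit delivered:", delivered)
```

Running demo() shows the entry relay recording the client and the middle relay, the middle relay recording only its two neighbours, and the exit recording the middle relay and the destination (plus the plaintext it forwards), so no single hop links the client to the destination. It does not model Tor's fixed-size cells, its directory system, or the fact that the exit still sees the payload unless that payload is itself encrypted end to end.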

Silicon Valley siphons our data like oil. But the deepest drilling has just begun (Guardian, 23/7/17)

"For Silicon Valley, however, anything less than total knowledge of its users represents lost revenue. Any unmonitored moment is a missed opportunity.

Amazon is going to show the industry how to monitor more moments: by making corporate surveillance as deeply embedded in our physical environment as it is in our virtual one. Silicon Valley already earns vast sums of money from watching what we do online. Soon it’ll earn even more money from watching what we do offline.

It’s easy to picture how this will work, because the technology already exists. Late last year, Amazon built a “smart” grocery store in Seattle. You don’t have to wait in a checkout line to buy something – you just grab it and walk out of the store. Sensors detect what items you pick up, and you’re charged when you leave."

How to obfuscate (Nautilus, Issue 49, 29/6/17)

"The solution TrackMeNot offers is not to hide users’ queries from search engines (an impractical method, in view of the need for query satisfaction), but to obfuscate by automatically generating queries from a “seed list” of terms. Initially culled from RSS feeds, these terms evolve so that different users develop different seed lists.

… The activities of individuals are masked by those of many ghosts, making the pattern harder to discern so that it becomes much more difficult to say of any query that it was a product of human intention rather than an automatic output of TrackMeNot. In this way, TrackMeNot extends the role of obfuscation, in some situations, to include plausible deniability."
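TrackMeNot's approach, decoy queries generated from a seed list that drifts as it runs, is simple enough to sketch. The following Python is an added illustration written for this post, not TrackMeNot's own code: the RSS snippet, the real query and the result text are constructed, and the term-extraction and evolution rules are a simplification of what the article describes.

```python
import random
import re
import xml.etree.ElementTree as ET

# Constructed RSS snippet standing in for the feeds the seed list is first drawn from.
SAMPLE_RSS = """<rss><channel>
<item><title>Council approves new cycle lanes for city centre</title></item>
<item><title>Local bakery wins national sourdough award</title></item>
<item><title>Museum reopens with Roman coin exhibition</title></item>
</channel></rss>"""

STOPWORDS = {"for", "new", "with", "the", "and", "from", "that", "this"}


def extract_terms(text: str) -> list:
    """Lower-case words of four or more letters, minus stopwords, in first-seen order."""
    terms = []
    for word in re.findall(r"[a-z]+", text.lower()):
        if len(word) >= 4 and word not in STOPWORDS and word not in terms:
            terms.append(word)
    return terms


def seed_terms_from_rss(rss_xml: str) -> list:
    """Build the initial seed list from the titles in a feed."""
    root = ET.fromstring(rss_xml)
    titles = " ".join(t.text or "" for t in root.iter("title"))
    return extract_terms(titles)


class DecoyQueryGenerator:
    """Emits plausible-looking queries from the seed list and lets the list drift."""

    def __init__(self, seed_terms, rng: random.Random):
        self.terms = list(seed_terms)
        self.rng = rng

    def next_query(self) -> str:
        n = self.rng.randint(1, 3)
        return " ".join(self.rng.sample(self.terms, n))

    def evolve(self, result_text: str) -> None:
        """Absorb terms from a result page, so two users' lists diverge over time."""
        for word in extract_terms(result_text):
            if word not in self.terms:
                self.terms.append(word)


def observed_log(real_queries, generator, decoys_per_real: int, rng: random.Random):
    """The search engine's view: real queries buried among decoys, order shuffled.
    The first tuple element is ground truth for this demo only; the engine sees just the query."""
    log = []
    for q in real_queries:
        log.append(("real", q))
        for _ in range(decoys_per_real):
            log.append(("decoy", generator.next_query()))
    rng.shuffle(log)
    return log


def fraction_real(log) -> float:
    """Share of logged queries that came from human intent."""
    return sum(1 for kind, _ in log if kind == "real") / len(log)


if __name__ == "__main__":
    gen = DecoyQueryGenerator(seed_terms_from_rss(SAMPLE_RSS), random.Random(1))
    log = observed_log(["symptoms of migraine"], gen, 9, random.Random(2))
    for kind, query in log:
        print(f"{kind:5} {query}")
    print("share of the log that is human intent:", fraction_real(log))
```

The point the article makes is visible in the output: with nine decoys per real query, only a tenth of the log reflects intent, and because the decoys are drawn from topical terms rather than random strings, the observer cannot simply filter them out. Calling evolve() on result text after each decoy is what makes one installation's seed list drift away from another's.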

The dick* pic guide to government surveillance

* and boob

I had a conversation with a family member recently about my growing interest in cybersecurity and they responded with 'I've got nothing to hide so I'm not worried'. Basically, let the government watch them if it stops terrorists; it's all good.

For someone who grew up in the 1980s Cold War (but also basically made a second career out of Web 2.0), it's about how much they are watching, centralised files, a culture of fear, lack of freedom, potential abuse of political power – and trying to understand the trade-offs of privacy versus security when we put our info out there.

I don't think I have anything to hide either – except when I do – but it's not about having something to hide, it's about having something to protect. We're not just talking about status updates knowingly shared on Facebook, Twitter, etc; the info at risk is also the stuff you think you are keeping private: phone calls, files and photos stored in the cloud, SMS, email.

Getting people to care about surveillance and infosecurity is apparently an issue, with cybersecurity events often struggling to attract an audience. Calling it infosec or cybersecurity is a kiss of death, according to a friend who runs such events. (It's true: I'm going to an evening event in London because it's a CryptoParty in a bar with beer sponsors, etc, whereas a day-long 'cybersecurity roadshow' in Birmingham was a much harder sell.)

To help with the 'who cares' issue, I finally got round to watching John Oliver's 2015 'Last Week Tonight' interview in Moscow with Edward Snowden – a deliciously awkward affair in which Oliver played a rude, dumb American asking Snowden's nice, intelligent whistleblower to explain in layman's terms ('Can I share my dick pics or not?') why they should give a shit about increasing government surveillance powers and his 2013 revelations.

If you haven't seen it, it's well worth a watch. My notes below…

Notes: Government Surveillance: Last Week Tonight with John Oliver (HBO)

  • Section 215 of the Patriot Act (created post 9/11, and extended/renewed) requires businesses to hand over 'any tangible things' (eg telephone records) to protect against international terrorism.
  • Snowden in 2013 revealed this to be used for the mass scooping up of data.
  • Government says it doesn't abuse its powers + there are restrictions on how/when they can employ surveillance, eg, through the FISA Court, which grants surveillance warrants.
  • Reality is that FISA rarely rejects an application. From 1979 to 2013, it has approved 35,434 applications for surveillance and rejected only 12.
  • Snowden: "NSA has the greatest surveillance capabilities that we have ever seen. Now, what they will argue is that they don't use this for nefarious purposes against American citizens. In some ways that is true but the real problem is that they are using these capabilities to make us vulnerable to them, and then saying, well, I have a gun pointed to your head but I won't pull the trigger – trust me."
  • Is anyone having the conversation about where the limits should be, eg, reform of Section 215? Public debate not happening (that care issue again).
  • Oliver asks if it is possible for the public to have a conversation about something that is so complicated we don't fundamentally understand it? He shows Snowden a video that shows Americans getting upset about the government sharing and looking at their dick pics. The rest of the interview is framed through this simple analogy.

Can they see my dick?

Section 702 surveillance – yes – through bulk collection if an emailed image crosses a border in some way and is caught on a database.

Executive Order 12333 – yes – the NSA uses this order when others aren't aggressive enough, so if a Gmailed pic is sent even to a fellow American, it will be stored on Google server, and Google may move this data from data centre to data centre – the US government can capture that if it moves outside of US even temporarily.

PRISM – yes – it captures your info with the agreed help/involvement of government deputies/sheriffs such as Yahoo, FB, Google.

Upstream collection – yes – they can 'snatch your junk' as it transits the internet.

MYSTIC – if describing your junk on the phone, yes. Collects content as well in some countries, eg, The Bahamas.

Section 215 metadata – no, but can tell who you are sharing junk pics with (eg a penis enlargement centre).

So what next?

Snowden says: "You shouldn't change your behaviour because a government agency somewhere is doing the wrong thing. … If we sacrifice our values because we are afraid, we don't care about those values very much."

My take is:

  • Keep doing what you're doing but send/share your stuff via more secure platforms
  • Try to understand the lay of the political and digital landscape and don't give away freedoms that are at risk.
  • Figure out the trade-offs and fight back against government surveillance where it is an invasion into privacy/freedom – I'm not saying terrorist and other threats shouldn't be addressed, of course not, but scaling up government powers shouldn't be done thoughtlessly or in knee-jerk reaction to modern threats without a thought for historical ones that threaten all our civic freedoms. Debate publicly and find the line.