How to start a data privacy conversation in your city – a bulletpoint guide

This guide forms the end documentation for my recent Mozilla Open Leaders project which culminated in launching a regular data privacy email for Birmingham, UK. If you want to do this in your city or region, I hope it will be useful info to get you started. And if you have any follow-up questions as you go, email me at observedcity@pm.me and I'll do my best to answer and update the guide.

NOTE: You don't necessarily have to follow all the steps below but I really do recommend starting with an Open Canvas as a way to unpack the ideas in your head into something more practical and workable.

Image: (CC) Michael Coghlan/Flickr

Short term (research & development)

  • Fill out an Open Canvas outlining your aims for the project, the problem you are aiming to solve, the needs and resources, and target users and contributors. Here is an example showing the open canvas for ObservedCity.
  • Content calendar – compile list of events and online activities in your area (data privacy, data research, art, tech, activism). Place events under each month on a calendar doc; extract interesting people and organisations for potential contacts. Subscribe to newsletters that are relevant to your project.
  • Contacts/network list – find everyone you should connect with in your area who is working with data/privacy in some way or runs relevant events: university researchers and academics, privacy activists, digital artists, curators and galleries, a local Open Rights Group, Meetup.com groups, Chamber of Commerce, local government initiatives helping businesses with big data, 'smart city' groups, police and neighbourhood alerts, potential contributors, hacker groups, coding clubs, local Mozilla Campuses, tech drinks and meetups, open data groups, relevant social enterprise startups, ImpactHub, collectives and coops, event organisers.
  • Research email providers – how will you distribute your email? I looked at Mailchimp and Tinyletter's pros and cons. I chose Tinyletter for a more personal curated feel and an easy introduction to email setup; I may move to Mailchimp if I change the tone or go in a new direction with the content.
  • Decide on the title of your newsletter – does it need to work across other platforms, such as a website or social media? If so, check the name is available for use in these environments. Look for a name that suggests the content, eg, Observed.City suggests surveillance, privacy and that I'm looking at what is happening in my city. Try to choose a memorable and engaging name – maybe avoid the word 'data' as this can make for a dull word that turns people off subscribing. If you want to keep it hyperlocal, add the name of your area or city into the title of the newsletter; if you want to potentially reach a wider audience, this may be limiting. Sometimes you don't know what your project is going to be until you start – it's ok to change the name later; the important thing is to start!
  • Decide on regularity – this will depend on your resource/time but you could do a shorter email weekly, a medium email monthly, or even quarterly. I'm aiming for every 3-4 weeks and trying to keep it shorter.
  • Expertise, experience and mentors – if you don't know how to start a newsletter or how to build a community of subscribers, find and talk to people who have done it. For example, I took the editor of IChooseBirmingham listings email (17,000 weekly subscribers) for coffee and learnt more in an hour than I ever could have learned online (thank you Tom!). You may even be able to find a mentor of whom you can ask questions as you go along. Meeting people in real life both helps build community and gets experienced people on board with your project.

Medium term (set up, soft launch)

  • Consider setting up a new email account if you want to keep your newsletter project separate from your personal/business email. I used Protonmail and the name of the project: observedcity@pm.me – unfortunately this caused some delivery issues in Tinyletter as Protonmail is very tight on its privacy and was triggering spam alerts, so I had to change it to an alternative email that did work.
  • Set up a newsletter account with your chosen service – go through all the account settings and fill in any blanks.
  • Set up related accounts, eg, a Twitter, Facebook page and website for your project – these may form your future discussion/comment/feedback areas and somewhere to upload blog content. You can keep it basic for now but it still takes some time to set up, to write the about/bios, add links to your project, upload a picture or logo, and cross-link between these different sites.
  • Decide on the format of email and content to include – what kind of things do you want to write, what does your target audience want to know, how will you make it engaging and easy to read, do you need images, do you want to have an informal conversation tone or a more professional corporate style, what do you like in the newsletters you receive, what makes you open these?
  • If working open (as I did on this project), create your Github repo or shared Google doc, and start to document your project – what it is about, how people can contribute, how the work is licensed, issues you need to resolve, etc. Here is the ObservedCity repo so you can see and fork/duplicate the content.
  • Start to build community – both users and contributors – start to connect and follow your contacts list through social media channels, subscribe to their newsletters, network at events, tell people about your project, email people directly if you think they will be interested, consider arranging a coffee meet with potential contributors.
  • Logo/header – basic design – there's a lot you can do with editing software, such as Preview and Photoshop, to get a look/feel for your newsletter's title. You can also source Creative Commons images for use in your headers/banners, for example, I used a great free image from Pixabay in return for buying the photographer a virtual coffee.
  • START! Do a first draft so you can visualise what your newsletter will look like and how much time it takes to create it. Send yourself a test email. Get a friend to read it over with their fresh eyes. Amend, check links work and finalise. At this point, if you like what you've done – why not send it out and start to get feedback and subscribers? You could also do a soft launch where you send it to a small group of people – friends/family – to get their feedback. Getting the perfect newsletter takes time – months and years even to build up a community of readers. Don't get too bogged down in the set-up phase – you can iterate and improve as you go.
  • Note: I have a background in publishing so I have a basic understanding of media law around issues such as copyright, plagiarism and defamation (libel), and data protection. I recommend you read up on these and your country's laws around publishing in order to protect yourself.

Long term (launch and beyond)

  • Update and monitor Github repo – submit project and requests for help to hackathons: the Global Sprint, Hacktoberfest, etc.
  • Logo/header – outsource design for a more professional look (try posting this request as an issue for open working during #mozsprint or other hackfests – that's how I got logo suggestions/design help).
  • Populate online content areas – ideas for content, attend and review events, seek editorial contributors, ask for help via social media, create original content.
  • Refine/improve launch email – ask for feedback and iterate.
  • Remember to thank your contributors!
  • Community building / outreach work – how can you get your newsletter to interested people and reach different communities in your city? Consider adding a guest section and asking for different voices and perspectives.
  • Scale – sign up for similar newsletters in other cities, start to connect as a network. Talk to local media, offer a help feature on data privacy.
  • Sustainability/governance – find guest editors and proofreaders, check resource/times, regularity of email.

Launching Observed City and learning to work open with Mozilla

Click to view (opens in new tab) – my short demo starts at 3 mins 20.

I'm very proud to say that I've just graduated as a Mozilla Open Leader. In a nutshell this means that I've spent the past 14 weeks learning how to work openly and inclusively as part of a cohort of 20 projects from around the world. The next round of Mozilla Open Leaders will be opening in June and I highly recommend applying if your project fits the criteria. Here's why…

For me, some of the best things about the programme were working with an experienced mentor (mine was a radio astronomer from Jodrell Bank!), dedicated access to experts in topics ranging from cybersecurity to community building, and being in online breakout rooms with other project leaders from North America, Europe, Asia and Africa.

There's really something quite humbling and amazing about getting feedback on your Github Readme page from a professor in Addis Ababa or an activist in Hungary.

Of course, it also provided much-needed forward momentum and weekly mentoring deadlines to bring my idea to fruition (background and how it all started here).

To that end, I'm pleased to say that Observed.City – a new data privacy newsletter for Birmingham, UK – is now up and running. If you're based in Birmingham or the wider West Midlands, working with data in some way as an academic, artist or activist, or just want to know more about data privacy and how to stay safe online, please subscribe here.

Observed.City soft-launched in March 2018, in the week of the Facebook/Cambridge Analytica scandal, just as the issue of mass data collection was propelled into the mainstream. It comes out every three to four weeks and highlights a small number of data stories and privacy issues of individual-local-national-global interest, as well as listing relevant events happening in the city.

I'm now working on Issue 4 and already have several contributors, as well as a guest section so that I can bring different people, experiences and voices into the mix.

Want to get a copy? Here is the sign-up link.

Want to contribute? Here is the project repository, which tells you all about the project in the ReadMe file and lists open Issues where I'm looking for help. Or you can email me about the guest slot or with any local event details at observedcity@pm.me.

The project also launched at Mozilla's Global Sprint hackathon/helpathon in early May, where people from around the world were invited to contribute to the project in a number of ways. As a result, I now have a logo design and am in the process of turning the experience into a more general how-to guide for kickstarting the data privacy conversation in other cities. Update: it is here!

Ultimately the aim is to keep working openly and perhaps start to pass the project on in a few months to other interested writers and editors who can help it develop in new ways. That should keep it interesting.

On becoming a Glass Room Ingenius

I RARELY LOOK at email newsletters, even the ones I've subscribed to, but in September I opened 'In The Loop' from a Berlin technology collective called Tactical Tech, and inside was a dream opportunity to build on work begun during my sabbatical.

BE AN INGENIUS FOR THE GLASS ROOM LONDON
The Ingenius is the glue that holds The Glass Room together. We're recruiting individuals who we can train up with tech, privacy and data skills in order to support The Glass Room exhibition (coming to London in October 2017). As an Ingenius you'd receive four days of training before carrying out a series of shifts in The Glass Room where you'd be on hand to answer questions, give advice, run workshops, and get people excited about digital security.

Having spent the first eight months of 2017 studying cybersecurity and cleaning up my own online practices, I had started offering free help sessions in our local café. Engagement was poor – it turns out that free infosec sessions aren't in demand because busy people tend to put these things on the backburner and just hope they don't get hacked in the meantime.

Francis Clarke, who co-runs the Birmingham Open Rights Group which campaigns around citizens' digital rights, warned me that topics like infosec and data privacy were a hard sell. Friends and family confirmed it with 'I don't care if I get sent a few contextual ads' or 'I have nothing to hide'.

So how do you get people to become aware and start to care about their online practices?

Answer: The Glass Room.

***

The Glass Room – presented by Mozilla and curated by Tactical Tech – in every way resembles a bright, shiny tech store inviting passers-by in to check out its wares. Yet another shop on a busy London street. But the items on show are not gadgets but exhibits that help people look into their online lives and think more critically about their interactions with everyday digital services.

To be honest, I mostly saw The Glass Room as providing a readymade audience who were up for talking about this stuff because talking would enable me to get everything I'd been learning out of my head and also level up on my own understanding of the issues.

I didn't think I would stand a chance of being selected but I applied anyway. I've listed some of the questions from the application and my (short version) answers for a bit more context on why I started on this journey – otherwise feel free to skip ahead.

Why are you interested in becoming an Ingenius? (provide 3 reasons)

Individually – I was blown away by Edward Snowden’s revelations and the Citizenfour documentary. I have been data detoxing and self-training in infosec, and I'm very interested in the engagement tools and workshop resources.

Locally – I'm involved in several campaigns. I want to help individuals and campaigners know how to keep their data and communications private and secure.

Nationally/internationally – I'm concerned with the normalisation of surveillance (both governmental and commercial) and how the line is constantly being redrawn in their favour. I would like to understand more about the politics of data and how to think about it more equitably in terms of the trade-offs concerned with policing, sensitive data sharing, commercial data capture and the individual right to privacy.

What do you think about the current state of privacy online?

I have concerns both about privacy clampdowns by governments and mass surveillance by commerce. I love the internet but find the fact that I have to jump through so many hoops to avoid being tracked or identified worrying. I feel I am part of some subversive resistance just to have control of my own data and this is intensifying as I have a writing project that I want to keep anonymous (almost impossible, I have since discovered). I'm also concerned that enacting the paths to anonymity may flag me on a list and that this may be used against me at some future point, especially if there is no context in the data.

I think our right to privacy is disappearing and the biggest issue is getting people to care enough to even talk about that. We seem to be giving up our privacy willingly because of a lack of digital literacy about how our information is being used, the dominance of data brokers such as Google and Facebook (for whom we are the product), the lack of transparency about how algorithms are processing our data, and so on. The issue feels buried and those who control information too powerful to stop.

How would you take the experience and learning as an Ingenius forward?

I’ll be taking it into my local community through advice surgeries in cafés and libraries. There seems to be little privacy/security support for individuals, activists, campaigners and small businesses. I also hope it will give me the wider knowledge to become more involved with Birmingham Open Rights group, which operates at a more political level.

Finally, I aim to connect more widely online around these topics and investigate options for setting up something to help people in Birmingham if I can find suitable collaborators.

***

I'M IN!

This is one of those things that will completely take me out of my comfort zone but will also likely be one of the best things ever.

***

THE GLASS ROOM when it ran in New York City saw 10,000 come through the doors. In London, on the busy Charing Cross Road, just up from Leicester Square, the figure was close to 20,000.

I was fretting about all sorts of things before my first shift, mostly about standing on my feet and talking to people all day – normally I sit at a desk and say nothing for eight hours that isn't typed. I was also nervous that despite the excellent four days of Glass Room training, I wouldn't know enough to answer all the random questions of 'the general public', who might be anything from shy to panicked to supertechy.

But it was fine. More than fine, it was exhilarating, like the opening night of a show you've been rehearsing for weeks. If anything, I had to dial it back so that visitors would have a chance to figure things out for themselves. The team were lovely and the other Ingeniuses supportive and funny. Most importantly, the visiting public loved it, with 100-strong queues to get in during the final weekend of the exhibition.

It must be a complete rarity for people to want to come in, peruse and engage with items about wireless signals, data capture and metadata. But by materialising the invisible, people were able to socialise around the physical objects and ask questions about the issues that might affect them, or about the way big data and AI are affecting human society.

Day after day, people wandered in off the street and began playing with the interactive items in particular: facial recognition to find their online lookalikes, nine volumes of leaked passwords to find their password, newsfeed scanning to find the value of their data, the stinky Smell Dating exhibit to find out who they were attracted to from the raw exposed data of three-day-old T-shirts (c'mon people – add some metaphorical deodorant to your online interactions!).

They also spent time tuning into the trailers for highly surveillant products and brands, and watching an actor reading Amazon Kindle's terms and conditions (just under nine hours, even in the bath).

And they gathered en masse around the table-sized visualisations of Google's vast Alphabet Empire that goes way beyond a search engine, Amazon's future Hive factory run mostly by drones and other robots, Microsoft's side investment into remote-controlled fertility chips, Apple's 3D pie charts of turnover and tax avoided, and Facebook founder Mark Zuckerberg's House where you can buy total privacy for just $30 million.

***

THERE WERE THREE themed areas to explore inside The Glass Room, with three further spaces to go deeper and find out more:

  1. Something to hide – understanding the value of your data and also what you are not hiding.
  2. We know you – showing what the big five of GAFAM (Google, Amazon, Facebook, Apple and Microsoft) are doing with the billions they make from your online interactions with them.
  3. Big mother – when technology decides to solve society's problems (helping refugees, spotting illegal immigrants, health sensors for the elderly, DNA analysis to discover your roots), the effect can be chilling.
  4. Open the box – a browsing space on the mezzanine floor full of animations to explain what goes on behind the screen interface.
  5. Data Detox Bar – the empowerment station where people could get an eight-day Data Detox Kit (now online here) and ask Ingeniuses questions about the exhibition and issues raised.
  6. Basement area – an event space hosting a daily schedule of expert talks, films and hour-long workshops put on by the Ingeniuses.

During the curator's tour by Tactical Tech co-founder Marek Tuszynski, what impressed me most was the framing for The Glass Room. This is not a top-down dictation of what to think but a laying out of the cards for you to decide where you draw the line in the battle between convenience and privacy, risk and reward.

I handed out kit after kit to people who were unaware of the data traces they were creating simply by going about their normal connected life, or unaware that there are alternatives where the default isn't set to total data capture for future brokerage.

Some people needed talking down after seeing the exhibition, some asked how to protect their kids, others were already paranoid and trying to go off the grid or added their own stories of life in a quantified society.

***

THERE ARE THREE LESSONS I've taken away from my experience in The Glass Room to apply to any future sessions I might hold on these topics:

  1. Materialise the invisible – bring physical objects (art, prototypes, kits, display devices) so that people can interact and discuss, not just read, listen or be told.
  2. Find the 'why' – most people are unaware of, or unconcerned about, the level of data and metadata they produce until they see how it is aggregated and used to profile, score and predict them. Finding out what people care about is where the conversation really starts.
  3. More empowerment and empathy, less evangelism – don't overload people with too many options or strategies for resistance, or polarise them with your own activist viewpoint. Meet them where they are at. Think small changes over time.

***

IT'S BEEN A MONTH SINCE The Glass Room and I'm proud of stepping up as an Ingenius and of overcoming my own fears and 'imposter syndrome'.

As well as doing nine shifts at The Glass Room, I also ran two workshops on Investigating Metadata, despite being nervous as hell about public speaking. There are eight workshop modules in Tactical Tech's resources so it would be interesting to work these up into a local training offering if any Brummies are interested in collaborating on this.

I wrote a blog post for NESTA about The Glass Room – you can read it here: Bringing the data privacy debate to the high street.

I did the Data Detox Surgery at an exhibition called Instructions for Humans at Birmingham Open Media, and also set up a mini version of The Glass Room with some pop-up resources from Tactical Tech – there's a write-up about that here. The Ingenius training gave me the confidence and knowledge to lead this.

Leo from Birmingham ORG has also had Glass Room training so we will be looking for opportunities to set up the full pop-up version of The Glass Room in Birmingham in 2018. Get in touch if you're interested – it needs to be a place with good footfall, somewhere like the Bullring or the Library of Birmingham perhaps, but we're open to ideas.

There's also a more commercial idea, which arose at the Data Detox Surgery, to develop this as an employee engagement mechanism within companies to help make their staff more cyber-secure. If employees learn more about their own data privacy and can workshop some of the issues around data collection, then they are more likely to care about company processes around data security and privacy. In short, if they understand the personal risks, they will be more security-conscious when working with customer or commercial data.

Update: In March 2018 I launched a data privacy email for my home city – you can read all about it here.

As ever, watch this space, or get in touch if you think any of this should be taken to a coffee shop for further discussion and development. You can also connect with me on Twitter if you want to follow this journey more remotely.

Thanks for staying to the end.


Hire/commission me: fiona [at] fionacullinan.com


Since Snowden… a visit to Infosecurity Europe 2017

Fiona Cullinan, Infosec Europe 2017

'Since Snowden' has become a bit of a catchphrase for me after his revelations in 2013 about the mass government surveillance of our data. Since Snowden I've watched Citizenfour, read The Snowden Files, completed two OU cybersecurity courses, joined ORG Birmingham, learnt how to use PGP encryption, risk-audited my personal info and started putting some basic processes in place so I am more in control of my data.

This is something I hope to start helping other people with, so if you have a question about password managers or how to risk-assess your info, for example, get in touch. I'm still learning so it's basic guidance only and probably best done at a friendly local level rather than in any official capacity.

Last month I also attended two days of Infosec Europe, the largest event of its kind in Europe featuring a conference programme, 360+ exhibitors and around 15,000 visitors. It was very much aimed at larger organisations and since I'm at the individual and SME level, there was some disconnect.

That said it was probably one of the best conferences I've attended outside of SXSW and I came away with a lot of info and contacts – enough to know that this is going to remain a definite interest of mine for some time to come.

So I've started a Twitter list of Women in Infosec because I missed that session at #infosec17.

And collected a few conference links for reading and reference:

Hello Infosec World.