I have been looking at the cyber-security space for quite some time now. I have myself been a victim of my own inability to protect myself online, a mistake that I am still paying for. On the other hand, I have accumulated increasing frustration towards the freedom online movement, freedom of the internet, cybersecurity/digital security kind of community (I know they are not all the same thing, but for normal people, yes they are).
I am no expert to be able to teach lessons and to point fingers, but I have been both a “mentor” and a “user” of circumvention and privacy tools, so I believe that I have gathered quite some knowledge regarding what is working and what is not working in that space, and why I am still looking at the digital security movement as a fundamentally big failure. Granted, I am not blaming anyone, but rather trying to investigate why we (and yes I put myself into this) have not been able to achieve what we wanted, which was indeed a more open and free internet and more security and privacy for everyone.
The whole NSA issue and the endless Snowden story are a good example of the fact that, all in all, we have failed as a community. And not only as a community of practitioners, but also as a community of citizens.
The first place where I see this failure is how few people are really adopting and using tools that can protect them. The reason behind this is as simple as it is stupid: there are too many, no one agrees on their degree of security, and some of them make your life a living hell. Let’s take TOR as an example. It has been advertised and taught in all possible ways and in almost all parts of the world. The TacticalTech guide for digital security has the best and most complete instructions on how to use it, in several languages. Lots of people agree it is the best tool available right now to protect yourself online.
Even an extract of a Top Secret appraisal by the NSA characterized Tor as “the King of high secure, low latency Internet anonymity” with “no contenders for the throne in waiting”. On the other hand, if you google it, you will also find lots of articles claiming that TOR is not safe, and that you should not use it. To add more confusion to this, you can also find out that TOR has been funded/supported by the US State Department – indirectly, but still, the same USA government that created the NSA. Add to this that if you try to use TOR in places like, for example, Niger, you will not be able to access the internet 8 times out of 10. The other two times, you will have to wait for about one hour before any page can actually load. When I was there I asked a friend to help me out: she walked me through how I could make it faster. It did not really work (mostly, I guess, because I could not even understand what she was asking me to do). After the second day I gave up.
I remember once talking to a friend of mine, a University professor and PhD, specializing in crisis mapping, so all in all, not an expert in cybersecurity but also not a newbie to the internet and technology tools. She looked at me and said: “I gave up, I assume that all I do online is traceable and detectable, and that if I want it to be private or secure I just should not use the internet”. Back then I thought she was exaggerating.
The first time I attended a cybersecurity training I ended up coming out so confused and so overwhelmed that I could not remember a single piece of software they taught me to use. I ended up installing more than 16 different pieces of software on my computer, which slowed it down considerably and gave me a range of 4 to 6 pop-up windows for every page I was browsing. Not ideal.
Thinking back, I really did not need all that software but only a few pieces of it. According to the risks I was most likely subjected to, I really only needed to change some of my behaviors more than install a million pieces of software. The focus of that training should have been my vulnerabilities and my risk assessment, followed by a training on secure habits on the internet. Not how to install and run TrueCrypt.
And this is where I see one of the biggest problems of the digital security community – and their funders: the obsessive focus on the tools and on the training, rather than on the habits and on assessments. People all over the world are being given a one block solution for all – including almost always the same tools – and are expected to start using those tools, regardless of whether this is really what they need.
In addition to that, little or no focus is given to habits and to how you make sure that people pick them up. A very good friend and digital security trainer showed me this amazing advert a couple of weeks ago (see below), one that is considered to have been one of the most effective sensitization campaigns ever done against smoking. The point of the advert was to make people realize how ridiculous the concept of “social smoker” is, without telling them that they should stop doing it, but simply making them realize how ridiculous that is.
Why have we not been able in the past 5 years to make people realize how important it is to protect themselves online? Our advertisement strategy is often just based on stories of hacked Facebook accounts or identity theft, but those have not been enough apparently.
And then there is the last issue that bothers me a lot: aside from the quite disturbing and annoying fact that a lot of the US based cybersecurity movement is, directly or indirectly, being supported by the US government, be it DRL, State Department, USAID or other collateral agencies, this movement has badly failed in educating people about their risks. We have been so focused on the tools and on battling over who is the most hardcore internet freedom activist (no worries, they are all Americans and almost all men: we are safe!!) that we have kind of lost perspective on where the real danger is coming from.
At the freedom online conference in Tunis, in early 2013, I also realized how the language is a barrier. The majority of the conversations I had with people at the conference were almost surreal. I consider myself a pretty smart girl: I have two master's degrees and have been working on technology related stuff for the past 4 years. Despite this though, I could not understand more than 80% of the conversations happening in that conference: people talked using lots of acronyms and ONLY (yes ONLY) using technical language. There was not one single person there that bothered to explain in plain English what they were talking about. Granted, I guess that the Freedom Online conference is only for “already experts in the subject” people, but if this is the language used to communicate in this space, no freaking wonder no one else outside that community has a clue about the whole digital security issue.
In that same conference Google organized a Google Tend. More than 80% of the delegates decided not to go, in protest against the company being one of those who gave data to the NSA at its request. Instead we all went to Nawaat, where several digital security activists/experts etc. from the USA organized a meeting to discuss what they could do to protect their privacy in their country. During the meeting a Tunisian activist, who had been fighting against the censorship of the internet in his country for years, came close to me and asked me “Why are the Americans so shocked about this? Did they really not know that this was happening? Really?”.
I remember thinking that this was a great thing, highlighting how much trust American citizens have in their government. On the other hand, I realized how little we are prepared to really take action against the real threats to our online freedom and privacy: the government agencies, the internet/mobile/ISP providers and the tools manufacturers. We have been focusing so much on the users – overwhelming them with tons of information and tools to use – and very little on the main producers and managers of the system.
What the NSA did, to me, was not to show that the USA government, together with many others, does not care about privacy at all, but to show that we are unprepared and have ignored the bigger problem: the fact that the whole infrastructure of the Internet is still managed and controlled by a few, and those few are linked strictly to (or bossed around by) governments. While we were wasting our time measuring our dicks over the most hardcore encryption system, we forgot to invest in what the real deal is: the infrastructure and the laws regulating its use and access.
As I said, I am no expert. But I am worried that even the experts here have not been that useful so far. I hope that the NSA issue will not be confined to the usual USA-centric discussion based on “can the government spy on its own citizens” but moves a bit towards the fact that our digital security and online freedom strategy has been a huge failure. We have failed as a community and we need to make up for this. We need better trainings (and tailored to real risks), better strategies for risk assessments, better sensitization campaigns, better understanding of the issue, better communication skills.
We need a much broader advocacy strategy that starts from obliging, for example, all companies to write their Terms of Reference in plain English; mobile providers to give instructions to each of their customers about where and when their communications are recorded, stored and kept; making it compulsory to attach to each mobile handset sold an “instruction sheet” that explains to people how their device can be tracked; all providers to have self-encrypted systems where they DO NOT have access to the data, they just act as the means to move the data. We need a much stronger position not just against the NSA, but as a community on what we did wrong and how to do it better. Demonstrating or collecting signatures, I am sorry, is not a strategy, it’s the last resort of an already failed movement.
We need to re-group, re-focus and start everything all over again.