Difference between revisions of "Digital privacy 101 for activists"

From DevSummit
(Created page with "==Themes from intros:== * Improving privacy unintended bad results * Technology challenges, beyond CRM or website * Security of data for community orgs * Anonymizing tracking...")
 
 
(One intermediate revision by the same user not shown)
Line 1: Line 1:
==Themes from intros:==
+
=Lowest hanging fruit=
* Improving privacy unintended bad results
 
* Technology challenges, beyond CRM or website
 
* Security of data for community orgs
 
* Anonymizing tracking information
 
  
==Ideas/guiding questions:==
+
Be stingy with your information. Ask “why do you need XYZ sensitive information?
How we can do both?  Be respectful of people’s data & do business in a viable way
 
What conversations must we have in order to do this well?
 
  
==Basic needs of data privacy, user agreements==
+
Evaluation your own risk
Individual privacy – only protected type of privacy – but creates “small harms to large groups,”  (e.g. differential privacy = de-identifying data.  Can’t use race or gender for certain types of analysis (e.g. health). 
 
  
How can we do analytics on data in safe way?)
+
Change your philosophy: doing the obvious “pre-digital” security practices
  
Some of these things already happen…
+
Know where your phone is
  
Advertiser cannot target “African Americans,” but they might target a particular neighborhood, income bracket, etc. 
+
Lock up your laptop
“I can look at a population and determine a connection between smoking and cancer, without knowing whether any particular individual smokes or has cancer.”
 
  
EU law forbids storage and collection of information with personal identifyers – potential starting point for discussion
+
Be sensitive to the information in your wallet or personal bag
  
How does anonymity effect equity? 
+
=Physical Security=
 +
Internal needs assessment “Threat Profile” and explore security trade-offs or compromises
  
Aggregation is one way to de-personalize data
+
Be aware of the items that can help “GEO locate” you
  
Relational database
+
Ex: License plate
  
==What do we want to do with data?  What are threats to storing data?==
+
Activist Framework: Be sensitive to WHAT YOU ARE DOING + WHO YOU IMPACT + Level of RISK you create or contribute to.
  
# can sell them
+
Implementing security options and the RISKS you can still experience
# can be stolen
 
# company can use data in malicious ways
 
  
==Data minimization==
+
Ex: You may use an encrypted email but the accounts you are receiving messaging may not – this means you are still at risk.  
open-whisper systems : app developer, were asked by federal govt for IP addresses, but they did not have that info on their server.
 
  
Data travels – has a journey – need to consider threats at different moments in that journey.  When doing a survey, sharing data, etc. 
+
SINGNAL Messenger
  
==Storing data in encrypted form, encryption key stores separately,  data is only un-encrypted when its going to be used.== 
+
SHARED via SIGNAL = When sensitive information is share
In EU, many companies having these conversations – impact assessments, data flow tools,
 
We should all be analyzing our use of data, privacy threats, etc.
 
  
Privacy badger – EFF browser anynomization tool
+
BROKEN SIGNAL
 
 
Will be interesting to see how corporations will conform to new regulations
 
  
Non-profits have cause for concern in protecting the privacy of their data, especially if they work with vulnerable populations
+
CARTOON EXAMPLE:
  
Can we use this event to have new discussions about the ethics of data privacy, there are some large companies that all of a sudden have interest and resources.
+
How to protect specific populations such as children and elderly?
  
Development of new tools that are being used by companies – some are crap, but there are some good tools also.
+
DON’T EVER TRUST A COMPANY TO PROTECT YOUR IDENTITY
Non-profits can use these tools as well, should also assess threats
 
  
Data brokers – share data amongst companies
+
Your relationship with Facebook : you are the product
  
==Analytics==
+
Any time you get a free service, you are the product-information that will be sold for a profit.
Website developers offer it, don’t want to use Google Analytics, but there are few other options
 
  
Many forces are pushing nonprofits to risky practices (such as Google)
 
  
Some might that storing data without a clear agreement should be illegal…at least start the conversation here
+
=Balance between privacy and convenience=
Foundations and funders should also understand how they might be compromising the communities they are wanting to support – pushing for greater data gathering, analystics, etc.
 
  
==Sharing best practices by nonprofits:  e.g. Archive the Internet, bay area nonprofit, anonymizes their data, lots of it==
+
Evaluate individual risk and make a decision to protect privacy or engage with convenience.  
  
Not every nonprofit can hire someone with a professional understanding of data, but there should be a list of best practices, including risk assessments, etc. 
+
Simple Tools: Privacy Bagger, Ad Blocker
  
Do we trust large companies who are making promises about data privacy?
+
Ask yourself: Does this entity NEED to know XYZ information
  
MailChimp, for example, have expressed that they will voluntarily comply with GDPR (General Data Protection Regulation), but will small organizations be able to legally challenge if they don’t??
+
Low hanging fruit: Birthday (re- establishes your identity)  
  
What do we do to remain functional as nonprofits?
+
Example: Adopt a  fake birthday
  
In EU there are email providers that are showing up as viable alternatives
+
Know how much data they are collecting and where they are collecting it from.
  
==List of basic resources for data privacy==
+
Advice for Non-profit youth media organization: Explore all the WAYS your ORG. puts your CONSTITUENTS at risk.  
* Data Ethics – nonprofit that consults around ethical data storage
+
 
* EFF – “Who Has Your Back” Report: 5 questions for service providers that rate their stance on data privacy. Also * Report on Data anonymization
+
Establish shelf life for data: What types of data do we collect and how long do we need it?
* Privacy Badger
+
 
* “Road map” webinars and toolkits for nonprofits and grassroots groups, how to create threat assessment, etc.
+
What will it COST to keep it secure? Can we AFFORD IT?
* Data Ethics canvas (similar to business model canvass) tool for thinking about what data you have, how you store it, what is the data’s life cycle, etc.  Creative Commons licensed.
+
 
* Connecting more nonprofits to resources like Capital One? 
+
 
* Tactical Tech (Europe), Engine Room, consultants that will help non profits with issues of data, analytics, etc. 
+
Existing Question:
* Digital Society Lab, Stanford, help for organizations that want to set up ethical data usage.  E.g. use agreement templates, etc.  [https://Digitalimpact.io https://Digitalimpact.io]
+
What should I accept with COOKIES?
* British govt has survey on data usage that provides recommendations
+
 
 +
How much do I trust Encrypted Email?
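
Review bot: The old section "List of basic resources for data privacy" (EFF "Who Has Your Back", Privacy Badger, the Data Ethics canvas, Tactical Tech, Engine Room, the Digitalimpact.io link) has no counterpart among the added lines, so the latest revision loses every external reference; suggest keeping that list as its own section below the new notes. The same goes for the old "Data minimization" notes on storing data encrypted with the key kept separately. In the added lines, "SINGNAL Messenger", "Privacy Bagger" and "Evaluation your own risk" look like slips for Signal, Privacy Badger and "Evaluate", and "BROKEN SIGNAL" and "CARTOON EXAMPLE:" are added as bare labels without the content they point to.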

Latest revision as of 23:32, 28 November 2017

Lowest hanging fruit

Be stingy with your information. Ask “why do you need XYZ sensitive information?”

Evaluate your own risk

Change your philosophy: doing the obvious “pre-digital” security practices

Know where your phone is

Lock up your laptop

Be sensitive to the information in your wallet or personal bag

Physical Security

Internal needs assessment “Threat Profile” and explore security trade-offs or compromises

Be aware of the items that can help “GEO locate” you

Ex: License plate

Activist Framework: Be sensitive to WHAT YOU ARE DOING + WHO YOU IMPACT + Level of RISK you create or contribute to.

Implementing security options and the RISKS you can still experience

Ex: You may use an encrypted email, but the accounts you are receiving messages from may not – this means you are still at risk.

Signal Messenger

SHARED via SIGNAL = When sensitive information is shared

BROKEN SIGNAL

CARTOON EXAMPLE:

How to protect specific populations such as children and elderly?

DON’T EVER TRUST A COMPANY TO PROTECT YOUR IDENTITY

Your relationship with Facebook: you are the product

Any time you get a free service, you are the product – information that will be sold for a profit.


Balance between privacy and convenience

Evaluate individual risk and make a decision to protect privacy or engage with convenience.

Simple Tools: Privacy Badger, Ad Blocker

Ask yourself: Does this entity NEED to know XYZ information?

Low hanging fruit: Birthday (re-establishes your identity)

Example: Adopt a fake birthday

Know how much data they are collecting and where they are collecting it from.

Advice for Non-profit youth media organization: Explore all the WAYS your ORG. puts your CONSTITUENTS at risk.

Establish shelf life for data: What types of data do we collect and how long do we need it?

What will it COST to keep it secure? Can we AFFORD IT?


Existing Question: What should I accept with COOKIES?

How much do I trust Encrypted Email?