Rising authoritarianism risk modeling

From DevSummit

What brings us here?

  • What have people done in the past? What are people doing now? How do we get ahead of the game?
  • Doing opposition research and fieldwork – thinking about risk can feel abstract – curious to learn more
  • Important to educate people to use the right tools, but digital rights policy space has failed at getting the nuance right, not doing risk assessment first, very dogmatic policies that aren’t informed by understanding the nuance
  • Introduce both collective and individual risk assessments?
  • How do we avoid taking more risks by writing down the risks?
  • Share experience of doing risk analysis with feminist groups in Central America
  • Digisec assessments for nonprofit organizations; more experience with organizational than individual, leftist progressive small-to-medium nonprofits, wants to learn more
  • Here to learn more about risk assessments, build that muscle, bring that back to their org
  • What do honest conversations about risk assessment look like? What is the fabric of care? Are we worrying about organizational reputation or actually caring about people?
  • Journalism covering human rights; every time there’s a digisec workshop it’s always just a list of tools, “You have to use x tool” without understanding context; looking to implement new practices of digital care for journalists and their sources
  • Went to a lot of trainings like what was described, started developing processes that start with assessment first – pretty deep assessments – that get to what’s important for a particular organization and what they need.
  • Are there best practices for risk assessment?
    • Depends on the goal – is the goal the preservation of an organization or protection of individual staff/served communities?
    • Have trust – you won’t get answers if they don’t trust you with that information
    • In Honduras many years ago, a feminist group was doing abortion work. Came to me for digisec workshop – but I said it’s not a workshop, it’s a process. Let’s do risk assessment and come up with protocol. But what’s the protocol needed? Psychosocial? Medical? Etc.
    • Technosolutionism: here’s your solution and we’re done now. Working with groups along the Southern border, there isn’t the delusion that the org will protect them. In US nonprofits, people think the org will protect them.
    • Did consulting work for well-resourced nonprofits. Need an interdisciplinary approach. Maturity model: barely functioning to long-term plan/redundancy
    • There are models that can apply across the board for orgs and individuals if they’re tweaked well. I find that orgs are down to go with a full assessment at this point but now more and more folks are showing up knowing what an assessment is and how to go about it.
  • Process for assessment:
    • What does safety and security mean to your group?
      • May not know digital security but they know what safety is to them.
    • Data inventory
      • List all the places you store data
      • List all the data you store in each place
      • Categorize by sensitivity (Public, internal, confidential)
      • Data integrity – how bad is it if this data gets corrupted?
      • Data availability – how bad is it if you can’t access the data?
    • Threat assessment, not risk assessment because a group said risk assessment is what cops do to assess their people
      • What are you doing to protect it already?
      • Who might want to get at it?
      • What would happen if they did get at it?
      • How might they get at it?
      • What’s the likelihood?
    • Looking at all of this different info we’ve gathered, what would I recommend to this group?
  • What’s the response like to this process?
    • If you do your risk assessment right, the people will trust you to use your recommendations
  • Need to meet people where they are in implementing solutions – if they don’t follow the protocols maybe the protocols need to change.
  • The buy-in is key. People care about the work they’re doing and the people they’re doing it for. “If you do this thing you might feel annoying, this is connected to the values you already have, not because I tell you to do it.”
  • When doing my own org risk assessment, I need another perspective from outside with other colleagues for their input.
  • What would a responsible community of practice look like?
  • It takes ongoing work to keep digital security practices in place

Story time!

  • After 2016 election, people went wild for digital security: what’s different about your work? If not let’s focus on core competencies
  • Only need new assessment if the work has changed.
  • Lesson from digital security workshop: take a break from the workshop, do self-care

Are there scalable solutions?

  • Creating a security mindset does scale. ActUp and Black Panthers knew operational security.
  • Scaling up a security mindset example: in 2015 after Trump announced candidacy, shared ideas of what might come up during a Trump presidency. Did some workshops with Signal and made commitment to use Signal. Didn’t respond to SMS. Once Biden came in people started defaulting to previous methods.
  • I like the practice of affinity groups. How do we think small about this? Small design is inclusive design.

Build relationships to