The Investigatory Powers Act 2016 was passed by both houses of parliament and enacted by the Queen late last year. This act specifically sets out the extent to which the government can interfere with the privacy of people living and working in the United Kingdom. Internet providers will now retain records of which websites you visited for the last year and will have to provide these to government officials without a warrant if asked to do so. For the first time it is now a criminal offence for someone working for an internet provider to disclose that information has been requested by the government. Icky, right?

In libraries, a user’s right to privacy is one of the core professional values. In 2015, among other privacy-related recommendations, the International Federation of Library Associations and Institutions statement on privacy in the library environment recommended that:

Library and information services should support their users’ ability to make informed choices, take legitimate actions and weigh risks and benefits in their communications and use of services on the Internet.

Data protection and privacy protection should be included as a part of the media and information literacy training for library and information service users. This should include training on tools to use to protect their privacy.

The education of library and information professionals should include data and privacy protection principles and practices in a networked environment.

I felt that I had a professional duty to explore this further and look at ways that I could empower the people I work with to take the initiative for their own privacy and information security.

So in December last year I began to think of ways in which I could give the issue of privacy more attention in my professional activities. This led me to consider hosting a CryptoParty as part of my wider library training programme.

CryptoParties are decentralised social events where participants can explore different aspects of encryption and information security in a relaxed and nonthreatening environment. Rather than being events for hackers, pen-testers, cryptographers, and general tech-types, these events are for people who maybe don’t know much about information security, but would like to learn more.

I did a sweep of the information already available. It turns out we didn't have any official guidance on, say, encryption, that could be readily promoted to a lay audience. So I had to draft an awful lot of help material from scratch. In doing this I found A DIY Guide to Feminist Cybersecurity, Security In-A-Box, and Me and My Shadow useful for plain-language descriptions of information security concepts. I've stripped any institutional info and uploaded them here so feel free to reuse/re-purpose;

The document about backups is entirely institutional, so I haven't included it here. After drafting all the material, we then chose a date, organised catering, and set to promoting the thing.

When floating the idea, I was told in no uncertain terms that I would not be allowed to discuss certain topics as they directly contravene my organisation's various information security policies – specifically anonymization. This meant that I couldn’t talk about services such as Tor, or systems such as Tails. While understandable from an organisational point of view, I felt hampered by this attitude. In fact, this was the first time I've ever felt that my professional values conflicted with those of my employer.

The people who have the most to gain from your good idea will be the quickest to throw obstacles into your path.

In a previous post I gave the following piece of advice: "Don't ask for permission to do great things. Ask for resources." Well, in this instance I felt compelled to ask for permission first. I work for an organisation that has information security set firmly on the strategic agenda. There are people in my department who are responsible for promoting issues relating to information security to staff and students. I really didn't want to step on their toes. There are also student groups specifically dedicated to this issue, so getting them involved made sense. And, hey, the more people involved the easier the whole thing would be, right? Wrong. Promised information never materialised. Quite a few folks pulled out at the last minute. While some of the interventions were helpful, others were not, and in the end balancing everyone's differing points of view and commitments proved stressful. All in all, it took FIVE MONTHS to plan and deliver the event.

Will I do this again? Yes, but I think that making the next event localised will give me more control and, bizarrely, less stress. In the end we had conversations with about 50 staff and students (mostly students) about privacy online and information security. It's a worthwhile endeavour, but it just takes a little more effort than the other library skills development events.