- Which strategies and tools were familiar to you? Which were new or different?
- Which practices are you already doing? What tools are you already using?
- What threat models did you have in mind during this discussion?
- What resources (from our readings) were helpful?
- What frictions or difficulties came to mind when reviewing each strategy or tool?
It was great to both have reinforcement of some of the tools I’m currently using and learn about some new ones - I’m particularly interested in the Firefox extension that randomizes my browsing history that was on one of the EFF sites.
I left thinking about the upcoming workshop series I have coming up at Beloved Community, which is a village of tiny houses built to provide housing for folks experiencing homelessness. The biggest request from residents is to learn more about security and privacy - which is awesome! - but what tools will actually be useful here? Folks in precarious situations often lose access to devices or phone numbers - does 2FA or a password manager make any sense to suggest? We’re going to try and have people do some threat modeling and then build in a lot of time to talk 1:1 about which tools and practices make the most sense in people’s particular situations. If anyone has any experience tackling this subject with folks experiencing homelessness, I’d love to hear about it.
That’s awesome Nate, I’m so glad to hear that folks in that community are so interested in security and privacy. In terms of what would be useful, I agree that threat modeling and 1:1 convos will be the best route.
I think you’ll probably end up suggesting some lower tech solutions, like a password notebook. For added security, I suggest teaching a method where folks have a prefix to each password that isn’t written down in the notebook. That way, if someone gets a hold of their password notebook, they don’t actually have the full password. The prefix can be the same for each password so that it can easily be memorized. So that might look something like this:
In each case, the password is totally different, but the prefix in both situations is “elephant”. The password notebook would not have this recorded, it would just have the rest of the password. Does this make sense?
I enjoyed getting new information on many of the tools/strategies I’ve already been using. I didn’t know about a lot of the Firefox extensions that folks mentioned during the class, so it was helpful learning about things like FB containers and the other features Firefox offers. I also found the resources shared this week very useful.
The one friction/difficulty that comes to mind (and that I also experience) is just being overwhelmed by the number of steps or action items a person needs to do to be digitally “secure”. While I understand that something is better than nothing, it’s also easy to feel pre-emptively defeated and to think that it’s an all-or-nothing game. I think also having a level of flexibility or alternate options (like Alison’s suggestion of using a password prefix in her post) can also help people feel like they can apply these strategies in ways that make sense to them rather than making them feel like there’s only one way to apply a specific strategy and if that can’t be accomplished then it’s wrong. I also liked the approach (sorry I forgot who mentioned this in class) of doing some of these on paid time (if in a workplace setting) or in developing a workshop where attendees actually do one of these steps as part of the workshop so they can leave with something.
I agree, I was thinking in class about how many of these I apply at home but how few on my work computer because every time IT does an upgrade they seem to reverse everything… feels not worthwhile to constantly be re-doing it considering how many steps there are (not only for the basic tools, but also to make them work within all the work restrictions).
Yes, I agree 100% that the suggestion of doing workshops on paid time was a great one, and would be great to see more of. So much of this “training” at my workplace is done by emailing us PDFs and hoping for the best that we will act on them.
So while ostensibly we are learning about it on work time it’s not very robust (and certainly doesn’t go as far as ad blocking or password managers; this is purely about making sure we use Outlook and OneDrive and avoid phishing attempts.)
@ajones that’s super frustrating that those sorts of things get undone when they run updates!!! And yeah, for folks who are mostly/often accessing computers that aren’t their own, on which they can’t install new software or extensions, the options are super limited. I was thinking when you mentioned Firefox Lockwise how it’s maybe a nice entry-level option for a password manager but I guess you’re out of luck if the public computer you’re using doesn’t have Firefox on it… tricky!
This is so real and so many people feel it. In my experience, the overwhelm feelings will always be there (I feel them too), but using threat modeling, a harm reduction framework, and the flexibility/options that you mentioned, it is possible to mitigate these feelings. Even just having strong passwords is such a big important step that helps with soooo many situations.
Yes, these are professional skills, and we should get work time to complete them.
As I mentioned I’m a big fan of sticking to no more than 3 tools/strategies per privacy program. That way, it’s not as overwhelming as trying to get to everything, and you’ll be able to budget plenty of time to the actual setting up and doing.
It’s easier on patron computers where we typically have programs like Deep Freeze installed, where the privacy tools can be added to the image that the machines reboot into every night, and then nothing gets deleted. But work machines definitely have their own frustrations. Hopefully next week when we talk about communicating about privacy, we can talk about the strategies that work for convincing IT that these things are important. My experience is that IT cares about security, and not making more work for themselves, so arguing for privacy tools from a security angle, and showing how simple these tools are, can help make the case for getting them on work computers and keeping them there.
I intend to come back and answer the prompt in full… but this couldn’t wait. OMG! NOW I remember why I’d put off resubscribing to ExpressVPN. Everything we do online these days is pretty much instantaneous; my VPN makes me feel like I’m on my old Tandy SX with dial-up!! I end up disconnecting just to complete a task then reconnecting. Disconnecting to use your phone seems to cancel out all your privacy efforts. It’s like I’m saying, “well, the phone is only safe when it’s sitting in my office not being used.”
It’s true, VPNs have a tendency to slow things down. But they don’t all do this. I’ve had a lot of success with PIA for example. Also, it sometimes helps if you mess with the settings in the VPN a little. There’s usually an option to try a new IP address, and sometimes that can gain you some speed. But this is definitely a friction!!
Been thinking about this again since Google just announced they’re turning on 2FA by default: https://twitter.com/mrisher/status/1455584947402522627
This is good for a lot of people, but I wonder what their plan is for people who don’t have a reliable phone number or backup email.
Thanks for the settings tip, Alison! That helped tremendously with speed. I now need to Google differences in the VPN protocol choices to understand what I selected. Whew.
I’m glad that worked! But yeah, you see the challenges with these systems. Making them work well can require a lot of input or prior knowledge, and that’s just not accessible to most people.
Time and energy spent on troubleshooting or finding workarounds can definitely be a deterrent.