Mutual Aid for Privacy and Security
Published:
TL;DR: I know some stuff about privacy and security; privacy and security are more important now than ever, especially for targeted communities; so I want to share that I know with anyone who may need it, especially organizations that need to protect privacy but may not have the resources or on-hand expertise to do so.
This page is designed to be as transparent and thorough as possible, which also means it’s long as hell. Feel free to jump to:
Background
My Mutual Aid Principles
Resources for Organizations Resources for Individuals
Workshop details
About Me
Contact Contribute
Resources and Source Material
Background
We all have a right to be private and secure. Though it may feel impossible to protect those rights in the current environment, there are simple steps we all can take to keep our information, and with it our autonomy, safe. You do not need to be “a computer person” or “super technical” to securely and privately use your computer, phone, other devices, or the internet. I am not a fan of only listening to experts, but I have spent much of the past 4-6 years studying and working on privacy and security issues, and I want to share what I expertise I’ve acquired in the spirit of mutual aid with the community.
I have been hoping to start sharing what privacy and security knowledge I have with the community for a while, but have hesitated to take action so that I could learn more and spend more time understanding what the communities around me may need. However, these reservations are opposed to the principles of mutual aid, which reject the hierarchy of experts and embrace solving problems through participation. More importantly, the increasing threats to privacy, particularly the privacy to obtain an abortion, to receive gender-affirming medical care, to express or learn about sexual orientations, to exist as a Black or brown person in America, or to conduct journalism and advocate in civil society demand immediate action from all who are able to help targeted populations defend against these threats.
Since there an abundant amount of resources available about how to protect personal digital privacy and security, and given my experience in organizational security and privacy, I am primarily hoping to work with other organizations (ideally other mutual aid organizations and on-the-ground groups, though I am open to working with certain non-profits) to improve their security and better protect the security and privacy of the communities they work with. I am also hoping to provide small group workshops for individuals by working with you to understand threats you may face, identify different options to reduce those threats’ ability to cause harm, and implement security and privacy solutions that work for you. My intent is for this to be more useful and constructive than a twitter thread or website listing tools and resources.
Mutual Aid
I am motivated to share privacy and security resources in the spirit of mutual aid, and hope that any services embody mutual aid principles in their implementation. While I cannot claim that my actions are mutual aid just because I say they are, the following is more-or-less a mission statement I hope hold myself accountable to and that I hope others hold me accountable to. Specifically, as Dean Spade puts it in his book Mutual Aid, mutual aid projects:
Work to meet survival needs and build shared understanding: I will not patronize, or make anyone feel less intelligent for not knowing about an “obvious” security solution or knowing “basic” technical information. The state of privacy and security are the result of institutional and systemic shortcomings, and while I will hopefully help meet immediate privacy and security needs, a world that’s private and secure by default is possible.
Mobilize people, expand solidarity, and build movements: while I’m currently doing this by myself, I hope it does not remain this way and that others are motivated to expand access to privacy and security in their communities. I also hope to build solidarity with other movement organizations and groups in order to incorporate their knowledge into what I share, as well as to help connect individuals interested in privacy and security to other struggles around reproductive autonomy, labor, immigration, prisons, the climate, and more.
Are participatory, solving problems through collective action rather than waiting for saviors: You know your needs better than I do, and I will not tell anyone what to do. While I take time to read about the struggles and privacy and security threats facing specific communities, they pale in comparison to lived experiences, so I aim to work collaboratively to understand your needs and provide recommendations that fit your situation. I do not see my job as a lecturer, but as someone with useful expertise on how specific threats work, what tools and practices are available to reduce risks from those threats (including what certain tools protect against and what they don’t protect against), and making decisions that fits your risks, threats, and resources. To prevent gatekeeping and saviorism, and hopefully to give you resources to train others, I will always, to the best of my ability, share where I’m getting my resources from, share any resources I create, and help anyone in my network that wants to share security and privacy knowledge and resources.
For more information on my inspirations and source material, see the resources and source material section below.
For Organizations
If you’re part of a mutual aid group, group directly serving your community, local labor union, on-the-ground organization, or cool non-profit* and you want to take steps to improve the privacy and security within your organization and for the communities you interact with, I want to work with you! I am just getting started with this effort, so what actual implementation looks like is largely up to us. As I mention under my mutual aid principles, I want this work to be participatory - which means working together to understand your needs and how I can work with you to help meet them.
That said, possible ways I may be able to help your organization include (in order of maturity):
- Holding an individual security workshop with your members (see below)
- Developing organizational risk and threat models
- Identifying tools and processes available to improve your security and privacy, including those that
- Enhance the security of existing tools and processes
- Replace current tools and processes with more secure and/or private alternatives
- Put mechanisms in place to detect and respond to a breach of sensitive information
- Discussing the pros and cons of different ways to reduce privacy and security risks
- Training members on specific tools or concepts (see workshops)
- Developing simple privacy and security tools for your specific situation
- Making it easier for individuals contacting or interacting with your organization to be private and secure by default
- Communicating to members and/or your target community how you have reduced the identified privacy and security risks and what risks remain
- Auditing your existing security and privacy protections (emphasized because it’s my job / one of my specialties).
- Simulating, through discussion, what to do when security or privacy is compromised
- Simulating, in real life, actions that would compromise security or privacy (advanced organizations only)
- Responding to a suspected or confirmed security or privacy compromise (likely only possible for organizations I have a pre-existing relationship with)
Each one of these bullets is very high-level, and what it looks like in practice is highly dependent on what your needs are. However, if any of what I mentioned sounds like it’s something you and your organization’s community need, or you just know you need to improve your security and privacy, contact me.
If you’re organization has labor-intensive needs, know that I have a full-time job and may not be able to meet all of them. I’m happy to have a discussion, but I may bring up a pay-what-you-can model if your needs blur the line between mutual aid and the work of a contractor / security trainer.
*I reserve the right to not work with non-profits that I do not think are cool. If you think your organization is cool and generally in-line with mutual aid principles, feel free to reach out.
For Individuals
If you (and maybe even your friends!) want to take steps to improve your personal security and privacy, or just want to better understand some of the concepts behind security and privacy, I am also happy to work with you to accomplish those goals. Like I mentioned for organizations, actual implementation is up to us, and I want this work to be participatory and empowering (refer to mutual aid principles for more).
Workshops
I imagine / assume that the best way I’ll be able to help groups of individuals, including many groups that may be with the same organization, is through participatory workshops. Again, the content and design of these workshops will be mutual, and the level of sophistication can vary based on the audience, but could potentially include:
Workshops on threat modeling. Everyone faces different risks and threats, and I can’t answer every possible question about technology. However, different privacy and security threats try to obtain or attack information in different ways, and learning how those threats work and how your information may get in their hands can help you make more informed decisions about what steps you can take to balance privacy and security with other priorities like accessibility, transparency, usability, effort, and cost.
Training on specific tools and technologies, such as learning how common tools like password managers, two-factor authentication, VPNs, TOR, Signal, and WhatsApp work; as well as what threats they help protect against and what threats they don’t. For users more comfortable using different technology or who face increased threats, this could include trainings on using less-known privacy-enhancing operating systems or the details of how and where information is stored and shared.
If you need immediate resources, see the resources section below. If what I’ve listed doesn’t protect you from what you immediately need protection from, I can try to help if you contact me, but cannot guarantee I’ll be able to do so. Many organizations exist to support individuals in immediate, pressing circumstances, but I am not one of them. I am hoping to help improve your privacy and security before a crisis occurs.
About Me
As I mentioned earlier, I’m not a fan of the idea that one must wait for experts to meet needs. That said, if you’re reaching out to someone else for security and privacy aid, you probably want to work with someone with some expertise. Here’s what knowledge and experience I bring to the table that may help your organization, as well as some things about me that may not be the best fit for your needs - all spelled out formally on my resume. Most attributes can be either a pro or a con depending on your perspective, so I’ll mention both angels and leave you to decide if you think I’m a good choice for you.
The Pros
I started learning about computers, particularly digital security and privacy, while getting my undergraduate degree in Computer Science at Georgetown University. I received recognition from the institution, I graduated Magna Cum Laude, received a government cybersecurity scholarship, and earned the Department’s top undergraduate award. I also studied political science, mainly technology and cybersecurity policy, so while I’m not a lawyer and cannot give legal advice, my technical considerations are informed by the laws and broader social concerns around technology, cybersecurity, and privacy. Along the lines of formal accreditation from institutions, I have a Security+ Certification, Cybersecurity Analyst+ Certification, and am an Offensive Security Certified Professional. In plain english, this means I can tell you the basics of security, identify and address security and privacy risks, vulnerabilities, and compromises on paper and in controlled lab environments, and can hack into weakly-to-moderately secured fake computers and networks. Do any of those things matter to you? Probably not, but other people have thought I’m decent with computers.
In the real world, I’ve built (and wrote about) privacy-enhancing technology that allows you to run any app on a computer without leaving sensitive information behind that you don’t know about (this also received a formal award from academics). I’ve also built / am working on other software hobby projects, and frequently participate in cybersecurity trainings, conferences, and competitions that don’t get me the formal certifications I can easily link to, but that help maintain and grow my skills.
For work, I’ve spent the past two years (plus an internship) as an IT & Cybersecurity auditor at the Government Accountability Office, where I conduct on how the federal government manages and secures the IT storing and processing much of our personal information. Some of my relevant work includes an audit of the National Institute of Health’s Cybersecurity, and an upcoming report on government-wide privacy programs. More importantly, this means I spend a lot of time learning about and examining how organizations should be protecting themselves and the information they hold.
I’ve also participated in movement work, especially labor movement work, since college. I was a member of a United Students Against Sweatshop local as an undergrad, organizing to build relationships with workers across the university and put pressure on the institution in contract fights (both with workers and suppliers) and other campaigns. I’m currently a steward and bargaining committee member for my current job’s union local, and am a member of a SURJ DC reading group. I attend various ad-hoc actions in solidarity with other D.C.-based community organizations as I’m able.
While I’m not an officially certified or trained facilitator, I have experience sharing facilitation responsibilities in group settings, teaching technical information to people with different levels of experience as a Teaching Assistant for university security courses, and presenting technical information at my job and to academics (see a talk I gave on ResidueFree). As you can tell by the length of this blog post, I don’t like to tell people what to do, and instead provide context for why some actions and tools may be helpful and how to make decisions to use them (or not).
The Cons
As I just stated, I’m a federal government employee. While my job is to provide independent oversight of the rest of the government and tell the public about government programs, no sweat off my back if that affiliation’s a deal-breaker. It also means I have to uphold pretty strict independence rules, so if you’re an organization conducting partisan electoral work, or have a strong relationship with a government IT contractor (or sub-contractor), then no dice (you wouldn’t be my target audience, so not terribly sorry about that). Most of my experience comes from academia, certifications, and looking over other organizations’ shoulders - not building or maintaining security and privacy solutions that are used on a day-to-day basis - which means that a lot of my expertise comes from theory and simulated environments, not the complexity of the real world.
Since I have a full-time job, I will not be able to help as many people as thoroughly as I would like. It also means I have to work around my job’s schedule to provide any assistance. If you’re part of an organization that’s looking for more labor-intensive support, I’m happy to have a discussion, but know that I may not be able to meet all of your needs.
So, I’m not the highest-caliber expert if that’s what your looking for, but I do have some expertise and I want to help. If you think I can still help with your needs, read on for contact information.
Contact
If what I’ve described sounds right for you and/or your organization, please get in touch with some information about what you have in mind. For potential work, I am available virtually and physically around the D.C. area (presuming Covid-19 protections are in place). When you reach out, please include (to the extent you’re comfortable - I will do my best to provide resources with whatever level of detail you’re willing to share):
- Whether you are interested in something for an organization or for individuals
- If for individuals, specify whether you’re reaching out on behalf of a group of individuals or just yourself
- Any specific topics, technologies, tools, risks, threats, trends, or scenarios for your needs
- For organizations, any information about security and privacy changes you’re looking to implement
- Format details you had in mind (virtual vs. in-person, approximate days and times)
- Other information that would be helpful starting a discussion about how I can plug in
Contact Methods
(formatted oddly to prevent a bot from automatically reading)
email: workshops [at] [this website] / [my full name] [dot] com (PGP Public Key)
This email address is hosted by ProtonMail, which has security mechanisms in place to ensure that it cannot read any emails it stores. While mail from a non-ProtonMail account is briefly readable by ProtonMail, it is promptly encrypted (this does not stop your email provider from reading email you send). Mail sent from another ProtonMail account (create one) or an account using PGP encryption (using my public key) is only readable by the computers sending or receiving the message. I promptly delete emails after they’re no longer necessary to coordinate any work. While ProtonMail could identify me as the owner of an account using my IP address, those concerns don’t impact my threat model since the email address includes my name.
Contribute
I say I want to do this as part of mutual aid, yet this information is on my personal website and has a lot of “I”s in it. I would love to provide this support as part of a broader, collaborative effort, but part of the reason I’m doing this is because I don’t see anyone else in the D.C. area doing it and I think the current situation is too urgent to wait to find other people who I can do this with. If you think you can contribute, please email me using the above info! You don’t have to be technical to contribute - the intent of mutual aid is to work collaboratively to solve problems and reduce gatekeepers. If you think you can help and want to, get in touch and I’m sure we can agree on something. (Like with organizations, I may decide to not work with you for any number of reasons - most likely if I think that our values don’t align).
Resources and Source Material
The inspiration for providing mutual-aid-oriented community cybersecurity and privacy assistance comes from many theorists, organizations, and technical resources. (While I found the below sources to be helpful and worth drawing from, I do not necessarily fully agree with everything about an individual or organization. Listing a resource here is not strictly an endorsement of the resource source’s politics, policies, tactics, or leadership).
Primarily, credit goes to the Electronic Frontier Foundation’s Surveillance Self-Defense Guide and the associated Security Education Companion. While some of the technical resources are dated, I drew on much of their framework and approach to individual and community security when thinking about how I wanted to approach this effort. In addition, EFF’s Electronic Frontier Alliance (and their lack of D.C. chapters) first pointed me to the idea of community-based cybersecurity and privacy groups.
Speaking of community-based cybersecurity and privacy groups, CryptoHarlem is an inspiration not just for their organizational approach, but also their technical resources. I’m also inspired by how the Sylvia Rivera Law Project uses a collective, non-hierarchical structure to deliver technical (in their case, legal) services that are traditionally governed by people with formal education or advanced degrees. Not an organization, but Glencora Borradaile’s Defend Dissent also offers security and privacy resources targeted towards social movements.
For the details of facilitating community security discussions, I plan on drawing from EFF’s Security Education Companion and the Tactical Technology Collective’s Holistic Security Manual and other resources.
I’ve already mentioned some technical resources, and while most of the information I share will come from an ad-hoc mix of sources, I also find Washington Posts’s helpdesk to have usable information for individuals protecting their privacy, the National Institute of Standards and Technologies to have extremely comprehensive organizational security guidance, and the SANS Institute to have high-quality technical resources as well. Other resources that may be useful include Consumer Reports’ Security Planner
Am I missing something? Feel free to send me an email to the address above or make a pull request directly to this page’s GitHub repository.