Yesterday we had our monthly all hands meeting at my company. In these meetings we allocate some time to various things to increase our team’s knowledge and skills. This time we looked at information security, and I gave a little intro to start a more long term discussion and effort to raise information security in our company.

When people discuss information security it’s often along the lines of ‘if you want to do it right I’d have to go full paranoid, and that is completely over the top, so I won’t bother with it at all’. This is akin to saying that because it makes no sense to turn your home into an impenetrable fortress against invaders, you’ll just leave the door standing open. In practice you’ll do something in between those two extremes, and have locks on the door.

[Images: an impregnable fortress, an open door, and a locked door]
Fortress or open door? That’s a false dilemma. (fortress by Ryan Lea, CC-BY, open door by Hartwig HKD, CC-BY-SA and locked door by Robert Montalvo, CC-BY)

You know the locks on your door won’t keep out very determined burglars or, say, a SWAT team, but they will raise the time and effort needed for less determined invaders to a point where they are discouraged.
At the same time, keeping the door closed and locked isn’t just useful to keep out burglars; it also keeps out the wind, rain, leaves and dust blowing in from the street.
Similarly, in information security you won’t keep out determined government three-letter agencies, but there too there are basic hygiene measures and a variety of measures to raise the cost of more casual or less determined attacks. As with preventative measures at home, information security can be viewed in layers on a spectrum.

I tried to tease out those layers, from the most basic to the most intensive:

  1. hygiene
  2. keeping your files available
  3. basic steps against loss or theft, also on the road
  4. protect client information, and compliance
  5. secure communication and exchanges
  6. preventing danger to others
  7. traveling across borders outside of the Schengen area
  8. active defence against being targeted
  9. active defence against being targeted by state actors

For each of those levels there are multiple dimensions to consider. First of all in recent years a new group of actors interested in your data has clearly emerged. The tech companies for whom adtech is their business model started tracking you as much as they can get away with. This adds the need for measures to all but the most intensive levels, but especially means the basic levels intensify.
Then there’s the difference between individual measures, and what can be arranged at the level of our organisation, and how those two interplay.

Practically each level can be divided first along the lines of our two primary devices, laptop and phone. Second, there’s a distinction between technological measures, and behaviour (operational security).

[Image: the list of levels, and the distinction in dimensions as I showed them yesterday]

I provided examples of how that plays out on the more basic levels, and on the most intensive level. E.g. on the level of hygiene, technological measures you can think of are firewalls, spam and virus filters, a privacy screen, ad blockers and tracker blockers, and using safer browsers. Behavioural measures are not clicking links before checking where they lead, recognising phishing attempts, not plugging in USB sticks from others, using unique user names and passwords, using different browsers for different tasks, and switching off wifi, Bluetooth and GPS (on mobile) when you’re not specifically using them.

Over the years working on open data I’ve increasingly become aware of and concerned about information security, and since early 2014 I have been actively engaging with it. I’m more or less at level 7 of the list above, and with the company I think we need to be at level 5 at least, whereas some of us haven’t quite reached level 1 at the moment. From the examples I gave, and by showing some of the (simple) things I do, we had a conversation about the most pressing questions and issues each of us has. This we’ll use to sequence steps. We’ll create short FAQs and/or how-to sheets, suggest tools and behavioural measures, suggest what needs a collective choice, and provide help with adoption / implementation. I feel this gives us a ‘gentle’ approach, one that avoids the overwhelm that leads to not taking measures at all.

The first things people mentioned because they were worried about them are: usernames/passwords, e-mail, trackers, VPN, and handling copies of IDs.
So we’ll take those as starting points.

If you want to read up on information security and operational security around your devices, the dearly missed Arjen Kamphuis’s book on information security for journalists is a very useful resource. My approach as described is more geared to the actual context of the people involved, what I know about their habits and routines, and the context of our work and typical projects.

Late June, I will be contributing to a course of The Hague Academy for Local Governance on Integrity and Anti-Corruption efforts. My part in this course will look at the role and use of open data and transparency efforts.

I will cover how open data helps create transparency, such as public procurement data, land registry and land bank data, ultimate beneficial ownership data, public spending, (farming) subsidies, politicians’ expenses, etc., and the role of ‘many eyes’ in such cases.
I will certainly talk about how open data can create new agency, levelling the playing field between citizens and government entities (like local budget monitoring does). Also the role of investigative journalism (like Follow the Money here in NL), especially the cross-border variety, leaks, novel research groups like Bellingcat, and crowd sourced efforts to wade through large responses made to Freedom of Information requests, mapping impact of civil war, or detecting war crimes. All examples of, let’s call it ‘Data Driven Daylight’. I probably will also need to talk a bit about data provenance and data governance, as well as how understanding the basics of technology is a prerequisite if you have a role in preventing and detecting integrity and corruption issues.

My experiences in open data, work for the World Bank, and the UNDP (for which I contributed to an anti-corruption training a few years ago), as well as my role as board member of the leading Dutch transparency NGO Open State Foundation will be the basis.

Yesterday I realised once again the importance of watching how others work with their tools. During the demos of what people worked on during IndieWebCamp Utrecht I was watching remotely as Frank demoed his OPML importer for Microsub servers. At some point he started sending messages to his Microsub server’s API, and launched Postman for it. It was the first takeaway from his demo. I decided to look Postman up, install it, and resolved to blog about the importance of sharing your set-up and showing people your workflows.

Then Peter independently, from a different cause, beat me to it with “You do it like that?”.

So consider this reinforcement of that message!

Bryan Alexander writes a thoughtful post about media literacy, specifically in the US context, and in relation to the role of education, in response to an ongoing conversation on it:

How should we best teach digital and media literacy?  How can such teaching respond to today’s politically and technologically polarized milieu? Last week a discussion brewed across Twitter…

Towards the end of his critical discussion he makes

One more point: I’m a bit surprised to not see more calls for the open web in this conversation. If we want to get away from platforms we see as multiply dangerous (Facebook in particular, it seems), then we could posit some better sites. I’m for RSS and the blogosphere. Others may plump for Mastodon.

I think this is an important aspect. To me the open web is about agency, the power to do something, to act. In this case to critically engage with information flows and to contribute your own perspectives on your own website.

Every centralised platform or web silo you use means an implicit vulnerability to being kicked off by the company behind it for arbitrary and not just valid reasons. Even when using it, it means hard borders are drawn about the way you can share, interact or connect to others, to protect the business behind it. Facebook forces you to share links outside your commentary, and doesn’t allow inline hyperlinking as is actually the web’s standard. Your Facebook account can’t directly interact with my Twitter account, not because of technological limitations but because of both their wishes to be silos monopolising your online conversations.

On the open web you acknowledge the existence of various platforms, silos and whatnot, but the interaction circles around your own online space. Your own platform-of-1 that monopolises your own interaction but puts that monopoly in your own hands, and that makes no assumption whatsoever about what others do, other than expecting others to use core internet standards and protocols. Your platform-of-1 is your online presence, like this website, from which you alone determine what you share, post and link to, in what way it is presented, and who can see what.

This includes pushing things into silos. For instance I post to Twitter, and respond to others on Twitter from my own website, and reactions on Twitter come back to me on my website. (Not Facebook, you’re no longer allowed to post / peek over their fence).

This is a source of agency. For me as an individual, as much as for a group. There’s a marked difference between a protest group coordinating themselves on a Facebook group, and e.g. Edgeryders, a network of changemakers building sustainable projects for the common good, which runs their own group platform to interact using Discourse. A direct difference in agency to be able to shape the way you interact versus having to follow predefined common denominator functionality, and an indirect difference in resilience against push-back from others (does someone else control your off-switch?).

In media literacy, as much as in other, complexity-induced, aspects of our connected lives, agency of both you and yours, a networked agency is a key ingredient. Not to build your own competing platforms or media outlets to the existing ones, a common misconceived and unvoiced underlying assumption I feel (“we’ll build the perfect news platform ourselves!”), but to be in control yourself of what comes at you and what flows out from you. You still very well may end up in a bubble of uncritical bias, yet it will be one of your own making, not the making of whichever company happens to run the most popular platform du jour. The open web is your toolkit in gaining and maintaining this agency.

Replied to The powers of digital literacies: responding to danah boyd and all (Bryan Alexander)

Open Nederland has produced a first podcast. Sebastiaan ter Burg is the host and Maarten Brinkerink did the production and music.

In the Open Nederland podcast, people speak who share knowledge and creativity to build a fair, accessible and innovative world. This first episode is about ‘open’ in various domains, such as open government and open education, and how these connect to each other.

The guests in this episode are:

  • Wilma Haan, general director of the Open State Foundation,
  • Jan-Bart de Vreede, domain manager for learning materials and metadata at Kennisnet, and
  • Maarten Zeinstra of Vereniging Open Nederland and Chapter Lead of Creative Commons Nederland.

(full disclosure: I am both a board member of Open Nederland and chair of the board of the Open State Foundation, whose CEO Wilma Haan takes part in this podcast.)

Will you help us organise? We are going to organise an IndieWebCamp in Utrecht, an event to promote the use of the Open Web, and to work together on practical improvements to your own site. We are still looking for a suitable date and location in Utrecht, so your help is very welcome.

On the Open Web you decide for yourself what you publish, what it looks like, and with whom you engage in conversation. On the Open Web you decide for yourself who and what you follow and read. The Open Web has always been there, but over time we have all more or less become locked into the silos of Facebook, Twitter, and all the others. Their algorithms and timelines now determine what you read. It can be done differently. Build your own site, where others don’t come cycling through because they want to generate advertising income. Keep track of your own news sources, without someone else’s algorithm locking you into a bubble. That is the IndieWeb: your content, your relationships, you are in the driver’s seat.

Frank Meeuwsen and I have been part of the internet and that Open Web for a very long time, but we also spend/spent a lot of time in web silos such as Facebook. By now we are both active ‘returnees’ to the Open Web. Last November we were together at IndieWebCamp Nürnberg, where some twenty people discussed with each other and also actively got to work on their own websites. Some programmed advanced things, but most, like myself for instance, did small things (such as removing a link to the author of postings on this site). Small things are often hard enough already. When we rode back to the Netherlands by train, we quickly agreed: there should also be an IndieWebCamp in the Netherlands. In Utrecht, then, this spring.

To quote Frank:

Do you feel addressed by the ideas of the open web, the indieweb; do you want to get started with a site of your own that stands more free from the influences of social silos and data tracking? Do you want a news supply that is no longer primarily fed by algorithms and polarising loudmouths? Then we welcome you to two days of IndieWebCamp Utrecht.

Let us know if you want to be there.
Let us know if you can help find a location.
Let us know how we can help you with your steps on the Open Web.

You are invited!