I read Cory Doctorow’s Attack Surface in the past days. I bought it already late November, directly from the author’s website (I’m trying to avoid buying through Amazon when I can), but read some other books first.

Attack Surface is a fast paced action packed novel, and I enjoyed it a lot. It takes you on a tour of both general and targeted surveillance technology and discusses how and when you can expect to be able to defend yourself against it, and when not. Reading the book was much like being in conversation with Arjen Kamphuis a Dutch it security expert who went missing in Norway two years ago, and like reading the accompanying storyline to Arjen’s 2014 book Infosecurity for Journalists.

Doctorow doesn’t explain technology much in his books, on purpose. He uses his books to make people aware of the names and terms to describe current tech, to ensure they know how to search online for explanations of the technology. On the assumption that the lack of awareness about certain tech, and the social and political implications of that tech, stems from not knowing enough to be able to search for more information. His books fill that gap.

…when I sat down in 2006 to write the first Little Brother book, I realized that facts were now cheap – anything could be discovered with a single search. The thing in short supply now was search terms – knowing what to search for.

For Attack Surface, one reader took this notion to turn it into a ‘Mashapedia‘ (Masha is the book’s protagonist), to provide a chapter by chapter glossary with links to explanations of each technology mentioned.

Doctorow describes himself as a realistic techno-optimist, not a tech-utopian, and I’m in the same position. In the final chapters of the book the characters point out that resisting surveillance tech is not about winning against that tech and permanently becoming immune to surveillance, but to create enough space to win political momentum against surveillance or those who use it. To resist surveillance in order to work political change. This hews close to the type of conversation I had during the Cph150 I had last year.
Around that time I wrote “treating [my work] as a political endeavour in its own right is different. I realise I may be in a place in my work where that deserves to have a much more deliberate role.” Doctorow reminds me to think that through some more, also as it builds on his contribution to the SF writers and economists meet-up late 2019 in Brussels I took part in, and the conversation we had there beforehand.

Bell¿ngcat explains how Untappd beer check-ins can disclose more than you’ve thought about your work. Like how Strava running logs disclosed e.g. military camp locations, Untappd can be similarly used to surface the travel history, frequent locations and home location of sensitive personell. In short: sharing your location provides patterns to interested parties. Always, and everywhere. (via Roel)

I share locations sometimes, as it may help create meet-ups with people I know that happen to be near as well. It happens frequently enough to make it interesting to share location when I am outside my usual patterns and willing to be ‘found’. Inside my usual patterns it doesn’t help to share location, as it won’t create additional serendipity. At IndieWebCamp Utrecht last year, Rose worked on making location check-ins more ephemeral, meaning they are visible for a short specified time, and not available as a history of check-ins.

Yesterday we had our monthly all hands meeting at my company. In these meetings we allocate some time to various things to increase our team’s knowledge and skills. This time we looked at information security, and I gave a little intro to start a more long term discussion and effort to raise information security in our company.

When people discuss information security it’s often along the lines of ‘if you want to do it right I’d have to go full paranoid, and that is completely over the top, so I won’t bother with it at all’. This is akin to saying that because it makes no sense to turn your home into an impenetrable fortress against invaders, you’ll just leave the door standing open. In practice you’ll do something in between those two extremes, and have locks on the door.

The Magic Door

Fortress or open door? That’s a false dilemma. (fortress by Phillip Capper, CC-BY, open door by Hartwig HKD, CC-BY-SA and locked door by Robert Montalvo CC-BY)

You know the locks on your door won’t keep out very determined burglars or say a swat team, but it will raise the time and effort needed for less determined invaders to a point they will be discouraged.
At the same time keeping the door closed and locked isn’t just useful to keep out burglars but also serves as a way to keep out the wind, rain and leaves and dust blowing in from the street.
Similarly in information security you won’t keep out determined government three letter agencies, but there too there are basic hygiene measures and a variety of measures to raise the cost of more casual or less determined attacks. Like with preventative measures at home, information security can be viewed in layers on a spectrum.

I tried to tease out those layers, from the most basic to the most intensive:

  1. hygiene
  2. keeping your files available
  3. basic steps against loss or theft, also on the road
  4. protect client information, and compliance
  5. secure communication and exchanges
  6. preventing danger to others
  7. traveling across borders outside of the Schengen area
  8. active defence against being targeted
  9. active defence against being targeted by state actors

For each of those levels there are multiple dimensions to consider. First of all in recent years a new group of actors interested in your data has clearly emerged. The tech companies for whom adtech is their business model started tracking you as much as they can get away with. This adds the need for measures to all but the most intensive levels, but especially means the basic levels intensify.
Then there’s the difference between individual measures, and what can be arranged at the level of our organisation, and how those two interplay.

Practically each level can be divided first along the lines of our two primary devices, laptop and phone. Second, there’s a distinction between technological measures, and behaviour (operational security).

the list of levels, and the distinction in dimensions as I showed them yesterday

I provided examples of how that plays out on the more basic levels, and on the most intensive level. E.g. on the level of hygiene, technological measures you can think of are firewalls, spam and virus filters, a privacy screen, ad blockers and tracker blockers, using safer browsers. Behavioural measures are not clicking links before checking what they lead to, recognising phishing attempts, not plugging in usb sticks from others, using unique user names and passwords, using different browsers for different tasks, and switching off wifi, bluetooth and gps (on mobile) when you’re not specifically using them.

Over the years working on open data I’ve increasingly become aware of and concerned about information security, and since early 2014 actively engaging with it. I’m more or less at level 7 of the list above, and with the company I think we need to be at level 5 at least, whereas some of us haven’t quite reached level 1 at the moment. From the examples I gave, and showing some of the (simple) things I do, we had a conversation about the most pressing questions and issues each of us has. This we’ll use to sequence steps. We’ll create short faq’s and/or how-to sheets, we’ll suggest tools and behavioral measures, suggest what needs a collective choice, and provide help with adoption / implementation. I feel with this we have a ‘gentle’ approach, that avoids overwhelm that leads to not taking measures at all.

The first things people mentioned because they were worried about it are: usernames/passwords, e-mail, trackers, vpn, and handling copies of ID’s.
So we’ll take those as starting points.

If you want to read up on information security and operational security around your devices, dearly missed Arjen Kamphuis’s book on information security for journalists is a very useful resource. My approach as described is more geared to the actual context of the people involved, and what I know about their habits and routines, and to the context of our work and typical projects.