[INAUDIBLE] I'm director of Discovery and Access here at Mount Holyoke College, and I am so excited to invite you all, and to welcome you all here at Mount Holyoke for this event. We're going to-- in a second I will introduce Noah Kelly, who's our speaker today, talking about DIY security, cyber security, solidarity through technology. But before I introduce Noah, I just have a few words of context and background about how we got here. So after the election, we here in lits, as well as many of us across the college, and many of us across the valley, and many of us across the country became really hungry for conversation about how we can engage in topics around the election with colleagues and with our community. And as we talked here in lits, so many of the topics that were raised around the election had to do with information and technology. So you know, I'm-- personally, I'm a librarian. I considered myself pretty information literate before the election. And then after the election, I was startled to realize how one sided the information I had been getting-- even though I thought I was information literate, really, really truly was. And so, when someone who calls herself a professional in information technology, it was staggering, it was startling. So we came back here, and a number of us-- and many of us are in the audience, many folks are in the audience, started having a discussion about what could lits do around information and technology to engage in these topics. And as you know, the media, the national conversation has recently started to seriously take up issues about how algorithms are affecting the news that we see, how social media affects what we see, and how we create silos and echo chambers that surrounded all the news and information that we were seeing before the election. News is obviously a hot topic in the media right now. 
It speaks to information literacy skills of folks in our country, and topics like big data, and polling and sampling, and how all of that played into the experience that we've all just been through this month. And then to lead into Noah's talk, conversations about how we create solidarity, how we protect our privacy and our safety online going forward. So we began to engage in lits in these topics about how we could reach out to the community, and start to talk with you all. In the first days after the election, you might have seen, if you're here-- if you're a Mount Holyoke person here in lits, we put white boards in the courtyard and in the information commons, where we were soliciting just sort of thoughts and feedback. And you all filled them up. There was all kinds of stuff written on those white boards. We made safety pins available at the service points for people who felt that that campaign was helpful and comforting and supportive. The white boards down there started as this reflection of thoughts and feelings. The one down in the courtyard now has been repurposed to answer reference questions that we've been hearing, either social media-- on social media, or in person. So such things as, what does it mean to be a sanctuary campus? What is [INAUDIBLE]? How do I identify fake news? Is it true that Trump's sister really is a Mount Holyoke alum? That is true. So if you have questions related to the election, the electoral process, the transition, we encourage you to write them on the white board down there. If you have these questions, no doubt, other people do too, and we're really trying to amplify the practice of asking questions and getting information. And we'll have a library research guide launching soon. And then we decided to have a speaker series, this is our speaker series. This is the first time we've really done something like this in lit. This is the first time we've used this space for this purpose.
So we're interested to see how it goes, on all sorts of information technology topics, from algorithms, to fake news, to big data. So if you have topic ideas, or even better, if you have speaker ideas for me, on any of those topics, happy for a conversation after this, with me or with any of the other lit folks who are here. If you're tweeting today, libraries nationally are using the hashtag, libraries respond. And it would be great if you could do that, and we can get a little library news amplification out of this as well. And then one more quick thing I want to do before I introduce Noah, I'm going to acknowledge that there's a village of lit folks who it took to do all of these things. I'm standing here, but there are a lot of people who have done a lot of work, a lot of planning, and a lot of thinking, and a lot of acting. So really quickly, I just want to particularly call out David [? Howicky, ?] Kristin [? Denal, ?] Rachel Smith, Kathleen Norton, Chrissa [? Lyndal, ?] Kate [? Sadepsky, ?] [INAUDIBLE] Garcia, Sarah [? Ocher, ?] Amy [INAUDIBLE], Ivy Tillman, Peggy Stevens, Alex Worth [INAUDIBLE], and the fabulous media crew who did the set up for us today. So with that as background, I am happy to introduce our first speaker. Noah Kelly is a software engineer, and is the creator of the DIY Guide to Feminist Cybersecurity. He's the founder of Hack Blossom, which is an activist organization fighting for the safety and autonomy of marginal-- and marginalized users and digital spaces. Noah's work facilitates the exchange of technical resources, activist initiatives, personal writing, and artistic projects that foster an inclusive culture of technology. I read an interview with Noah online, as we were doing the Googling before we invited him. And I really liked this quote. It feels particularly relevant for this intro today. The question that Noah was asked was, do you have any advice to share with people who are just learning about coding?
And Noah's answer was, immerse yourself in websites and resources about programming, even if you don't understand them. You'll find that a year or two down the road a tool that was unfamiliar to you will now make sense. If you absorb and let information into your brain, you'll find that you know a lot more than you think you do. It's as if you have a tool box, and you just keep throwing tools in there. And while you may never use it, it's there in case you need it. So now we're going to let Noah's information be absorbed into our brains, so that we have the tools that we need to move forward. Thank you so much.

[APPLAUSE]

First of all, I'd like to extend so much thanks to Erin and Mount Holyoke for inviting me to speak here. In her email, she said that the librarians here were a big fan of my guide. And so that's probably one of the best compliments I've ever heard in my life, ever. To have the praise of librarians is so much of a wonderful thing, that I hope to hear more of it. So we're here today to talk about DIY cybersecurity, solidarity through technology. I already introduced my Hack Blossom outfit, which is where I do all this work under, so let's just get right to it. Everyone here in this room wants to be safe. You want to be safe online. You live your life online. You go to websites. You use your apps. You text your friends. You email your co-workers. These things are precious to the way that you live your life. You want these to be safe. In light of the election, a lot of people are not feeling safe. We've come to realize how exposed we are in our day to day activities online. We recognize that there is a massive cyber security infrastructure out there that allows for the mass surveillance of marginalized people online.
For people who are undocumented, for people of Muslim descent, for the LGBTQ community, for women, for anyone who is marginalized in the US, you have to deal with the very real prospect that you could be targeted maliciously by the government, by private companies, or by trolls and harassers online. We are way past the point of just being able to think about these things as abstract issues. These are problems now, and we need to address them now. We need to create an infrastructure of security for ourselves, so that in times of crisis, we can rely on ourselves and each other to get through it. I'm pretty sure everyone here is motivated, otherwise we would not have such a full room. In order to discuss how to create this infrastructure of safety, I'm going to explore what cyber security is, and the economic, social, and political implications of it. There is so much material that could be covered in this short amount of time, that I cannot possibly hope to give everything its proper due. But I hope by the end I can give you an understanding of what tools are already available to you today to start making a difference in your life. Meanwhile, how those tools can come together in community solidarity, to create points of resistance over the next four years. I hope anything that I say today can stick in your mind, and you can throw it in your mental tool box, because someday you may need that tool. The first point I want to make is that you are constantly exposed. To be perfectly honest, there is no privacy anymore. Think about when you go on a website. You're using an operating system on a phone. You are clicking a piece of software on that phone. It is sending a signal to a cell phone tower. It is traveling through telecommunications infrastructure. It is landing at a corporate server somewhere. That server is accessed by programmers, by systems administrators, by marketers, by data analysts, by managers, by executives.
Every piece in this puzzle belongs to a different company, a different government entity. It is very difficult, if not impossible, to ensure that all of your data being transmitted can be protected at every point along the way. It can be very well that your software is monitoring your activity of it. It could be that your phone is monitoring its activity of it. It could be that government officials are monitoring that transmitted signal through the telecommunications infrastructure. When I speak about exposure, I truly mean it. And so I'm not going to give you any solutions that promise perfect secrecy, because there is no such thing. However, you can still build defenses that buy you time and can protect access, so that despite the exposure you experience on a day to day basis in your online activities, you still have weapons at your disposal. The first subject I want to talk about is something you may not be familiar with. This is the subject of the data brokerage industry. If you're not familiar, the data brokerage industry consists mostly of selling consumer information as a product. You can sell names, email addresses, cell phone numbers, and any amount of personal information. This is an unregulated industry. It is massive. It is a $150 billion industry. To put that in perspective, that is twice the amount of the US intelligence budget in a given year. This is the amount of money that is being made from the data that you produce every day. When I speak about exposure, this is what exposure looks like. The company I want to focus on right now is something called MedBase 200. This is a data brokerage company based in Illinois that sells lists of names and email addresses to pharmaceutical companies. On their website in 2013, they had an offering for a category of people that they called rape sufferers. This is the description on their website. 
These rape sufferers are family members who have reported, or been identified as individuals affected by specific illnesses, conditions, or ailments related to rape. MedBase 200 is the owner of this list. Select from families affected by over 500 different ailments, and/or who are consumers of over 200 different medications. Lists can be further selected on the basis of lifestyle, ethnicity, geography, gender, and much more. Inquire today for more information. Quick perspective. It would cost $79 to buy 1000 people from this list. The data you're creating unknowingly day to day, is what creates lists like this. From the websites you visit searching for personal questions, whether it be medical, or for community support, that can be tracked. And that information can create profiles about you. They're associated to your name, and that can be sold and packaged to other companies without your consent. The fact that you can search through people based on ethnicity, geography, gender, highlights the fact that this is an intersectional issue. This is just one company selling to pharmaceutical companies. Imagine if you could select this list for malicious purposes based on a region, based on gender, on ethnicity. The ability to commit racism, sexism, and bigotry becomes incredibly easy for only $79 for 1000 names. This company was subjected to a massive uproar at the time, and so they removed the list. But they continue to sell lists such as HIV sufferers, alcoholism sufferers, and erectile dysfunction sufferers. These data brokers do not exist solely to sell to other private companies like pharmaceutical companies. They can also sell this information to you directly. Many of you have probably experienced harassment online, and are concerned with the phenomenon of doxing, of having your personal information revealed to the world.
This website, Spokeo, describes itself as a person searching database, meaning that you can search for people, and collect public information about them in one easy place. To provide an example, I searched for myself on Spokeo, and this is what you can learn about me. You know that I'm a male, age 26. You know that I have lived in Somerville, Massachusetts and Brookline, Massachusetts. You are given a map of the location of where I live. You can have my relationship status. You can have my family members, relatives, and spouses. You can have my phone, my email address, my business contacts, my social media profiles, photos and videos, and any court and historic records associated to me. To buy this information, you just have to spend $5 a month for access to this program. If you have ever wondered how someone can be doxed on the internet, this is the sort of software that makes it possible. I did not choose to buy my own information, because I think that's absurd. The point of talking about data brokerage is that the internet leaks. Information is being spread everywhere, without your knowledge, and without your consent. This happens in the forms of posting things on social media. If you do not have your privacy settings in check, that means that any private entity could collect your public posts and create elaborate, long demographic profiles on you. When you go to websites, advertisers that inject their code onto the pages can track your movements across websites, seeing what you click on, what your social media profiles are, and create entire demographics of your interests and activities. The software you use, the apps, they can identify your device. Using location services, they can see where you live. They can look on that map and know that you spend most of your time at one location, so it must be home. This is the default of my life. It's the default of your life.
And before we can even begin to speak about cybersecurity, we need to realize the parameters of this problem. This sort of technology does not occur in a vacuum. It is immensely profitable. The reason so much data is out there is because at some point people decided that they could make more lucrative advertising profiles based on this information. If you can understand what someone's interests are, what their demographics are, you can provide them advertising more likely to buy products. You can use data mining and algorithms to see the sorts of trends that they're interested in. And you can accommodate them accordingly. This is pervasive throughout most of the internet. The free websites you enjoy, this is how they make their profit. The internet isn't expensive. There is nothing free. Unless you are hosting it, or something is open source, created by community for the betterment of other people, it is safe to say that there is someone that has a financial interest in your information being available. I can show you video of what you look like to these companies. The interesting thing about evil people, is they generally like to tell you what they think, and how they do it. Donald Trump has never shied away from telling you what he plans to do, or what he feels. The same can apply to the sorts of people that are tracking people online. Play this video right now. This video is part of Adobe's Marketing Cloud, which is available to anyone. And this is a video that they like to present to show the power of their Adobe Audience Manager.

[MUSIC PLAYING]

Build, test and activate high value audiences based on a set of traits. With Adobe Audience Manager, you can divide millions of records into trait specific categories, allowing your business to narrow data down to an exact target. Segments make it easy to find new prospects, allowing you to take high performing groups and find prospects with look-alike modeling.
So when you've found one high value audience, you've really found many. Adobe Audience Manager also lets you pinpoint your most frequent users, as well as how recently they've interacted with your marketing. Now brands, publishers and agencies can transform millions of records into high value audiences with ease. That video may sound very strange. Much of the language they're using is dehumanizing, so I will translate a little bit. A prospect is you. An audience is a collection of you. A segment is a demographic collection of yous. When they talk about activity, about audiences, they're talking about users interacting with their advertisements across the web. And from that, being able to predict your activity online. The software is available to anyone. You can go buy it right now. You can put it on your own website, should you so choose. Much of this technology relies on the fact that we have a very distorted idea of what constitutes public. For the kinds of people that encourage these surveillance technologies, as soon as you put something on the internet, it is public, and it is fair game, even if you have never consented to being watched. Just this week, I was down at City Hall in Boston to protest a piece of funding that the Boston Police Department is currently fighting for. They want $1.4 million to monitor public Facebook, Instagram, Twitter, Snapchat and other social media platforms. Their argument is that by being able to conduct massive surveillance of the public in real time, they'll be better equipped towards protecting the city from unpredictable danger. They chose not to sit around with the public afterwards for public comment or inquiry. They left immediately after they made their case. A lot of us are afraid of things like the NSA, or the CIA, because their travesties are well known. 
We know that there is immense software, telecommunications tapping, and extensive databases that can monitor any citizen, practically, on the planet, and that is not an exaggeration. That seems like a very abstract problem, and it's a problem that really exists for a good number of people that are being targeted maliciously by governments across the world. But surveillance is not just an issue of the federal government. This is local police that want to monitor people in real time. This is popular across the country. There was a company called Geofeedia that was in the news recently, that was leaked to have been having private access to Facebook's stream of posts, that could be narrowed down by key words or topic, to Instagram feeds, to Twitter. This was Facebook, Twitter, and Instagram creating tailored access for private companies to have access to your data. This software is explicitly advertised as being able to monitor activists and political dissidents. They were not looking to stop terrorists with this software. They're looking to stop people that could agitate the status quo, people that are organizing and exercising their right to assembly, because those people are deemed as a threat. In the case of Boston, it was known that in 2014, the Boston Police Department was using extensive surveillance software in order to monitor activists from such extremist groups such as Veterans for Peace, Black Lives Matter, and Code Pink. The precedents set by the surveillance are already there. We know that given the options, law enforcement will want all of that open data, the same way that private companies will want open data. They just simply want to take it. You have economic threats to your data from private companies like Adobe Cloud Manager, or from Medcom 200. You have threats from a legal perspective, and a political perspective, from law enforcement, and malicious governments. But also, many of you in this room have probably experienced cyber harassment.
You've had people attack you on your most intimate moments, on platforms like Facebook and Twitter. I already showed you how doxxing can happen, how easy it is to identify a person. And many of the platforms where this abuse happens are not very supportive of people that experience harassment, and give you very little options. Often times, these threats come through the way of something called social engineering, where they can gain access to your most intimate details in life without needing any kind of code. Here's a video that gives you an example of a social engineering attack.

[VIDEO PLAYBACK]

[MUSIC PLAYING]

- So I invited a few of the world's best hackers to try to hack me, and show me where my vulnerabilities are. And now, I'm going to meet them in Las Vegas for DEF CON, the biggest hacker convention of the year. They're going to hack me using--
- [INAUDIBLE] are terrible.
- Which is actually hacking without any code. They just use a phone and an internet connection.
- Do you want to do a sample phishing call?
- What's phishing?
- Phishing is voice solicitation, and basically what you do is use the phone to extract information or data points that can be used in a later attack.
- Let's do it. Who are you going to call?
- Maybe I'll call your cell phone provider, and see if I can get them to give me your email address.
- I bet they're good. I bet they have my back, but yeah, go for it.
- I'm going to spoof from your number, so it's going to look like it's calling from you.
- OK.
- Hi. I'm actually-- I'm so sorry. Can you hear me OK? My baby-- I'm sorry. My husband's like, we're about to apply for a loan, and we just had a baby, and he's like, get this done by today, so I'm so sorry, I can't call you back. I'm trying to log in to our account for uses information, and I can't remember what email address we used to log the account. Can you help me? Awesome.
- In just 30 seconds, Jessica gets access to my personal email.
- Now, if I needed to add our older daughter on our account so she could call in and make changes, how would I need to go about doing that? You would have to send me a secure PIN through a text message? Well, the thing is I don't think I'll be able to receive a text message if I'm on the phone. Oh. I'm not on there either? I thought when we got married he added me to the account.
- Jess uses my girlfriend's name and a fake social security number--
- 5127.
- To set up her own personal access to my account.
- Wait, I'm sorry. So there's no password on my account right now? Can I set that up?
- She even gets the support person to change my password.
- Thank you so much for your help today.
- So she just basically blocked me out of my own account.
- I'll get her fed after this. All right, thank you.
- Holy shit. So they just gave you access to my entire cell phone account.
- You're going to have to go on and change your password now because it's Jess, my name.
- And all it took was a crying baby and a phone call.
- Yes.

[END PLAYBACK]

It's a funny video, but it highlights the fact that although many of the threats that we're discussing involved technology, you do not need technology in order to hack into someone's life. So the most common means of social engineering are as simple as sending a legitimate looking email, with a link to a fake website that wants you to change a password. It's a very common tactic that even the most technologically advanced people can fall prey to. Because as soon as they click that link, and enter that information, that password is given to the hackers, at which point they can access anywhere that uses that personal password. I think I've probably scared you all thoroughly. So obviously, the sheer scope of these problems seems overwhelming in that you have immensely profitable industries, corporate infrastructure, and government infrastructure, and malicious trolls and hackers. They all want your data.
And you may not feel like you have any options. I want to emphasize that you have a right to exist online. You have a right to be safe. You have a right to live your life. And this is non negotiable. Despite all the money and all the power that can come from having control of your data, that is not how it has to be. Your first reaction may be to adopt cyber security to protect yourself. That is a band-aid. The problem we want to solve is the fact that you should be able to go online without even having to worry about any of this. You should not be tracked. You should not have your cell phone information hacked by a crying baby video. You should be able to do everything in your life without that fear in the first place. Unfortunately, it's going to take some work to get there. Community resistance is what will build a safer online world, and a safer offline world. Cybersecurity is a tool, but this is the movement that will change. You, organizing together as communities, as activists, as artists, as educators, and striving for values of safety and inclusivity online-- that is what is going to make a difference. That is what will apply pressure to the people responsible for your technologies. This is the fight that all you have to take up, and I'm sure many of you are taking up right now. Given the political climate that we are living in, we don't have time to waste on this front. Organization and resistance needs to happen today. There is no time to waste. It's a good picture. If you can't read it, it says, if I had a hammer, I'd smash the patriarchy. She found the hammer, hint, hint. Cybersecurity is your defense. This is a starting point where you can begin to take control of your digital spaces. This will give you the means to start protecting yourself so that you may organize collectively as communities. These are all the tools at your disposal, so that in the times of crisis, you will be prepared to handle whatever kind of threat you may be faced with. 
I cannot tell you how to organize as communities, because each and every one of you has a different passion that you want to pursue. So for the rest of my talk, I'm going to talk about what cyber security measures you can take, and how they can inform your community organizing. The little picture of my cyber security guide, shameful plug. There are three strategies that you can take to start securing your digital life and fighting for something better. They are to secure, to obscure, and obstruct. If you can remember these three words as you go about your daily online habits, you will start to recognize all the ways that you have more power over your data than you realized. These private companies, these governments, they all assume that you are not paying attention to what you do online. They're assuming that you will just use their technologies without any kind of critical thought. That does not have to be the case. If you can identify the technologies that mean the most to you, the technologies that are causing you pain, or the technologies that you're using begrudgingly, you can identify what you can secure, how you can obscure yourself for safety, and how you can obstruct predatory technologies. The first thing I want to discuss is security. There are probably a lot of things in your day to day life that you don't think about that you need to be secure, those little things like your passwords to your email accounts or to website accounts. It could be your phone, making sure it's secure. Start looking at these things, and start investigating what tools are already at your disposal to secure them. So at least from the outside, you have some means of protection to stall any kind of malicious force that wants access to your data. This is a picture of an app called Signal. Signal is an encrypted messaging system. Much like the iMessage on your iPhone, or the messages on Android, it's just for texting. That's it. 
The difference here is that the program will encrypt your communications mathematically, through an algorithm, so that only the recipient on the other end can read the contents of your messages. Everything else you do on iMessage you can do here. It's the same. You can send silly memes. You can send annoying group texts. All of it is still available to you. But the difference is that there is an open source community that makes this product specifically for your privacy, so that you have a way of protecting the secrecy of your communications, so you don't have to worry about someone being able to see what you're talking about. If you are doing anything of a political nature, if you're an activist, if you're someone that has reason to believe that you could be targeted for surveillance, this is the kind of app that lets you communicate with your friends, your family, and your coworkers safely and privately. And it's a free app you can download today. You can do it right now, as I'm speaking, even if you don't want to pay attention to me anymore. You'd still end up stronger by doing it. This is a picture of a piece of software called LastPass. LastPass is a password manager, meaning you can store all your passwords within this software, and it will keep them safe for you. It is encrypted. So unless you have vast, vast technical capabilities that do not currently exist as we know, no one can hack into your password manager. But as you use websites online, or go buy your apps, it will automatically fill in the passwords for you. The power of the software is that you do not have to remember any of your passwords, and it can generate secure passwords up to 100 characters long for you. You can create a unique and secure password for every website you use, and not have to remember it. This is one of those powerful things you can do today to secure yourself online.
If you're using a password manager, let's say one of your favorite websites gets hacked and your password gets leaked. It doesn't matter. All of your other passwords are different. It's not going to get used against you. If you're anything like I was two years ago, all your passwords are roughly the same, slightly different, but pretty easy to guess. I'm sure it wouldn't be hard for a computer program to guess the common words in your password to get access. If you use a password manager, using randomly generated passwords saved within the app, you will have an immense amount of cryptographic and software security behind you. This is a picture of an app called Authy. Authy manages something called two factor authentication. If you've ever used a bank, and they've ever texted you a number that you enter in order to log in, that is two factor authentication. The idea is that you can prove that you are who you are by a second piece of information. This is important. Think about the video of the guy who got his cell phone account hacked. She got password access to his account. If he was required to enter in a second piece of information, like a code generated by two factor authentication, they still would not be able to get it. It is your second line of defense for all of your important accounts. And almost all of your favorite providers, such as Google, Facebook, Twitter, etc., they offer some sort of means of two factor authentication. They may not be able to live inside the software, though many of them do. But between the secure passwords, and the two factor authentication, you can rest assured that your accounts online are safe and protected to the fullest extent that you can hope. There are a number of security technologies that you can enjoy, but there's not nearly enough time today to discuss all of them. In my DIY Guide to Feminist Cybersecurity, I outline all the important ones with more details and links to installation guides.
So that way you can take your time, get things installed on your own time. The second strategy I want to discuss is how to obscure yourself. Oftentimes you find yourself using technologies or platforms that you don't really want to use, but you have to. And so, if you're creating data on this platform just by using it, you're not obliged to tell the truth. You can lie as much as you want online and no one's going to come for you. There's no one trying to see whether or not your name is your real name, or if your email address is your real email address. One of the most rebellious things you can do right now is start lying your ass off online. It can make a difference. Not only does it protect you from having misinformation attached to you, by stopping data brokers that rely on real names and real email addresses, but you also undermine their algorithms. If they're getting crappy data fed back to them, and they're trying to make decisions based on it, it completely screws with them. Can you imagine being government surveillance, and everyone's talking under a fake name, and weird codes and crap? They won't know what's happening. All the public monitoring software in the world won't be able to make sense of that. And that is an immensely powerful tool that you can start doing today. This is a picture of an app known as the Tor browser. The Tor browser is a web browser just like Chrome, or Firefox, for browsing the internet and doing your internety things. The difference about the Tor browser is that it works through something known as the Tor network. The Tor network is a series of nodes spread across the globe, so that when you send an internet request, rather than just going to a website, it gets bounced between up to three or five different nodes in the system before making its way. 
Every single hop on those nodes gets encrypted, so it becomes like an onion of encryption, meaning if someone malicious wanted to intercept those signals, and try to see what you were accessing, and what the contents of your web activity were, they wouldn't be able to do shit. This is immensely powerful software. It was originally founded by DARPA, the same people behind the internet, as you know it. So they clearly have a vested interest in the strength of this technology. Right now it's run by a community non-profit. It is open source. It is available for everyone to download and use. There's no profit motive behind it. It is purely for the advocacy of privacy and anonymity online. It has been immensely popular in countries such as Turkey, where people have been targeted for their online activity. Oftentimes the ability to be anonymous online through this network can be the difference between accessing life saving information or being sent to a prison. That is not an exaggeration. These are the immense benefits that just using this browser can bring you, should you decide that you need it. This is a picture of a fake Facebook profile, called Zack Muckerberg. He looks like a goober. The reason I bring this up is because when you're using platforms that you don't need, you don't have to give them real information. I deleted my Facebook. I personally think deleting your Facebook is one of those wonderful radical acts you could do, but clearly it's not easy to do, and it can be very hard. In my case, I deleted my Facebook, but I still had to run my activists organization's Facebook page, because people like you use it. I'm stuck in the system. It sucks, but here we are. My solution was just to create a fake Facebook profile. I have no friends, and just a random assortment of likes. All I do is I manage my Facebook page. The benefit of this is that I'm doing immensely political activity through Facebook. 
Should this ever be targeted, they're not going to have a list of my friends. They're not going to have a collection of photos, or locations that I've been. They cannot derive any kind of personal information from that, and yet I get all the benefits of using Facebook. If I wanted to, I'd go friend other people, and still be able to interact with them, but there wouldn't be a real name associated with me. This is powerful. Those data brokers I was discussing earlier, Facebook is just as complicit. The fact that they have your demographic information, and your real name, and the ability to buy information from other brokers based on the details, creates an immensely powerful form of being able to see what you are doing, who you are doing it with, when, and where. The fact that Facebook has worked with government officials before, through the NSA, through their PRISM program, means that generally speaking, you cannot trust them to keep this immensely valuable information secure. But, if you have to use the profile, make a fake one. If you want to keep yours, go lie about your demographic information. Say you live in a completely different place. Say your gender is different. Say your race is different. Say your home town is different. You don't have to be truthful to them. You don't owe Facebook anything. This can go for any number of platforms. I used to have a LinkedIn profile. It really bugged me because it's basically spam, and preys on people's fears of not having a job. So rather than just deleting it, I changed my profile to a bear, as in, literally, its name is A Bear. It's a picture of a bear. My education was the woods. My hobbies include climbing trees and stealing picnic baskets. I pop in once in a while to spread socialist propaganda. I think it's very funny that people will be looking for jobs, and then see a bear talking about unionizing. That's how I mess with this platform. This is how I obscure myself and have fun with it. 
This can be enjoyable to bring obscurity into your use of these platforms. Get creative with it. You can make an art project out of it. You have so many different ways that you can screw with the people mining your data, you should really start enjoying it. That brings me to obstruction. I sort of talked on this already. We'll dive more into it. Sometimes there are predatory technologies in your life that you just want nothing to do with. This is the surveillance software on websites that are tracking you. This is the things like LinkedIn and [? MyCase, ?] where I don't want to use it. At this point I say, just obstruct them. Bring their shit down. Put up a fight. You don't have to be complicit in anything that they do, and you owe them nothing. They do not ask for your consent when they track your data. They do not tell you when they sell your data. You owe nothing to them. So why not mess it up for them? Privacy Badger is an extension you can install in your web browser on Firefox. What Privacy Badger does is it stops all the tracking software that comes on most websites, so that way you do not have people tracking you across different websites building demographic profiles, and tracking your activity. It's also that cute little mascot character. It's pretty fun looking. It makes cyber security fun again. When you have this extension in your browser, you do not have to think about it. It's just going to do its thing entirely. With no effort on your part other than a basic installation, it obstructs all those shitty Adobe, and Spokeo, and Medcom 200 technologies from being able to track you on websites. And it's open source. It's created by the Electronic Frontier Foundation, a non-profit who's very invested in personal rights and privacy on the internet. They're not doing this just to make money. They're doing it because they care about your privacy and your right to have a free internet experience. 
This is a picture of another extension called uBlock Origin. This just blocks ads. That's good. Ads are terrible. Ads are one of the biggest threats to your safety online. When the NSA wants to get into someone's computer, it is easier for them to install malware through malicious advertising than almost any other method. The greatest threats to your security come from ads that inject code onto your website. If any of these advertising platforms are hacked, they can spread this malware to vast numbers of people. It can also slow your page down by running all sorts of surveillance queries back and forth between their servers to keep track of who you are. It ruins your internet experience, while at the same time being annoying as hell, having to see all sorts of ads pop up everywhere and block your screen. Because as a user you don't have any say in your relationship to this advertising, you don't have any option to opt out, obstruct it. Take it down by force. Install an adblocker, and you will be immensely secure, with a better internet browsing experience, and your rights will be that much more asserted. Obviously, websites need advertising money to survive. But in order for there to be an amicable relationship between user and website, there needs to be a clear understanding of what data is being collected, and how it's being used. You're not obliged to make their profit for them. If they cannot find a way to monetize their work in a way that does not infringe on your rights, that is their problem, not yours. I want to talk about strength and solidarity. These are cyber security tools. But it is community organizing and community resistance that is going to make the difference. I want to talk about some examples of people that are doing this work right now. They're creating their own platforms to fight for their rights and security online. This first one is Callisto. Callisto is an online platform for reporting sexual assault. 
It gives users the ability to file a report about their experiences, but gives them the choice of how to pursue it. Through the software, they can give it to a Title IX coordinator at their college. They can create conditions like only report if my assaulter is also being submitted by another person on the platform. There is community support and resources. There are people that will talk to you. This is an example of taking the real problem of sexual assault, but coming together as a community to create solutions through technology. They're not doing this for an advertising budget, or doing it because your addictive social media habits are somehow profitable. They have a problem they want to solve, and they're building something to solve it. And this is a wonderful app. This is a wonderful website for pursuing that need. This is the Crash Override Network. There's a woman named Zoe Quinn who was subjected to a massive harassment campaign about three years ago, where it launched something called Gamergate, a loosely affiliated network of trolls, misogynists, and abusers, who were doing everything they can to brutalize this woman online and off. They were tracking her on social media. They were calling SWAT teams to her home. It was an absolutely horrific experience. She started the Crash Override Network to give resources and help and support to people that go through these experiences just like her. It offers a crisis helpline. It offers monitoring by professionals to see whether or not you're being compromised online. It gives you access to a wonderful array of support, so that you can survive cyber harassment and come out stronger. Again, this is a non-profit. They are working to solve a very real problem, cyber harassment, and trying to make the world better through technology, not just taking advantage of your data. This is a picture of a manifesto by an art collective known as Cybertwee. 
Cybertwee is an online art collective that investigates the intersections of feminism, feelings, and technology on an explicitly fem basis. They like to explore this through educational means, because oftentimes they're working with technologies that they themselves are not very experienced with. I like to highlight this organization because not every solution to our world's problems is going to come through technology. It's going to come through art. It's going to come through people creating things, through asserting their values through collective organizing. And it's people like this that need to drive the internet. It does not need to be software engineers in Silicon Valley. It can be artists. It can be you. It can be you making things for the benefit of your friends and other people, and you can do it on your own terms and learn in the process. It's immensely powerful. You do not have to rely on programmers to fix everything. Lastly I'd like to address Mount Holyoke. Specifically, the staff and the faculty. Me, and much of the audience, we're millennials. We have inherited a shit world. We have a Trump administration. The climate is collapsing. We have a ton of student loan debt. I don't know if Mount Holyoke is better about that, but I have racked it the fuck up during my lifetime. Things are dire. We cannot wait for these crises, because we are impacted by them right now. All of you that are staff and faculty, you've likely lived through the Bush administration. You understand what happens when there is a-- when there is a political culture of hatred and militarism. Many of the problems we're going to see over the next four years will not be new. You had successes with your own activism, with your own careers. You had failures. That is valuable information that we the inexperienced are going to need. 
I strongly encourage all of you to get involved with us millennials, so that we may benefit from your experiences, that we can work together in solidarity towards addressing these issues. Not to mention, if you are older, chances are you have more money than us. If you want millennials to execute their visions, pay them to do it. It's a simple thing, but resources are needed. Servers need to be paid for. People need the ability to buy their art equipment and things like that. Giving financial support to millennials in their activities projects, in their art projects, in education, that's going to go a long way, because they have the ideas. The women in front of me are some of the most educated, ambitious, and empathetic that have ever lived. I do not say that in exaggeration. We live in a wonderful time where people are coming together because they truly care about values of safety, inclusivity, and love. Give them the means to make the world better, before it is too late, if it already is. Talking specifically to a library, there's already a wonderful activist project called the Library Freedom Project, started by Alison Macrina, that explicitly focuses on bringing libraries up to speed on modern security technologies. You have a lot of computers in this library. They can run the Tor browser. You have expertise in all of your librarians. They can learn about security technologies to share with students. Librarians are at the forefront of the relationship between users and technology. You have vast amounts of experience. You have infrastructure. You have resources. Put that to work to defend your students and give them the means to thrive. If you have data that you're collecting on your students, I highly encourage you to purge that data. Make sure you're not collecting anything that could be maliciously used against them. Unless you have a very good reason for keeping it permanent in your databases, make sure it is being wiped. 
We have survived for thousands of years with libraries without these systems. We will still be able to survive. I'm pretty confident in all of you. Thank you all for coming out here. I cannot appreciate this opportunity any more. We've covered a lot of ground today. We've talked about the economic, legal, and social implications of hacking, of surveillance, of data mining. We've talked about cyber security tools, like password managers, and two factor authentication, and ad blockers. We talked about strategies of securing your daily internet habits, of obscuring yourself on platforms where you need more privacy, and how to obstruct predatory technologies that are being used against you. Honestly, there's so much more work to do. But I hope I have given you a ground start, in being able to actualize your community organizing, for being able to put up a fight, and realizing that you have more tools and weapons at your disposal than you realize. I hope you leave here today stronger than when you came in. I wish you the best in everything that you do. Thank you. [APPLAUSE] So, questions? You look pretty shell shocked. Yes, you in the purple. So I'm curious if there's anything-- I know there's [INAUDIBLE] but I know there's Twitter bots, and I was wondering if there's something like a bot that can just google random shit off Google, so that they fake different things about you, just feeding them garbage. I don't know if that exists, but you can easily make that. I've actually, personally made Twitter bots, and that is fully within the realm of possibility. That is an amazing example of creative ways to obstruct technology. It doesn't exist? Go make it. Not only would it be a powerful thing to design, because the learning process of figuring out how something that works will give you valuable skills that you can use in all sorts of walks of life. So build that Twitter bot. In a wonderful way. Yes, you in the turtleneck. You spoke about primarily internet. 
Is it possible to mine off of a Word document, or things like that that are not really connected? I think it would depend on where the document lives. If you are sending it in an email, for instance, an email doesn't have any kind of encryption or security behind it, yeah, it could be mined. I don't personally know how Google handles their mail, but they already scan the contents of your email messages for keywords and for advertising purposes. It would not be very difficult at all to have software that also mines the attachments to that email. I mean, if someone had access to your computer, like say you had an evil Dropbox or something, that you're putting Word documents into. I mean, if that's on their cloud, they have access to it. They can do what they want with it. When it comes to a lot of these companies and services that you use, it's basically an act of trust that they don't misuse your information or your work. So ideally, they won't use it, but unless it's an open source product that other people are auditing and researching, you can't know for sure whether or not your material's being compromised. Yes, in the green. I have like six questions, but I'll try to contain them. If I'm using Tor, and I'm using Gmail on Tor, does the obscurity of the Tor envelope protect the Gmail? Do you see what I mean? I see what you mean. That's a wonderful question. So the Tor will protect you from people knowing where you are and who you are on the platform. That being said, if you're using your Gmail, you're still using your name and email address. So once that leaves the Tor network, that's just going to go out into the regular internet as it is. So if you are using your-- the Tor network say, to send harassing emails or something over Gmail, you'll be anonymous within that network, but as soon as that email goes to someone else, obviously, that's harassment email, and so they'll be able to be tracked back to your email address. Right, right. 
So, interestingly, Facebook actually offers something called an onion site, which is a website that can exist only on the Tor network. And so you can go use that, and use Facebook from the Tor network. It seems kind of superfluous but if you live in a country where they're monitoring access to Facebook, and don't want you to use it, it's actually a very powerful option for being able to get to your Facebook in a way that someone can't tell that you're accessing Facebook. But that's a special Tor only-- It's the exact same as the regular Facebook website, but you just go put in a bunch of weird looking digits to get there. It's called an onion address. It's kind of strange. If you go look at my cyber security guide, the section on Tor, you'll be able to find information about it. Cool, thank you. Yes, with the pen. A lot of us who are doing organizing around here are trying to figure out what to use-- the equivalent of Slack, which is not secure. Do you have any recommendations for a system where people can break into subsegments and have conversations? Absolutely. I love the fact that you are suspicious of Slack. I see a lot of activists using Google Docs. I'm like, for the love of God, you're just giving them everything. There's actually a fantastic project known as Sandstorm, and it's basically a cloud productivity suite that prioritizes privacy and encryption. You can either host it on your own servers, or you can use them as a service. So you can host things like a Slack channel, shared documents like productivity boards for tracking projects and things like that. They have a wealth of apps that you can install, and you give access to the people that need to have access to it. So it's a wonderful thing to explore, because it gives you much more power and control over your resources and the tools that you need to rely on. It's also pretty fun to learn how to use. 
You go to the website and they have a free demo, where you can create one of these things and see how it works. So you can get a feel for what it actually feels like to use Slack on this kind of platform. So you actually use Slack inside of it? Use Slack inside of it? There's still access to the regular internet, but it's hosted privately on your own server. So unless someone's going out of their way to hack your Sandstorm server, you're not going to have to worry about that. Yes, back there. You talked a lot about [INAUDIBLE] powerful. Do you have recommendations for how to connect with those people? Especially since so much of what I see is via Facebook, or via people sharing Google Docs. So do you have suggestions for how we can make those connections in other ways? So, I think one of the best things you can do is go old fashioned. So if there's someone that you are talking to on Facebook, or someone that you like on Twitter, just ask them for their email address, or ask them for their cellphone number. If they are someone that lives in proximity with you, go meet up with them in person. So the reason is that it's built a sort of resiliency in that if Twitter was to go down, if Facebook was to go down, you'd still be able to have a way of reaching out to the people that matter to you. Something like an email address, or using a cell phone, that's much harder to compromise, than, say making sure that Twitter goes down because of a bomb attack or something like that. My hope is to see more social networks emerge that prioritize user security and privacy, and those sorts of things. I have not personally seen anything that's very convincing. But as more people, like everyone in this room start looking for alternatives, there will definitely be development to that end, because it's a need that's not being met. And programmers tend to love meeting those sorts of needs. Yes. Can you talk about what happened at the Standing Rock [INAUDIBLE]? 
That seemed like an example of folks trying to whatever, secure, what you're talking about. But then we're seeing information, or you were seeing information as the day went on-- I'm actually not familiar with what explicitly happened, so could you give me a summary? I can help. So basically there was a thing that went around. And we're all kind of quickly responding to calls to activism on Facebook who are the same sort of bent. And there was this, hey, everybody check in at Standing Rock. It's going to confuse the cops. They're using some kind of social media tracking software. They were using-- What was the report that they were using? They were using Facebook to see who was at the location to then try and arrest people. So the call went out for people who weren't really there to check in there, so that they wouldn't be able to see who was actually there. And then what later came out was no one really knew where it came from, and then you were seeing information as the day came on about like, oh maybe it's easier to subpoena information when there's been a massive fake thing like this-- Yeah, I don't know that part. Getting to-- I guess what I'm curious about it, do you know if there's ways to stay up to date on legal intersections with tech? Because that's changing so fast. When I was reading response to this, it's oh, because so many people obviously checked in in a fake way, it will be easier for the legal system to ultimately subpoena information about who actually was there, and bypass more traditional security measures, I guess. So when it comes to the legality of the internet, electronic communications, all that-- it is a weird, Byzantine system that's hard to make sense to. As a layperson I do this through activism, and I still have a hard time wrapping my mind around it all. I have personally found that the ACLU of Massachusetts, they have a wonderful number of resources that tackles exactly this. 
They have an explicit technology project, with some wonderful activists behind it, who focus entirely on the sort of legal perspective of, what is happening with your data? What the current battles are, and things like that. As far as something like a mass action, like everyone check in at Standing Rock, it's hard to say with confidence what's effective and what's not, because unless you are privy to what's happening on Facebook servers, you are privy to the software that law enforcement is using, and all these different pieces of the puzzle, you're just going to have basically, an educated guess as to what they can do or can't do. My personal opinion is that you should worry less about the perfect efficacy of such an action, and more relishing the fact that all these people came together to do a mass action of obfuscation for a political purpose. And I think, we're going to have to start taking more creative risks in that regard, because we don't know what works until it actually does. Maybe it made a difference, maybe it doesn't. But until we start actually trying, and doing these mass actions, we won't know. So I say, when in doubt, unless you're explicitly committing a crime, go for it. If you are committing a crime, then talk to me after because [INAUDIBLE] And when law enforcement is trying to get that fast subpoena now, oh crap, we can't do this, our data isn't secured. It's ACLU and EFF that are getting in the way. Yeah, they're wonderful. And the Electronic Frontier Foundation is also at the forefront of fighting these legal battles, too. So they're another fantastic resource that you can look into. What are your thoughts on these companies that promise to renew your personal data, your home address, your children's names, spouses' names-- Yeah, I think that's snake oil. Because-- I was wondering that. Because your data lives in so many different places, and it's constantly being produced, that you can't have any guarantee that's wiped for good. 
For instance, that site, Spokeo, you can actually go there and request for your information to be removed, which is actually, if you're being doxxed or harassed, it's a nice first measure that you can do to protect yourself. But there are just any number of websites that serve the exact same purpose, and your data could still be living on those servers. And let's say in a hypothetical world, one of these companies actually got rid of all your data from the internet, as weird of a possibility as that is. You're just going to create more data. You're going to go tweet more. You're going to post more on Facebook. You're going to visit more websites. You're going to register for things. You're going to pay bills. You're going to be voting. There's so many different records out there that come out publicly that they can continue to draw from, that's not going to be a permanent solution. Yes. I have a quick question about job applications. There are backend systems that companies use, usually anybody over 50, I would say, employees, typically use something called an [INAUDIBLE] tracking system. And so when you apply for a job, or students apply for jobs, internships, or full time positions, their information from LinkedIn is sometimes being pulled into that applicant tracking system automatically. They actually have these little automatic connections. And so, what would you, if you worked for Mount Holyoke, and you were advising students around applications, or job applications. And they have an interest in security, and they have an interest in obscuring themselves, et cetera. How would you reconcile that with the fact that LinkedIn is being used in a much more sophisticated way when students apply for jobs and internships? That's a wonderful, ethical question. So this is a quick anecdote. That company I was talking about, Spokeo-- they actually got a massive fine from the FTC for explicitly marketing to HR departments. 
So all that information you saw about me, Spokeo was trying its damnedest to make sure that HR people could also see that data. And they got a significant fine for that, which is weird, because you don't see that kind of justice that often. As far as for students and other people that are looking to apply for jobs and protect themselves online, you have a very difficult tension between your rights to privacy and your rights to live your life freely online, versus what could be used against you. And so that's going to be a personal decision. When I started doing activist work, I tried very hard to make sure that you didn't have much associated to me with everything I was doing of a highly political nature. After doing it long enough, I realized, I cannot possibly hope to hide that. I just need to embrace it. I put my full name on everything. I put my Twitter out there. I put my Facebook out there. And if that comes to work against me, so be it. I'll deal with the consequences. It's obviously going to be tough for new students, because they're in a vulnerable position. They especially want to be employed and hired, so I would say, follow the basic privacy settings on your social media profiles. Make sure that you can't see Facebook from-- publicly, that your Twitter is locked down, and those basic measures that the sites do offer for protecting your privacy. So basically you don't remove all information about you from the internet, but you make it more difficult to just do a Google search and find things that could be incriminating. But at the same time, I would also be deeply suspicious of a company that's using your personal history or interests or anything derived from the internet against you. You probably-- you wouldn't want to work for those people. They suck. This is going to be a personal decision that you'll have to make at the time. Yes. 
Can you talk a little bit about-- so in Europe, there's a lot of move for the right to be forgotten, to remove information about you from the internet. So libraries on the one hand are very much about reader privacy and trying to encourage people to protect their privacy. On the other hand, we're also very much about archiving, and keeping forever information about people who turn out to be famous, or have other reasons to have research done. So some of the concern about the right to be forgotten is that people may choose to remove factual information about themselves. So it's not about harassments. It's not about wrong stuff. But it's about actual factual information about you that you no longer want up there. So I'm not too familiar with the archiving process, so I'm going to make a counter question. How do you accumulate factual data before the internet about people of interest? So it was all very haphazard, right? So it was what people gave to an archive, what people-- what they happened to keep, what you happen to retain and what you happen to give. And so, in the big data world, there's a desire to do that a little bit more systematically. So my first reaction to that as someone that's not involved with archiving or libraries, is that the key word in your description is given, and that someone made the choice to give that information to you, and that someone was able to donate the letters or correspondence of the deceased, or that someone made their artwork available for a gallery, or something like that. And so personally, from my perspective, as far as the ethics of it goes, there should be a consensual decision on part of the person donating that data. Obviously, that sucks because then you can't sweep up all of the data trail that they leave behind them. But you've survived without all that data before. I'm sure you will in the future. 
If they really are a person of interest, there will probably be many other ways for you to get that data, should it be really important. So, I would encourage you to forget as much as possible. I think amnesia is good. That's more of a question for you to fight over. Yes.
For those of us who are responsible for other people-- I'm a teacher. I have children's full names in report cards and things like that all the time. You probably, if you don't already, many people in this room will at some point in their careers-- what do we need to know about protecting, specifically the names [INAUDIBLE] of people in our care.
That's a wonderful question. So I'm not familiar with how education works these days, but I imagine there's lots of software involved, and lots of online communication. I know a lot of schools use Google as a platform for a lot of things, which scares the crap out of me. That's another discussion entirely. But I think that taking personal cyber security measures for yourself is the easiest and most effective course of action. Making sure that the passwords to your email accounts, and other places where that information may live are as protected as they can possibly be, making sure that you have encryption turned on on your computer. And then just generally being aware of where that data is living and how you are using it. I think that if you just take those basic cyber security measures, and you're not posting report cards and pictures on Twitter, I think you'll be as fine as you can reasonably expect. Because we're all going to make mistakes about cyber security. You can't be perfect, and if you try, it's just going to drive you insane. So as long as you just have those basic sort of habitual practices in place, I think that's the best you can do. Yes.
What's your [INAUDIBLE] of the person who [INAUDIBLE]
That's an awesome question. I could ramble about that at length for long periods of time.
I guess my vision would be that a, most data would be ephemeral. Most things don't need to live forever. There's no reason that they should be. I don't think that the data should be associated to you in perpetuity. It's weird to me that a Facebook post I made 10 years ago will exist 40 years from now. It could be used against you in some manner. So having the culture that does not try to hoard data, that does not try to preserve every little thing, I think will be safer and more enjoyable as a person. I actually try to use this myself. I go on my Twitter, I delete old tweets all the time. And it feels kind of nice. It's like cleaning my room or something, in that all my old tweets are just gone. And it's like nice and open and free. So ephemerality would be big. I think having explicit commitments of technology developers towards inclusivity and safety and prioritizing the safety of their users is huge. Most of the times, developers are focusing on what the business initiatives are. They're focusing on marketing, what product can they bring that will bring in revenue. There needs to be people in that room whose job it is to think, hey, is this secure for our users? Will this expose them to harassment? Will this expose them to other threats? So having that at the point of development will be huge and important. There's a lot of strides being made to this end, but there's still a lot of work to do. I also think that a lot more government regulation of how data is stored and sold will be key. Right now, the internet, websites, apps are very unregulated, which is why things like the data brokerage industry can exist. I think that having more strict implementation in place as to what you can collect on a website, what you can do with it, should be implemented. And in addition to that, I had one other point, that is escaping me. Oh yeah.
I think that we should foster a culture of community input into development, so that security researchers can audit your code or your platform to look for vulnerabilities or things that could hurt people. Bring in people like activists or educators or artists, or other people, who have some sort of stake holding in your product or your platform. And get their input into development to make sure that what you're doing is good for them, and is also good for people developing. A lot of the solutions I have in mind just come from the fact that you have to treat your users like human beings, not like numbers and data to be collected. Have conversations, respect their interests, give them the option to say no. I think just abiding by those principles will go a long way. Anyone else? Great. Well thank you so much for having me. [APPLAUSE]
[INAUDIBLE] be around for a little bit. So if you want to mingle around and there's food in the back. So get some food and continue to chat. Did the food go away?