January 27 2022 GM

Glitter Meetups

Glitter Meetup is the weekly town hall of the Internet Freedom community at the IFF Square on the IFF Mattermost, at 9am EST / 2pm UTC. Do you need an invite? Learn how to get one here.

Guest: Gus Andrews, Security in a Box

Security in a Box (SiaB) was radically transformed in 2021. Come learn about what has changed in this 24-year-old resource for the digital freedom community! We are hoping it is now a lot more usable, practical, localizable, and easier to update than before.

Join us at the Glitter Meetup on Thursday, January 27th for an introduction to what has changed. Bring your feedback for Gus and Front Line Defenders, so we can keep making SiaB a more useful resource for you and the communities you work in.

Gus Andrews has been working in the digital freedom community since 2013, starting the first program to improve the usability of secure tools at the Open Internet Tools Project. She has since worked for Simply Secure, Internews, Tactical Tech, and Front Line Defenders. Gus is the author of Keep Calm and Log On, a book that summarizes advice from the internet freedom community about privacy, security, mindfulness, and disinformation.

Front Line Defenders was founded in Dublin in 2001 with the specific aim of protecting human rights defenders at risk, people who work, non-violently, for any or all of the rights enshrined in the Universal Declaration of Human Rights. Front Line Defenders provides rapid and practical support to human rights defenders at risk through advocacy, grants, trainings, rest and respite, and a 24-hour emergency hotline.

Date: Thursday, January 27

Time: 9am EST / 2pm UTC

Who: Gus Andrews, Security in a Box https://securityinabox.org/

Where: As a guest of the Glitter Meetup on IFF Mattermost Square Channel.


Community Updates

Topic of Discussion: Security in a Box

  • Security in a Box is one of the oldest guides to digital security in our space. It was one of the most comprehensive guides, and a lot of us looked to it as the first guide that taught us how to do this.
  • However, it has largely remained the same in form up until now. It was very wordy, and written in narrative style. And since then, it has been passed around between a bunch of different organizations to maintain it. So it got sort of scribbled over and scribbled over and parts of it were out of date and others became hard to read.
  • Gus started working one year ago with Front Line Defenders to revise it. It has changed a lot, with the goal of making it useful for us.
  • The first thing you will see is that the updated version is much more action-oriented. It points readers at specific actions they should do, on specific parts of their devices.
  • A significant overhaul here came to the social media advice.
  • Be aware the transformation of SiaB is not complete yet! We're about to reorganize everything here with more effective menu headers.
  • We're also going to have tool landing pages which act as catalogs of tools we recommend.
  • Security in a Box is a community resource. Many groups in our space link to it. It's Creative-Commons-licensed, so anyone can build on it. But as I learned when I did a survey of guides in our space, there are HUNDREDS of digital security guides, and NONE of them build on each other.

Q: What challenges are you encountering? A security guide is not easy to update or maintain. Any lessons learned or advice?

  • We changed the guide to be more action-oriented because the feedback we got from our digital security trainers at FLD is that it was too wordy and didn't point people at what they needed to do.
  • The old stuff about why they should do it is still there! It's just in a different form. Under each to-do, you will find a drop-down with the words "Learn why we recommend this".
  • You'll also notice the guide largely links to the documentation for a platform, device, or piece of software.
  • We did this for a couple reasons:
    • One, as nonprofit employees, we have a much harder time keeping up with changes to software than the people maintaining that software! In fact, I kind of wonder why we were doing that to begin with.
    • Two, the documentation for the software is likely to be localized, with screenshots, in other languages, by these tech companies that have a much better budget for doing these things.

Q: Are the screenshots still there? They're hard to maintain but they were mega helpful.

  • They are in some places. We point to the guides from the developers, which often have those screenshots.
  • Also, you will find that for basic security on most major OSes, I have made videos instead of images for the guides!

Q: How does FLD plan to maintain the localization and translation of the guide? Who is doing the work? Do you out-source it to translation agencies or work with local partners with digital security/tech background?

  • This guide took us a year to overhaul because as a nonprofit, we had not allocated the time or funding correctly to overhaul this in a way that was really useful to the community.
  • This despite the fact that we were all keen to make sure SiaB survived, because like I said, everyone links to it! If SiaB is crappy, there's a lot of upstream effects!
  • We were a team of three people.
  • You'll all notice that so far, this is only in English. We're shuttering the translations for a moment because some of them were dangerously outdated.
  • We wanted to make sure we had all the English changed first before we localized it.
  • This is where we get to questions of who maintains this, who pays for it, etc.
  • Currently FLD doesn’t have the budget to pay localizers.
  • There is more than one option here: Apps and OSes are getting a little bit better at developing their own documentation on privacy and security.
  • Apple, for example, has a really good guide on this.
  • Another strategy we could use is educating and organizing them to do this better.

This is where Security in a Box needs your help

  • We could solve the localization payment issue by underpaying localizers. I do not want to do that.
  • We could solve the localization payment issue by localizing into fewer languages. That might work.
  • What would be ideal, though, is if we could, as a community, come together to source funding for localizing SiaB.
  • This may take finally educating our funders about what software development actually costs.

Q: Why do we need to invest in SiaB? Especially asking, since you have done so much research looking at so many guides

  • That is an excellent question. I think it should be up to the community to say "oh yeah, we link to this resource, we really think it is important!" Or to look at it and go "nope, this duplicates stuff that is done better elsewhere" and decide it's not important.

Q: Isn't it more viable than investing in one guide to concentrate on building each tool's capacity to have a baseline quality of documentation and localization?

  • A lot of participants agreed with this idea and we had a little discussion about it.
  • A participant said that there will always be a need for someone to facilitate the documentation of knowledge around how to use these tools in the best way for human rights defenders, with tips, tactics, etc.
  • Another person added that overall, improving the quality of tools documentation is essential! At the same time, part of the great value they see in SiaB is knowing which tool to consider using in the first place.
  • Gus concluded by saying that both of these were really good points. We need to support FLOSS tools in developing better documentation, and we need as a community to educate industry documentation people (who are usually really nice people!!!) how to build guides with at-risk users in mind. We should be holding this Apple guide up as the gold standard.

Security Planner

  • Security Planner is the tool developed by Citizen Lab and Consumer Reports.
  • Security Planner is drawn from open source projects, and it is a shape we should all be able to build on, but it's not entirely open source.
  • We talked with their team and they'd like to help us fit the content of SiaB into Security Planner, HOWEVER they could only give us their older codebase, which is not as good as their current structure, AND I believe it's based in Contentful? Which is an industry-standard content management tool. For which we'd have to pay subscription fees. Which are... wait for it... billed at the kind of numbers the industry can pay for. Not us in NGOs.
  • With the right resources, time, and money, we could thread this needle and get SiaB content or other stuff we like into Security Planner's EXCELLENT interactive format.