Is it safe? The internet is where we live, love, learn, and communicate freely. To be ourselves, we need to be able to trust the systems that protect.
As more New Yorkers access the internet, they share more personal information than ever before. This has created an urgent need for protections and, in NYC, there are two main approaches. The first is to help educate and train New Yorkers to effectively protect their personal information and understand emerging privacy threats. The second is to create new tools, systems, and policies that can protect New Yorkers overall, offloading some of the burden from the individual.
In an analysis of internet service providers in NYC, researchers at the New School found that the privacy policies of major telecommunications providers do not sufficiently inform consumers on how to protect their privacy. Further, the reviewed policies set forth language that opened up the likelihood of providers sharing or selling user information with consumer consent or even disclosure. This important, first-of-its-kind analysis gave NYC lawmakers key information necessary to introduce legislation to protect NYC internet consumers.
In NYC, unsecure WiFi is becoming one of the most important threats to privacy and cybersecurity. To address, the New York City Cyber Command created NYC Secure a free, easy to use app that that provides New Yorkers with the ability to identify and defend against mobile security threats. And to increase NYC’s overall cybersecurity capabilities, in 2018 the New Economic Development Corporation launched Cyber NYC, a suite of strategic investments to grow NYC’s cybersecurity workforce, help companies drive innovation and build networks and community spaces to support the cybersecurity ecosystem.
NYC Digital Safety: Privacy & Security is a program developed by NYC’s three library systems – Brooklyn Public Library, The New York Public Library, and Queens Library – and METRO Library Council . In this program, more than 1,200 library staff received in-depth training on digital privacy. Now, New Yorkers in all five boroughs can go to their trusted local library and be assured that a staff member will be able to help answer their questions. The training curriculum is open and freely available for any City looking to implement this kind of program.
To draw attention to libraries as a resource for New Yorkers looking to improve their digital privacy, in 2018 the City hosted the first ever Library Privacy Week, with over 30 events throughout all five boroughs designed to help us protect our digital privacy and security.
In 2018, the City of New York partnered with the Mozilla Foundation to launch Stronger NYC Communities, a holistic cybersecurity training program specifically designed for organizations that serve vulnerable communities. After a successful pilot, the City plans to expand the program to include twice as many organizations, and the curriculum is currently freely available to the public. The City also saw the appointment of the City’s first Chief Privacy Officer. The CPO role was created through local legislation and in April 2018, Mayor de Blasio appointed Laura Negron as the first CPO who is tasked with creating policies and protocols on information sharing throughout city government.
In the community, Crypto Harlem has run a public and free Digital Surveillance Clinics since 2013 for marginalized, aggressively monitored, and over-policed people. With a welcoming teaching environment, CryptoHarlem addresses issues from hardened security operating systems to surveillance technology, and has worked with thousands of participants over the years, building better local digital knowledge and capacity with Harlem residents.
“understanding the digital microcosm of libraries helps us understand the macrocosm of the internet”
Melissa Morrone is Supervising Librarian at Brooklyn Public Library (BPL), a landmark NYC institution that serves over eight million visitors annually. Every year, BPL hosts hundreds of digital literacy classes, facilitates over 350,000 user sessions on public computers, and supports over 500,000 connections on its free wireless network. For the past six years, Melissa has directed the Info Commons, a division of the library that addresses the diverse needs of Brooklyn’s communities with a range of programs that leverage digital technology, media, and culture. A digital privacy leader, Melissa works on efforts at BPL to improve internet health for all New Yorkers. People increasingly rely on their local public library to connect with internet services, so Melissa’s community-driven work directly shapes the digital and data capacities of connected NYers, making the internet more secure for users, wherever they access it.
Tell us about your work.
Librarianship in the United States has a decades-long commitment to privacy in the analog era, but it’s been a challenge to translate that ethic to the digital age. From 2015-2018, I managed a grant from the Institute of Museum & Library Services (IMLS) that created the Data Privacy Project, a large-scale digital privacy/literacy training initiative done in partnership with Seeta Peña Gangadharan when she was at Open Technology Institute and Bonnie Tijerina was at Data & Society, and with the Metropolitan New York Library Council (METRO).
Almost 400 Brooklyn Public Library employees and 200 library staff from around the city explored fundamental concepts of digital privacy as well as specific tools and tactics to protect our — and our patrons’ — data, such as using a VPN when connecting to free open wifi in the library. For example, patrons often come to fill out online applications for jobs. These forms prompt them to create a username and password, and then enter sensitive personal information. “How do you know if it’s real?” they ask, some having experienced ending up on some sort of scam website. We try to mitigate that.
The project resulted in a nicely designed zine about privacy in the library space and helped BPL develop relationships with digital security trainers and advocates who now come in regularly to teach patrons about tech and privacy.
What are you proud of?
The Data Privacy Project helped make frontline BPL staff aware of our roles as “technology translators.” We may not be technologists but we have a responsibility to teach library users about technology and expertise to explain things in a way that people can understand. The Data Privacy Project was part of that wave of awareness.
On the community side, public libraries are highly trusted institutions, so it makes sense for us to adapt as providers of internet access, and to cover data privacy instruction. The foundational work of the Data Privacy Project has served as the basis for other digital programs, too – most recently the NYC Digital Safety: Privacy & Security initiative, which was launched thanks to City funding at all three library systems in NYC. Through this, library staff at each of the city’s 207 branches received specialized training in digital privacy through online and offline trainings, which are now freely available at https://nycdigitalsafety.org/.
What challenges persist to developing better digital privacy – locally and beyond?
With all this data churning on massive centralized platforms, everyone – from legislators to ordinary people, even to technologists – is trying to wrap their heads around it. But it’s not too late to take back control over our data. Privacy literacy impacts behavior and changes the way the data economy works. At BPL, we’re doing what we can to take back power through a data audit to assess where data lives within the organization, how third party vendors have access to it, and to re-negotiate with vendors so they live up to the library’s value of patron privacy. Hopefully, this produces a rubric for an informed, ethical stance for data decision-making throughout the library. Privacy is about control, meaning that we can share data with whom we intend to, in ways that we understand, and on platforms from which we can easily and permanently remove information if we change our minds.
How can NYC be an active partner in this work?
Cities need to set ethical standards, like data retention and usage policies, for how vendors participate in the market and are trusted with user information. The City can use its power and expertise to help libraries and other agencies negotiate terms of services with commercial platforms and ensure that we are using technology that is ethical.
The City can also work closely with library IT departments to harmonize tools and procedures. For example, the sort of open WiFi system that we offer in BPL locations is easy to join, but there are risks to users if they are not taking other steps to protect their data, like using a VPN. The City now has tools to help New Yorkers safely access WiFi, starting with the NYC Secure initiative, so they could also coordinate with public libraries to comprehensively train the public on data and digital privacy, and how best to use these tools.
Final Word
Digital privacy is large and complex. How primed you are to come to a training depends on how you use networked technology throughout your life—do you use a smartphone? Are you on Twitter? Do you have to use the internet at your job? For many library staff, digital privacy may still feel ancillary to our jobs, but it affects us as city residents, and more importantly, as engaged people. Understanding what’s going on in our microcosm of library vendors and platforms will help us understand what’s going on in the macrocosm of the internet.
“a community methodology of trust is more powerful than a recommended list of tools”
Sarah Aoun is a much sought-after and respected technologist who provides digital and data security programs and incidence response services for human rights defenders around the world. From international partners to philanthropy and movement activists, Sarah has trained countless organizations and groups seeking to improve their digital safeguards and knowledge. Applying a holistic framework, Sarah works to develop communities’ digital power through trust. As technologies are increasingly sewn into the fabric of how society and people function and live, Sarah creates spaces for collective, community-driven solutions that are grounded in shared purpose and struggle. The results range from conference tracks that engage thousands in upping their skills and awareness to co-developing and leading Stronger NYC Communities, the first city-based digital sanctuary training of its kind.
Tell us about your work.
As a holistic security practitioner, I help human rights defenders, civil society organizations, journalists, and high-risk communities use technology and the internet in safer ways. I do this by understanding what they need and the risks involved in their particular techno-political context, whether in NYC or abroad. Sometimes I am called on for rapid response to online harassment or doxxing (broadcasting private or identifiable information for hostile purposes), but this type of work is reactive and not optimal, because it doesn’t set up people or organizations to protect themselves. The heart of what I do is proactive, preventative work that decreases the probability of a digital threat, and then lowers its impact if it does occur.
What makes this approach ‘holistic’ is that it’s about much more than prescribing specific software or tools – it’s a whole set of practices that take into account the psycho-social emotional impact of being at risk of attack in the first place. For example, if you are an immigrant in the US, you face a different degree of trauma or threat than if you are a white man. Immigrant groups have been historically targeted by federal agencies and the government, and have faced decades of surveillance. One such instance is the 2017 announcement by the Department of Homeland Security about federal agencies’ intent on collecting social media information and search history from a variety of immigrant groups.
Building security practices with communities requires shifting habits and adding capacities that address the roots of struggle in the context they are in. Across the globe, we are increasingly dependent on technology, and right now, especially in repressive societies, communication systems can be easily exploited to monitor people and to crack down on dissent. So I work with people to use these systems in safer, more secure ways to protect their privacy. My goal is to support community-building through long-term projects that embed security practices in a sustainable way.
What are you proud of?
At the international level, I’m proud to have helped plan for and advise the Bread & Net conference, which took place in Beirut, Lebanon in 2018 organized by SMEX (Social Media Exchange). It brought together technologists, lawyers, human rights activists, journalists, and artists to explore digitals rights and civic engagement. In the Middle East, it is rare for civil society to come together and to collaborate – in fact, civic society spaces are shrinking globally – so to have folks from a range of Arab countries come together was critical to strengthening regional ties and understanding at a time when a number of new cybersecurity laws have led to an uptick in activists being jailed for speaking critically of governments online.
Locally, I’m most proud to have led an initiative called Stronger NYC Communities that supported groups serving immigrant communities with digital security trainings. It was a partnership with Mayor’s Office of the Chief Technology Officer, Mayor’s Office of Immigrant Affairs, Research Action Design (RAD), and supported by the Mozilla Foundation. I worked with the RAD team and a cohort of select security practitioners from groups like WITNESS and New York Civic Engagement Table. Following an extensive needs assessment, we generated digital security trainings for 16 organizations to increase their capacity towards a secure digital infrastructure. The program had two components, first, a series of “Train the Trainer” workshops, and second, five half-day workshops to explore security tactics like password managers, encryption tools, two-factor authentication, and virtual private networks (VPNs). Importantly, trainers have long and shared histories with communities in NYC. A community methodology that encourages changing security practices through trust is more powerful than recommending a list of tools.
This model works because it builds trust over time and that is what changes practice, not just tips and tools. Over the course of several months, folks went from 100% of respondents relying on unencrypted email as a main form of communication, and 80% relying on public WiFi without using a VPN or any means of securing their network connection, to 100% indicating a new ability to assess and mitigate digital security risks. The simple act of witnessing people become more equipped to make informed decisions was beautiful. Collaborating, building trust, and establishing connections is powerful.
What challenges persist to developing digital privacy and security skills – locally and beyond?
There are three core challenges. The first is that digital security is a socio-economic and political privilege: having an encrypted iPhone, getting a VPN subscription, or encrypted cloud storage options can be expensive. And abroad, lack of access to certain tools due to internet censorship, shutdowns, and government surveillance make it hard to learn about VPNs or encryption, when the mere practice of it might put you at risk of prison sentences. The second is digital literacy. We need more training and support for these essential skills to be available and embraced broadly. And third is, honestly, people feeling overwhelmed. There’s so much to learn, the technology changes so fast. It requires us to be incredibly flexible and malleable. A tool you adopt today might have a big security risk tomorrow, and you might have to change your practices.
On an organizational level, it can be hard to make digital security a priority and carve out precious time for this. Many human rights and grassroots groups are already spread thin and overworked, so the goal is to bake better practices into the fiber of the organization, so it is an integral part of the work as opposed to something “extra.”
Where and how can NYC be an active partner in this work?
It’s fantastic to support immigrant groups bolstering their digital security practices, and if NYC really wants to address the power dynamics and inequalities of the internet, then we also need municipal measures that push for more public control and accountability of surveillance tech that police use disproportionately in communities of color. We need city regulation that responds to the damage of rapidly advancing technological threats (like drones and spyware), and brings an ethical framework to AI ahead. Without regulation or oversight, abuse will happen, mediated through business contracts that dictate the state of our human rights. NYC, as a sanctuary city with a solid human rights law, is in a good position to ensure policies catch up.
Final Word
One key struggle for me is to maintain faith in this political climate. Doing this work, you come across so many traumatic stories. Keeping hope that things are going to change for the better is a challenge. Digital threats easily transform into physical ones, and it feels at times like we are fighting against giants. It is overwhelming, but our strength lies in our communities and the bonds we share with each other. It’s important to remember that we do this work because it right, and not because we expect to see imminent results. Expecting change to be fast and simple can be discouraging.