Securing Your Lawn
A neighbor in distress called me this past weekend trying to see if I had a key to our building’s tool shed so he could grab the lawnmower and cut the grass. Evidently he lost his. Although I had no key, what I did have was a lock pick kit I acquired from Privacy Camp DC. Lock picking just happened to be one of a few sessions I attended that day and the speaker, Deviant Ollam (yes that is his real name), sold kits for anyone wanting to pursue lock picking as a “hobby”. Dashing off as if I were a Pink Panther gang member, I grabbed my tools and went to town on the lock. My hope was to evade detection, cut the grass, and leave everyone wondering who the grass cutting vigilante was.
Unfortunately, after spending fifteen minutes playing with rakes and other lock picking essentials, I realized my skills as a jewel thief were going nowhere. So I turned to plan B, which was acquiring bolt cutters and cutting the lock off.
While Deviant’s lock picking session was fun for everyone wanting to try their hand in thievery, it presented Privacy Camp attendees with a lesson in security that is invaluable for anyone working with agencies hosting sensitive data. Break-ins occur quite often, and some go undetected. Early detection of a breach enables organizations to quickly mitigate potential damage and take steps to ensure it doesn’t happen again.
At the end of the day, my condo association was much better off knowing I had to hack off the lock. They knew there was a break-in. They knew they needed to take new security measures. And they knew exactly who was responsible. Thus they would never have to become reliant on a lawn mowing crusader.
Privacy Camp 09
Though learning how to pick a lock was fun, Privacy Camp 09 had a lot more to offer. The underlying theme of the camp was trying to find balance in managing security, privacy and transparency with existing technologies and data. As private and public institutions implement processes that might affect one aspect, concerns are typically raised about how the other two are affected.
Ari Schwartz from Center for Democracy and Technology (CDT) kicked off the day by saying a few words about ongoing trends. In his message he mentioned many public agencies are risk averse to employing new technologies due to missteps that have exposed sensitive information in the past. For example, the ramifications of the Social Security Administration’s boondoggle in the nineties that made public people’s personal earnings benefits statement still affect how some organizations adopt online tools.
Following Ari, would-be topic facilitators stepped up to suggest a session they wanted to facilitate. Once the sessions were confirmed, an announcement went out and attendees flocked to a board to see the events of the day. Below are some of the sessions my workmate, Brian Verhoeven, and I attended:
Digital Signage
If you have seen the movie Minority Report, then you may be familiar with some of the innovations in play that can use facial recognition software to match a person’s profile and churn out a digital advertisement within seconds. And the good news, depending if you are a fan of this type of technological marvel, is that they are already in use and many people are none the wiser. What may seem like innocuous digital displays lined up in Times Square and in elevators across the county are actually equipped with demographic profiling mechanisms that match advertisements to a person’s age, gender and ethnicity.
Harley Geiger of CDT raised the question about private data collection in the public domain and unforeseen uses that could result. In particular, there is no legislation that prevents commercial entities from sharing/selling data to each other. Your profile could potentially be tied to your shopping habits, your passport (RFID) or surveys taken. While some people might love the extra attention, it has many privacy advocates concerned. Principally, there are no policies in place to notify users, and there are no guidelines to protect the data. People essentially are at the mercy of the companies that are stockpiling the data.
Good Locks and Good Privacy
So back to the subject of lock picking. When selecting this session, there was an assumption it would focus on online security and how hackers get around firewalls, steal your passwords, etc. Wrong.
Though Deviant Ollam is a skilled hacker, he is also a lock picker hobbyist. And it seemed that lock picking made for a better topic than hacking that day. Deviant actually showed us the technique to pick physical locks. We were even able to practice on padlocks, desk drawer locks, and the type used in standard household doors.
His presentation would serve as an allegory of a cautionary tale that was oft repeated in Privacy Camp. In the physical world, most criminals take a ‘smash and grab’ approach to stealing. This is actually a good thing. At least you have evidence that someone had broken into your car, home, or office. Online, however, it is not always clear who is viewing your data.
Privacy vs. Transparency
In this session we discussed the difficulties involved with participating in online conversations. How much about yourself do you reveal? If you reveal too much, it may be used against you. If you do not reveal enough, as one participant has experienced, it may be difficult for people to know who you really are.
Some of the take-aways from this session:
1. Don’t post anything online that you would not want your mom to read.
2. You don’t want to be a web celebrity because it is too easy for people to tear you apart.
3. “The crimes are the same…” [the Internet] “…just decreases the transactional costs”
Government Use of Social Media
After the Social Security Administration fiasco, one understands government’s reluctance to dip their feet into the social media pool. But the new administration’s promotion of transparency in government and the effectiveness of these tools at communicating with the masses have agencies curious about their potential. Some agencies are looking toward using social media tools run by the private sector (e.g. Twitter and Facebook), while others are looking to build their own organically.
While Twitter and Facebook have better reach than home grown communities, they also have issues government needs to overcome. For starters, FOIA rules have no bearing on what is released on privately owned web sites. Thus government data could disappear.
Additionally, there are challenges in establishing a presence on privately owned sites. How will government attain the type of following Ashton Kutcher has on Twitter? Who is going to want to risk sharing college party pics with the Department of Homeland Security? How do government employees converse openly on these tools without getting their employer in trouble?
While there were many questions asked and few definitive answers, the Federal Web Managers Council is at work drafting guidelines to address many of these issues. Presumably a policy is coming in the near term.
End of the Day
Privacy Camp either left people paranoid or interested in breaking into their building’s tool shed. I personally am curious to see how government engages in social media in the next two years. As mentioned above, there are some hurdles it will need to overcome, but government can no longer afford to bunker down.