Jillian C. York

Jillian C. York is a writer and activist.

Page 2 of 185

Notes from a talk at WerkstattB, Berlin

This is a loose talk that I wrote for a Women’s CryptoDinner at Thoughtworks’ WerkstattB in Berlin, February 4, 2015. I deviated considerably from the notes, but thought I would share them anyway.

I don’t believe that we’re doing enough right now to ensure that everyone out there has the ability to take responsibility for their online security and safety.

I’m guessing most people in this room understand why surveillance is terrifying and encryption is important. But just in case, I’m going to go over this for a few minutes.

Here’s the short version: We’ve reached a point in time where states and corporations are working together to spy on every one of us. What my government is doing, in cooperation with other governments, is mass, dragnet surveillance. There are mass amounts of data being collected on each and every one of us that uses the Internet or a mobile phone. And even for those rare few who don’t, the fact that our contacts are using or carrying these tools or devices means that you too are vulnerable.

Now, I am pessimistic about the state of governance in the world, but nevertheless, I believe that this is an issue that we have to tackle from a number of directions:

-Policy work

It’s that last one that I want to talk about right now. Technology isn’t more important than those other fights. It’s not our sole savior. The amount of funding we have for privacy and security tools is nothing compared to the amount of funding our governments have put aside for spying on us.

But, the one thing technology has that those other fights don’t is that it’s the only element of the fight against surveillance that allows us to take personal responsibility for our actions. We can’t engage in the policy fight alone, as individuals. Litigation takes an army. Education is a slow struggle. But by using privacy-enhancing technologies, each one of us can take responsibility for our own safety.

In a talk I gave with Jake Appelbaum last year, we likened this to using a condom for safer sex. The analogy is imperfect, but the idea behind it is the same: Harm reduction. In using condoms, we are minimizing the threats that sexual contact can pose. The same goes for privacy-enhancing technologies: We cannot protect ourselves perfectly, but we can minimize the threat of surveillance.

So let’s talk about harm reduction for a minute. Harm reduction is typically defined as a set of practical strategies and ideas aimed at reducing negative consequences. When we talk about HIV, this means educating the public on the risks of unprotected sex and how to mitigate those risks. But it also means being realistic about human behavior: we know people will continue to engage in sexual activity, so we must meet them where they are and offer them practical solutions to avoid infection.

This is also true for digital security, though it hasn’t always felt that way to me. In 2009, I was attending an event, a training, and was spacing out a little bit when a guy walked up behind me, showed me a piece of paper and asked “Is this your password?” It was, indeed, and not only that, but it was a rather embarrassing password made from someone’s name (they were in the room) and some numbers. The password was for my Tweetdeck installation, and at the time, Tweetdeck wasn’t using SSL, so my password was available in plaintext.

That event scared the crap out of me. For me, a naturally competitive person who likes a challenge, that was a good thing: I quickly read up on encryption, attended a training, and learned how to use OTR. But that sort of strategy doesn’t work for everyone, and for some it can be counterproductive: There are many who understand the risks and choose to ignore them (just as some choose not to use condoms or get tested, out of fear).

And so I’ll say it again: We need to meet people where they are. This means, first, not scaring them. It also means helping them to understand the threats they face and respond appropriately.

Sure, I wish that everyone would be concerned enough about the NSA’s surveillance that they would adopt these technologies and fight back. But the truth is, there are a lot of people who just aren’t going to care about that to the same degree. There are people who aren’t concerned about their devices being searched at borders. In this age, that doesn’t mean they have nothing to hide, but it may mean they perceive the NSA to be less of a threat to them than I do.

If that doesn’t sound right, think about a different example: Coca-Cola has successfully protected their recipe for more than a hundred years. That’s a company that, for better or worse, takes information security seriously. Now, I suspect that the recipe is somewhere in a vault on a piece of paper, but disregard that for a moment. The point is: They have a vested interest in caring about security.

Now, there are other companies that care less. Converse is a great example: There are thousands of companies ripping off their brand, and Converse doesn’t give a fuck: They just keep making their iconic sneakers, and people keep buying them.

This is going to be true for individuals as well. And that’s why threat modeling is important in security: Just like a doctor shouldn’t prescribe antibiotics for every person who enters their office with a cough, neither should we prescribe the same solutions to every individual who expresses concern about their safety. Instead, we should guide them through asking themselves some questions, to understand their habits and their risks:

What do you want to protect?
Who do you want to protect it from?
How likely is it that you will need to protect it?
How bad are the consequences if you fail?
How much trouble are you willing to go through in order to try to prevent those?
Asking these questions helps us prescribe solutions to people.

But it’s also important for us to remember that those solutions aren’t always the best fit for everyone. PGP, for example, isn’t easy, and pretending it is serves no one. It took me two years of using it regularly to feel confident in my use, and I’m still learning new tricks all the time. Instead of starting with PGP (which is a bit like starting with calculus for someone who hasn’t yet studied algebra), we can start them with simpler tools like TextSecure and encourage them to have their conversations there.

One final note: One problem in the equation is that, for years, the field of digital security has been dominated by technologists. I mean, of course it has…but for many years, I felt that this community was rather exclusive. There used to be this feeling that if you didn’t protect yourself, then you deserved to get owned. Just last summer I gave a talk and said “PGP is hard,” and got verbally attacked afterward by a young man who thought that was too discouraging of me. He argued that PGP isn’t hard. I disagree.

This part of the solution isn’t personal: In order to reach more people, we must, we absolutely must make these technologies easier to use. There are a lot more folks thinking about this now than there were just a few years ago, which is great, but we have further to go. For those of us that have it, we can put money toward this goal by donating to organizations like Open Whisper Systems. For the designers in the room, you can offer your help to technologists, to make their products more easily understood by users. And technologists, you can do your part by remaining open to feedback, conducting rigorous user testing, and increasing collaboration. This way, we all win.

Which world leaders are *really really* committed to press freedom?

Yesterday, the Guardian asked a good question, which it then immediately failed to answer. The question was, in the context of the Paris unity march: “Which world leaders are really committed to press freedom?” Rather than answer it, however, the authors repeated the many articles and tweets of the past few days, focusing on the hypocrisy of leaders from countries like Saudi Arabia, Israel, and Turkey, who turned out for the march despite a track record of repressing speech at home.

But what would it look like to instead answer the question? Limiting the data set to those countries whose leaders* turned up in Paris, I shall attempt to do so. Since it is a rather long list (and this a quick and dirty blog post I’m writing in my spare time), I’ve eliminated countries designated by Freedom House** as “partly free” (Albania, Armenia, Kosovo, Lebanon, Turkey Togo, Mali, Niger) “not free” (Gabon, Russia, UAE, Jordan, Algeria, Palestine, Saudi Arabia), as well as those already eliminated by their presence Guardian piece (Israel). Remember, the goal is to find the countries that are really committed to press freedom, so elimination needn’t be an exact science.

The second step toward shortening the list was to consult Reporters Without Borders’ World Press Freedom Index. While the index has been criticized for playing fast and loose with data, it too is a good macro-measure of dedication to press freedom, at least in the manner in which I’m using it, which is to draw a solid baseline. By selecting only the top 30 of that list, we eliminate the UK, Spain, Latvia, France, Italy, Benin, Bulgaria, Malta, Romania, Croatia, Slovakia, Serbia, Senegal, Hungary, Greece, and Ukraine.***

The remaining countries, below, all rank within Reporters Without Borders’ Top 30, with the exception of Monaco, which isn’t included in the rankings. Now, as I said, Reporters Without Borders’ rankings are a great baseline, but I’m going to do my own super scientific**** analysis, awarding only one country the honor of being really, really committed to press freedom.


This country comes in 12th in the RSF index, but scored a 21 in Freedom House’s 2013 Global Press Freedom Rankings alongside the United Kingdom (which has been declining in freedoms for some time), so that gives me pause.  A deeper look shows that Austria has stringent criminal libel laws, so that’s no good. Nazi propaganda and anti-Semitism are prohibited by law (perhaps understandable given the country’s history, but not a good basis for press freedom). The country has also been ranked in the bottom 10 in a global study on access to information. Austria: Not today’s winner.


Belgium ranks 23rd on RSF’s index, but scored an 11 in the FH rankings. Like Austria, the country prohibits hate speech (but so does most of Europe, so it’s not really a factor). Belgium has solid source protection legislation (a huge plus) but awful copyright restrictions (less great). Verdict: Still in the running.

Czech Republic

Although this central European nation ranks 13th in RSF’s index and scores a 19 in FH’s, this sentence gives me some pause: “Freedom of the press is constitutionally guaranteed, though the Charter of Fundamental Rights and Freedoms prohibits speech that might infringe on national security, individual rights, public health, or morality, or that may evoke hatred based on race, ethnicity, or national origin. Libel remains a criminal offense, but prosecutions are rare.” That said, the last major incident (a 2011 raid of a television station for showing allegedly classified military documents on air) was four years ago, so the Czech Republic gets another chance.


Coming in 7th on RSF’s list and scoring a 12 from FH, not much seems rotten in the state of Denmark; in fact this northern European nation looks poised to beat out Belgium.  A closer look shows that Denmark prosecutes somewhat regularly for violations of its hate speech regulations; about 50 people have been prosecuted since 2000. Like Belgium, Denmark has pretty strict copyright regulations that sometimes result in Internet censorship.


Estonia is ranked 11th by RSF and scores a 16 from FH. The country gets extra points for its track record on online freedom, but loses a couple for a 2010 law that could allow for prosecution of journalists who fail to reveal their sources in major crimes cases (note: no one has ever been prosecuted under that statute). Estonia: Possible winner.


Finland is like that kid that you wish would stay home sick because you know that if he competes, he’ll win. The Scandinavian country ranked first in both 2013 and 2014 on RSF’s index, and scores an 11  from FH. Its one disadvantage is its continued criminalization of defamation. Still in the running? Yes.


Germany comes in 14th in RSF’s index, and scores a 17 from FH. Despite overbroad surveillance, the country has a robust press and good (but costly) access to information. Germany also ranks highly in FH’s Freedom on the Net report, although its copyright regulators are so notoriously horrible that a book dedicated to understanding “how to be German” cites “hating GEMA” as a key step. Disqualified? No, Germany, you can stay.


Ireland ranks 16th in RSF’s index, and scores a 16 from FH. Blasphemy, however, is a punishable offence, thanks to a law that was enacted in 2009. Perhaps being eliminated from my Super Important Rankings will prompt Ireland to change that law – until then, bye, bye, Ireland.


Oh, tiny Luxembourg, bless you. Ranking 4 in RSF’s index and scoring a 12 from FH, Luxembourg is surely in the running, though it doesn’t seem quite fair given its size.


I reserve the right to eliminate Monaco at this stage in the game for not totally being a country.


The Netherlands comes in 2nd in the RSF index and gets a score of 11 from FH. The country has a good freedom of information act, no Internet censorship, and was the second country in the world to enshrine net neutrality into law. That said, the Netherlands is still working toward strong source protection laws. Definitely a contender, though.


Norway comes in 3rd in the RSF index and scores a 10 (the best) from FH. The country’s constitution guarantees freedom of expression, and the right to access government information, and there are no restrictions on Internet usage. It’s also telling that the Committee to Protect Journalists has absolutely zero articles that are about Norway’s press freedom. Norway: A possible winner.


Coming in 19th in RSF’s index and scoring a 26 from FH should eliminate Poland at this stage in the game. Sorry, Poland.


Similarly, Portugal’s rank of 30 (RSF) and score of 17 from FH eliminates it at this stage.


Sweden comes in 10th in RSF’s index and nabs a score of 10 (the best, alongside Norway) from FH. While Sweden’s press operates pretty freely, I found this line from Freedom House a bit concerning:”…most of the mainstream media view criticism of immigration and Islam as a form of hate speech.” Although I haven’t disqualified other countries from the running for hate speech laws (owing to the fact that they’re so common in Europe), this reeks of self-censorship and gives me pause, as does the existence of the Swedish Press Council, which “has jurisdiction over print and online content” and can levy administrative fines. Sorry, Sweden, you’re out.


Switzerland comes in 15th in RSF’s index but scores a 12 from FH, which warrants a second look. It seems that Switzerland prosecutes for hate speech violations (not a surprise nor a reason to eliminate) and for publishing leaked information containing state secrets (which disqualifies the small nation from this study).


And now, for the final reveal (drumroll, please). Based on my Super Scientific Analysis*****, I have made my final determinations. Coming in third place, thanks to that pesky criminal defamation law: Finland. Coming in at second: Norway. And coming in first, thanks to its proactive efforts to guarantee both a free press and a free Internet: the Netherlands. I hereby declare the Netherlands’ leaders to be really really committed to press freedom.

Edit: Parker Higgins reminds me of this 2012 debacle. Close one, Netherlands.

Disagree? Tell me in the comments.




*For the purpose of this exercise, I have defined “leaders” as “current ministers or equivalent.” I have excluded ambassadors; while their effort was surely appreciated, you have to draw a line somewhere.

**There is much to say about Freedom House’s biases at the micro level, but as a macro resource, it’s fairly useful.

***The United States, which was excluded for not having sent anyone higher-ranking than the ambassador to France, would have been eliminated at this point for coming in at #47 in the rankings.

****Not scientific.

*****Not even remotely scientific.

Some interesting reading on Charlie Hebdo

« Older posts Newer posts »

Creative Commons License
Jillian C. York by is licensed under a Creative Commons Attribution 4.0 International License.

Theme by Anders NorenUp ↑