Security and Safety

There’s something on my mind that’s been going on for a while. Well, another something going on in y mind.
And it’s about security and/or safety and how those concepts are used today. Or how they’ve been twisted. So, let’s start with what I mean by those terms. They’re often used as synonym for each other, but I keep thinking that they’re not meant to be.

Security, as I see it – at least in the uncountable use – is a concept related to peace of mind (even the latin form securitas is about peace of mind). It means it’s something you do not have to pay attention because it cannot hurt you. I think it’s linked to avoiding accident and incident, to put the potential cause of accident away. That’s the reason we have more and more automated features in cars, like ABS or ESC, who tries to manage traction for you to not care about traction loss (and control loss). They’re meant to avoid accident. Or to significantly reduce your exposure to the risk of an accident. Those are called securities for a reason, they make you able to feel secure while you drive half a ton of metal and plastic at high speed along other people doing the same thing while hopping no-one will fail to avoid collision with each others.
Peace of mind requires to reduce or negates the perceived risks to work. You must been aware that you were exposed to risk and then to be aware of something which allow you to think that perceived risk has been acted upon and that you’re now able to stop being worried about it. Feeling secure is something deeply rooted in most of animals, it meant to have certainty about the fact that you can eat, drink, and not being killed by something while your asleep. It means taking step to ensure that you’ll have that tomorrow, and the day after that, and the day after that, until your death.
Security is being addressed in our communities by laws and regulations. Whether they’re explicit or implicit doesn’t really matters. They’re made to ensure that, at the end of the day, all member of the community can stop thinking about the daily threats they’re facing daily. Security implies rules which purpose is to control behaviors that the community perceive as an existential risk, it also implies active measure to protect one self from them which leads to either individual arming themselves to defend themselves, or giving this power to a group of people devoted to maintain security and to control behavior. And this group of people must display that the rules are enforced, because if they’re not, then they’re not devices for peace of mind. To elaborate more on this, there’s whole segment of philosophy dedicated to it (Foucault’s “Surveiller et punir” being one of them, but 1984 by Orwell or Best of Worlds by Huxley do address this).

Safety is, on the other end, everything that exist to reduce harm done. It’s the plan B, it’s what happens when shit finally hit the fan. To stay on the car analogy, safety are safety belts and airbags. They exists only because there’s a risk of accident that have not been nullified by security measures (laws and regulations). And that is why self-driving cars is such a hard problem to solve, because you can’t have a null risk’s probability.
Safety is what allows Security measures to fail without doing much harm to everyone. It’s not really peace of mind systems, because they only exists because you’re exposed to a risk. When you put a helmet on before riding through whatever traffic with your bike, you become aware of the risks you take, and you try to reduce the harm you’ll suffer when someone you’ll eventually be thrown on the ground in the middle of a street because someone didn’t looked before opening their car door. Safety is knowing that if someone enter your house while you’re in it, you’ll have a place and space to recover and people to provides you what you’re missing.
Safety is not about control of behavior, it is about caring for others. Is is not peace of mind but it is acknowledging that you cannot achieve perfect security, and that you need to accept some harm. It is about recovering, learning, growing up.

Why do I talk about this? Because I hear a lot about (cyber)security, and not about (cyber)safety. Security being about perceived risk, and applying behavior control in a way that will be perceived as a reduction of this risk, leads to the current regime of mass-surveillance we live under.
I’ve red a Story about Jessica a while back. And I think it address the fact that we do not have (cyber)safety, that the infosec community have no clue about safety and what it means. The security focused industry means more surveillance (logging) and behavior control (don’t click on links, upgrade, choose a stronger password, don’t publish your key, and many of the do and don’t prevalent in the infosec community).
In computer science, the safety of the software an entity have to manage is, however, quite pregnant. You’ll have backup of the data, backups of the infrastructure, disaster recovery plans, etc. But this is only about the safety of the software. It is not about safety of users or the people who maintain it. If you cannot achieve software security for your company, you’ll probably end up fired at some point. All the on-calls procedures are just means of maintaining a software in a safe state (alive and running, or at least partly running after a crash).
However, users of the software are not protected by those technical safety solution. What will happens when users data will be leaked? What steps are you taking to reduce the arm being done to them? You must be able to answer this question. It could be providing legal counseling, or collaborating with law enforcement (not that I’m a big fan of cops). It could be being proactive and warn them as soon as you find out something bad happened to their data, and try to provide them assistance in recovering access to your software for instance.

Holistic security goes a deep further into control. It is based on the fact that achieving full security requires you to have a specific mindset, and that you must take care of you in order to achieve security. I find it interesting to link way of life to exposure to perceived risks. If you sleep well, you’ll be better at security. Too bad you suffer from depression and insomnia, meaning your last good night sleep was ten days ago, and it was drug induced. Holistic security tends to be, form my point of view, ableist. If you’re not emotionally, physically and socially fit, you can’t hope for security. You cannot get your mind of all the stuff that’s forbidding you to achieve security. It is, in the long run, blaming the victim. You didn’t took care of you, ergo your security has been breached.
I’m not saying that we must get rid of security. It is important to reduce risk exposure. But it has a cost: surveillance and behavior control. I’m saying that we must focus more on safety, on what happens when the cops gt you during a protest with your unlocked phone (or they unlock it using your face). What harm will you be facing when someone is black mailing you over the nudes you got in your Direct Message – or stored on your computer.
This is the question asked in the stroy about Jessica. And I didn’t find a lot of answer since this been published. Facebook tries to help with revenge porn, and there’s a lot of things being done here (go have a look at what BADASSis doing for instance. And this is an issue where technology can’t save you (it is, again, something that provide surveillance and control behavior). Safety means there’s something to take care of people and to help them to recover. It means about caring about people (not software, their just maths, they can’t be in pain), it means trying to make everyone life better (and not easier). For instance, Code of Conducts are security measures. And they’re important because they allow people coming to your community to know that they’re not at risks. Until you do not enforce your own Code of Conduct for instance.
Having a post-harassment process to help the victims, and the harasser (yes, I mean that), to understand what happened, to document it, and to provide support for the victim is safety. That is what safe space should be about. Not space where you won’t be hurt, but space where, when it happens, you’re allowed to take less harm than if you were alone. It is also a space where you’ll be told something you’ve done did hurt someone – not that you broke a rule. It is a space where people will address your behavior and helps you to stop it, not by expelling you, but by a process. It can mean that, for sometime, you cannot come in certain places. It depends on how your community provides safety.

Safety is feeling welcome, feeling belonging to something, knowing that you can make mistakes, own them, and grow out of them. It is not something you can code in your software and, in fact, a lot of the time, your software works against safety.
If your data collection algorithm can be used by cops to identify perpetrators of a crime, it can also allow anti-gay bigots to identify gay people in their surrounding. It can be used by an abusive husband to identify where’s the woman he lived with as fled. It can be used by adults to expose teenagers sexting each others. It can be used to locate where a camgirl lives to stalk her.

And what’s the perceived risks you’re collection of data is protecting users against? You have to wonder if people can conduct drug traffic or do sex wok using your software, and if, by using your data collecting software, they put themselves at risk if you cooperate with cops. Security, in this case, would be to not use your data collecting software. If you value the possibility for law enforcement community to identify sex workers more than you value their safety, it means that you’ve got a political motivation for keeping several years of activity logs.

Keeping data about people is collaborating with cops, harassers and stalkers. It is not about safety of your users, it is about security and control. If you want to do cyberSafety, then it must be impossible for cops to identify anyone with the data you got. It means that you must not be able to identify formally your users. It also means that you must not do ad tracking. It means that the well being of your users is important for you, whatever they do in their life, whoever they are.
Stop logging, start caring.


Posted

in

by