MozillaFoundation / mozfest-program-2017

Mozilla Festival proposals for 2017
https://mozillafestival.org

Keeping Safe Spaces Safe and Secure #530

Open mozfest-bot opened 6 years ago

mozfest-bot commented 6 years ago

[ UUID ] 4a532f59-574a-41fb-bde0-9da7f4ae2a0f

[ Session Name ] Keeping Safe Spaces Safe and Secure
[ Primary Space ] Privacy and Security
[ Secondary Space ] Web Literacy

[ Submitter's Name ] Allison Ivey
[ Submitter's Affiliated Organisation ] Learn All the Time Network
[ Submitter's Github ] https://github.com/billfitzgerald/

[ Additional facilitators ] Bill Fitzgerald,Robert Friedman

What will happen in your session?

This session explores the challenges facing organizations as the demand for more data leads to a need for sound data security policies. Although universally applicable, we will examine privacy and security through the lens of organizations that provide educational and safe spaces to youth.

Leveraging MozFest participants' global perspective and expertise, we examine these questions:

a.) How do privacy and security concerns vary across a global community?
b.) What current risks keep organizational leaders up at night?
c.) What resources and training would benefit these organizations?
d.) What should training include to be relevant?

The session incorporates interactive scenarios and connects them to specific practices that improve privacy and security by focusing on practical human-centered steps organizations can implement.

What is the goal or outcome of your session?

The goal of this session is to:

• foster a dialogue and gather expertise from the global community about the current resources and best practices for privacy and security;
• uncover insights on international issues and universal concerns for privacy and security;
• crowd-source content and approaches to help in the development of a privacy and security training program for organizational leaders;
• document barriers and issues that need to be addressed to improve practice; and
• define clear next steps for implementation and monitoring of privacy and security in order to improve compliance and best practice.

The outcomes of these discussions and the training materials will be shared so that all participants can benefit from the collective brainpower in the session.

If your session requires additional materials or electronic equipment, please outline your needs.

Our session will require chart paper (if available), markers, post-it notes and colored dot stickers (for real time voting and prioritization of ideas).

We will bring any handouts or other resources that are not accessible via the etherpad.

Because one of the goals of this session is to emphasize that privacy and security concerns are best addressed via both technical and non-technical means, we are intentionally emphasizing both low-tech and more explicitly technical approaches that make an impact on improving privacy and security practice regardless of organizational resources or budgets.

Time needed

90 mins

omnignorant commented 6 years ago

flagging @chrislarry33 – this is the evolution of the Austin proposal from May

brettgaylor commented 6 years ago

Hello @billfitzgerald! Thank you for submitting this proposal!

I'm helping to program the privacy track, and wondering if you could outline the facilitation/session design you imagine. You've mentioned "The session incorporates interactive scenarios" - freed from the tyranny of the original form's character limit, could you outline in more detail what they'd be?

Thank you!

billfitzgerald commented 6 years ago

Hello, @brettgaylor !

It's always great to be freed from tyranny, in any form - character limits or otherwise :)

I checked in with the team running this session, and here are our thoughts.

In the session, the first thing we'll do is get a pulse of the room and an understanding of who is in the audience. We'll want to know before getting into the hands-on activities what people do in their daily work, and what they are looking to learn from the session. We generally structure things like this via informal, high level polls.

We'll use scenarios drawn from real experiences that organizations handling data about youth and their families have faced. We are currently planning to structure the scenarios in two steps:

Step One: This situation happened. How do you and your organization respond?

Step Two: You can go back in time 12 months. What steps or processes do you put in place to help mitigate this situation?

The scenarios we are currently looking at include the following - we can use any combination of these, depending on audience interest:

A. You are the program coordinator for an after school club at a public school. You've been using your personal phone to collect parent contact information for kids. When you came into the school today, you noticed immigration and customs enforcement agency (ICE) officers parked outside. You're pretty sure some of your students are undocumented. What do you do?

B. You are doing a review of the contact information for the youth who participate in your program, and their families. As part of this work, you do a search on a parent's name via DuckDuckGo search. The second hit on the search page comes up with a result that links back to a document in your organization's Google drive -- except this document is supposed to be private. When you check the permissions on the file, you see that the permissions on the folder have been altered so that all the contents in the folder are publicly visible. This folder contains spreadsheets that contain both personal contact information and health information about students. What do you do?

C. Johnny Nash walks into your office at 4:30 on Friday afternoon and says, "It's quitting time. I just got this file from IT, and when I tried to read it it told me I needed to update my PDF reader. I downloaded it just like they said and now my computer is frozen. See you Monday!"

D. A parent volunteer calls you and says that they need another USB drive to finish their work because they lost the one they had. In the conversation, the volunteer shares that they left it behind in a crowded coffeeshop.

These scenarios (and the two-part structure) will allow us to focus on response and preparation. By leading with response, we will help focus the work on preventive, proactive preparation paired with threat modeling. During the conversation and report outs that occur as we discuss responses to these scenarios, we will be able to identify best practices and patterns that will help inform response and preparation guides that we are working on as part of a related project.

We can also prepare additional or different scenarios pretty easily. Unfortunately, data incidents occur with alarming regularity, and the bulk of them involve a human factor that is magnified by a technical setup that is less than ideal. Our scenarios and conversations will attempt to highlight both.

Please let me know if there's any area where we can add additional detail, or if there's anything we should clarify.

Thank you!

brettgaylor commented 6 years ago

Thank you for that added detail, @billfitzgerald ! Appreciated.

bunnybooboo commented 6 years ago

CONGRATULATIONS! Your session proposal has been accepted.

@billfitzgerald our team will be in further contact with you via email in the coming days.

billfitzgerald commented 6 years ago

Woohoo! We are all very excited!!!!

chrislarry33 commented 6 years ago

Hi Bill!

Our paths cross again! Exciting you will be coming to Mozfest.

Sent from my iPhone

On Sep 6, 2017, at 4:21 PM, Bill Fitzgerald notifications@github.com wrote:

Woohoo! We are all very excited!!!!


billfitzgerald commented 6 years ago

Hello, @chrislarry33 !

Really looking forward to it! It'll be great to catch up!

bunnybooboo commented 6 years ago

Hi @billfitzgerald we're getting so so close now! Locking in ticketing this week so I need all the names and emails of additional people for this session, aside from Allison. Could you please see that's EMAILED me by THURSDAY October 12?

billfitzgerald commented 6 years ago

Sounds good, @bunnybooboo - aside from Allison, Robert, and me, there's one other person. Tracking the email down now, and will send it along shortly, hopefully by tomorrow at the latest!

bunnybooboo commented 6 years ago

Cool. Hey we can only do THREE free facilitators tickets @billfitzgerald, including Allison. We can get the extra one in on a discounted rate. When emailing be sure to designate who is the free, and who is the discounted rate.

billfitzgerald commented 6 years ago

Just responded via email, @bunnybooboo - thank you!

bunnybooboo commented 6 years ago

Top man! Confirming ticket lockdown

omnignorant commented 6 years ago

I shouldn't count as a ticket. I'm Mozilla staff.

bunnybooboo commented 6 years ago

I know as Bill has discussed with me already in email. As a precautionary measure I am taking all names and emails so there is zero problem at the door. By all accounts security is being stepped up this year and I'm crossing my t's and dotting those i's. We're cool @omnignorant Real cool.