Define skills under 'Privacy' competency for v1.5

[dajbelshaw]

Privacy Examining the consequences of sharing data online

• Debating privacy as a value and right in a networked world
• Explaining ways in which unsolicited third parties can track users across the web
• Controlling (meta)data shared with online services
• Identifying rights retained and removed through user agreements
• Managing and shaping online identities

---

See spreadsheet at http://goo.gl/R1tjj3

[jgmac1106]

There was a question about:

• Taking steps to secure non-encrypted connections.

But it seemed resolved to discussion and the skill can be accepted.

[jgmac1106]

There was a discussion if this was too jargon and buzzword heavy:

• Managing the digital footprint of an online persona

[jgmac1106]

The other discussion revolved around the difference between privacy and security but no new skills or edits were proposed.

[gaditb]

I'd like to add a specific use case sort of thing to consider: a teenager exploring gender or sexual identity online, who does NOT want that exploring to have any chance of that leaking into the rest of their life.

That's not the only use case, but it doesn't seem to have been considered yet?

That's probably the sort of things I'm expecting a bunch of Privacy to be -- having a sense of what information you're putting out, where that information is going, and who might be able to find that information.

So from that perspective, "Security" would be "not getting taking over", either by malware, someone guessing or cracking your password, etc., and "Privacy" would be "controlling your information".

[jgmac1106]

@gaditb good distinction between the two. We need to make sure that distinction exists between the two competencies.

[dajbelshaw]

More discussion needed here.

[dajbelshaw]

In advance of today's half-hour hack session just wanted to flag that Privacy is the competency that needs most work.

Right now, we've only got two skills defined for v1.5. You can see the skills we defined for v1.1 here.

A reminder that we're parsing the distinction between Privacy and Security in the following way:

• Privacy - the reason you put curtains on your windows
• Security - the reason you put locks on your doors

I think we need something around privacy in relation to identity. What do others think?

[jgmac1106]

Based on the guiding metaphor the second privacy skill about computer criminals seems like security.

[ChiaraRustici]

Hello! Chiara Rustici here.

Just joined the conversation, so apologies if I am repeating content that had already been covered. Wanted to run past the group a couple of observations and classifications I have been grappling with in my own work on privacy. Let me know if these are of help in nailing down categories of data that may be considered "private" or if they are beyond the scope of this exercise.

[1] Building a taxonomy of personally identifiable data

By categorising data according to connection device, app, platform or operating system etc., a taxonomy can quickly become outdated given the pace of digital innovation. Could these might be more "enduring" category headings, which may then be populated with whatever data new devices ans apps can produce? Any other not listed? In no particular order:

(a) Location and movement data (b) Communication data (c) Retail data (d) Medical data (e) Financial data (f) Social security data (g) Transportation data - CCTV on buses, Oyster/travel card on the Underground, navigation/mileage records on car SatNav (h) Exposure to content data - Web-browsing, exposure to news feeds, library borrowing (i) Employment data (j) Social connection/membership & association data (k) Others...?

[2] "Offline Joe" & "Online Jane"

Digital, personally identifiable information is created about you whether or not you are online. Should a web literacy map include awareness of what digital data and metadata is produced by "Offline Joe" as he walks down the street, catches a train, searches the library, talks to his GP/family doctor...?

[3] Structured Data & Unstructured Data

This distinction is mostly used by practitioners in data search and collection and refers to the difference between information / data expressed in ordinary language or video images on the one hand, and information expressed in binary /machine language, on the other. It is not hard and fast, but it may hold some value.

The text of an email, the recording of a voice-mail, a CCTV footage are examples of "unstructured data" and are meaningful and searchable given semantic, ordinary human language competences. Numerical entries into an excel spreadsheet, a security system in a building recording entrance/exit swipe logs of an employee's badge are examples of "structured data" and are searchable and meaningful (can be cross-referenced with other data sets) without the need for a human language interpreter, so to speak.

Could this distinction be relevant to a privacy literacy map? Should an individual be able to identify and manage both structured and unstructured data produced by his online interactions when that data amounts to personally identifiable information? Partly overlaps with the next issue.

[4] Data & Metadata

Whether personally identifiable data is structured or unstructured, it will always be accompanied by a host of metadata. Again this is not a hard and fast distinction, but much used in data recovery and eDiscovery circles. Could it be a distinction relevant to this privacy heading of the Web literacy map, given that metadata is also personally identifiable information? Example: I place a call/chat with customer service re product complaint. For good measure I record what I say and what the assistant replies. This is my data. The retail company, however, may have a CRM system which produces a host of metadata: both system-generated - what time I called, what device I called from, what product pages I had been browsing before I placed the chat ...- and generated by the assistant himself - additional annotations about me and my complaint. Should the ability to identify and manage the metadata generated by my interactions with different IT systems be part of the Web literacy map? Admittedly, a CRM system is owned and managed by the company and, whether it be cloud-based or hosted on premises, its data content should not leak into the open web. But as it is still personally identifiable information, even if I did not own that metadata, I have at least the right: (a) to view it; (b) to demand that it be kept private (eg. not featured on marketing material, or divulged in a business publication, for example); (c) not to be discriminated / victimised because of it.

Mapping personally identifiable metadata is a hard problem because: (i) digital apps and systems evolve faster than we can map them; (ii) IT systems and the metadata they produce are often proprietary, hence covered by trade secret considerations; (iii) personally identifiable metadata will be generated both by proprietary and open source/non proprietary apps and often by a combination of the two.

Nonetheless it is worth some effort, I think. It is the sort of data that can be especially valuable in validating hard-to-prove claims. What do others think?

Thank you for reading to the end! I look forward to reading more on this topic by the group and to any feedback on the points above.

Chiara

[jgmac1106]

• Managing and shaping online personas

This is a revision to remove the jargon of "digital footprint" and to get at yesterday's discussion of Roz's point of sometime you need to use real IDs while other times you use pseudonyms to protect identity (ie transgender youth).

-Explaining ways in which computer criminals are able to gain access to user information

Is this security? I want to lock the doors to my user ID. Not just pull a curtain closed. I propose moving to fifth security skill.

• Taking steps to secure non-encrypted connections.

I would argue that this is privacy and not security as I can be secure with non-encrypted connections but I am not private. Does that distinction make sense?

• Adjusting privacy settings of social networks.

We don't speak to this but if we want to speak to "Facebook effect" we need to.

[gaditb]

I really like @ChiaraRustici 's whole "Building a Taxonomy of Personally Identifiable Data"/"What is your data and where does it go?" thing. l think that should definitely be one of the skills, and they've already done a lot of the work for the "and how should we teach this skill".

I agree with basically all that @jgmac1106 said -- "how computer criminals get my SSN and stuff" seems to be more security than privacy.

What is the "Facebook Effect"? I can only find things about the book that don't explain anything much.

[jgmac1106]

Sorry @gaditb I stole it from Marc Surman who was referring to the many number of users worldwide who say they never go on the web but report heavy facebook use. They also are unsecure with log in credentials such as providing them to internet cafe operators or printing passwords on business cards.

On Tue, Mar 17, 2015 at 10:26 AM gaditb notifications@github.com wrote:

I really like @ChiaraRustici https://github.com/ChiaraRustici 's whole "Building a Taxonomy of Personally Identifiable Data"/"What is your data and where does it go?" thing. l think that should definitely be one of the skills, and they've already done a lot of the work for the "and how should we teach this skill".

I agree with basically all that @jgmac1106 https://github.com/jgmac1106 said -- "how computer criminals get my SSN and stuff" seems to be more security than privacy.

What is the "Facebook Effect"? I can only find things about the book that don't explain anything much.

— Reply to this email directly or view it on GitHub https://github.com/mozilla/webliteracymap/issues/34#issuecomment-82381957 .

[dajbelshaw]

Thanks very much to @ChiaraRustici for following up the conversation I had with her this morning! I think that the work she's doing is extremely valuable.

For the purposes of the Web Literacy Map we need to put to one side the offline component. While all the items in Chiara's list are possibly relevant, I think the three to focus our attention on are:

(b) Communication data (h) Exposure to content data - Web-browsing, exposure to news feeds, library borrowing (j) Social connection/membership & association data

I think there's something here around metadata and taking steps to prevent sharing it unless you choose to. Perhaps:

• Controlling metadata shared with online services

Does that work? :)

[jgmac1106]

To our audience their is no difference to metdata and data.

I would suggest: controlling data shared with online services (which includes metadata..if we enter is data plural debate....)

@dajbelshaw did a nice job of remixing @ChiaraRustici suggestions. It gets at what I and @gaditb were discussing. It is also both more concise than my privacy settings suggestion while also being more inclusive to an ever changing web.

On Tue, Mar 17, 2015 at 11:11 AM Doug Belshaw notifications@github.com wrote:

Thanks very much to @ChiaraRustici https://github.com/ChiaraRustici for following up the conversation I had with her this morning! I think that the work she's doing is extremely valuable.

For the purposes of the Web Literacy Map we need to put to one side the offline component. While all the items in Chiara's list are possibly relevant, I think the three to focus our attention on are:

(b) Communication data

(h) Exposure to content data - Web-browsing, exposure to news feeds, library borrowing

(j) Social connection/membership & association data

I think there's something here around metadata and taking steps to prevent sharing it unless you choose to. Perhaps:

• Controlling metadata shared with online services

Does that work? :)

— Reply to this email directly or view it on GitHub https://github.com/mozilla/webliteracymap/issues/34#issuecomment-82399834 .

[dajbelshaw]

Dave Crusoe got in touch by email to remind us of the work some of us did last year around the deliverable from the Badge Alliance working group on Digital/Web Literacies.

More here: http://goo.gl/40byub

[jgmac1106]

Karen represents a perfect example of someone shaping their identity and privacy. One could speculate she added "Louise" either for deeply personal reasons or to differentiate what had to be a very algorithm "Karen Smith." It could be as simple as thats my name, so please use it.

No matter the motives Karen is helping to control how she is perceived on the web. We should try to capture something with the identity/digital footprint/persona skill.

[ChiaraRustici]

Thanks, everyone!

[1] Intrigued by jgmac1106's comment: "To our audience there is no difference between metadata and data"...

My questions are:

• Is it a helpful distinction or is it confusing for your audience?
• If it is confusing, what other terminology or strategy are you using to make individuals aware that, once online, they are sharing much more that what they are simply writing or saying?

[2] Agree with dajbelshaw's focus on fewer types of data.

Have strong feelings on one more, however: location. Wondering if the easy availability of GPS precise location data once you access the web via mobile is not getting increasingly uncomfortable and worth discussing.

Thank you

[jgmac1106]

@ChiaraRustici I now know what you were getting at with metadata. Truth be told until I saw your "more information than typing or sharing" I didn't really understand the distinction.

[LauraHilliger]

oi vey...ok trying to sum up the skills we've got:

• Identifying rights retained and removed through user agreements
• Explaining ways in which computer criminals are able to gain access to user information
• Controlling data shared with online services
• Managing and shaping online personas
• Adjusting privacy settings of social networks

Is that right? Did I miss any?

I know we need to keep the "offline" piece out of it, but I feel like a part of web literacy is making decisions about what you don't put online, like never ever. Don't know how to word it but it's about understanding that online is never truly private. :microphone: drop

[jgmac1106]

If we include Controlling (meta)data shared with online services we do not need Adjusting privacy settings of social networks

[ChiaraRustici]

@jgmac1106's brilliant heading for the last bullet point gets my vote: includes both data and metadata and refers to any online service (not just social networks, but also the iTunes store, Amazon, booking.com etc)

[dajbelshaw]

Thanks to those who made the half-hour hack session just now. We decided on:

• Identifying rights retained and removed through user agreements
• Explaining ways in which computer criminals are able to gain access to user information
• Controlling (meta)data shared with online services
• Managing and shaping online identities

Do we need a fifth skill?

[smithisgeneric]

Hi all, sorry to be late to the conversation here, especially when I got a shout out from @jgmac1106 re: my user profile choices :)

Based on the Hive Toronto privacy badges work, I'd highly recommend starting out privacy with the following skill:

• Analyzing privacy as a value and right in a networked world

I also wanted to flag that I think @ChiaraRustici 's personally identifiable information (PII) data taxonomy suggestions, point to some important issues in relation to the skill currently listed as "Controlling (meta)data shared with online services." Many PII data points that get collected and stored online, are virtually impossible to control (i.e., if I want to ride the bus and RFID chipped cards are the defacto ticket option and there are networked CCTV cameras in all of the transit stations, I can't really control PII data collection). Online spying also points to the shortcomings in trying to control your data and metadata. On this basis, I'd suggest revising to:

• Understanding and shaping the (meta)data shared with online services

The "understanding" part is already in teaching activity format with the Data Trail Timeline activity, but please note the kit is still in draft form.

[jgmac1106]

Karen provides a great example of offline and online blending together. However given thst we are talking web literacy I do not think we ned to speak to this use case.

Though I do like the idea of privacy as a right. I would like to add the analyzing skill.

However I do think computer criminal skill should move to security. That sounds like a lock front door skill.

[dajbelshaw]

Thanks for your input, @smithisgeneric :)

I like the sound of Analyzing privacy as a value and right in a networked world but wonder if it sounds a bit 'woolly'? I'm genuinely interested in how you'd go about creating a learning activity on top of that?

In terms of adding understanding to the (meta)data skill, I see where you're coming from, but I think it's implied. Also, we're trying to steer clear of 'head knowledge' verbs such as that.

Finally, as a result of @jgmac1106's comments I've begun to have misgivings about our mention of 'computer criminals'. It's actually government and corporate surveillance we should be worried about! We could change that skill to:

• Explaining ways in which third parties are able to gain access to user information

Thoughts?

[jamiea]

I think that's much better @dajbelshaw , maybe maintaining the focus is helped with:

• Explaining ways in which unsolicited third parties can gain access to user information

[dajbelshaw]

Oh +1, @jamiea. Plus. One. :)

[jgmac1106]

+1

On Thu, Mar 19, 2015, 7:18 AM Doug Belshaw notifications@github.com wrote:

Oh +1, @jamiea https://github.com/jamiea. Plus. One. :)

— Reply to this email directly or view it on GitHub https://github.com/mozilla/webliteracymap/issues/34#issuecomment-83515494 .

[smithisgeneric]

I like the iterations to move away from cybercrime and towards third party access. This is a good idea.

For analyzing privacy as a value and right in a networked world, a pretty straight forward spectogram could foster the necessary discussion to accomplish the learning objective.

The controversial prompts to trigger discussion for a spectogram, where participants stand on a line to agree or disagree, could include:

• I don't need privacy, I've got nothing to hide!
• It's a good idea to use an alias, not your real name, for your username online
• Privacy is a right in [your country]
• Your friends should always ask your permission before they post a photo of you on social media
• Parents should know their teenagers social media and phone passwords
• Governments should be able to monitor their citizens' email for public safety

[dajbelshaw]

Thanks, @smithisgeneric, nice example. How about:

• Debating privacy as a value and right in a networked world

I wouldn't fall on my sword to defend the difference, but does that verb change change anything in a positive way? :)

[jgmac1106]

I am okay with any of these options. Will defer to the BDL.

On Thu, Mar 19, 2015 at 12:40 PM Doug Belshaw notifications@github.com wrote:

Thanks, @smithisgeneric https://github.com/smithisgeneric, nice example. How about:

• Debating privacy as a value and right in a networked world

I wouldn't fall on my sword to defend the nuance in difference, but does that verb change change anything in a positive way? :)

— Reply to this email directly or view it on GitHub https://github.com/mozilla/webliteracymap/issues/34#issuecomment-83654473 .

[jgmac1106]

My question: Is a privacy skill or a security skill Explaining ways in which unsolicited third parties can gain access to user information

Sounds like a locked door not a curtain issue.

Once gain I like

• Debating privacy as a value and right in a networked world or
• Explaining ways in which unsolicited third parties can gain access to user information

[dajbelshaw]

My question: Is a privacy skill or a security skill Explaining ways in which unsolicited third parties can gain access to user information

It's a valid question, @jgmac1106 and one that sits right at the overlap between the two competencies. Given we haven't specifically mentioned 'tracking' yet, how about changing it to:

• Explaining ways in which unsolicited third parties can track users across the web

Does that work?

[jgmac1106]

yes that now makes it a privacy and not a security issue.

On Thu, Mar 19, 2015 at 1:05 PM Doug Belshaw notifications@github.com wrote:

My question: Is a privacy skill or a security skill Explaining ways in which unsolicited third parties can gain access to user information

It's a valid question, @jgmac1106 https://github.com/jgmac1106 and one that sits right at the overlap between the two competencies. Given we haven't specifically mentioned 'tracking' yet, how about changing it to:

• Explaining ways in which unsolicited third parties can track users across the web

Does that work?

— Reply to this email directly or view it on GitHub https://github.com/mozilla/webliteracymap/issues/34#issuecomment-83667482 .

[gaditb]

I like explicitly mentioning "track", but I'm wondering if we want to specifically call out against the "which 1-Direction Member/Doctor/Pony are you? Find out! Just give us your: ... <am-I-getting-the-content-of-these-wrong-I-don't-ever-look-at-them-myself> ...!!" sort of thing? Which would be under the more general "gain access", but not really under "track"?

OR we could deal with that in the "Privacy as a value and right" skill. Which might also work.

And on that note, I'd suggest phrasing that as: Understanding Privacy as a value and right in a networked world And I'd really like if someone could find a way to say, also, that you have to watch yourself and your acions to take care of not only your privacy but also your friends' privacy as well. That's a really important thing to get in there, but I can't figure out how to say it concisely.

[dajbelshaw]

Thanks @gaditb :)

The BuzzFeed-style quizzes you mention would constitute examples of learning activities that mentors could build on top of the skills we define here. I like the emphasis on your friends' privacy, but I think this is covered by talking about 'users' (plural).

In terms of 'understanding', that's a verb we've specifically tried to avoid when framing the skills on every version of the Web Literacy Map thus far. That's because it's a difficult thing to measure success in.

Apologies. Not trying to shoot you down in flames. We really value your input - it's just that the stuff you mention here has been discussed a few times before!

---

Unless I hear otherwise, I'm going to add the following to the existing list of four skills and wrap this up tomorrow:

• Explaining ways in which unsolicited third parties can track users across the web

[gaditb]

No, is 'kay, that makes sense. The four skills that we're wrapping up with along with the one in your above post -- are those the ones in the top post of this? Is it edited to be current?

And, like, can you put them all together, either in a comment or at the top, so that we could see them all next to each other? Maybe for last minute tweaks and maybe ordering?

[dajbelshaw]

OK, so here's what we're deciding on. I've had a go at ordering them. Feedback very welcome!

• Explaining ways in which unsolicited third parties can track users across the web
• Controlling (meta)data shared with online services
• Identifying rights retained and removed through user agreements
• Managing and shaping online identities
• Debating privacy as a value and right in a networked world

[jamiea]

'Privacy' is a massive issue and I really, really like this content & structure

[xellpher]

I liked @smithisgeneric 's suggestion about starting with a debate on privacy as a value.

[jgmac1106]

I feel like we got the right skills in the right bucket.

[dajbelshaw]

I liked @smithisgeneric 's suggestion about starting with a debate on privacy as a value.

I know what you mean, @xellpher but I guess with the suggested flow, those improving their web literacy skills / habits / dispositions can come at the final skill from a position of knowledge and understanding?

However, happy to flip it to make Debating privacy as a value and right in a networked world foundational, if others agree.

[jgmac1106]

I would put identities first but thats just my bias as a literacy guy. I just come from the framework that if the web is to be a tool of empowerment its fun to stress the role of identities.

It is also what gets the most play among norms and media. Technophobia, digital citizenship, footprints, cyberbullying these all emerge from the web being a space of identity work.

We know what is up top gets read the most. Thus my vote, but I don't really care and am happy as is. Waiting for 36 to close.

[dajbelshaw]

@jgmac1106: perhaps 'identity' is shaped more through immersion? Not sure.

Either way, I like the idea of bookending this competency with more 'thinky' skills. So let's do that, close this issue, and people can comment to re-open if necessary!