Our next talk will be by Caroline Harden and Jen Dalson. They're going to be talking to us today about "Sluts, Bullies, and Best Selves: Rethinking Digital Privacy Education." So take it away, Caroline and Jen.
We live in a technological world, or should we say a cyber world. We're uploading photos, sharing videos, or sending messages. It's just part of our daily routine. And when our personal information is everywhere, digital privacy can literally become a life or death issue. But how are schools and teachers helping our kids navigate this water to digital privacy?
I'm Caroline Harden. I'm a PhD candidate at University of Wisconsin-Madison where I'm studying computer science education. And I'm Jen Dalson, also at the University of Wisconsin. We're academics, but we're trying to work on it, so bear with us.
So in this presentation, we'll be looking at a couple of things. First, what is privacy? Second, what hackers think we should be teaching about digital privacy. What are our teachers actually teaching our kids at school? And then the concerning implications about what they're being taught. AKA, this is some bullshit, and we need to fix it. So unequal burdens, vulnerable groups, and most impacted by that. And what can we do about this?
So according to Seva Valdez, what we really demand in some measure is our control over our reputations. Who should have the power to collect, cross-reference, publicize, or share information about us? How this plays out in a practical example depends on culture, on individuals within these cultures, and on circumstances particular to these individuals. It's not a simple public or private flag. Privacy settings are much harder than ACL. Digital privacy varies from meatspace privacy only in how easy it is for information to flow beyond what we intend.
While we do spend a lot of time teaching our kids about physical space, such as close the bathroom door, or wear pants when you go outside, the education we give kids about digital privacy is not enough. We need to have more than a one-off conversation, or a unit at school that happens once a year. What kid is going to give a fuck about what a one-time lesson gives us? Nobody. And we have to tell people, like, what parents are gonna do about this? A parent is not about to sit down and have a long conversation about a kid with the stuff. I mean, who can blame them? Talking about nude photos with your kid is super awkward.
So to understand how digital privacy is being taught in school, we wanted to start with seeing what hackers and InfoSec professionals, and other people with a technical background, think about digital privacy and how it should be taught. So we did a survey with the question, what advice would you give others about protecting digital privacy? For this survey, we used what is called a convenience sample, which meant we asked our friends, which are mostly computer science and InfoSec people, to take the survey. And then because it became obvious that just asking our friends turned out to not be very many people, we did what's called a snowball, which we asked our friends to ask their friends. In the end, we surveyed 47 people, 27 women, and 20 men.
And we analyzed the responses and found that there were two main categories in what hackers and InfoSec professionals said about what should be taught about digital privacy. 81% of participants said technical advice: VPN, full disk encryption, setting Facebook privacy settings, and so on. In addition, 65% of people offered avoidance or discretion philosophies. Don't post photos of yourself in that swimsuit. Don't tweet that you like Windows Vista. In only one case did someone recommend negotiating privacy with your social groups and with your family.
And talking about how you want your information to be shared. These findings reflect a lot about how digital privacy curricula are structured. But something about this always struck me as really incomplete. As we know, a webcam sticker can only go so far when you have a neighbor or aunt who consistently overshares things on your behalf.
I took a class in sociocultural theory where I learned about a somewhat obtuse theory called Figured Worlds. So Figured Worlds are the socially and culturally constructed realm of interpretation in which particular characters and actors are recognized. ELI5: people are messy. And we live in this world where it's easy to understand when you think about all the different roles people have. And the Figured World is kind of like an augmented reality overlay that says, this matters to me when I'm in this role and this matters to me when I'm in this other role. So privacy lets us live these rich social lives because we have somewhat contradictory Figured Worlds in which we need to keep information separate from one of our roles from the other role that we have.
So consider the off-color joke. It means something different when told to a friend drinking beer in your kitchen than it does when said as a representative of your company at a professional conference. Failure to understand this and failure to understand when you should and should not tweet the overheard joke has serious implications on people's lives and jobs. So we kind of need to figure out this digital privacy education thing.
So based on our research, we decided to investigate what digital privacy looks like in education. What are kids being told? We looked at a major curriculum to figure out how kids are being taught about privacy, how they're told to manage these Figured Worlds and how people should respond to privacy loss. So we looked at a popular curriculum that focused on digital privacy, IROC, the Institute for Responsible Online and Cell Phone Communication.
So IROC's core message is, quote, "anything that you do with digital technology can instantly become public and permanent," trademark. This curriculum is available for purchase in book or video form, or you can schedule a school presentation. The map shows the presentations that are currently scheduled for 2018. So yay, webinar for kids about digital privacy. What fun.
So the advice found in IROC and other similar curricula that we looked at answered the first question, who is responsible for privacy, with: privacy can be assured through individual discretion. What is meant by individual discretion? It means everyone is responsible for making sure they control what is shared about themselves on the internet in every circumstance all the time. In the curriculum we looked at, we found they emphasized things such as not posting pictures, not taking pictures, not being in the background of pictures that other people take that might get posted. A typical example of this comes from IROC in this quote, and emphasis is my own. "True, if you apply digital consciousness, trademark, a mindset of public and permanent, trademark, when using the internet, cell phones, apps, social media, interactive gaming, and any other digital tools and technologies, you eliminate any potential for self-inflicted challenges and reduce your risk of facing devastating and life-altering consequences that often accompany the abuse of digital tools."
So the answer to the second question, how do you manage different figured worlds, was answered by these curricula in what can be summarized as: only post stuff which reflects a singular best self. But best self to who? Another quote explains. "Each time you power up any digital tool, camera, computer, internet, cell phone, picture a family member, friend, child, enemy, criminal, deceased loved one, whoever means or meant the most to you in this world standing right over your shoulder."
In other words, you must consider a single best self for every possible audience with everything you use digital tools for.
Finally, the third question is, how should people in community respond to situations where there is a loss of privacy? These curricula emphasize that consequences are inevitable and must be borne individually. They offer many examples in lurid detail of the negative consequences which can occur from a loss of privacy. These warning stories included those of a person's misjudgment, an honest mistake, and malicious attacks. But all are framed as this is the way the world is, this is what happens. You can see an example of this in the quote that comes from the digital consciousness, trademark, contract the IROC curriculum suggests parents have their kids sign. "I am aware that my poor digital judgment betrays my ancestors, my parents, my community, and my future generations." In other words, the consequence is shame and it is a betrayal of others and this betrayal is individual.
So these findings reveal some concerning implications of these common themes in digital privacy curriculum. Even if you are discreet on what you post, on what you say, complete discretion is unrealistic unless you and everyone around you doesn't do anything with the digital tools. So to say privacy is entirely the responsibility of an individual ignores how a loss of privacy requires at least two people. We are taught not to open someone else's diary, for example, and if it's left on the table all alone. But if we have someone who were to, say, put the wrong settings in their LiveJournal, and yes, we're dating ourselves by saying LiveJournal, are we teaching kids not to read that post or are we ignoring that completely? To let the poster know that perhaps they need to change the settings again, or do we just read through it? So what about malicious privacy violations? Situations such as non-consensual photos are largely not discussed in this curriculum.
So who is talking to their kids about these issues? I mean, we are not robots and yet we are being told that we need to be in order to be successful in discretion. But nobody has a single best self. To limit someone's identity to a single public and permanent, trademark, figured world, in this case an idealized student or worker who only says things that would not upset anyone else and who can only talk about the successes, is completely impossible. We're not robots. We may say something to a coworker in passing in that, you know, hallway, and then maybe the boss should not be knowing about that but it spreads. Like where does the discretion lie? And for teenagers who are still figuring out their identity, how horrible is it to put pressure or this added pressure on them that they must be perfect? Perfect online at all times.
Furthermore, what message should we send to vulnerable and marginalized groups? For example, the LGBT people who are often forced to make more nuanced decisions about how out they are in different contexts, lest they risk discrimination, harassment in some countries, imprisonment and literally death. And we are telling them that their gender or sexual orientation isn't their best self. This best self has created a culture of slut shaming. Anyone who has an intimate photo or text released, this has literally cost the lives of young women and men and it needs to stop.
This is an example of how the burdens of digital privacy aren't equal. This advice creates equity issues as it recommends erasure. For those whose identities are frequent targets of cyberbullying, such as women and LGBT groups, in some online spaces such as gaming, this often means women feel they can't use voice chat lest their gender is revealed and they become a large target of harassment.
A final implication is that we suggest that bullying is an expected and appropriate response to misjudgments about what to share.
Little to nothing is offered to help teens learn to recover from privacy miscalculations or violations, to support their friends when it does occur, or to renegotiate how their information is shared in cases of misunderstanding. Instead, these materials are rife with the almost gleeful recounting of tragedies from loss of privacy with limited discussion of the culpability of those who instigated or otherwise participated in the privacy violations. Blaming the acts who shares news is important but there is also culpability with every person who also forwarded that. Elsewhere and more disturbingly, it is suggested an appropriate consequence to visit on those who violate others' privacy is death. And I quote IROC, quote, her full remarks made just move bullies to the head of a kill list, end quote. It's not that hard to find anyone through the internet. I'll pause here and remind you that this curriculum is being taught to this many children across the United States.
We did find two resources which we can recommend. The human sexuality curriculum Our Whole Lives does a good job of discussing how to create a pure culture of respecting privacy, especially in intimate relationships. And The Smart Girl's Guide to Privacy by Violet Blue does an excellent job covering how to respond to incidents and in taking a firm anti-slut-shaming stance.
So what are our next steps? We want to see digital privacy which not only covers the technical aspects of how to protect privacy and having reasonable discussion but also includes material on how to help people identify where the conflicts between their figured worlds might exist, makes negotiating privacies with others a norm, and covers more resources to help recover privacy, recover from privacy, whether it's accidental or malicious. So we thought it was a little weak sauce to say there should be better digital privacy education without offering any examples. So we made one.
We created Digital Privacy Detectives, an interactive narrative mystery game. Its design was based on the sociocultural framework presented here. It looks at discretion philosophies of keeping and maintaining social relationships in figured worlds, setting and communicating boundaries with others regarding privacy, and using technology solutions. This workstation was piloted for the first time at r00tz yesterday. So now that your kids have had their way with what we thought would be a great lesson plan, a game, we're gonna redesign it a little with their feedback in mind, and later this fall we'll release it for everyone to use, we'll just watch our Twitter feed for details on that.
We also have a draft of a Creative Commons-like license for private information, tentatively called sexting, the license, to help people easily negotiate how information is shared. So under what terms are you sharing this photo, with whom? How long do they get to keep it? Who do they get to show it to? Things like that. If you're interested in collaborating on sexting, the license, please come talk to us.
What can you do? For the tech you design, design it in ways which represent people as complex social creatures with a variety of roles. Create sharing settings that allow users to easily specify who is shared with each piece of shared content, not a single public/private flag. Kinda like Google Plus. I know you didn't expect to hear anyone defend Google Plus here at DEF CON, but.
So I'd like to conclude with this quote from Jesse Irwin. "Privacy isn't about hiding, it's about sharing on your terms." Thank you.