Wednesday, 8 August 2018

Public shaming and the mob

For our latest post on the topic of digital citizenship, Stephanie Jesper tries not to make a mistake...

A pitchfork

Someone is wrong on the internet - how do you respond? Social media, comments sections, forums... all of these are fundamentally discursive tools, so response is certainly an option. Perhaps, as xkcd implied, you have a duty to respond.

But there is an old mantra of the internet, the more polite version of which goes “don’t be a jerk”. As the Wikimedia community’s essay on this topic puts it:

Being right about an issue does not mean you’re behaving properly! Jerks are often right — but they’re still jerks… This is not the same as just being uncivil or impolite (though incivility and rudeness often accompany it). One can be perfectly civil and follow every rule of etiquette and still be wrong… Truly being civil and polite means that you show respect for others (such as in not needlessly pointing out grammar issues), even when right. Respect others even when you disagree.

We're generally familiar with trolling these days: behaviours aimed at deliberately sowing discord on the internet, often with the intent of undermining specific groups or people. But aspects of trolling can start in well-meaning ways: be it from a sense of accuracy or even a sense of moral responsibility.

Have you ever @-ed a politician or an organisation, or posted on their wall, to tell them that you disagree with their policy? How polite were you? Have you ever seen someone say something utterly despicable online, and felt a need to pull them up on it? How many other people do you think did a similar thing? We're all answerable to the things we post on line, and that means being prepared for responses beyond “Like” or “Favourite”. If you take a controversial position in a public forum, it seems reasonable that you may have to defend that point. The problems start to occur if that point reaches an audience beyond that which you originally intended: if it goes viral.

Jon Ronson’s 2015 book “So you’ve been publicly shamed” tackles the topic of online shaming, the mob mentality that can hit places like Twitter or Facebook when an opprobrious post starts getting shared beyond its original audience, and the often devastating consequences for the original poster. In this TED talk, he discusses a couple of (in some cases quite sweary) examples, and it’s somewhat horrifying to see how a single misjudged attempt at irony on Twitter can explode into a tirade of abuse from well-meaning people: abuse that grows into a frenzy and demands that the tweeter lose her job, which she ultimately does.

It isn’t just the scale of the response: thousands of people all sending a similar message of disappointment or disdain… These things start out as well-meaning responses, but once the hue and cry is raised and the mob begins to mass, feelings become heightened and thought of consequence can easily go out of the window. The mob is a compelling beast, as has long been established by sociologists. Be it convergence, contagion, or some other compulsion, we find ourselves drawn in to the pile-on, and as the numbers escalate, so does the sense of outrage. The outcome isn’t simply an unusably busy notifications page; in many cases, the author of the contentious post loses their job, as with the earlier example in the Jon Ronson piece, and with these cases:

Perhaps they deserved a rebuking tweet; but they probably didn’t deserve to have their livelihoods destroyed.

Wikipedia lists a range of examples of online shaming, not all of which seem quite as horrific as those mentioned above. Indeed, in some cases, the technique has been used against people engaged in criminal behaviour, as a means of exacting justice. In her 2015 book, “Is Shame Necessary? New uses for an Old Tool”, Jennifer Jacquet proposes the use of shaming for:

Transgressions that have a clear impact on broader society – like environmental pollution – and transgressions for which there is no obvious formal route to punishment

She suggests, as a rule of thumb, to “go after groups”, although she does not exempt individuals who are “politically powerful” or who “sizeably impact society”, so long as “the punishment is proportional”. There though lies the problem: how can you determine proportionality? How can you judge what’s an appropriate response? In short, how do you not be a jerk?

Wednesday, 25 July 2018

Legal rights and responsibilities

In this week's digital citizenship blog post, Susan Halfpenny and Stephanie Jesper share too much information...

A dog behind bars (don't worry -- it's a CC0 image)

For those of us who, through some social awkwardness or other, struggled with the challenges and responsibilities we encountered in our everyday lives, the online world came as a blessing: it was a benign anarchy; a sandpit with no sense of consequences. Images were shared without caring about who made them in the first place, and memes were established as a consequence. Likewise with music and video, when the bandwidth had increased sufficiently to permit it. Cyberspace was a place where property laws did not apply: an information commons in the public domain.

But this was a fantasy. Rights owners soon learnt what was going on and were keen to regain control of their properties online. The 2000s saw a steady shift as businesses caught onto the opportunities of the internet. Spotify and iTunes found efficient and legitimate ways to replace music-sharing services like Napster and its successors, and the likes of Netflix and Amazon Video are doing similar things with video. But respecting rights of ownership can still be a challenge, especially if rights-holders don’t engage with the accepted online channels.

The deaths of David Bowie and Prince in 2016 highlight the complexities of online rights very effectively: following Bowie’s death, social media was awash with shared videos, images, music and film. Sharing is how social media intrinsically works, and also how society tends to work more generally. People shared their grief through artifacts for which they were not the rights holders, or linked to YouTube videos put up by fans with little or no regard to whatever individual or company actually owned the copyright.

When Prince died, a few months later, there was notably less of this going on. Prince had taken a firm stand regarding his music copyright, with takedowns issued on YouTube, and his albums pulled from streaming services. His argument was that artists could not earn a living from streaming royalties, and it’s an argument that for the most part holds true, certainly for smaller acts. It could be countered that the internet serves as a form of free advertising, and that online sharing can translate into sales, though this is far from evident in the record industry.

It’s clear then that the challenges and responsibilities we face in the online world are great and morally complex. On the one hand we want to celebrate our heroes and share in our enjoyment of their works. On the other hand, we also want to see artists recompensed, or at the very least, stay on the right side of the law. It’s a conflict we all have to negotiate in our online behaviour; and it’s one of many. The conversational nature of social media has seen numerous people charged with libel and other offenses. In some cases this has initiated changes in the law to adapt to the new circumstances of the digital age; in many cases it has firmly established a continuity of the law within the digital realm. Even a deleted post can leave a trace — there is no ten second rule in terms of social media.

What laws do we need to be aware of?

Social media and online interaction allows us all to be journalists, researchers, and, effectively, online publishers. We’re publishing our thoughts and opinions to a global audience. Are we therefore subject to the same laws of privacy, defamation, copyright, marketing, official secrets, (the list goes on), as traditional publishers?

The short answer to this is yes.

We need to think about what we are sharing, and ask ourselves whether it is in line with the legislation that governs creative outputs, the use of other people’s data, human rights and other legal rights. But unlike many large publishing firms, we haven’t all got our own legal team, nor are we likely to have a fighting fund to pay any legal fees that may come our way, should we do something that turns out to be questionable in the eyes of the law.

And it’s made more complicated still by the fact that we are publishing our thoughts globally. It would be impossible to go into detail of all the laws across more than 200 jurisdictions that we potentially need to consider when we are publishing online.

Don’t let these legal complexities put you off going online, though. We’re subject to just as many in the offline world. If we behave in a socially responsible way, we should be able to avoid any unwanted interest from the law.

There's more about the legality and ethics of online engagement on our Information security Skills Guide and our Practical Guide to Copyright.

Wednesday, 11 July 2018

Is the password system broken?

For our latest look at the topic of digital citizenship, Susan Halfpenny must use at least one lower case character, upper case character, number and special character.

Padlocks on a rail

Large data breaches in recent years have led to millions of accounts being hacked and personal information being shared (take a look at World’s Biggest Data Breaches for a visual representation): the Yahoo! hack in 2013 resulted in more than one billion user account credentials being stolen.

Often, compromised security and theft of username and password information can lead to more than just one of your online accounts being compromised. Matt Honan has written at length about his experience of being “epically hacked”, where in the space of an hour his Google account was deleted, his Twitter account taken over and his AppleID account broken into, resulting in the data being deleted from his iPhone, iPad and MacBook.

Hackers will often exploit weaknesses in security systems to access information. For example, in the iCloud leak of celebrity photos in 2014, hackers may have taken advantage of a flaw in the application interface which permitted unlimited attempts to guess passwords. Could companies do more, then, to protect our information?

Encryption and adding layers of security to applications can obviously help, but the major flaws undermining everything else are the limitations of human memory, our collective lack of understanding regarding what factors make a password secure, and our lack of patience. More often than not, though, we will give our information away through phishing emails and poor personal information security like using the same weak password for every account. We might try to come up with more, but, in our modern, busy lives, who of us can remember a hundred and one different and adequately complex passwords?

Even those of us who should or do have a high level of awareness and understanding of information security will still fall prey to laziness. I’m currently trying to use two-step authentication to keep my accounts more secure, but I hate it when I have gone to deliver a workshop and then realise I have forgotten to pick up my phone from my desk, so I then need to head back to the office to collect it in order that I can receive the text message containing the additional one-use code that I need to employ to access my account. It’s times like this that there is a very compelling temptation to switch the two-step authentication off!

The current password system relies too much on our memory and our patience; and on the everyday person who isn’t trained to think about information security all day. We might therefore say that the current passwords system is broken.

So how are hackers exploiting security flaws and human errors?

You may be surprised to hear that hackers aren’t necessary using complicated coding to hack into account. Yes, sometimes large scale attack will take place using programs to attack security flaws, but often passwords can be guessed through social engineering: using the information you share online. For some stark examples, take a look at this article by Kevin Roose where he exploits the digital literacies of hackers to highlight security risks.

Norton collated some useful information about the different ways that hackers hack into your passwords, summarised below:

  • Social engineering: the use of information lifted from your social media to gather answers to your security questions… things like the school you went to, your pet’s name, when you got married, when it’s your birthday, your favourite band… Hackers can gain access to all this information and use it to answer your security questions and guess your passwords.

  • Dictionary attacks: using programs that cycle through a predetermined list of common words often used in passwords. If you are using Password1 as the password for your account then what did you think was going to happen?! To better protect your accounts from dictionary attacks, avoid using common words and phrases in your passwords, or avoid recognisable words altogether.

  • Password crackers: programs used to crack passwords by brute force, repeatedly trying millions of combinations of characters, until your password is detected. Shorter and less complex passwords are quicker to guess for the program. Longer, more complicated passwords take exponentially longer to guess, so the longer and weirder the better!

But if we’re creating lengthy and complex passwords, how can we hope to remember them? Mnemonics can only get us so far. We could potentially use some form of encrypted password management software, but vulnerabilities apply there too: guessing one password may give the hacker access to all of your passwords! Still, it should be more secure than using the same password(s) for everything, because there’s only a single point of failure (the password manager) rather than multiple points of failure (every account you own). Whatever method you choose to use, a set of complicated but securely stored passwords should be far more secure than several easily memorable passwords, if only because they’ll be considerably less guessable.

For more help and advice, take a look at the IT Services tips for choosing a strong password, and test yourself in our information security myths quiz.

Wednesday, 27 June 2018

On the internet, nobody knows you're a dog (unless you tell them)

Our series of explorations into what it means to be a digital citizen continues with Stephanie Jesper pretending to be a dog...

A cat hiding behind a pole

As Peter Steiner’s 1993 cartoon for the New Yorker put it: “On the Internet, nobody knows you’re a dog.”

The internet only knows what you tell it. And what you might want to reveal may vary according to what it is that you want to do. There is a long tradition on internet forums and bulletin boards of using a pseudonymous screen-name or handle. In a large part this was a mechanism to permit discussion of ‘sensitive’ subjects: an alias is a very simple way of distancing your online profile from your off-line one, be it for social, professional, or even legal reasons. But choosing an amusing or clever name can also serve as a fun means of expressing a persona. What is more, pseudonymic screen names can facilitate objectivity in a discussion: social factors such as gender, age, location, education and race may be obscured (partially or entirely), reducing the impact of preconceived biases. A screen name can also allow a user to experiment with or hone their identity (for example in the trans community), and may give confidence to those who might, under their real name, feel socially awkward for whatever reason. This confidence boost can be double-edged, of course: hiding behind a screen name may give you courage to express yourself and your opinions and to explore areas of society and culture that you may otherwise have been too afraid to examine (be it a question of taboo, reputational risk, a fear of failure, or some other impediment), but it can also give you the courage to test the limits of your powers, to be abusive and to threaten other users without fear of recourse. At its most pathetic, this is manifest in Wikipedia vandalism and childishly disruptive behaviour in internet forums; at the other extreme lies persistent trolling, bullying, and even death-threats.

By using an online pseudonym, we make it intentionally difficult for people to connect our online activities to our real-world persona, which is fine unless we actually want that association. We may be looking to promote ourselves, and to connect with people we know, used to know, or want to know in real life, in which case a pseudonym is probably going to get in the way. This is why Facebook and LinkedIn operate real name policies: they’re geared around people finding other people. The problem with being findable, however, is that you can’t especially control who can find you. Having a potential employer find your LinkedIn profile might be a positive thing (assuming it’s an attractive profile); having them find your Facebook profile might be less positive, depending on what you’ve got on there and how locked down it is.

There’s a tradeoff to be had between self-promotion and freedom of expression, and many approaches to take. You could lead a completely uncontroversial life, online and off, and have the tenacity and resilience to be able to cope with any unwanted intrusion. You could live entirely under the cloak of anonymity, but then you may find that you’ve relinquished control of the top search results for your real name, which may not necessarily be a favourable state of affairs. A better solution is to conduct your social activity under one name, and your professional activity under another: some people, especially on Twitter, make use of two accounts – one professional and one social – and Twitter’s own mobile apps support switching between multiple accounts. But in many professions the social use may actually prove a professional advantage, and separating the two can be both a difficult and a false dichotomy to make.

The information trail we leave online isn’t just a reputational concern. We can give away a lot of personal details, and while for the most part this will be just noise in the internet, it is information that can be used against us.

The TV series Hunted provides an effective (and indeed entertaining) illustration of how our online activity can betray our movements, our intentions and our personal networks. In some cases, confiscated devices, phishing attempts and hacked passwords are used as a means of gaining sensitive information, but all too regularly the clues hide in plain sight: on open social media accounts that any of us can see.

If you’re posting in an open forum, anybody can access that information. Tweeting something like…

Holiday! Just hope my new bike can bear 2 weeks without me, languishing in the backyard of 12A The Grove, Chepstow. Forgot to chain it. Oops

…is obviously a bad idea. But communicating even snippets of such information has risks (as we explore on our Subject Guides) because snippets can build up into a larger picture about you and your circumstances.

It isn’t just what we post that poses a potential risk. Our accounts themselves may be sharing more than we might think, as the Cambridge Analytica scandal has demonstrated. If you’ve ever seen your Facebook profile picture staring back at you from the comments section of a blog post, inviting you to participate, or if you’ve seen adverts targeting your interests, you’ll have an idea of the kind of thing that can get passed around. It’s a good idea to go through your social media security settings with a fine-toothed comb every now and again, to lock down as much as you’re able, but inevitably there is a tradeoff between security and functionality. As with so much, it’s a case of striking a balance and being aware of the risks involved.

Wednesday, 13 June 2018

The need to know

In our second of a series of explorations on what it means to be a digital citizen, Stephanie Jesper and Alison Kaye assert their inalienable right to WiFi.

Maslow's hierarchy of needs, underpinned by the need for WiFi
Maslow's Hierarchy of Needs (revised)

For many of us, internet access has become ubiquitous. As the meme above illustrates, over the course of a single generation we have become profoundly reliant upon our connection to the net.

It’s hard to imagine how those of us who were alive in the early 1990s managed to cope without the world’s knowledge at our fingertips everywhere we went. Arguments over matters of trivia would last for days until Wikipedia became but a few thumb-swipes away. If you’ve ever been to a conference with inadequate WiFi, or taken a holiday in the middle of nowhere, with no network access, you’ve a flavour of what it must be like to live in information poverty.

We're being flippant, of course, but with so much of modern life being online, including job applications and government paperwork, those of us who are not online are at quite a considerable disadvantage. Over half of the world’s population (about 52% as of the end of 2017) do not have an internet connection. Even in the UK, the figure is about 7% — c.5m people (that's more people than watch Gogglebox). These people lack what for many of us has become a basic necessity.

This is why countries such as Costa Rica, Finland, France and Greece have enshrined some form of internet access rights in law, and why in 2011 the UN Special Rapporteur recommended that:

Given that the Internet has become an indispensable tool for realizing a range of human rights, combating inequality, and accelerating development and human progress, ensuring universal access to the Internet should be a priority for all States.

A snail bridges a gap
Bridging the skills gap

The skills gap

But even for those of us who can get online, we still need the skills required to effectively engage in the modern workforce and our digital society. In 2015 the UK Select Committee on Digital Skills, appointed by the House of Lords “to consider and report on information and communications technology, competitiveness and skills in the United Kingdom”, raised alarm bells in their Make or break report. They referred to work by the UK Forum for Computing Education (UKForCE) into the skills required for different occupations. UKForCE outline 4 categories of skill levels required for the population of the labour market:

Digital muggle

“… no digital skills required—digital technology may as well be magic”.

Digital citizen

“… the ability to use digital technology purposefully and confidently to communicate, find information and purchase goods/services”.

Digital worker

“… at the higher end, the ability to evaluate, configure and use complex digital systems. Elementary programming skills such as scripting are often required for these tasks”.

Digital maker

“… skills sufficient to build digital technology (typically software development)”.

They used this framework to analyse the 361 Standard Occupation Codes, a common classification system used to map all occupations in the UK according to their skill level and skill content, to show the following:

Percentage of the UK workforce in each category

Digital muggle: 2.2m (7%); Digital citizen: 10.8m (37%); Digital worker: 13.6m (46%); Digital maker: 2.9m (10%)

According to these figures, 93% of UK jobs require at least some digital skills — skills that 12 million of us in the UK lack. And with automation estimated to threaten 35% of UK jobs, the need for digital skills becomes all the greater.

Libraries can have a role in bridging this skills gap, offering access to digital technologies, fostering the literacies required to navigate the world of digital information, and thereby enabling digital citizenship and participation in digital society (Explore York, for instance, have drop-ins for tablets and e-readers, one-to-one sessions on computer basics, and an introductory course on using the internet).

And here at the University of York there've been a number of projects to develop digital skills for both students and staff. Library & IT staff have been working with departments to incorporate digital literacy across all courses, and we’ve also put together a new programme of digital skills training sessions. Alongside all of this there's our online Skills Guides which are open for anybody to access and use, and we're currently working on an IT Essentials site to help people escape their muggledom and exercise some digital wizardry.