That Time I Was Quoted In The New Yorker

I was quoted in The New Yorker today. It was kind of weird, and got me thinking about how we should report on privacy.

The article (Trump Preparedness: Digital Security 101) chronicles a digital security workshop in November. Generally, digital security is something I understand well enough to know when to be skeptical about it, but apparently not well enough to do it professionally. But I’d like to change that. I received the call for volunteers on November 9, and it pledged to reach out to “anyone working with undocumented immigrants and Muslim communities,” so I responded.

It went fine, and Thanksgiving happened. Then, yesterday:

A woman named Ruth Miller started the password-management workshop with an explanation of the password-management tool 1Password. “I have never known them, I will never know them, they’re unknowable,” she said, of her passwords.

Why is this weird?

1. “Woman” strikes me as an odd qualifier. For comparison, here’s how every other person is described in the article:

  • “a journalist and one of the event’s organizers”
  • “who is in his mid-twenties, willowy, and blond”
  • “a middle-aged civil engineer wearing a fleece vest from the Leadership Institute”
  • “a security researcher visiting from Berlin for the Thanksgiving holiday, who, like most people one encounters at a privacy workshop, declined to give his name. Skinny and dressed in all black, he was folded around a ten-year-old I.B.M. ThinkPad, which sported an external signal board—running Linux, an open-source operating system—dangling off the side”

Apparently, the most interesting thing about my being there was that I was female. Was the reporter trying to make the event look more diverse? Or more accessible, in declaring me a layperson? Were there too few column inches available to give me even a shred of credibility?

Next time, let’s at least go with something like “Sailor Moon aficionado, highly-organized person, and digital security expert Ruth Miller.”

2. The reporter neither introduced herself as a reporter, nor gave me an opportunity to withhold my name, so it’s funny she mentions that people were hesitant to give their names. [She did offer to try after I complained on Twitter, which was professional, but missed the point.] The organizer (also a journalist) told her it was a public event, so because I said my name out loud, it was public record for a stealth reporter and is now online. That can’t possibly be a best, or even decent, practice.

Balancing Privacy and Public Interest

We need more people thinking critically about their privacy, but not all attention is good attention. What should reporters keep in mind when investigating, interviewing, and reporting on people who work with privacy?

  • When does someone deserve anonymity? This is the opposite of how local reporters see the world: if it happens in the public, it’s public record, and the public has a right to know. But many people that seek privacy protections have either perceived or legitimate reasons to want anonymity. Reporters already have protocols for dealing with precarious sources in places with autocratic regimes – it’s time to bring those home.
  • What constitutes anonymity? There are many ways to identify someone besides their name, and if they’re truly a target for surveillance, bits of seemingly unrelated information can be pieced together to derive an identity. How many details are necessary to tell the story? “A security engineer from Berlin” is nicely vague, especially at Noisebridge. Further details, like employers, hometowns, or comments on appearance go too far.

And of course we, as security researchers, have our own related challenges.

  • How to create and maintain safe spaces? Introduce Chatham House Rules. Have reporters introduce themselves to the whole group. Urge participants to identify themselves as willing or unwilling to be photographed. Ensure all staff know what to do if a reporter or anyone else violates these ground rules, and encourage people to report and intervene if they see a violation taking place.
  • How to support learning? If security were easy, people wouldn’t have to go to trainings. Participants, reporters, and trainers all have much to learn. Help the story be told well by making people available to answer questions on background, but…
  • Whose needs should be prioritized? …only if it doesn’t detract from the event itself. Would you pull a trainer (or God forbid a translator) away from a session to talk to a reporter? Unless the goal is to raise awareness for the cause to support future events, then marketing may be useful. Set a priority, and stick with it.