Women are doing very important work in the cybersecurity field, and I’ve really been enjoying talking to some of the brightest and most interesting minds in my field.In my last interview, I spoke to Kelly Shortridge. She went from a career in high finance to a security-related product manager role for BAE. This time, I get to talk to Sarah Aoun. She educates people about how to protect their privacy and digital rights online. The people who she educates are often in targeted positions, such as journalists and political activists.Kim Crawley: Tell me a little bit about your current infosec role.Sarah Aoun: I’m a digital security trainer and consultant. I’m based in NYC but I work around the US, as well as in the Middle East. Most of the folks I work with are activists, human rights defenders, journalists and grassroots organizations.KC: So, you protect people from potentially hostile governments? That’s a big deal, even in most of the western world.SA: Yes, definitely – and I want to be careful about using that term because it holds some western-lens to it. A “hostile” government could be European or American.KC: Here in Canada, the United States and in much of Europe, people’s digital rights and privacy are often threatened by the government. I just recently heard some bad news from American Congress lately regarding ISPs.SA: Yes, very bad! ISPs basically can now sell your digital history to advertisers. But generally, yes, I help protect vulnerable communities from either governments or other possible threats.KC: My fear, in addition to government intrusion into people’s personal lives, is that it makes law enforcement less effective due to data overload.SA: That’s a good point. It also reinforces certain prejudices by unfairly targeting certain populations.KC: So, how do you educate people who are in risky positions, such as activists and journalists?SA: Usually with workshops that can be a few hours long to a few days or even a week. Then depending on the situation, you can respond with longer follow-ups and mentorships for a year or more. I train more people within those organizations or groups to become go-to folks on security and privacy issues.KC: Do you find that your students are usually more or less computer literate than typical laypeople?SA: It really depends on the situation and the context. Training in the US, for example, is very different than doing it in the Middle East because even people’s understanding and use of tech, social media and communications is very different. In most cases, I find that digital literacy is usually the most important aspect, in terms of understanding why privacy and security even matter in the first place.KC: What do you think the biggest misconceptions are that your students often have about keeping their data private?SA: I have to respond to viewpoints such as “why does this matter?” to “well, I have nothing to hide,” to “they already know everything anyway.” Generally, it’s not understanding the business model of companies, such as Facebook or Google. We use free services in exchange for our data. People don’t always understand how that business model works. So, even going through that is pretty important. People need to understand that companies amass huge quantities of data and create profiles about you, which are eventually used for better ad targeting.KC: “If you don’t spend money on a service, you are the product.” That sort of thing?SA: Yes. Data is also sold to other parties, such as health insurance companies. And based on your health data collected by products like wearable fitness trackers, for instance, you could get a better or worse deal for your health insurance.KC: Have you had a lot of success with improving people’s digital media habits?SA: Generally, yes. Understanding where our information goes and how it is used is really one of the most empowering transformations that I witness. People do care, but they don’t always understand how their info is used in exchange for free services.Training and workshops can go anywhere from regaining agency and awareness of privacy to learning how to protect oneself from governments and hostile entities, so it really depends on the audience and context. We talk about risk assessments a lot, so it’s about drawing up what risks are for the group in question.KC: Let’s get into this a bit more. Do a lot of services implement weak encryption? I’m not a cryptographer, and often I wonder about the ease of cracking the stream and block ciphers that social media services and consumer apps use.SA: I think some services give the illusion of safety and encryption. For instance, Facebook Messenger has a “safe” or “encrypted” feature, yet it’s not turned on automatically and you have to switch it on from the settings, so your communication isn’t encrypted by default.KC: Do you think tech corps often deliberately choose weak default settings for consumer services?SA: Definitely, for that’s the business model, especially if the services are free. Ad targeting is how these companies make revenue, so it is in their best interest to collect as much data as possible. For example, lots of browsers, such as Chrome or Safari, collect information about you and do have security settings, yet they are not turned on by default. It’s on the user and consumer to dig around and enhance their privacy and security while still using these products or opting for other ones.KC: Got it. So, how did you get into your line of work? How did you get into cybersecurity?SA: My background is in human rights and policy. At some point, I started working in data visualization and advocacy and running training workshops on data-driven journalism, data ethics, data collection, extraction, manipulation, and visualization. I work mostly with activists, NGOs and journalists. While giving those workshops, I found it important to talk about data protection. Especially when working with vulnerable populations, if you’re collecting information and research, it is crucial to make sure that data is secure and private.KC: Did you have technical expertise before you entered the human rights field?SA: No, I picked it up along the way and am mostly self-taught.KC: I see! A lot of us in cybersecurity self-educate. The technology evolves so quickly that being able to educate ourselves is an asset.SA: Definitely! Things change so fast.KC: Is there any advice you would give people reading this article for how they can better secure their internet activities on their end?SA: There’s a lot that you can do, and there are great resources that you can reference to better educate yourself on these issues and then change your habits. I would recommend resources from Tactical Tech and their data detox kit especially. Kind of like a juice cleanse but for your data. They break down a lot of these concepts we covered and give recommendations on things that you can do over eight days.EFF also has a lot of great resources, such as Surveillance Self-Defense. Also, finding cryptoparties in your city or area are great ways to learn more about security and privacy. They’re generally very accessible to folks of all levels.KC: Excellent!Women and non-males are a minority of infosec professionals, as we’re a minority in IT and computer science in general. How do you think we can encourage more non-males to pursue cybersecurity careers? Also, what can organizations do to improve the gender balance?SA: Yes! So glad you brought that up. I would add that intersectionality is an even bigger issue. Because it’s not only women but also women of color, LGBT folks and gender non-conforming people. I rarely come across people who have a similar intersection of identities as mine (an immigrant woman of color), so this really requires a cultural shift. It’s not something that will happen easily, but that can definitely happen.KC: Has bigotry toward the other minority groups that you belong to been as much of an issue as sexism in tech?SA: Creating more opportunities for minorities, changing cultures within companies, and enforcing training and awareness around sexism and racism are crucial. We mustn’t fall back on the easy excuses of “we couldn’t find any women for this job” or “it’s a pipeline problem.”KC: Let’s get back to the topic of encryption. I’m concerned about government attitudes toward encryption, too. For instance, my colleague Javvad Malik at AlienVault recently reported that the British government doesn’t like WhatApp’s implementation of end-to-end encryption.SA: Yes, that was also in the news recently. They’re arguing that end-to-end encryption is bad, supposedly because they want to be able to prevent terrorist attacks.KC: That’s always the excuse, eh. “What about terrorism?”SA: Yep.KC: I think misguided attempts by Western governments to combat terrorism have eroded human rights a lot more than they’ve ever prevented any terrorist attack.SA: Eroding our right to privacy for supposedly protecting us better. Sounds like a dystopian sci-fi movie, doesn’t it?KC: It makes one think that they don’t care so much about terrorism except to use fear as a trojan horse for fewer privacy rights.SA: That’s exactly what it is.KC: It was a pleasure talking to you, Sarah. You do very important work.You can follow Sarah Aoun on Twitter at @sa0un.
About the Author: Kim Crawley spent years working in general tier two consumer tech support, most of which as a representative of Windstream, a secondary American ISP. Malware-related tickets intrigued her, and her knowledge grew from fixing malware problems on thousands of client PCs. Her curiosity led her to research malware as a hobby, which grew into an interest in all things information security related. By 2011, she was already ghostwriting study material for the InfoSec Institute’s CISSP and CEH certification exam preparation programs. Ever since, she’s contributed articles on a variety of information security topics to CIO, CSO, Computerworld, SC Magazine, and 2600 Magazine. Her first solo developed PC game, Hackers Versus Banksters, had a successful Kickstarter and was featured at the Toronto Comic Arts Festival in May 2016.Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.