a cyber world. We're uploading photos, sharing videos, or sending messages. It's just part of our daily routine. And when our personal information is everywhere, digital privacy can literally become a life or death issue. But how are schools and teachers helping our kids navigate these waters of digital privacy? I'm Caroline

Hardin, I'm a PhD candidate at University of Wisconsin-Madison, where I'm studying computer science education. And I'm Jen Dawson, also with the University of Wisconsin. We're academics, but we're trying to work on it, so bear with us. So, in this presentation, we'll be looking at a couple of things. First, what is privacy? Second,

what hackers think we should be teaching about digital privacy? What are our teachers actually teaching our kids at school? And then the concerning implications about what they're being taught. AKA, this is some bullshit, and we need to fix it. So, unequal burdens, vulnerable groups, and most impacted by that. And what can we do about this?

So, according to Siva Valjian, what we do, what we really demand in some measure of control over our reputations. Who should have the power to collect, cross reference, publicize, or share information about us? How this plays out in a practical example

depends on culture, on individuals within these cultures, and on circumstances particular to these individuals. It's not a simple public or private flag. Privacy settings are much harder than ACL. Digital privacy varies from meets-based privacy only, and how easy it is for information to flow beyond what we intend. While we do

spend a lot of time teaching our kids about physical space, such as close the bathroom door, or wear pants when you go outside, the education we give kids about digital privacy is not enough. The need we need, we need to have more than a one-off conversation, or a unit at school that happens once a year. What kid is going to

give a fuck about what a one-time lesson gives us? Nobody. And we have to tell people, like, what the parents are going to do about this? A parent is now about to sit down and have a long conversation about a kid with this stuff. I mean, who can blame them? Talking about nude photos with your kid is super awkward. So to

understand how digital privacy is being taught in school, we wanted to start with seeing what hackers and infosec professionals and other people with a technical background think about digital privacy and how it should be taught. So we did a survey with the question, what advice would you give others about protecting digital privacy? For this survey, we used what is called a convenience sample, which meant we

asked our friends, which are mostly, uh, computer science and infosec people to take the survey. And then because it became obvious that just asking our friend turned out to not be very many people, uh, we- we did what's called a snowball, which we asked our friends to ask their friends. Uh, in the end, we surveyed 47 people, uh, 27 women

and 20 men. And we analyzed the responses and found that there were two main categories in what hackers and infosec professionals said about what should be taught about digital privacy. 81 percent of participants said technical advice, VPN, full disk encryption, setting Facebook privacy settings and so on. In addition, 65 percent of people offered avoidance or discretion philosophies. Don't post photos of

yourself in that swimsuit. Don't tweet that you like Windows Vista. In only one case, did someone recommend negotiating social- negotiating privacy with your social groups and with your family and talking about how you want your information to be shared. These

findings reflect a lot about how digital privacy curricula is structured. But something about this always struck me as really incomplete. As we know, a webcam sticker can only go so far when you have a neighbor or an aunt who consistently overshares things on your behalf. I took a class in sociocultural theory where I learned about a

somewhat obtuse theory called figured worlds. So figured worlds are the socially and constructed and culturally constructed realm of interpretation in which particular characters and actors are recognized. ELI 5, people are messy and we live in this world where it's easy to understand when you think about all the different roles people have

and the figured world is kind of like an augmented reality overlay that says this matters to me when I'm in this role and this matters to me when I'm in this other role. So privacy lets us live these rich social lives because we have somewhat contradictory

figured worlds in which we need to keep information separate from one of our roles from the other role that we have. So consider the off-color joke. It means something different when told to a friend drinking beer in your kitchen as it does when said as a representative of your company at a professional conference. Failure to understand this and

failure to understand when you should and should not tweet the over-heard joke has serious implication on people's lives and jobs. So we kind of need to figure out this digital privacy education thing. So based on our research, we decided to investigate what

digital privacy looks like in education. What are kids being told? We looked at a major curriculum to figure out how kids are being taught about privacy, how they're told to manage these figured worlds, and how people should respond to privacy loss. So we looked at a popular curriculum that focused on digital privacy, IROC, the Institute for

Responsible Online and Cell Phone Communication. So IROC's core message is quote, anything that you do with digital technology can instantly become a public and permanent trademark. This curriculum is available for purchase in book, video form, or you can schedule a school presentation. The map shows the presentations that are currently

scheduled for 2018. So yay, webinar for kids about digital privacy. What fun. So the advice found in IROC and other similar curricula that we looked at answered the first question. Who is responsible for privacy with? Privacy can be assured through

individual discretion. What is meant by individual discretion? It means everyone is responsible for making sure they control what is shared about themselves on the internet in every circumstance, all the time. In the curriculum we looked at, we found the emphasized things such as not posting pictures, not taking pictures, not being in the

background of pictures that other people take that might get posted. A typical example of this comes from IROC in this quote, and emphasis is my own. True, if you apply digital consciousness, trademark, a mindset of public and permanent, trademark, when using

the internet, cell phones, apps, social media, interactive gaming, and any other digital tools and technologies, you eliminate any potential for self-inflicted challenges and reduce your risk of facing devastating and life-altering consequences that often accompany the abuse of digital tools. So the answer to the second question. How do you manage

different figured worlds? Was answered by these curricula in what can be summarized as only post stuff which reflects a singular best self, but best self to who? Another quote explains, each time you power up any digital tool, camera, computer, internet, cell

phone, picture a family member, friend, child, enemy, criminal, deceased, loved one, whoever means or meant the most to you in this world standing right over your shoulder. In

other words, you must consider a single best self for every possible audience with everything used digital tools for. Finally, the third question is, how should people in community respond to situations where there is a loss of privacy? These curricula emphasize that consequences are inevitable and must be born individually. They offer many

examples in lurid detail of the negative consequences which can occur from a loss of privacy. These warning stories included those of a person's misjudgment, an honest mistake, and malicious attacks. But all are framed as, this is the way the world is, this is what happens. You can see an example of this in the quote comes from digital

consciousness trademark, contract the IROC curriculum, suggests parents have their kids sign. I am aware that by poor digital judgment betrays my ancestors, my parents, my

community, and my future generations. In other words, the consequence is shame and it is a betrayal of others and this betrayal is individual. So, these findings reveal some

concerning implications of these common themes in digital privacy curriculum. Even if you did our discrete on what you post, on what you say, complete discretion is unrealistic unless you and everyone around you doesn't do anything with the digital tools. So, to say privacy is entirely responsible of an individual ignores how a loss of

privacy requires at least two people. We are taught not to open someone else's diary, for example, and if it's left on the table, all alone. But if we have someone who are to say, put the wrong settings in their live journal, and yes, we're dating ourselves by saying live journal, we're not teaching kids, are we teaching kids not to read that post or are we

ignoring that completely? To let the poster know that perhaps the needs to change the settings again or do we just read through it? So, in what about malicious privacy violations? Situations such as non-consensual photos are largely not discussed in this issues. I mean, we are not robots and yet we are being told that we need to be in order to be

successful in discretion. So, but nobody has a single best self. To let someone's identity to a single public and permanent trademark, figured world in this case, an idealized student or worker who only says a thing that would not upset anyone else and who can

only talk about the successes is completely impossible. We're not robots. We may say something to a co-worker in passing in the, you know, hallway and then maybe the boss should not be knowing about that but it spreads. Like, where does the discretion lie? And for teenagers who are still figuring out their identity, how horrible is it to put pressure, this added pressure on them for what they must be perfect? Perfect online at all

times. Furthermore, what message should we send to vulnerable and marginalized groups? For example, the LGBT people who are often focused to make more nuanced decisions about how out they are in different contexts, lest they risk discrimination, harassment in some

countries, imprisonment and literally death. And we are telling them that their gender and sexual orientation isn't their best self. This best self has created a culture of slut-shaming. Anyone who has an intimate photo or text released, this has literally cost the lives of young women and men and it needs to stop. This is an example of how

the burden of digital privacy, privacy aren't equal. This advice creates equity issues as it recommends erasure for those whose identities are frequent targets of cyber bullying such as women and LGBT groups and some online spaces such as gaming. This

often means women feel they can't use voice chat, lest their gender is revealed and they become a large target of harassment. A final implication is that we suggest that bullying is an expected and appropriate response, misjudgments about what to share. Little to nothing is offered to help teens learn to recover from privacy miscalculations or

violations to support their friends when it does occur or to renegotiate how their information is shared in cases of misunderstanding. Instead, these materials are rife with the almost gleeful recounting of tragedies from loss of privacy with limited discussion of the culpability of those who instigated or otherwise participated in privacy violations.

Blaming the ex who shares news is important, but those, there is also culpability with every person who also forwarded that. Elsewhere and more disturbingly, it is suggested an appropriate consequence to visit on those who violate others in privacy is death. And I quote Iraq, quote, her full remarks may just move bullies to the head of a kill list,

end quote. It is not that hard to find anyone through the internet. I'll pause here to remind you that this curriculum is being taught to this many children across the United States. We did find two recommend, two resources which we can recommend. The human

sexuality curriculum, Our Whole Lives, does a good job of discussing how to create a pure culture of respecting privacy, especially in intimate relationships. And the Smart Girls Guide to Privacy by Violet Blue does an excellent job covering how to respond to

incidents and in taking a firm anti-slut-shaming stance. So what are our next steps? We want to see digital privacy, which not only covers the technical aspects of how to protect privacy and having reasonable discussion, but also includes material on how to help people

identify where the conflicts between their figured worlds might exist, makes negotiating privacy with others a norm, and covers more resources to help recover privacy, recover from privacy whether it's accidental or malicious. So we thought it was a little weak sauce to say there should be better digital privacy education without offering

any examples. So we made one. We created Digital Privacy Detectives, an interactive narrative mystery game. Its design was based on the sociocultural framework. Presented here, it looks at discretion philosophies of keeping and maintaining social relationships in figured worlds, setting and communicating boundaries with others regarding privacy

and using technology solutions. This workstation was piloted for the first time at Roots yesterday. So now that your kids have had their way with what we thought would be a great lesson plan, a game, we're going to redesign it a little with their feedback

in mind, and later this fall we'll release it for anyone to use. Just watch our Twitter feed for details on that. We also have a draft of a creative commons-like license for private information, tentatively called Sexting the License, to help people easily

negotiate how information is shared. So under what terms are you sharing this photo? With whom? How long do they get to keep it? Who do they get to show it to? Things like that. If you're interested in collaborating on Sexting the License, please come talk to us. What can you do? For the tech you design, design it in ways which

represents people as complex social creatures with a variety of roles. Create sharing settings that allow users to easily specify who is shared with each piece of shared content, not a single public-private flag, kind of like Google+. I know you didn't expect to hear anyone defend Google+, here at DEFCON, but... So I'd like to conclude

with this quote from Jesse Irwin, privacy isn't about hiding, it's about sharing on your terms. Thank you.