I spent this past week in Kiev. You may have heard something about the protests, and possibly even about some of the policy changes and new laws that sparked them. I was working with colleagues, journalists and human rights activists, supporting and training them as quickly as possible on digital security basics, and making sure they had contacts to reach out to for timely support.

It was a trip that was scheduled many months ago, when Ukraine was on the cusp of joining the EU. Things, to put it mildly, changed. Obviously, the violent protests have been featured widely in the news, but those capture only the most visible challenges the country is facing. Legislation pushed through with no regard for legal proceedings last Thursday promise to have a chilling effect on free speech, tight limits on media, even citizen journalists, and will devastate the civil society organizations, labeling them as "foreign agents" and taxing them as for-profit corporations if they take any international aid funding.

In the few days I was there, we experienced a "test" of new censorship capabilities as twitter and facebook -- critical messaging and coordination channels for activists -- went dark in Kiev for almost half an hour. People near the protest areas received ominous SMS messages on their phones telling them that they had been registered as present at the (illegal, under the new law) protest.

One note of import - there are two main areas of the protest - EuroMaidan is the months-long, Occupy-on-steroids encampment in Maidan Square. Though well barricaded off, it is a peaceful protest, with daily concerts and speeches on a well-equipped stage, a huge jumbotron, laser-light projections and more. Businesses - from a Nike storefront to a local brewpub to a carousel - are going on with business as normal within the barricaded-off area. The scenes of burning tires, tear gas and molotov cocktails is from the nearby Grushevsky St, where protesters gathered to confront Parliament after their "passage" of this Black Thursday law.

It is inspiring to see the passion and focus of people working to protect and expand their rights, and it is humbling to be able to lend support in any form. However, the challenges aren't getting any easier. The digital tools which provide the most security are also difficult to use, and more difficult to use correctly. They still "stick out" as unusual, and face an uphill battle against popular systems with little if any security.

This has to change. Privacy is not some abstract concept in these situations, it is the economic well-being, and too often, the pure survival of activists, journalists, and their contacts. When we allow policies and practices that undermine security and privacy, we're not just revealing embarrassing factoids about our call history, or even the three felonies a day you're probably committing as a US citizen - we are undermining our global dream of a world of nations with democratic rule, where their citizens can enjoy basic human rights without fear.

The world is ready for this, but when the current Ukrainian government points at American domestic policies as models of their newly crafted censorship and surveillance laws, it's a sign that we as Americans are not drinking our own koolaid (with a hat-tip to the many dedicated civil servants who are working hard to further human rights).

(Or, how to remind anyone snooping your email of your fourth amendment rights)

So clearly we have a situation here where we failed to learn from the past. Fourteen years ago (Exactly in a few days - Oct 21!), we were protesting ECHELON, which was (is) a "worldwide computer spy network [that] reportedly scans all email, packet traffic, telephone conversations, and more in an effort to ferret out potential terrorist or enemy communications. Once a communication is plucked from the electronic cloud, certain keywords allegedly trigger a recording of the conversation or email in question."

In response (along with a short burst in activity around people trying to figure out how to use PGP), hackers added amusing bonus keywords in the parts of emails that humans rarely see (where junk like the path the email took, listserv details, and so on goes) - many, including myself, added the 4th Amendment to the US Constitution, as well as participating in "Jam Echelon day," when everyone added what we presumed at the time were these mythical "trigger words:"

ATF DOD WACO RUBY RIDGE OKC OKLAHOMA CITY MILITIA GUN HANDGUN MILGOV ASSAULT RIFLE TERRORISM BOMB DRUG KORESH PROMIS MOSSAD NASA MI5 ONI CID AK47 M16 C4 MALCOLM X REVOLUTION CHEROKEE HILLARY BILL CLINTON GORE GEORGE BUSH WACKENHUT TERRORIST.

As an aside: maannnnnn, do you remember the 90s? Was that an unpleasant walk down memory lane or what?

Anyhow, this amusing idea that this would work for more than a few minutes just doesn't seem to die, and someone's trying it with a new "security" tool called ScareMail that "takes keywords from an extensive US Department of Homeland Security list used to troll social media websites and utilizes them “to disrupt the NSA’s surveillance efforts by making NSA search results useless.” "

While that's ... well, whatever. It's a nice thought, right? Probably not very useful overall. Anyhow, it gives me a small boost of civic pride to tweak my email settings and put the fourth amendment text back in to almost every email I send out. This requires an actual email client (Thunderbird works nicely), and some configuration hacking:

• Go to Edit → Preferences → Advanced → General → Config editor
• Right click, new, "string"
• For 'Enter the preference name' use "mail.identity.id1.header.header1"
• For the string, add "X-Fourth-Amendment: The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."
• If you have multiple mail accounts, you'll have to do this for each one, using id2, id3, etc. and header2, header3, etc.
• Restart thunderbird, make sure you didn't break anything. For more details, peek at http://kb.mozillazine.org/Custom_headers

I'm glad that OLPC has finally released what was originally put out as the vapourware-ish XO-3 concept three and a half years back. At the end of the day, though, that's "just" a change in technology (though a huge shift in hardware and underlying software!).

What I'm actually very excited about is commercial sales. This is something I've been arguing in favor of for only around five years or so:

The bottom-of-they-pyramid microfinance approach doesn't even have to drop the education focus. While the returns on education are much to slow to repay loans effectively in most cases, grant programs or other implementations could focus on child usage. For example; the XO could be on sale for anyone; but only young entrepreneurs could qualify for the micro-loans, and they'd have to provide some explanation of how this would fit into their learning. Schools or education-oriented civil groups could to buy on credit in bulk, provided they could support both an educational aspect and a profit-making aspect. Grants could be available to even younger children participating in educational programs, skimming profits off of the loan system and successful entrepreneurs in a new G1G1 style program.

Cross-posted at the Tech Salon site: http://technologysalon.org/2013/04/why-information-security-matters.html

First off, please thank the Internets for creating this site, which can serve as a guide on when you should use the prexif cyber: http://willusingtheprefixcybermakemelooklikeanidiot.com

The tech salon on security and privacy was a predictably raucous debate on finding a sane balance between using 30-character passwords with symbols, numbers, and mixed-case letters that must be changed every month for your timesheet systems ... and taking basic security measures to protect super-private data. How and where do we build in information security in ICT4D? When is it unwarranted, and when is it irresponsible to not address it?

There are the obvious cases, ones with a clear adversary -- be it a repressive government or a group working aggressively against your goals. When you have this clarity, there is an awareness of the need for information and communication security, and

The problem is when there is no clear adversary - when no one actively hates your work. In ICT4D, we normally see this as a good thing, but it means that building in security becomes one more extra, annoying and costly piece of your overhead costs, defending against an unspecified threat - and it often gets dropped.

has a hands-on photoshoot with the revolutionary XO-4 convertible tablet/laptop.  It has an infrared touchscreen, has refocused its interface to run on top of a standard Linux distribution instead of a customized and tweaked version, and... um... it looks rather familiar. I mean to say, it's almost indistinguishable from the XO-1.  

And that's a very good thing.  What has happened to the OLPC program is, in many ways, what I'd hoped they'd intentionally choose as a path forward-  thoughtful and efficient development focused on impact over glitz, using existing projects and tools where available, and not re-inventing things that weren't broken, but using incremental improvements.  Of course, that approach doesn't catch headlines as well, but it does work.