care webs: daydreaming community security

I don’t have a complete and coherent thought on this yet, but if I get a post out in the next 26 hours I’ll be technically continuing a streak of monthly posting, so I’m going to jot down the half-formed thought pieces and hope they come together for me or someone else.

I read Care Work: Dreaming Disability Justice with a book club years ago and we met together in a park before any of us were thinking about things like airflow to prevent infection, before covid-19 started causing short- and long-term disabilities in my friend group. I should really re-read it soon, and it’s been on my mind a lot lately. The core thing I remember from the book is that over and over again it brings up ideas of “care webs” – instead of a linear relationship between a Caregiver and a Recipient of Care, what does community care look like when we all give and receive supportive care of various types?

I’ve worked with a lot of people who view security (jobs) like this. Someone is a Security Person and they shape the world the User lives in.

An emoticon diagram where a Security icon (in this case a bear) has an arrow pointing from them in one direction to a User icon (in this case a cat) and the arrow is labeled "rulez" indicating tht there is one, omnidirectional, set of rules

Sometimes I meet people who see it as something a little different, where Users are there to do a job and Security Person is there to answer questions and enable the Users to do their jobs in accordance with decisions the Security Person has reached for them.

An emoticon diagram where the User (cat) icon has an arrow pointing to the Security icon and the arrow is labeled "question" prior to a repeat of the Security icon having an arrow pointing to the User icon labeled "rulez". There is input, but it is still one omnidirectional relationship.

Information security is obviously reliant on some niche knowledge, but I’m willing to argue that so are most care tasks. (Life with a roommate who never learned how to do any chores around the house makes this very obvious pretty quickly.) Lifting and bathing a bed-bound person safely (for both parties) is niche knowledge that I personally don’t have, but I have to imagine that I could learn at least the basics – enough to apply in a specific situation and know when I need to escalate to someone else. If we take it on account that we can also convey this sort of basic knowledge package for security, I can start imagining security as a care web.

A complex emoticon diagram in which the bear icon is unlabeled and points an arrow to a humanoid emoticon labeled "intervention", the cat emoticon has an arrow pointed to the bear icon labeled "observation" and the cat icon also has an arrow pointing to a different, new, bear icon labeled "third thing" because the author could not think of a third thing. intended to represent a multi-directional interconnection of relationships.

okay this is getting out of hand for little emoticon drawings isn’t it

Part of why I’ve been thinking about this is an idea that I’m pretty sure puts me at odds with at least some of my colleagues: the idea that surveillance and monitoring, is not directly synonymous with security. Obviously I regularly collect and monitor data with the goal of keeping people secure – but I’ve also seen plenty of examples of collecting and holding data because of the belief that it might be useful later, or worse, because it could be sold or monetized in some way. Sometimes even totally well-meaning people wind up off-track of whatever the original threat model and use cases were and it’s harder to defend, detect, and respond because there’s just a lot of moving parts that maybe don’t need to be there. And truly, when I think about keeping people “secure” what I’m really thinking about is keeping people safe.

Is safety the exact same as security?

When I picture these ideas I keep coming back to a mental image of kids playing in a very well child-proofed room in the house where the outlets are covered and cocomelon is banned from the youtube app, compared to kids in a park where the whole neighborhood knows who they are, who the parents are, who all the regular parkgoers are, and takes an interest in looking out for the kids as part of the “village” of people living together. I’d call one of those scenarios secure, but both of them safe. (Keep walking with me here and don’t get too caught up in the example or whether or not those villages still exist, I know, I know.)

So maybe what I’m actually picturing is safety as a care web. Listen, I said in the beginning that this was a bunch of thought pieces put together and not necessarily a coherent thought. This is a personal blog, I have like ten visitors ever, I’m not submitting this for a BlackHat presentation. I’m just wondering about what The Future of Security looks like, because especially when we move out of the structure of working for a corporation and into the idea of keeping our communities safe from fraud, deception, and theft, it doesn’t feel to me like a unilateral authoritative structure works or is the most beneficial.

kerstyn.blog