What ‘90s London Raves Can Teach Us About Infosec

One of the highlights of HybridConf 2016 was hearing writer Stevyn Colgan talk about his time as a police officer at London's Scotland Yard. He entertained the audience of UX designers and front-end developers with stories from his book, Why Did the Policeman Cross the Road?. As someone who is concerned about the state of policing (in line with recent protests in the United States), I did not expect to be impressed, but Colgan's design-thinking approach to crime prevention took me by surprise.

Design Thinking + Policing

Colgan was a founding member of the Problem Solving Unit, which operated differently from the rest of Scotland Yard. Instead of solving crimes, they made it their duty to prevent them. Colgan didn't use dystopic tools to identify future criminals. Rather, his team borrowed techniques from cognitive science, marketing, urban planning, and other fields to consider the influence of environmental factors. It is this holistic approach - contemplating physical, technical, and social systems - that makes him a design thinker.

Colgan shared many stories about his 30 years with the police force, and a few of them were particularly relevant to the security crowd. Information security is about keeping unauthorized people from accessing sensitive content, so in a sense, infosec overlaps with law enforcement in its commitment to crime prevention. Instead of only taking a classic defensive-security stance, borrow from Colgan's Problem Solving Unit and find inspiration by thinking like a creative cop. Here are a few pieces of advice from Colgan's stories:

  • Make your stuff less attractive - Something as simple as covering a motorcycle decreases the likelihood that it will be stolen. The added friction of needing to uncover the motorcycle will redirect thieves to other more-accessible targets nearby.

A covered motorcycle is less attractive to thieves than uncovered motorcycles nearby (from Stevyn Colgan’s Hybrid Conf talk)
A covered motorcycle is less attractive to thieves than uncovered motorcycles nearby (from Stevyn Colgan’s Hybrid Conf talk)

  • Identify the weakness - In many enclaves, trash collection happens on a set day. Residents wheel their garbage bins to the curb and bring them back after they've been emptied. In Colgan's city, the only distinguishing factor across these bins is the owner's house number scrawled on the side. Uncollected bins signal that people aren't home; with one glance, thieves can deduce which houses would make the best targets for daytime break-ins.

    After uncovering the garbage bin problem, the Problem Solving Unit settled on a social engineering solution. Colgan's team organized neighborhood meet-and-greets so that residents could come up with a plan to wheel one another's bins in if their neighbors couldn't wheel theirs in right away. The result was a dramatic decrease in daytime break-ins.

Garbage bins are identical except for the house number written on the side (from Stevyn Colgan’s Hybrid Conf talk)
Garbage bins are identical except for the house number written on the side (from Stevyn Colgan’s Hybrid Conf talk)

  • Constantly adapt your techniques - In the 1990s, London was a center for raves. While these gatherings were a mainstay of cultural life for many people during that era, the police considered them to be dangerous because of illegal drug use, sexual assaults, and overcrowding in the case of fire. Before the internet, people relied on posters to learn when and where raves would be held. The Problem Solving Unit made it difficult for promoters to attach posters by adding diagonal braces to walls, which meant that fewer people learned of the raves. Inclement weather played a role, too. The posters were easily damaged when it was wet or windy because they were posted on uneven surfaces.

    In response, determined promoters hung angled posters specifically designed to fit between the diagonal braces. The police came back with an inexpensive solution: They covered the time and place on the posters with "cancelled" stickers, and attendance continued to go down.

Diagonal bracing made it more difficult for promoters to attach posters to the wall wall (from Stevyn Colgan’s Hybrid Conf talk)
Diagonal bracing made it more difficult for promoters to attach posters to the wall wall (from Stevyn Colgan’s Hybrid Conf talk)

Implications for infosec

Colgan's stories of social engineering drew on observations of human behavior and environmental signals, and the Problem Solving Unit's successes and can be applied to infosec UX. Key takeaways include:

  • Basic precautions are good enough for most people
    Withstanding a targeted attack by a powerful adversary is difficult, but deflecting crime is easier. Just as covering your motorcycle redirects attention, simple deterrents can save your data from harm.
  • Look with fresh eyes
    Identical garbage bins are unremarkable features in many landscapes because they're so common. Thinking like a designer means looking past the surface and seeing what can be tweaked. Removing bin numbers - the superficial solution - would have been a complex and impractical response, but nudging people to change their behavior worked just as well.
  • Consider the entire user journey
    Rather than focusing only on undesirable behavior at raves, Colgan mapped the entire user journey from the very moment that people learn of a rave. By looking for the starting point, Colgan's team came up with the clever solution to use "cancelled" stickers.

I was surprised to find a police officer at a design conference, but Colgan's stories demonstrate that a design mindset always has a place, and technical problems don't always need technical solutions. Colgan's solutions may have been in plain sight, but they were elegant. Instead of signaling a lack of originality, tactics like the "cancelled" stickers are markers of success.

Sometimes, the best adjustments are so trivial that we overlook or discount them. When crafting new technologies, what simple solutions have been sitting in front of you, waiting to be discovered?


Closing the Participation Gap: HotPETS Presentation Summary

I really enjoyed being part of the emerging-work track, HotPETS, at the Privacy Enhancing Technologies Symposium earlier this month. From meeting lots of great people to getting face-time with the Simply Secure team, Philadelphia was fun. Scout and I presented “Human-Centered Design for Secure Communication: Opportunities to Close the Participation Gap” as part of a session on Privacy and Human Behavior. The session also included some nice qualitative work from Tactical Technologies covering the collaborative and social nature of privacy and ethical implications for researchers working with vulnerable populations.

Lessons from Architecture School: Part 1

This is the first in a series of posts pulled from a talk I gave at O’Reilly’s online conference Experience Design for Internet of Things (IoT) on “Lessons from Architecture School for IoT Security.” The talk is a call to action for designers and non-technical people to get involved — with us at Simply Secure or elsewhere — in the worthy problems of experience design for IoT security. I want to encourage more people to think about security and to outline some ways UX design can support privacy in IoT applications.

Security is a “Design in Tech” Trend

Designers are urgently needed to help build products and services people trust. Here’s how design professionals are starting to embrace security.