
Intro  0:01  

Welcome to the She Said Privacy/He Said Security Podcast. Like any good marriage we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century.

 

Jodi Daniels  0:21  

Hi, Jodi Daniels here. I’m the founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and Certified Information Privacy Professional, providing practical privacy advice to overwhelmed companies.

 

Justin Daniels  0:35  

Hi, Justin Daniels here. I am passionate about helping companies solve complex cyber and privacy challenges during the lifecycle of their business. I am the cyber quarterback helping clients design and implement cyber plans as well as help them manage and recover from data breaches.

 

Jodi Daniels  0:52  

This episode is brought to you by that was interesting Red Clover Advisors. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, ecommerce, media and professional services. In short, we use data privacy to transform the way companies do business. Together, we’re creating a future where there’s greater trust between companies and consumers. To learn more, visit redcloveradvisors.com. So what’s fun about today is we’re recording at five o’clock on a Friday. And what was the song earlier today that you were thinking?

 

Justin Daniels  1:34  

It’s five o’clock somewhere? Where’s your adult beverage?

 

Jodi Daniels  1:36  

Five o’clock somewhere. So we have our waters ready to go and our podcast recording here for both of us. And we’re gonna dive in so we sound a little crazy. It’s because it’s five o’clock on a Friday. Are you going to introduce our awesome guest

 

Justin Daniels  1:53  

today? I’d be happy to. So today we have Leigh Honeywell, who is the co-founder and CEO of Tall Poppy, where she helps companies protect their employees from online harassment. Previously, she was a technology Fellow at the ACLU and held industry roles at Slack, Salesforce, Microsoft and Sematech. Leigh has a BSc from the University of Toronto. Welcome.

 

Leigh Honeywell  2:20  

Thanks, it’s a I’m so glad to be able to join you on this this afternoon. As again, non adult beverages. Yes, super, super stoked to get to talk about the intersection of security and privacy, which is really, really fundamental to what we do people. You know, I was, as I was doing a little bit of background reading on your podcast, the idea I think there’s this like, often stated thing that security and privacy are in tension, but I think the online harassment space is one of those places where it really like they are really at this. It’s the same stuff when it comes to online harassment.

 

Jodi Daniels  2:57  

So to get us started, we’re going to take you back a little bit. And I know you’re super excited to dive in, and we’re getting out there, but we want to know who you are. And how did you get to the space that you’re in today?

 

Leigh Honeywell  3:10  

Oh, man, so I am Canadian. I spent the past 10 plus years living in the States working at a bunch of different technology companies in Redmond working at Microsoft moved down to the bay area to work at Slack and or to work at Heroku which is part of Salesforce and later at Slack. I have worn a lot of different hats across the cybersecurity industry. And right around summer 2020 pandemic, I was working from home anyway, I was really homesick. So I ended up moving back to Canada. From the Bay Area, the San Francisco Bay Area. And now I live in Ottawa. I’m usually not known for very much recently, we had this whole convoy thing that was a bunch of drama and a bunch of people being very loud downtown for several weeks. Very, very irritating. But yeah, so I’ve been I’ve been doing security work for over a decade at this point. Did my undergrad in computer science and equity studies got hired down to Microsoft to work on the Patch Tuesday team which reboots everybody’s computer with those lovely security updates that everybody gets super nice, but they’re so important. And yeah, I’ve always really enjoyed doing Incident Response work when when like, people’s hair’s on fire. That’s like when I’m like I go into just like super focused mode. And over the years, some of that incident response work ended up translating into this other sort of side thing that I did, which was helping people deal with harassment situations. And that’s that’s how we ended up here today. So yeah,

 

Jodi Daniels  4:47  

there we go. I always find this is my favorite question, because I just think people’s stories are super cool and fun and fascinating. Are you looking at me like a strange person?

 

Justin Daniels  4:58  

Had a couple of drinks and haven’t told me If

 

Jodi Daniels  5:01  

there is a closed water bottle here, you never know,

 

Justin Daniels  5:04  

that would be exciting. So our next question is talk a little bit about the mission of your company.

 

Leigh Honeywell  5:12  

So we started with this really intense focus on online harassment as this unsolved problem in our society, right? Like, every time things are in the news around, some poor person gets targeted for happening to be a woman on the internet, or LGBTQ or whatever other like marginalized identity. And there’s a bunch of like, wringing of hands and gnashing of teeth about how terrible this problem is. But it often felt like for many years that nobody was really doing anything about it, people were like, the platforms need to do something. Well, yeah, the platforms definitely control a lot of the variables with like, what kind of content gets attention, what causes people to like, be the folk beat, people talk about the main character of the internet, your goal is to not be the main character of the internet on any given day. And the experience of being that main character is is terrifying and disrupting. And even if it’s, in some cases, because the person has done something like actually shitty, am I allowed to swear on this podcast, I can remember, I’ll try not to swear too much. Sometimes somebody’s done something really, actually bad. But often, it’s it’s literally just for existing while being again, like someone with a marginalized identity or advocating on behalf of policy positions, things like that. So when we think about the problem of online harassment, there is this sort of platform harassment piece of it. But we’re not actually focused on that, because we’re not, I’m not whoever owns Twitter today, whenever some people listen to this podcast, whoever happens to own Twitter, then, you know, I’m not Zuckerberg, I’m just a security professional. And I know what is within my control. And that’s people’s individual personal security practices, and the sort of ownership that people have of the data that’s out there about them online. 
So our goal as a company, is to take that that piece of leverage that we have around the individual security and privacy practices, and enable people to make better choices, to have better security settings and stuff like that. So that if the internet does get mad at you, you can be safe from the worst ways that that can escalate. So fundamentally, we, we started out with this, like nebulous, how do we move the needle on the issue of online harassment, we focused in on this sort of personal security piece. And the thing that we’ve been doing an increasing amount recently is stuff that doesn’t necessarily come in the door as like online harassment, but if someone is a particularly highly visible person within an organization, or it’s an organization that is, is visible as a whole, for whatever political or historical or whatever reasons, and everyone at the company feels sort of like they’re under the microscope. And you want to have the ability for those folks to feel safer in their day to day use of the internet use of technology. So thinking beyond just this narrow piece of online harassment, to the greater problem of personal security, in a very connected world.

 

Jodi Daniels  8:18  

With everything that happened in the pandemic, and so many people going online even more, how has that impacted online harassment?

 

Leigh Honeywell  8:27  

Such a good question, I think, when the biggest thing that we saw when everybody started working from home is the, the context collapse. It used to be you know, if you were dealing with harassment as a result of your workplace, maybe you’re a customer support person, and people are just being like, crappy to you and the customer support tickets. You get to go home at the end of the night, and leave that at your office, when you’re working from home that home context, life context and work contexts are the same. So those those threats to your personal security, the whether it’s like the mean tweets, or the the nasty messages in the customer support inbox. They’re happening in the same emotional and psychological context. So the impact of even the same level of like background noise of nastiness, is that much greater when people are at home. The other thing that we’ve seen with the pandemic was working from home with some of the like, sort of culture war stuff around mask mandates, and post school closures and all these different things is there’s a whole class of people who you would never have thought would be visible or targeted, that are all of a sudden, like having to deal with security threats that would normally be the kind of thing that like celebrities and politicians have to deal with. Instead, it’s like, you know, your school board trustee or your public health official are dealing with death threats or dealing with account hacking. They’re dealing with all of this stuff that we think of as being like a pretty, pretty sharp end of the spear when it comes to harassment, but all of these, like, random like functionaries, and civil servants are having to deal with it.

 

Jodi Daniels  10:08  

That’s really interesting. I hadn’t thought about the context piece in that level before. I mean, obviously, where it’s all connected. But that’s a really interesting observation. Thank you for sharing.

 

Justin Daniels  10:19  

Seems to me based on what she’s saying, try to have a smaller social media presence, because then you don’t read the stuff about you, or whatever people are saying,

 

Jodi Daniels  10:27  

well, there’s that too.

 

Leigh Honeywell  10:29  

Oh, that’s such a and I think that’s one of the interesting, again, that privacy and security piece, there’s having the situational awareness of what’s being what’s being said about you, but without sort of internalizing it without taking on the like, emotional impact of it. One of the things that we often advise, whether it’s clients or like my friends that are dealing with, like internet haters, or whatever, it’s, if you can have somebody else monitor the situation for you, just having that like one step of remove, where it’s like, it’s your your teammate, or your your family member who’s going to, like watch your Twitter mentions for you, while you go into like, a bit of a lockdown. I think the other the other piece of it is like, it’s 2022, or whenever people are listening to this, you can’t just tell people like, why don’t you just delete your accounts, right, so much of our professional lives involve being in public, so much of our, the sort of the weight that we bring to many of the employment positions or leadership roles involve, like having that interaction with the public. And I think the the thing with with online harassment, that’s so different than we think of like a traditional executive 20 years ago, or whatever is, we’re all on this like, same giant social graph. And if you’re the CEO of a huge company, you have a Twitter account, every random like disgruntled customer can just like at-reply to you. And that’s, that’s a very, very different dynamic than we’ve ever seen before in human history effectively.

 

Jodi Daniels  12:00  

And don’t get it Twitter. I mean, it can happen everywhere. That doesn’t really solve it.

 

Justin Daniels  12:09  

I was thinking, I was thinking more along the lines, like when you read on Facebook, if someone makes a personal post, or takes a stand on some political issue, and you just watch the vitriol that gets thrown that person’s way. I mean, it’s like, I don’t really I feel like the social media is the way for people to say things to somebody, they would never say to their face if they were in the room with them. And that, to me, is a

 

Leigh Honeywell  12:33  

psychological distancing effect. It’s pretty widely studied in the in the literature, and it’s, um, I think it’s one of those things that we’re as as a species, we’re engaging in this grand experiment of like, what if we took every silly monkey on this planet and put us all on the same social graph? Our like, puny monkey brains maybe can’t handle being connected to 7 billion other monkeys.

 

Justin Daniels  13:02  

So let’s just try to think this through a little bit from your company’s mission standpoint, and what you do, because obviously, most of us spend a good part of every day at work. So what can we do? Or what or how can we get help in the workplace to handle or try to address this harassment issue that happens, as you say, especially if you work at home, it’s so interrelated. Now, home works right into work, and vice versa? Educate us a little bit about how you help on that, you know, at the

 

Leigh Honeywell  13:33  

workplace. Yeah. So we have a couple of different pieces to what we do, we have a software based product, it’s sort of like a cybersecurity awareness training tool, except it’s focused specifically on people’s personal accounts, instead of like, don’t click that email link in your work inbox and get the company hacked. It’s, here’s how to secure your personal social media, your personal infrastructure, so that that is safe against, you know, whatever attackers that you’re dealing with. We deliver that with an online training. We also provide incident response to back up the app. So you know, you go through the steps in the app to take down your personal data from the data brokers that buy and sell, particularly Americans have the sort of privacy landscape. The legal privacy landscape in the states around some classes of personal information is pretty much the most lax in the world. Obviously, you have this whole ecosystem of companies that just like put your home address online, we help people step through removing that data. We also help people work through securing their personal accounts. So things like your social media, your email, that kind of thing. So when I think through what an employer can do when we work with employers, the biggest thing that we do we deploy our app, we run an online training folks have access to our software, which focuses on the concrete steps that individuals can take to reduce their public footprint of unwanted information about them, as well as to secure their online accounts. So things like your personal Twitter account your personal Facebook, personal emails, it’s, it’s all of the stuff that’s like outside the firewall, it’s not, you know, don’t click on that phishing link and get the company hacked, it’s here’s your personal accounts, and we’re gonna help secure them. 
And one of the things that’s really nice about that focus on personal security is that people are motivated quite differently than when it’s not like, don’t click on the phishing link and get the company hacked. But they still bring those better security practices back into the workplace. So complementing the apps that we’ve built, we do incident response, if an individual within a covered company is targeted by online harassment, we’ll get on the phone with them, we’ll walk them through taking some remediation steps. We also do call center security services where we work one on one with individuals who are particularly high profile within an organization. And so that’s, you know, doing some data scrubbing, removing the Data Broker data and all of that stuff from the person’s sort of public internet presence. Also, just like letting them know, there’s lots of data that we can’t remove, whether it’s like election donation records, certain kinds of property records, sometimes the horse is just out of the barn, you can’t close the door, but giving people situational awareness of what that looks like, and then doing one on one security work with them. Beyond the sort of stuff that we do, other things that companies can do, that organizations can do, having a really strong social media policy that lays clear ground rules for what employees engagement with the outside world, what consequences are going to exist if they like, say crappy things in public, that reflect badly on the company, or maybe you want to take a more sort of libertarian perspective, and hey, if what you say in public doesn’t break the law, we’re gonna stand behind you. It’s not our business, right? There’s, there’s different lines that based on the values of a company they may want to take is like, hey, you know, if you say stuff that is like discriminatory, that’s, you know, we could terminate you versus the like, you know, we’re not, we’re not going to deal with how you interact in public. 
These are different sort of philosophical positions that organizations can choose to take. But being very clear with the employee, what the expectations are, I think that’s, that’s one of the biggest things in terms of one of the classic tactics of online harassment is being like, Oh, I’m mad at Jodi. I mean, it doesn’t work in this case, because it’s your own company. But like, I’m mad at Jodi, I’m gonna like, tag her company’s Twitter to try and get her fired from her company, because she like said something I didn’t like, don’t do that. I mean, you could, you could, I don’t know if it work I might take.

 

Jodi Daniels  17:30  

And I still, you know, I can do that back to you.

 

Leigh Honeywell  17:35  

See, it’s mutually mutually assured. Destruction. I love it. I love it. And I think that it’s funny, because I think there often is this like, people don’t when they don’t know what the rules are, it’s hard to know what your own like, what’s going to go well, what’s not going to go well, and giving people clarity around that, I think is one of the most important steps that an organization can take to, again, set those guardrails so that those that particular it’s just like, it’s such a classic attack that people use when somebody’s like, I remember one, this was back during the Gamergate, like hate campaign in like the mid 2000s. And I told somebody to like screw off on Twitter, because they were sending like nasty messages to me. And as soon as I was like, go, I think it was even scruff, it was Go away, I literally was like, go away to some troll. And he’s like, at Salesforce, does this person really represent your how you want to treat your customers, and I was just like, you were, you were up in my grill, I told you to go, like, I’m allowed to have boundaries at work, anyway, but they didn’t fire me. So that’s fine,

 

Jodi Daniels  18:47  

that that is good to hear. You know, there’s, when a company has to go through a data breach or some type of incident, there’s some high profile people that are names that are a part of this, what do companies and/or those types of people need to be thinking about, so that they’re not the subject of this type of harassment?

 

Leigh Honeywell  19:09  

You know, we there’s a couple of sort of inflection events that tend to be where we engage with customers, often there’s something sort of on the horizon where it’s like, they’re they’ve just raised a bunch of venture capital, or they’re about to go public. Maybe they’re making a policy change in a very public organization that’s going to get some people mad at them. But I think a data breach is another example where, you know, a company has, in some ways screwed up or like has been hacked, something bad has happened. They’re having to notify all of their customers like, hey, we made a mistake, or we got attacked, whatever. And there’s typically going to be someone’s name on that notification. And I think that’s that’s another one of those like, really interesting sort of inflection points where the organization has to decide like, what are what steps are we going to take to protect this person who we’re putting out in the firing line in many ways, but I think there’s you know, there are many situations like that where someone within the company ends up becoming a flashpoint for an unpopular, controversial decision. And thinking about the personal security, both from like a nuts and bolts perspective of like, is this person’s personal Gmail gonna get hacked? As well as from the like, interpersonal sort of sustainability perspective of like, are we throwing this person under the bus? Do they have the like the team around them to make sure that they’re like, both technically and emotionally safe? I think it’s, it’s an interesting problem that people see, I feel like CISOs are often the one to get thrown under the bus. And that’s another another case like that. Where are we thinking about the whole person that we’re putting in the firing line there? Oh,

 

Justin Daniels  20:51  

we like to ask all of our guests this little ditty, which is, do you have a favorite privacy tip you could share with our audience?

 

Leigh Honeywell  21:00  

I think for American listeners, if you haven’t already Googled your name and your home address, it’s pretty creepy. I think the there’s like the direct tip, which is do that. And then consider taking that information down if it’s stuff that you don’t want out there. But I think there’s a meta tip there, too, which is, the fact that it’s that easy to find people’s home addresses is a function of a regulatory failure. And that as individuals, folks need to be advocating for stronger privacy legislation and protections because the combination of that data being super public, and the like, very online world we live in, like, it’s pretty scary. And yeah, so the the direct tip is like Google, your Google your home address, and the indirect one is like advocate for legislative change.

 

Jodi Daniels  21:50  

Those are good tips. So when you are not helping people manage their online profiles. What do you like to do for fun?

 

Leigh Honeywell  21:59  

So I have two cats. They are my first pets. I, we adopted them during the pandemic, and they are delightful little creatures, and I love them very much. So we spent a lot of time with them. And when it’s winter, I spent a lot of time skiing. I was a pretty serious competitive ski racer as a younger person. And now that all of my friends are having kids, I’m getting to teach them how to ski and it’s like the most fun thing in the world. So

 

Jodi Daniels  22:25  

yeah, that sounds really fun. Now, if people would like to connect with you, where should we send them?

 

Leigh Honeywell  22:30  

Um, so Tall Poppy’s Twitter is @tallpoppyHQ. We are tallpoppy.com. I was super stoked when we got the .com. Great. And my Twitter is hypatiadotca. But if you search Twitter for Leigh Honeywell, that’s probably easier to spell.

 

Jodi Daniels  22:47  

Excellent. Well, Leigh, we’re so glad that you joined us today to share all of these great tips and tell us a little bit more about how we can protect ourselves online. And we thank you so much for joining us.

 

Leigh Honeywell  22:58  

Thank you very much and really appreciate the invite

 

Outro  23:05  

Thanks for listening to the She Said Privacy/He Said Security Podcast. If you haven’t already, be sure to click Subscribe to get future episodes and check us out on LinkedIn. See you next time.
