#dogwhistles are hard when your workbook comes from three generations back lol
Oh, also, I really hope that this point isn't news to anyone, but if you don't already have a basic understanding of what it means to develop information security, now is the fucking time.
Critically, I want to see people being responsible in how they interact with:
A) the dissemination of information and the correction or disruption of misinformation
B) privacy related or personal data (of themselves, but ESPECIALLY of others who you could unknowingly harm)
C) pictures and visual media
D) your bodies: not a good time to start leaving traces of yourself where they shouldn't be, e.g. blood, saliva, etc
E) triangulatory/tangential information (you know that guy who can tell where you are by the weather descriptions? That's an extreme example very few people can pull off, but you'd be horrified how little info I need about someone to correctly interpret whole sections of their personal history and data)
F) other people. If you have never formally done so, find a conflict resolution/group facilitation class with a local organizing group or community college. Start learning what healthy boundaries (flexible, but neither porous nor rigid) look like for you. Pick a communication style to cultivate so you can be consistent in how you navigate stressful moments. Figure out what it means to you to share space with others with intention. (And yes, there is no one way to do this, but every one of us will need to find our most secure version, whatever that is, ESPECIALLY those of us who are already vulnerable here due to past trauma, neurotype, TBI, healthcare/wellbeing needs, etc)
I'm a really open book in a lot of ways, and yall might rightly look at that and go "butts you're one to talk about infosec"
And yeah. Yeah. But like.
I know what you know. I made those choices on purpose or at the very least addressed the aftermath of the accidents with intention. I also know what I did to be protective of myself and my info, and you don't know those things. You should know how to do them for yourself though, because it will help you understand why I can have done what I've done over the years and still say this now.
It matters what people know. It matters how easy that knowledge is to revisit. It matters how much of that knowledge is hearsay vs documented and verifiable. It matters what contrary information is ALSO known. It matters what interconnected information about OTHER PEOPLE is known. It matters when you haven't said anything at all versus when you said a bit versus when you said a LOT. It matters when you say a lot without saying anything at all.
Information gathering is about putting together puzzle pieces. It's slow work, and it involves a massive amount of resources to do comprehensively and at scale. Information security is about making the gathering process not worth the investment such that the gatherers give up before they are able to put together enough pieces to do real damage. This is what "need to know" means.
For example, in a healthcare practice, it is a HIPAA requirement that access to protected patient info be limited to those who have a clinically relevant reason for accessing it. This means that certain system credentials or permissions will reveal varying amounts of protected information about a person. While one MIGHT be able to put together enough puzzle pieces for certain minor information gathering from early stages (e.g. where someone will be at the specific time of their appt), one likely cannot identify deeper and more vulnerable levels of information (who is the appt with and what is it for?).
This kind of layered buffer is most important when people who AREN'T PERMITTED (permitted as in able to do without effective correction/consequence, not permitted as in legally or appropriately authorized to do) to access this info are trying to access it. If someone is permitted (e.g. if a person with the appropriate credentials/access permission discloses it voluntarily or if a subpoena is ordered, etc) then the level of access is less protective - they will typically simply access the level of info they need if they will be permitted to.
But there are further layers still of information security. For example, you can tie up a LOT of time forcing authorized bodies to refresh and specify their authorization over and over again, each time appropriately only providing the exact level of disclosure they have required of you. The more specific the information they are looking for, the easier it is to bury so deep down that they literally cannot access it even if they are looking right at it.
I was taught to write documentation "like at any time it could be read out by the patient in front of you, or by another provider asking us to justify a treatment, or in open court by order of a judge". For a year, my supervisor had me write four copies of every piece of documentation I ever made: my personal copy (burned upon completion of the billable note), my "soft note" that removed all protected/identifiable information from the narrative (e.g. names, ages, genders, specific diagnoses/conditions), my "hard note" (which removed anything "hearsay" which had been self-reported by the patient unless I could professionally verify it), and lastly my billable note which I understood needed to offer "detailed justification" for the used (and named) interventions which cannot be used to work backwards and interpret the originating care conversation.
The only note that ever gets read by anyone but myself is the billable, because the others are never retained long enough to be seen by others, even if they do have the appropriate access. It becomes very difficult for someone to use the hard data they are capable of getting from me, voluntarily or by force, to actually confirm context. This is a similar principle when organizers compartmentalize need-to-know information.
So start learning what it looks like to cordon off each layer of infosec you're about to implement in your life. What it will look like to grant someone access to a new layer.
Be responsible. We protect us.