Societies with secrets, security culture and online social media

There’s a post about a new Social Media Code of Conduct for Massachusetts Freemasons [PDF] (HT @Masonictraveller) over at Freemason Information, part of The Beehive series by Fred Milliken. This document is particularly interesting to me because it touches on some issues I think are important; and the reactions to the document are also interesting. (I’m also more amused than I should be that the date on the original document is May 1st, International Workers’ Day, due to the frisson between seemingly oft conservative Freemasons and the ideas of the, frankly quite often more broadly fraternal to my mind, international workers’ movement; and, also because of the connection between the ideas I’m going to talk about and the direct and indirect history of May Day.)

I should also say that I’m intentionally using the term “society with secrets” here to mean not just Freemasonry, but really any group with secrets that is publicly known. Freemasonry is not a secret society, really, after all. But, like everyone sharing a book or movie recommendation who doesn’t want to reveal the important points of the plot, let alone the ending, Freemasonry does have secrets. (I’ve been meaning to write about my thoughts around “society with secrets vs secret societies” for a long time, but, I suppose the fullness of that topic will remain one of my own secrets for now.)


The “code of conduct” document itself offers a number of specific directives about how the Freemasonic Grand Lodge of Massachusetts wishes its members to behave online, not just in social media though that’s what the title suggests is the scope.


“As a Mason, he must be aware that his postings are a permanent record; therefore, his conduct may influence the world with a positive or a negative opinion about him personally and also about any organizations to which he belongs.”

As the librarian of the Hermetic Library, I can say I’ve received email from people several times wishing my help to remove, alter or obfuscate content they wrote that still appears online.

In some cases, people want their names removed. In some cases, people want the content to go away. In others, they want links to archives of their content removed so that Google stops indexing the linked-to archive. In even other cases, people have contacted me to let me know they’ve removed previously written content from their site due to a new role they’ve taken in which those comments aren’t now appropriate, as if the whole of one’s history is merely, and must conform with, the current accidents of the moment (which ironically requires history to constantly be changed to make an illusion). In some cases, it’s clear that the person contacting me is embarrassed by something they’ve written in the past and wants to distance themselves from that; which motive I personally find revolting and pathetic and deceitful. In other cases, the motives are more or less clean, such as needing to manage how others might use past writing as a weapon, how others might twist and misrepresent the past to impugn the present person. (You might, or not, be surprised at how much vitriol and willful harassment there is out there, sometimes hidden in back channels and sometimes not, in which cases managing access to one’s information becomes important as a defensive measure against evil, unscrupulous or stalker-y people.) So, there’s a whole gamut of reasons why people seem to want their previous work forgotten.

Interestingly, there may seem a serious disconnect in my own views on this matter. For example, I am viciously adamant about my own right to remove content from services like Facebook, but I am relatively laissez-faire about my content being permanently on display in various revisions at the Wayback Machine. Of course, the primary difference is that Facebook, and corporations like it purporting to offer a service, are in fact constantly and expansively trying to enclose and encumber not just the works of our minds but every hour of our lives in order to control and monetize both; and to that my resistance is very consistent and internally consistent.


“Do not identify any Freemason as a member of the Craft unless he has provided his consent, or has already identified himself as such.”

Another of the points in this code of conduct is not to reveal the identity of a member unless they’ve already done so. This point is a big one for many sub-cultures, and is an important one. “Outing” another person is a serious breach of security and etiquette. But, it should also be considered a serious breach to reveal information about not just the identity but also the location and activities of another member, especially to strangers. (This point is a hint at why personally I almost universally refuse to broadcast my future whereabouts or add instant, or even relatively contemporaneous, geolocation data to my content. I also do not participate in any service which is either dedicated to showing my instant location data or where I cannot hide that, even from “friends”, even so far as to eschew instant messaging services in favour of asynchronous email.)

Anyone with any IT security experience should be able to share strong reasons not to succumb to social engineering, revealing important details to not only strangers but even well-known people who should not have some bits of information. Anyone who’s worked in retail or the service industry should be able to confirm how dangerous it can be to reveal personal information or work schedules of co-workers, both about their time at work and their time away from work. Loose lips not only sink ships and breach internal security, but lead to things like stalking and other antisocial behaviour.

I can hardly begin to tell you the times I’ve gotten strange looks and had eyes rolled at me when I’ve tried to educate people about the dangers and dimwittedness of revealing information about not only others but about themselves to strangers. I cannot count on my fingers the number of times I’ve tried to shush someone who’s speaking on the phone to some random stranger who’s just called and to whom they are revealing all kinds of privileged information about someone else’s schedule and whereabouts … It’s just shocking and disheartening to have people I know, or moreover people I’ve cared about, be so dumb about such things. Really, the Pavlovian desperation to respond most people have to phone and electronic communications, and moreover the ease with which most people reveal information (passwords, account information or even just random particulars) to some unknown person as if merely by being on the phone or online imbues some Milgram-like authority, is something both breathtaking and bizarre to me.

Developing security culture is not just about the security of groups, but is also protecting individuals. I hope those people prone to such information breaches are never in the situation where they learn the hard way by ending up pursued by a stalker, pursued by someone so mentally stunted or backward that they cannot understand the meaning of “no” or even the basic social contract of consent, and then to have information about their activities and whereabouts revealed by themselves or others simply because they didn’t know better. And if that ever happens I hope that nothing seriously harmful happens as a consequence other than learning to be more careful next time, though so many worse things are possible.

Just one more story, of any number of others, about this: At one of the really big Occupy marches in Portland, OR, I have to tell you I cringed every time someone yelled out another person’s name to get their attention. Really? Serious protest foul, that, people!

But, really, the lack of awareness about security culture is a symptom of not having one in the first place. How’s that for a tautology? No, seriously, the adoption of a general security culture could be helped by having serious security culture in subcultural groups, and thus pushing out the wave of adoption by having smaller groups educate and inform their members who then end up bringing that awareness to larger groups and the overall culture in which they each participate. (So, now that you’ve read this, go and find out more so I can pretend I’ve been effective in widening the general awareness of security culture …)


The commentary in the post itself, and the comments by readers to that post, over at Freemason Information are interesting to me as well. Primarily the reaction is focused on how some of the points in the code of conduct are just common sense ideas about protocol and etiquette, but there’s also a perception that the code of conduct is an overreaching attempt to control the actions of members. I think this code of conduct document, while not perfect, seems to me a good first step toward building a meaningful and reasonable security culture. The worth of that, at the very least, is as a catalyst to considering and talking about meaningful and reasonable security culture for any subcultural group of people, whether that’s in, to name a few, a fraternal organization, social club, workplace, or, yes, even in one’s own home environment. But, recognizing that such ideas can be seen as unreasonable attempts to control behaviour suggests how important it is to reveal and share the reasoning behind them, and the reasons why they are being suggested.


There’s a lot of useful thinking and writing that’s been done on creating security culture, and this post is merely a few initial words on the topic. I wrote a setup document for GnuPG, aimed at members of a society with secrets in which I am involved which has a mandate for the use of encryption which is not supported by a culture in which use of encryption is easy for non-technical users or even has much use in spite of the mandate. In that document I tried to include some background and links to further information about security culture, by way of saying how important it is to at least think about such things in any social group with secrets. In the same way that the encryption requirement by the US Grand Lodge of Ordo Templi Orientis is essentially and largely mooted by the apparent lack of implementation among the membership, the Grand Lodge of Massachusetts has started down a pretty slippery slope of creating mandated behaviour and requirements that it cannot hope to maintain ahead of breaches of conduct, but rather only after the fact in selective punishment against those who happen to get caught. Without a security culture, these rules are mostly meaningless as far as stopping behaviours from happening and are really only rubrics that can be used to evaluate behaviours that have already occurred. In other words, it seems to me, these kinds of guidelines need to be part of a program of proactive education instead of taken as proscriptive measures to control behaviour, and where they are merely the latter they should be transformed into the former. Guidelines like these need to create a culture in the implementation, not create criminals in the breach.

But really, I think the exposure to the ideas of, and how to create, security culture can offer an essential and necessary set of skills for people in this modern day information age to understand and implement the many overlapping circles of information scope in our lives. (Just as I believe thinking about and deconstructing propaganda models and theory offer essential skills for resisting the influence of not just canonical propaganda but also in resisting the influence of pervasive and invasive marketing and advertising in this Western culture.)

For a general primer, I’d encourage you to check out a few documents which stand out in my memory as good initial surveys: Towards a Collective Security Culture, Affinity Groups and Why do you need PGP?.

For further reading, you may be interested in Activism and Security Culture, Security Culture, and Security Culture. Beyond those, I commend you to your favourite search engine for further study.

As a last note, I can’t help but suggest and recommend two works, in no small part because these two are on the list of works that appear in my own thoughts consistently, which I think connect to this post and the broader subject of resistance culture. First, both for the history of the resistance of but also the resistance to the international labor movement, I’d like to suggest an excellent history of the Industrial Workers of the World, The Wobblies: The Story of the IWW and Syndicalism in the United States by Patrick Renshaw. And, secondly, for the history and role of Freemasonry in the resistance culture of colonial and early American periods of United States history, Revolutionary Brotherhood: Freemasonry and the Transformation of the American Social Order, 1730-1840 by Steven C. Bullock.