Re: Communication and enforcement of DEFCON photo policy

Specifically addressing the "7000+ images on facebook" -- a majority if not all of these were done by official DEF CON volunteers. My experience with these specific volunteers, is they asked permission before taking video, and were polite with their interaction with attendees.

Now, as for policies... This has come up several times before and has been revised.

Here is a discussion from 2011 on this:

Press/Photos/Video restrictions


This post from Nikita describes some legal issues in trying to impose a policy on attendees:
Does DEF CON take place in a "public space" ?

Is DEF CON equivalent to events like concerts, movie theaters, plays, where "intellectual property" is on display, and are these events which require payment to attend really "publc events" or "private events"?

What options are available if a photo-policy of denying still or video without permission is implemented:
* What can be done when there is suspicion of this? Can we legally place our hands on a person, take a person's tech, search it, and if we find evidence of images or video having been taken without permission, can we yank their badge? Would a refund be required?
* Even if we can, is this what we want to do?

With reductions in size of tech, and equipment like "Google Glass" , wearable tech, hidden cameras, and fast media with lots of storage space, it would be very easy to record images or video without being obvious about it; Is that person really on a cell-phone call, or are they recording video while they hold it up to their ear? That camera lens on their phone, sticking out their pocket... is it recording video?

Should "the media" (Press) have different rules from "Humans" and if so, why would anyone sign up for a Press badge, if they have more access as a Human?

From my view, the official DEF CON video/image crew asks permission to take images of people. This is my own observation, not a statement of policy.


The history of photography and video at DEF CON has been complex, and changes.

I am not in charge of any of these policies. The only thing I control are contributions to services like on these forums.

None of what I type above is an indication of what the present policy is, but it meant to provide links to history and discussions about this with issues described, and some past decisions mentioned.

If you have new ideas on what you think should be a policy, please provide your ideas with descriptions on how to implement them and balance legal concerns, with privacy, and freedom to take pictures in public spaces.

in 2011, this was the last post on this policy from DT:

POST: Policy posted by DT in 2011

New ideas for discussion are welcome. For your ideas to have the best chance at being considered, include as much as you can on how to implement your ideas, and address concerns mentioned in that thread cited above.

Hope this helps.

Good luck!
-Cot

Re: Communication and enforcement of DEFCON photo policy

Cot, thanks for your post, it's helpful and well referenced as usual :-)

I don't doubt that these volunteers are well intentioned, polite, and are sensitive to the issues discussed here. Many of the pictures are of folks on stage, or otherwise in positions where they were obviously OK witih being photographed, which is cool. However, there are also lots of crowd shots (not from behind), hallway shots, and situations where I find it hard to believe that everyone recognizable in the picture was queried for permission. I'm not trying to vilify the photographers -- they're just trying to contribute to the community in their way. I'm trying to show evidence/examples of what my point is. In my opinion, some of these photos show that overall, most folks don't put much stock in the photography rules. I'd love to hear from folks (like the photographers) if I'm wrong here.

However, I think the bigger issue here (or maybe the cause of what I view as a problem) is a lack of consistency and communication in what the official policy actually *is*. Read on for more...

Yeah, I have read the previous discussions before, and I just went back and re-read the thread you mentioned. In order to keep my post on point, I'm going to skip the debate about what I think the policy *should* be, public vs. private spaces, difficulty of enforcement, etc. (at least for now). Rather, let's look at the rules that were in that post:

Then, as you pointed out, DT modified the rules to be the following, in this post:

This seems mostly consistent with the policy found on last year's Press page, which I referenced before:

So, it seems like the official policy for DC21 (I'd call this "the current policy" until it's communicated otherwise) was like it was in the "good old days" -- explicit permission was required from those included in the shot, no crowd/hallway shots were allowed (unless from behind or folks were given the chance to exclude themselves). Applied equally to press and attendees.

I am actually happy with this policy as written, but I suspect many folks would be surprised to read that that was the actual policy in force at DC21. Hence, my issue -- I think the photo policy message is not consistently communicated from management. There seems to be widespread belief that this policy was changed some years ago to the "photography generally allowed" policy, which as far as I can tell, it wasn't (or if it was, it was since switched back). And when I posed the question to a security goon at DC21, I understood that he and his management were unable to obtain clear direction on what to do in the situation I had just encountered -- a film crew shooting the hallway. I understood his meaning to be that they didn't know what the *policy was supposed to be*, rather than a lack of direction on how or whether to enforce it. If the security goons don't know the policy when an attendee asks, I consider that a management communication problem. (Maybe it was the case of miscommunication to one goon, but that's not the sense I get from talking about this informally with folks in the community.)

I'm sorry if my first post seemed like I was trying to engage in a debate about what the policy should be (maybe I had that in mind too, but it was secondary). Really, I want to know what the policy actually is, and then (depending on that answer), point out that it is not being consistently communicated. I think there are enforcement problems too, but we (the community, goons, press, etc.) have to know what the policy is before we can evaluate how well it's being enforced. (Again, I realize enforcement is problematic and imperfect, but I think that currently we don't even know what to strive to enforce, if anything.)

Can others contribute what their current understanding of the photo policy is (at least what you thought it was before reading this post)? Did you think it was the "permission required, no group/hallway shots" type or the "do what you want but don't be a dick" type?

- hinge

Re: Communication and enforcement of DEFCON photo policy

You are welcome. I read your post, and will not include a quoted copy of it here. (Not going to reply to any specifics in this latest post.)

I've asked others if they could include the present photo policy in something like that DEF CON FAQ
https://www.defcon.org/html/links/dc-faq/dc-faq.html

There is no guarantee that they will reply here, but if I hear it has been published, I'll try to include a link to it here.

Everyone else is welcome to discuss this, and state your opinion on policy and what should happen.

Thanks for starting this discussion, and good luck!
-Cot

Re: Communication and enforcement of DEFCON photo policy

Things of issue before with photographic policies:
* Inconsistent rules: Humans vs. Press, differences open door to exploitation.
* "Special exceptions": some contests, or rooms that "Human Badges" allowed people to enter had their own rules on photography
* "Special exceptions": some talks have had special exceptions (the last time I remember this happening was 10+ years ago)
* How can it be enforced?
* What "should" the penalty be?
* How can it be detected?
* When a claim is made, is the claim enough to punish? This can be exploited by people making false claims to have "punishment" applied to targets they do not like.
* Who would enforce this?
* What course of actions should a human take if they find a case of abuse?
* Are there cases, where permission is not required? (People on stage? backs of people's heads (no faces)? People giving talks in any village? Demos at a table in a village? Demos at a table in a chill-out space? All spaces "outside" the DEF CON badge checkpoints, and DEF CON "jurisdiction" like the line where people gather to buy DEF CON badges, hotel room hallways, hall to Penn and Teller theater?

Some things to consider...
SkyTalks invites people to speak on topics that are meant to be in the older style, with a promise that "none of the presentation will be recorded." An open recording policy could "scare off" some speakers in the SkyTalks forum.
CTF had a long history of "no photography" for many reasons. Some: "avoid team vs. team spying" and "contestants might be scared away if images of them were to be taken and distributed on the Internet as participating"

This is a complex issue, and nearly everyone has an opinion on it. Do you know of other issues, or reasons to support one idea or attack another idea?

Please provide your thoughts on this, and what you think the policy should be, and why.

Also, how would you enforce what you think should be the policy, and what penalty should exist?

Re: Communication and enforcement of DEFCON photo policy

So this is an area of particular interest to me. I am a previous violator of these policies... I have to admit it's usually cause I'm hammered and not thinking straight. That said, it's certainly not an excuse and I am actually quite regretful for ever taking photos without prior consent... or even post consent. Because of this I've experienced an evolution of thought on this subject over the years.

DEFCON is like family. And if someone in my family has a requirement or request for privacy, then I think that should be strongly protected. Because I want my family happy, I want my family to feel safe. With this said I think there are several layers of responsibility in this matter.

For the sake of the following I assume all attendees be it goon, press, human, or fed, to be equally liable on the corresponding ways.

1) The individual "victim" responsibility - please keep in mind, no one is likely suffering PTSD over a photo being taken, so when I say "victim" it is in the lightest possible way. I point this out because this is the "blame the victim" responsibility. As we know forming a trust relationship with others is likely to expose you to exploitation. Especially if the trust is only implied, i.e. as it is with strangers. It is your responsibility as an individual to protect yourself. e.g. last year I spent the vast majority of the con with my face covered by a red bandanna (and top hat). When I say it your responsibility as an individual, I do not mean that you have to go to the extent of obscuring your face like I did (which astcell still managed to snap some photos of me with the bandanna down anyway without me noticing until after the photos were up on the internet). But to maintain a degree of vigilance in concerns to your surroundings, did you see someone peg you in a photo? Is it worth asking them? It is? Then why are you still sitting here thinking about it, go and do it and make your intention made.

2) The community - in order for an individual to be able to successfully make a request to remove a photo, they must have policy support AND policy education. In these scenarios there should be policy in place with enough bite to assist an individual in discreetly and privately managing the resolution of their complaint in a polite manner. In the event they can not reach a resolution, DC management or security should have the ability to enforce a penalty on a non-compliant attendee. Because their are so often new comers, 50% or more, I believe that the policy allow for some leniency. But multiple complaints should definitely be able to allow for removal from the con.

3) The assailant responsibility - cameras should likely not be brandished into crowds at DEFCON. Prior policy seems to strongly support this. With this in mind, the individual responsibility (see above) is to remain vigilant to the naturally altering threat scape of photography. The community responsibility is to support the individual in the event a complaint is registered. And finally the assailant responsibility is to be prepared to defend themselves from allegations. If you want to snap a photo, be prepared to prove that individuals in the photo are all consenting. This means you must, by using your device publicly, be willing to share the contents of your device publicly. Especially if you're going to make a "public place" claim, then you should be willing to consider your private intellectual property (IP) of a "public place" to actually be private IP with public extensions to use, namely in the ability to at least review the content of the IP. By sharing your photos of a public place with interested parties should be met with compliance (as part of the policy) and the failure to do so should qualify, harshly, as grounds for removal. This responsibility ensures that the individual responsibility can be met by an individual and may be enforced by the community. This means you might want to leave the SD card with the nudes of the misses at home. Or carry an SD card fully of goatse so trolling random complaints who are insistent on viewing the full card can get what's coming. ;-)

Do I think people should be thrown out willie-nillie? Of course not.

Can this be strongly enforced by a single goon? Probably shouldn't be, to help mitigate abuse cases.

Perhaps we want to form a tribunal system where public opinion on a case by case basis may be levied on stage publicly and a panel of judges (who will probably be terrible at their jobs) doles out a series of harsh/semiharsh punishments to attendees willing to relinquish themselves to the "court?" Bust a deal face the wheel. Be spanked on stage, slapped in the face by a fresh salmon, submitted to yoddling in a sound proof box. And now the response to the question is probably just too long and I'm rambling a bit too much.

Basic idea, people should have the capacity to make a take down request with a reasonable expectation of compliance. This reasonable expectation should be backed by the community via policy & penalty and willingness to enact a take down request on behalf of individuals who may not have had the ability to they themselves make the request (in the case of an individual not knowing their photo has been taken). And the individual who is wielding the device in question should be aware that by using their device they may be subject to random requests, valid or not, and be prepared to validate or invalidated those claims based on evidence they can present (i.e. the photo(s) in question) and be placed in a position of accepting removal from the con after repeat violations or otherwise resolving the issue by publicly reaching compliance with policy (by consent, or removal of offending material).

Edit: I know it sounds like a such a pipe dream. But people should be made aware of their rights to privacy at con.... I mean if ever there was a place where privacy should be at the forefront of every individuals mind, it's DEFCON.

Re: Communication and enforcement of DEFCON photo policy

If there was a policy that "taking pictures everywhere a Human Badge can take you except as noted outside the door to certain rooms" would that work for people?

What if the method for notifying people of rooms where taking pictures is not allowed is part of a sign outside the room?

For example, imagine "SkyTalks" had the sign out front announcing "SkyTalks" and at the bottom, an image or icon showing "no photographs", "no video recording", "no audio recording" ? How prominent should these icons be? Should there be other signs?

Also, *private* parties -- parties that your DEF CON Human badge alone won't give you access, would have their own policies and methods to enforce them. Private parties are not controlled by DEF CON.

CTF and SkyTalks each have recently had their own rooms, and might be able to take advantage of a "per-room" rule.

Thoughts? Comments?

Re: Communication and enforcement of DEFCON photo policy

Replying to a couple different things here...

At the risk of harping, I think there is one important thing missing from your list. It is:

* Lack of consistent and effective communication of the photo policy -- most other points are moot if different people have differing understandings of what the rules are supposed to be

This is the issue that bugs me the most, even if I disagree with the content of the policy. I present as evidence my quest (outlined in previous posts) to determine which photo policy was in force during DC21. I claim that my quest was unsuccessful, since I still don't know what policy management intended to have in place.

As for the policy content, frankly, I don't see what the problem is with the "old style" rules. Photography forbidden without permission, crowd shots only from behind, that sort of thing. It seems pretty easy to communicate (sign with a camera inside a red circle/slash*: "before taking a photo of people, please obtain their permission", with more details in smaller print for those that are interested). Put up a few of these near the entrance and on the registration line. Of course it's imperfect and enforcement will not be universal and it doesn't cover all cases (what does?), but at least then the community has some clear rules that can be "socialized" around, and folks that are passionate about not being photographed have something to support them. On this topic, I think that catatonicprime presented some good ideas (although probably too detailed and onerous in direct implementation, the spirit is there, especially around shared responsibilities from folks in different roles).

* - I just learned that what I call the red circle/slash is more properly termed the ISO 3864-1 prohibition sign. At least I learned that today.

If something like this were done, I think signs inside the room are recommended, in addition to the ones at the door (it's easy to miss a sign when you're walking in). A camera inside a red circle/slash and "no photos or other recording" would be pretty clear. Hell, print the same thing in black and white on regular paper for the few signs inside the room (cheap and easy) and that is certainly better than nothing, if one is trying to set an expectation for that space.

To answer some of the other points that Cot lists, I propose the same rule for humans and press (I see no reason the rules should be different), if certain rooms want a different policy it is their responsibility to post/communiate it, enforcement is like any other prohibited behavior (member of the community politely reminds the offender of the policy, escalation to goons when necessary).

As for private spaces (whether it's a private party or my hotel room), I hope that it's clear the "proprietor" of the space retains the right to set their own photo policies, just like they can decide who gets in and who doesn't. Same as any other private space outside of Defcon, from my perspective. For example, the only pictures allowed in my hotel room are those of my hairy ass.

Lastly, I'd like to address one of the comments from the Twitter thread (is that even the right word?) on this:

https://twitter.com/TCMBC/status/429342822521524224

Joey @l0stkn0wledge said "it's hilarious because the casino has videos/pictures of all of us from a thousand angles."

I think Joey misunderstands the old Defcon photo policy and the reasons for it. Everyone realizes that government and casino survaillence is ubiquitous in Vegas, whether we like it or not. But the risks from this are very different than the risks from press and attendees taking pictures/recordings at the event. Government and casino recordings are very, very unlikely* to be made public, whereas photos taken by press are probably intended to be seen far and wide, and attendee pictures fall somewhere in the middle. It's all about the likely audience for the picture/video/audio.

* - I suppose if you were standing in the frame when a significant crime was committed, and the cops needed help finding the perpetrator, the video/photo could be made public. So it is possible, just very very unlikely.

One of the original reasons for the old restrictive Defcon photo policy was that some folks would get in trouble with their employers for attending Defcon (this used to be a scary underground hacker con, rife with criminals, remember). Your employer is unlikely to see the casino's video tapes, but they might see you in press coverage of the event, or in a picture on pics.defcon.org or on Facebook (or however attendees like to share their personal pictures). This concern is certainly less than it used to be (since Defcon is more mainstream now), but I suspect there are still some employers like this even today. Not everyone is enlightened about infosec, and many folks still remain frightened of those nasty hackers. Some employers still have policies about not attending work-paid-for events in Vegas, or about proximity of alcohol to work events, etc. Maybe you wouldn't mind if someone posted a picture to Twitter (with the hashtags #hacker #working at #defcon) of you, wearing an "I hack charities" shirt and drinking a beer. Maybe your employer wouldn't be bothered by having paid for that trip. But I suspect not everyone is in that boat, even today.

Other reasons were more specific to presenters; remember that legal threats and arrests have happened at Defcon. Cameras with "evidence" on them are just more things for the spooks to subpoena/sieze and use against people. Some folks were trying for anonymity, although that's pretty tough to achieve today. I could be wrong about this, but I think that there are not casino cameras in all of the talk rooms even today (maybe in the larger ones, but not smaller ones like Skytalks use?).

Of course, another reason is just that many infosec/hacker types are simply "passionate about personal privacy", as stated on the DC21 Press Page. Maybe someone doesn't want to end up on the Defcon photo feed _just because they don't want to_. I happen to think such a wish should be respected, although I realize I'm swimming upstream against most of society here.

Anyway, hopefully that helps explain some of the reasons for discussion about the policy (for Joey and others with similar perspectives). Government/casino surveillance != press/human photogs.

Re: Communication and enforcement of DEFCON photo policy

I tried to address that in this post, above:

In this way, it is not a question to be answered here, in this thread; it is something I started as a request when talking to those that set policies for DEF CON. I tried to focus on things that could change opinions among decision-makers, or encourage new solutions to identified problems.

This is a mistake on my part, in failing to communicate who the "others" were in my post. The implication that others would be people able to set a policy is not as strongly tied as an explicit statement. To be explicit, the "others" mentioned are people that organize DEF CON, and can set policies for departments.

Even if you (individual) know this, one or more readers finding this thread may need this explanation.

"Can't we all just get along?" is a desire by many, but implementation of systems to encourage a desired behavior or discourage an undesired behavior are difficult.

In any system of laws or rules several things should be considered:
1) Can we consistently recognize a rule is being broken? If it is trivial for people to avoid being recognized as breaking a rule, why have the rule? (rhetorical)
2) What is sufficient proof to "convict" someone, and can the minimum proof be leveraged by "evil doers" by making false claims against innocent victims to punish them?
3) What can we legally do to investigate? Can we legally search someone? Lay hands upon them, and hold them down? Gain access to all storage media? Then, even if we find this activity is *legal* is this something "we" (attendees and people contributing to running DEF CON) would want to do? (Even if legal, I am betting it is not something we would want to do... it is not something I would want to do.)
4) What is the penalty for being caught and found "guilty" of violation of a "law" (or rule)?

These are all important points, which address the question of, "why can't we just go back to the old policies?"

If there is no penalty, will a hacker "obey" just because "someone says so?"
If we can't legally investigate (unable), or we find the act of violating a person's privacy so distasteful as to not be willing to investigate (unwilling), we can't arrive at a minimum threshold to find the accused "guilty".
If the requirements for proof are too high, then people can't be penalized, and if too low, can be abused by Social Engineers to apply $penalty to $innocent_accused_of_breaking_rule.
And last, if people are using "hidden cameras" and/or cameras so small, or well placed as to not be identified as functional, how can we begin to suspect that someone using these methods is violating the rule?

All of these points demonstrate how any policy discouraging taking video or images without permission as troublesome or useless.

The above text are why I tried to ask for suggestions on these points, to see if there any solutions that would allow for "no photo" zones?

In addition, if we are able to resolve those issues, then we have the question of how to inform attendees of these zones. (Thanks for contributing ideas about how to ID such spaces....)

These are good suggestions, and have previously been included as ways to ID spaces designated, "no photo zones," if a policy afforded us such zones.

Yes, but without a penalty, and some of the other issues resolved, we could have a useless policy that means no consequences when violated, or maybe something we can't prove.

Example: A goon sees someone hold a device to their face, a light on the device flash, and the device even makes a noise like a camera. Proof that a picture was really taken is on the device, if it exists. Were they pretending? Were they trolling security? Can we take the device and inspect it? Do we want to? (This would feel, to me, like jack-boot thug-style oppression, kind of the opposite direction I'd expect from people that value free expression, and something that I think our younger selves would find even more disgusting than we do now.)

Do we ask for the device, and failure to deliver means they lose their badge and are banned?
If this is the policy, can "we" be co-opted by LEO with search warrant, and be compelled to do this to people they believe have tech worth examining?
I don't think "we" (attendees and volunteers) want to open any door related to looking at the contents of media for "proof."

I am not saying that this is what would be needed, either, or is the ONLY way to resolve this. It is meant to illustrate some of the complex problems associated with this part of this policy. There are probably other solutions.

When DEF CON was a smaller collective with a large majority of people enjoying privacy, it was easy to have an unwritten policy and social etiquette for not taking pictures without permission. Some people in the early days faced a possible risk of a "free toss-in-the-pool service" by those willing and able to provide it, or worse. Now? The hotel is just as likely to kick/ban all parties involved in an incident (victim and aggressors) , or get LVPD involved, and risk a need for parties to go to court or spend DEF CON weekend in jail. Best case? DEF CON Security Goons settle the problem before hotel security gets there. This becomes even worse when you (generic "you" as in, "anyone reading this") know that in the past a DEF CON hotel/casino has banned people from being on their property for an incident, even though they were not banned from DEF CON -- this meant they were banned from legally attending future DEF CON at that property, and if they were caught violating this, risk criminal prosecution by the hotel for trespassing. In one case, when this happened, *some* of the *victims* of an incident were finally able to get unbanned by the hotel after a lot of work by some goons talking to the hotel.

I did comment about private events outside of DEF CON having their own rules, because if/when there is a published policy, I also know some "special flower" will assume the policy applies everywhere, and the complain in social media when someone at a private party took away their camera/phone and slagged it. Comments about private events outside of DEF CON could also appear in the DEF CON policy, as would spaces outside of DEF CON, where badges are not required, like where people go to buy badges, or the stretch of hallway from the main DEF CON area and the P&T theater. I asked if these kinds of things could be addressed in the policy/FAQ, to avoid drama at DEF CON.

The *Unofficial* DEF CON Shoot is a great example of this, with their own policies on photography and video. They make it easy for people to quickly announce their level of privacy, and for *respectful* people with cameras to honor the requests of people at this event. (Historically, special tape over shirt as "X" means, "do not video/photopgraph me" and a single "/" means "ok to photo/video me, but only for private use, no social networks or on public networks" and "nothing" means "ok to video/photo me for social media or other things." (This system may change designation, implementation or not be 100% accurate. If Deviant Ollam correct it or revises it, follow his advice, as this is an event that he runs. My comments are from memory.)

It is good and useful information for people to put the rule and policy discussion into context, and educate people on scope of content in images or video depending on the entity that captured them.

I've passed on ideas discussed in this thread to the "others" (mentioned above) responsible for setting policies. Thanks to all people here and on twitter for their contributions to this discussion.

I think the others are really close to a policy decision. There were some alternate solutions being investigated by some of these others. If/when there is a policy, what kinds of questions would "you" want to have answered in a FAQ for it? ("You" meaning anyone reading this.)



-Cot

Re: Communication and enforcement of DEFCON photo policy

Ah, now I'm picking up what you were laying down. I had read that, but didn't put it together that this was a method to address that concern. I get it now, thanks.

If there is a revision or restatement of the photo policy from the organizers, my suggestion is that it make the FAQ, but also the Press Page (since it's likely to be relevant to them) and that it be communicated out to the departments for dissemination, notably security goons and info booth types, so everyone is on the same page. I state this not to you, Cot, but to any organizers that might be following this informative and entertaining thread.

If that's your worst mistake of the day, I'd say that's a pretty awesome day :-) For the record, I realized who the "others" were, I just didn't get that this was a way to address my concern. Got it now.

I guess I'm coming at this from a different angle, which some might think is impractical or pie-in-the-sky. I figure that if we set an expectation (that photography is restricted), and communicate it clearly, *most* people will do their best to respect it. Certainly, some will not. But my sense is that this will result in less "unauthorized" pictures being taken, which is what such a policy would be aiming for. How do we deal with those people that don't behave as requested/expected? Because this isn't a safety critical issue, I'd say that folks in the community should politely remind the offender of the rule and request compliance. Assistance of security goons could be requested if folks throught it necessary. However, due to the non-critical nature of this issue, I wouldn't expect anything more than the goons calling the person out and letting folks in the area know they are being a duchebag. Inspection of devices, getting kicked out of the con? No thanks. As in many other aspects of life, sometimes assholes get away with things; the cost to prevent or punish these behaviors is often just not worth it. (This is annoying, of course, since assholes end up being able to exploit this condition and us non-assholes have to wait in line like everybody else. But I believe generally in karma -- assholes attract other assholes and they can all be crappy together.)

Also, with all of the detailed questions of detection and enforcement that Cot brings up, are we trying to solve something that isn't really a problem? This is a real question, since I don't know, but my sense (supported by nothing concrete) is that we are. Back when there was a more restrictive photo policy, were there a lot of violations that had to be dealt with formally, or were there just a few cases that had to be dealt with as one-offs anyway? (Meaning they would be dealt with as one-offs regarless of a formal policy/method.) I realize the community has changed over time, but I'm still not convinced we need to outline this level of detection and enforcement detail in an effort to cover what might be a small number of violations that would ever rise to that level.

In trying to think of a parallel, I came up with the "no food or drink allowed" rules that some places have, like libraries or theaters. These are sometimes fully or semi-public places, sometimes private venues. The desired outcome of the rule is that people make less of a mess with food and drink, or maybe don't disturb other patrons with their wrappers and crunching. (I'm not talking about rules prohibiting *outside* food and drink, I mean ones in places that just don't want any eating/drinking in certain areas.) How are these enforced? Often, they are not, although I suppose if you were being obnoxious about it something might happen. And yet I'd bet they still result in less spills and messes.

All that said, I'll take a stab at this list from my "can't we all just get along" world of ponies and rainbows:

1. We can recognize most cases of people who are simply ignorant of the rule, since they're likely to be taking pictures obviously and in the open. I happen to think most violators would fall into this category. I have seen anecdotes on these forums from folks (maybe Deviant and others?) who took pictures years ago out of ignorance or for other well-intentioned reasons that they now state were ill-advised (or at least that they wouldn't do the same thing again). I'm sure I've found myself in that same boat on various topics. A gentle reminder might have helped me out.

Folks who know they are breaking a rule and so are making detection difficult will probably get away with it, just like many other rule violations that can be hard to detect if the rule breaker is aware and skilled. Frankly, I realize that stopping a dedicated and skilled attacker from doing most anything is really hard, and that's not what I propose we try to do.

2. Since I propose that there be no significant penalty other than maybe being called a duchebag for taking unwanted pictures (if the person is not agreeable to a more civil discussion), I don't think we need conviction-level proof. Sure someone could falsely accuse someone else, but I'm confident that if such a thing happened and it were escalated to goons, they could handle it. More on this in a bit.

3. I don't propose we do any of these things.

4. I think I covered this, but just to be complete.. the penalty is being reminded of the rule, and maybe having to talk to some security goons about it.

I think that most people will try to obey the rules, yes. Even hackers. Or maybe *especially* hackers on this topic, since they seem to be somewhat more aware of personal privacy concerns than non-hackers.

People using hidden cameras will either be caught and outed, or they will get away with it, regardless of what the Defcon photo policy states. I don't think anyone likes this kind of behavior, and I suspect if found, it would be called out. Would they get kicked out? I would submit that if such a thing was discovered, they could be kicked out at the organizer's discretion regardless, depending on the circumstances. I think covert recording is its own thing, and it will be unaffected by this policy.

Folks can probably guess that I disagree with that statement. Here's my perspective on "risk" for this topic. I'm talking mostly about people that simply don't want their photographs to be taken or (especially) not made public, or are averse to their photograph being made public due to some outside reason (employer prohibition, etc.) I believe that by far the highest "risk" to these individuals is getting included by mistake in an otherwise well-intentioned person's picture. People who know these people would be less likely to photograph them (since they're more likely to know about their preference), and these people probably try to avoid putting themselves in situations where the risk of getting photographed is higher (dancing in a thong on stage, etc.) Could someone be stalking them to knowingly take their picture for blackmail? Sure. But that's low likelihood, and we aren't going to stop it anyway. In my view, it is by far the most likely that they would be caught in pictures by mistake.

Given this, a policy that causes most people to take less pictures (being careful to get permission for the ones they do take, etc.) is the best way to reduce this risk. It does not eliminate the risk, and it is not perfect. To achieve this outcome, I don't think enforcement needs to be any more than a polite reminder and in those extreme cases, getting yelled at by a goon. So we get a big gain for modest effort, and we can just disregard the outliers. Just like the theaters that probably aren't going to kick you out for drinking a coffee, but still end up with a lot less stains on their chairs.

Goon says, "Did you just take a picture?" The response of the person almost doesn't matter as to what the goon says next. Goon: "The Defcon community is against picture taking unless you have explicit permission of everyone in the photo, did you know that? Please delete the picture if you didn't have permission." I think that would handle most cases. If the person gets belligerent, deal with them like they deal with belligerent people. Goon: "You are being an asshole. Please delete the picture and/or be respectful of the policy and of your fellow con attendees. Now go away." If the person doesn't go away and escalates the situation, I fail to see how this would be different than any other person escalating an encounter with a security goon for any other reason.

About the same thing should happen for a non-goon observing someone take a picture. Remind them of the policy and ask for complaince. If the person gets belligerent, escalate to a goon or just walk away and let the asshole have their bad mojo. If the offender is the one to ignore the reminder and walk away, well, they walked away. (In the latter case, if the picture were really inappropriate and obviously not OK to take, like covert in the bathroom or upskirt or something crazy like that, escalation would be appropriate regardless of the photo policy.)

Notice that in my world above, the goon didn't ask for the device, didn't try to do anything. They just reminded the person of the policy, asked for compliance, and then asked them to move on (whether the person complied with the policy/request or not). I've not been a security goon, but I suspect that they do this kind of thing with minor infractions all the time -- ask for compliance, but don't press the issue when it's not worth pressing. How many times do people get told to squish in to chairs in packed rooms or clear the aisles and yet the goons aren't kicking out those few people who don't comply 100%? I've seen it plenty of times. Maybe I'm wrong, but this seems like a normal enforcement approach for minor things.

I like my solution of ponies and rainbows. If it gets implemented, I'd also like it to be covered in sweet frosting.

In my view, there will always be "special flowers" that whine about something, regardless of what any policy says on any topic. Let's not legislate to them.

Yeah, I like the Shoot's approach, although I think it's too complicated for the wider Defcon. Now that I just typed that, I'm not comfortable with it, but it still seems right. And I'm out of time for now, so I'll just leave that there.

Again, thanks for the healthy discussion and chance to outline my perspective. Hopefully it's helpful to somebody other than me.

- hinge

Re: Communication and enforcement of DEFCON photo policy

Wow how did I miss this from January? There is so much I can add here. In no particular order:

Press has press restrictions which are a higher expectation than anyone with an iPhone. If a photo gets syndicated it can wrap the world three times before the talk it was shot at is over. But nowadays, the same happens with twitter and a viral image from an iPhone. The Press standards are fine, the only complaints I have seen in press abuse ended up with the press tapes being confiscated and the journalists being ejected from the event. No issues here.

First let's not have mental masturbation here. No trolls. Unless YOU have an issue with being photographed AND you have had a bad experience with a photographer that was NOT resolved, then you are a troll. I don't make sure the food at the hotel is kosher or halal or meeting Michelle Obama's lunch standards and then whine about it online because that would be trolling. I don't complain about addicted gamblers having to go to a gambling city for tech talks because I am not a troll.

Next, have you had a bad experience with a person with a camera? That means they refused to delete a picture of you, ruined your perfect time with their in-your-face attitude, or snuck around and watched you, etc. If so, then kick the cameraman in the nuts for me. That's what makes legitimate photo work tough.

For the last two cons (21 and 22) Defcon has had official goon photographers, of which I am one. When the Defcon Documentary was being made at DC20 I recall DT stating how we are more accustomed to cameras and accepting of video and stills. And it is true. No longer do we have to set up a huge projector to watch a 3-minute movie on 8mm film. There was also a time when still cameras and movie cameras were only seen on tourists and journalists. The rest of the word had a camera in the back of the closet between the gun and great-grandma's ashes. Today more images are taken in one day than in the entire decade of the 60s. We all have cameras. Welcome to reality. Even court houses have given up restricting cameras. And we are no longer restricted to 36 exposures on one roll at a high cost to process. It seems all the barriers in photography are coming down.

Now there are those who wish not to be photographed. When that happens they let me know by shaking their head, saying "no pics" out loud, or turning away. Or maybe they freeze because a camera looks like a crossbow. That's fine, it is very easy to tell when someone resists, and there is no reason to take a picture at that moment. People who use a camera to harrass others are jerks, even without a camera.

So did YOU take pictures at Defcon? Did you clear it with everyone in the picture, even in the background? Do you have signed and notarized releases for every image? Have you filed for copyright protection? You see, we have extremes at each end. Now the question is, what to do about it.

I already do not shoot when it is obviously not wanted, or even if in doubt. I delete pics when the subject desires, or send them only to said person and no others. It is that trust that enables me to work in this position. Not long ago one person said they wished ALL pics of them deleted, and I did so once they provided the image link. I have found that a large majority of the images are appreciated and desired. That's why we're here. Also as there was no lashout about the defcon documentary, it seems the majority feels the same way. But to try the documentary at Defcon 8? Impossible. Different world.

Re: Communication and enforcement of DEFCON photo policy

DC21 was my first DefCon, and I didn't know about the rules. However, I've always been privacy conscious and would not snap a pic if I saw someone turning away or specifically showing that he/she doesn't want to be photographed. After reading the actual rules I stopped snapping most pics, basically limiting myself to speaker presentations or the neat stuff set up in some rooms (I really like the smiley thingy in the Chillout Lounge). Same with videos.

Re: Communication and enforcement of DEFCON photo policy

Wow photos were pretty okay since about Defcon 18, so 21 should be a normal event for you. You should have seen Defcon 8 or 9 when cameras could end up in the pool. It is still okay to ask that pictures be deleted becaus you are in them, and if the person refuses then let a goon know.

Re: Communication and enforcement of DEFCON photo policy

Ah, yes. I resemble that remark. Camera plus person. I swear it was an accident.

Re: Communication and enforcement of DEFCON photo policy

Perhaps the DC23 badge should be a mask that can be optionally worn for anonymity...

I'm only half-joking. :P It might be cool if there was an easy way to tell if someone did not want photos taken of them, perhaps built in to the badge (a tri-color LED, perhaps? Blinking Red = No, Blinking Green = Yes). That way people's desires are known. Whether people respect them or not is a separate issue, but I tend to think most people will respects others' wishes.