privacy in the information age
"The saddest aspect of life right now is that science gathers knowledge faster than society gathers wisdom."
—Isaac Asimov
Threat Landscape
Key Points:
Our attack surface has increased tremendously.
Our capacities to defend ourselves have not kept pace.
Opting out is less and less of an option.
Risk of becoming collateral damage exceeds risk of direct targeting.
Negligence and bad norms
Several former Home Depot employees said they were not surprised the company had been hacked. They said that over the years, when they sought new software and training, managers came back with the same response: “We sell hammers.”
—New York Times
On February 4, Anthem revealed that it had been the target of a massive cyberattack by hackers who broke into its servers and stole the personal information of as many as 80 million current and former members and employees. Anthem CEO Joseph Swedish said the attack compromised names, dates of birth, member IDs, Social Security numbers, addresses, phone numbers, email addresses and employment information. But he said he found no evidence that any credit card or medical records had been exposed.
—CNET
“The relationship with Superfish is not financially significant; our goal was to enhance the experience for users.”
—Lenovo
Negligence and bad norms
Social Security numbers stored by the OPM were not encrypted due to the networks being “too old.”
—Director Katherine Archuleta admitted in testimony
If you paid $19 to delete [your Ashley Madison account,] [...] your GPS coordinates would not be removed, nor would your city, state, country, weight, height, date of birth, whether you smoke and/or like a drink, your gender, your ethnicity, what turns you on, and other bits and pieces. And if you didn't pay the 19 bucks, everything was eventually leaked online by the website's hackers.
—The Register
Some Samsung smart TVs are sending users’ voice searches and data over the internet unencrypted, allowing hackers and snoopers to listen in on their activity.
—The Guardian
Security Theater
Security Questions:
“What is your mother’s maiden name?” __________________
“What city were you born in?” __________________
The Department of Homeland Security revealed that agents of the Transportation Security Administration failed 67 out of 70 tests carried out by special investigators.
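The security-question slide above makes a point that can be put in numbers: the answer to “What is your mother’s maiden name?” is drawn from a small, largely public set of values, whereas a passphrase of randomly chosen words is drawn from a space the defender controls. The following Python is an added illustration, not part of the original presentation; the word list, the surname list and the set sizes passed to compare() are constructed for the example (a real diceware-style list has 7776 words, and the 1024-candidate surname set is a deliberately generous guess at how many values an answer could plausibly take).

```python
import math
import secrets

# Constructed sample word list. Only the size of the list enters the
# entropy estimate; a real diceware-style list has 7776 entries.
SAMPLE_WORDS = [
    "anchor", "basil", "copper", "dune", "ember", "fjord", "glacier", "harbor",
    "iris", "juniper", "kettle", "lantern", "meadow", "nectar", "orbit", "pebble",
]

# Constructed candidate set for a "mother's maiden name" answer. Someone
# who knows the target's hometown or background needs far fewer guesses
# than a full surname list, so this already flatters the question.
COMMON_SURNAMES = [
    "smith", "johnson", "williams", "brown", "jones", "garcia", "miller",
    "davis", "rodriguez", "martinez", "hernandez", "lopez", "gonzalez",
    "wilson", "anderson", "thomas", "taylor", "moore", "jackson", "martin",
]


def entropy_bits(choices: int, picks: int = 1) -> float:
    """Entropy in bits of `picks` independent uniform draws from a set
    of `choices` equally likely values: picks * log2(choices)."""
    if choices < 1 or picks < 1:
        raise ValueError("choices and picks must be positive")
    return picks * math.log2(choices)


def expected_guesses(bits: float) -> float:
    """Average number of guesses needed to hit a uniformly chosen secret
    of the given entropy: half the size of the search space."""
    return 2 ** bits / 2


def generate_passphrase(wordlist, words: int = 6, sep: str = " ") -> str:
    """Draw `words` words uniformly using the CSPRNG behind `secrets`
    (never the `random` module, which is predictable)."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def compare(wordlist_size: int, words: int, candidates: int) -> dict:
    """Compare a `words`-word passphrase from a list of `wordlist_size`
    entries against a security-question answer that takes one of
    `candidates` plausible values. Returns bits, expected guesses and
    how many times larger the passphrase search space is."""
    pp = entropy_bits(wordlist_size, words)
    sq = entropy_bits(candidates)
    return {
        "passphrase_bits": round(pp, 2),
        "passphrase_guesses": expected_guesses(pp),
        "question_bits": round(sq, 2),
        "question_guesses": expected_guesses(sq),
        "ratio": 2 ** (pp - sq),
    }


if __name__ == "__main__":
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS))
    # Six words from a 7776-word list versus a 1024-surname guess list
    # (both sizes constructed for the illustration).
    print(compare(7776, 6, 1024))
    print("surname demo set:", len(COMMON_SURNAMES), "entries ->",
          round(entropy_bits(len(COMMON_SURNAMES)), 2), "bits")
```

The numbers make the "security theater" label concrete: six random words give roughly 77 bits, while a question whose answer is one of a thousand surnames gives about 10 bits and is typically recoverable from public records without guessing at all, which is why a security question should only ever gate a recovery flow that is itself rate-limited and out-of-band, never stand in for a password.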
First-Order Consequences
- Target (40m credit/debit cards, 70m phone numbers, addresses, emails)
- Sony (internal network, basically everything)
- Home Depot (56m credit cards, 53m emails)
- Global Payments (1.5m credit cards)
- Anthem (80m names, DOB, SSN, other info)
- Office of Personnel Management (25.7m names, SSN, security clearance and background check data, etc; 1.1m fingerprints)
"I hope the Chinese aren't collating the Ashley Madison data with their handy federal list of every American with a security clearance."
—Bruce Sterling
“U.S. intelligence officials have seen evidence that China's Ministry of State Security has combined medical data snatched in January from health insurance giant Anthem, passenger records stripped from United Airlines servers in May and the OPM security clearance files.”
—Los Angeles Times, September 7, 2015
AOL User No. 4417749
AOL search terms:
- numb fingers
- dog that urinates on everything
- landscapers in Lilburn, Ga
- 60 single men
New York Times: In a six-month period — from Aug 31, 2009, to Feb. 28, 2010, Deutsche Telekom had recorded and saved [German politician Malte Spitz’s] longitude and latitude coordinates more than 35,000 times. It traced him from a train on the way to Erlangen at the start through to that last night, when he was home in Berlin.
Computer Viruses
Antivirus companies now report that they are struggling to classify and combat an average of 82,000 new malicious software variants attacking computers every day.
—Brian Krebs
Technology cuts both ways
Western do-gooders may have missed how [the internet]… entrenches dictators, threatens dissidents, and makes it harder – not easier – to promote democracy.
—Evgeny Morozov
China
- Specialized military network warfare forces: network cyberattacks and defense
- Civilian teams which have been given the go-ahead by the Chinese military to carry out "network warfare operations."
- Umbrella for "external entities" which "can be organized and mobilized for network warfare operations," but act outside of government departments.
The Chinese have penetrated every major corporation of any consequence in the United States and taken information... We've never, ever not found Chinese malware.
—Mike McConnell, Director of National Intelligence under President George W. Bush
Costs to Security
Falling behind the rapid development of Internet technology and applications, our current management of the Internet is seriously flawed and cannot function properly. [...] How to strengthen oversight within a legal framework and guide public opinion and how to ensure the orderly dissemination of online information, while at the same time safeguarding national security and social stability, have become pressing problems for us.
- Xi Jinping, Explanatory Notes to the “Decision of the CPC Central Committee on Some Major Issues”
Russia
The 2015 Worldwide Threat Assessment of the U.S. Intelligence Community singles out Russia as the single most capable cyber actor:
"We foresee an ongoing series of low-to-moderate level cyber attacks from a variety of sources over time, which will impose cumulative costs on U.S. economic competitiveness and national security.”
Section 215 of the PATRIOT Act
Status: Expired, with the passing of the USA Freedom Act on June 2nd.
What it was supposed to do: Help the FBI cast a wider net when conducting domestic terrorism investigations, through record searches, intelligence searches, secret searches and ‘trap & trace’ searches.
How it was misused: Bulk phone record collection on millions of Americans not under investigation.
“The administration claims authority to sift through details of our private lives because the Patriot Act says that it can. I disagree. I authored the Patriot Act, and this is an abuse of that law.”
- Rep. Jim Sensenbrenner
Status: Expired May 31 2015. Partially restored until 2019 on June 2 as part of the USA Freedom Act.
Section 702 of the FISA Amendments Act
Status: Active
What it was supposed to do: Help the NSA track information that originated outside the U.S. but incidentally flowed through U.S. communications systems.
How it was misused: By ‘incidental’ the NSA understood this to mean any amount of information on any channel it could access.
In principle, the NSA is accountable to and must receive approval from the FISA Court.
In practice, this is a rubber stamp: out of 34,000+ warrant requests, only 11 have ever been rejected.
Executive Order 12333
Status: 1981 Executive Order under Reagan, Currently Active
What it was supposed to do: Gives the NSA broad authorities to conduct surveillance outside the United States and collect data on Americans.
How it was misused: No protections for U.S. citizens whose information is held outside of the United States.
At least in 2007, the president believed he could modify or ignore [Executive Order 12333] at will and in secret. As a result, we know very little about how Executive Order 12333 is being interpreted inside the NSA.
- Bruce Schneier
Pop Quiz
What do emails, buddy lists, drive back ups, social networking posts, web browsing history, your medical data, your bank records, your face print, your voice print, your driving patterns and your DNA have in common?
The U.S. Department of Justice (DOJ) doesn’t think any of these things are private. Because the data is technically accessible to service providers or visible in public, it should be freely accessible to investigators and spies.
“Collect”
Under Department of Defense regulations, information is considered to be “collected” only after it has been “received for use by an employee of a DoD intelligence component,” and “data acquired by electronic means is ‘collected’ only when it has been processed into intelligible form.” In other words, the NSA can intercept and store communications in its database, then have an algorithm search them for key words and analyze the metadata without ever considering the communications “collected.”
—Electronic Frontier Foundation
Loss of Credibility, Influence
October 2013, Wired:
All of the major internet organisations have pledged, at a summit in Uruguay, to free themselves of the influence of the US government.
The directors of ICANN, the Internet Engineering Task Force, the Internet Architecture Board, the World Wide Web Consortium, the Internet Society and all five of the regional Internet address registries have vowed to break their associations with the US government.
In a statement, the group called for "accelerating the globalization of ICANN and IANA functions, towards an environment in which all stakeholders, including all governments, participate on an equal footing".
That's a distinct change from the current situation, where the US department of commerce has oversight of ICANN.
Costs to U.S. Businesses
Studies by the Information Technology and Innovation Foundation and Forrester Research estimate NSA surveillance will cost the U.S. tech industry between $22 billion and $180 billion over the next three years, a loss of up to 25% of total industry revenue.
Costs to U.S. Businesses
“The government response was, ‘Oh don’t worry, we’re not spying on any Americans.’
Oh, wonderful: that’s really helpful to companies trying to serve people around the world, and that’s really going to inspire confidence in American internet companies.”
-Mark Zuckerberg, CEO of
Yahoo and PRISM
The U.S. government threatened to fine Yahoo $250,000 each day the Internet giant did not share data about its users – a fine that would have doubled for each week of noncompliance, according to newly unsealed court documents.
"In 2007 Yahoo filed a lawsuit against the new Patriot Act, parts of PRISM and FISA, we were the key plaintiff. A lot of people have wondered about that case and who it was. It was us ... we lost. The thing is, we lost and if you don't comply it's treason."
—Marissa Mayer
Apple and the FBI
Apple said iMessage and FaceTime conversations were protected by end-to-end encryption so no-one but the sender and receiver could see or read them.
"Apple cannot decrypt that data. Similarly, we do not store data related to customers' location, Map searches or Siri requests in any identifiable form."
Schneier’s proposal
Break NSA up into three parts:
- Domestic work moves under the aegis (and oversight) of the FBI
- Cyberwarfare moves under US CYBERCOM
- NSA retains foreign surveillance
Positive Achievements
- US Code of Fair Information Practices 1973
- US Consumer Privacy Bill of Rights 2012
- OECD Privacy Framework 1980
Bills compared: Cyber Threat Sharing Act; Protecting Cyber Networks Act; Cybersecurity Information Sharing Act; National Cybersecurity Advancement Act
- Companies may give data directly to FBI: X X
- Legal protections for companies that violate your rights: X X
- Broad exemptions for state & federal government: X X
- Permission to share information across agencies unrelated to cybersecurity: X
- “Cybersecurity” purposes defined to include minor drug offenses and crimes for purpose of information sharing: X
- Opaque sharing with international partners: X X X
- Restricts civilian control of domestic cybersecurity: X
- Status: Vote deferred; Passed in House; Referred to the Committee on Homeland Security and Governmental Affairs; Passed in House
Implications for international law
Government documents clarify that the basis for permitting an investigation isn’t terrorism, but the person’s status as a non-US person:
“For traditional FISAs you must have probable cause that the target is a ‘foreign power’ or agent of a ‘foreign power.’ For section 702, however, there must be a reasonable belief that the target is a NON-USPER located outside the United States”. US law doesn’t grant the same rights to non-US persons, at least for those overseas. This is in contrast to, for example, the European Court of Human Rights, which recognizes the right of liberty and security for each person regardless of citizenship.
—Susan Landau
Implications for international law
- Article 12 of the Universal Declaration of Human Rights states that "No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks."
- The 2012 draft European Data Protection Regulation Article 17 details the "right to be forgotten and to erasure".
Under Article 17 individuals to whom the data appertains are granted the right to "obtain from the controller the erasure of personal data relating to them and the abstention from further dissemination of such data, especially in relation to personal data which are made available by the data subject while he or she was a child or where the data is no longer necessary for the purpose it was collected for, the subject withdraws consent, the storage period has expired, the data subject objects to the processing of personal data or the processing of data does not comply with other regulation".
Resources for international agreement
For the U.S.:
Consumer Data Privacy in a Networked World
For businesses:
OECD Privacy Principles
For the international community:
13 International Principles on the Application of Human Rights to Communication Surveillance
Next Steps
Low-Hanging Fruit
- Enforce existing laws
- Incentivize proactive defense and disclosure after breaches
- International coordination on reciprocal protection for citizens
Questions to pose to institutions and organizations:
- Why are you retaining this information?
- Is the present value worth the future risk?
- What is the risk of not keeping it?
- Could an unfriendly government steal or force you to surrender it?
At the end of the day, the law doesn't defend us; we defend the law. And when it becomes contrary to our morals, we have both the right and the responsibility to rebalance it toward just ends.
— Edward Snowden
Privacy as Agency
Positioning privacy and public-ness in opposition is a false dichotomy. People want privacy and they want to be able to participate in public.
Protecting privacy is about making certain that people have the agency they need to make informed decisions about how they engage in public.
—danah boyd
Implications for users/customers
Questions for companies and organizations:
Why are you retaining this information?
Is the present value worth the future risk?
What is the risk of not keeping it?
Could an unfriendly (domestic or foreign) government force you to give it, or steal it?
“Back in the day we’d be asked, ‘What are the 10 things a consumer can do to protect themselves?’
I hate to be a gloomy Gus, but the message I give journalists and others is there’s basically nothing you can do.
It’s like saying, what can you do about climate change by yourself … when the problem is structural architecture and the flow around your data.”
—Lee Tien, Electronic Frontier Foundation
Individual Defense Strategies
A Layered Defense
Examples:
- Firewall
- Antivirus
- Passphrase
- Two-Factor Authentication
Surveillance & Sousveillance
Surveillance is when the masters watch over the masses.
Sousveillance is where everybody has the capability to watch over each other, peer-to-peer style – and not even the rulers are exempt from the universal collective eye. It’s generally meant to imply that citizens have and exercise the power to look back at the powers-that-be, or to “watch the watchmen.”
—David Brin and Ben Goertzel
Evaluating Strategies for Information Security
Threat: Mossad
- Magic???
Threat: Not-Mossad
- https
- Strong password
- Applied security patches
Best Practices
- HTTPS
- Passphrases
- Two-Factor Authentication
- Antivirus
- Device encryption
- Install security updates
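Two-factor authentication appears in both the layered-defense list and the best-practice list above without saying what the second factor actually is. In the common authenticator-app form it is a time-based one-time password (TOTP, RFC 6238), built on HMAC. The Python below is an added example, not part of the original presentation; it uses the RFC's published test-vector key as the demo secret so the output can be checked against known values, and it assumes the RFC defaults of SHA-1, a 30-second step and six digits.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Demo secret: the RFC 4226 / RFC 6238 test-vector key, used here only so
# the codes can be checked against the published vectors. A real secret is
# 160+ random bits provisioned once and stored only on the two ends.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC the 8-byte big-endian
    counter, dynamically truncate to 31 bits, then reduce modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                        # low nibble picks the window
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = 30,
         digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the number of
    `step`-second intervals elapsed since the Unix epoch."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: Optional[int] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check. Accepts the code for the current interval or up
    to `window` intervals either side, to tolerate clock drift. The
    comparison is constant-time so rejection timing leaks nothing about
    how many leading digits matched. A production verifier must also
    remember the last accepted counter per user and refuse anything at or
    below it, so an observed code cannot be replayed within the window."""
    if len(code) != digits or not code.isdigit():
        return False
    if at is None:
        at = int(time.time())
    counter = at // step
    for drift in range(-window, window + 1):
        candidate = hotp(secret, counter + drift, digits)
        if hmac.compare_digest(candidate, code):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    code = totp(DEMO_SECRET, now)
    print("current code:", code, "accepted:", verify_totp(DEMO_SECRET, code, now))
    # RFC 6238 vector: at t=59 the counter is 1 and the 8-digit code is 94287082.
    print("t=59, 8 digits:", totp(DEMO_SECRET, 59, digits=8))
```

The point for the layered-defense slide is what this adds and what it does not: a stolen password alone no longer opens the account, because the second factor depends on a secret that never leaves the device and changes every 30 seconds; but the scheme relies on the server keeping that shared secret safe, on clock agreement within the drift window, and on the replay check noted in the comments.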
Additional resources
For further questions or a copy of this presentation, email:
Jordan Peacock
CEO, Becoming Machinic