Great Decisions 2015 Privacy in the Information Age Jordan Peacock

"The saddest aspect of life right now is that science gathers knowledge faster than society gathers wisdom."

—Isaac Asimov

Threat Landscape

Key Points:

Our attack surface has increased tremendously.

Our capacities to defend ourselves have not kept pace.

Opting out is less and less of an option.

Risk of becoming collateral damage exceeds risk of direct targeting.

Autoimmune in an age of endemic disease

Big Data

Facebook indexes > 1 trillion posts

Evolution of Attackers

Internet-Wide Vulnerabilities

Negligence and bad norms

Several former Home Depot employees said they were not surprised the company had been hacked. They said that over the years, when they sought new software and training, managers came back with the same response: “We sell hammers.”

—New York Times

On February 4, Anthem revealed that it had been the target of a massive cyberattack by hackers who broke into its servers and stole the personal information of as many as 80 million current and former members and employees. Anthem CEO Joseph Swedish said the attack compromised names, dates of birth, member IDs, Social Security numbers, addresses, phone numbers, email addresses and employment information. But he said he found no evidence that any credit card or medical records had been exposed.

—CNET

“The relationship with Superfish is not financially significant; our goal was to enhance the experience for users.”

—Lenovo

Negligence and bad norms

Social Security numbers stored by the OPM were not encrypted due to the networks being “too old.”

—Director Katherine Archuleta admitted in testimony

If you paid $19 to delete [your Ashley Madison account,] [...] your GPS coordinates would not be removed, nor would your city, state, country, weight, height, date of birth, whether you smoke and/or like a drink, your gender, your ethnicity, what turns you on, and other bits and pieces. And if you didn't pay the 19 bucks, everything was eventually leaked online by the website's hackers.

—The Register

Some Samsung smart TVs are sending users’ voice searches and data over the internet unencrypted, allowing hackers and snoopers to listen in on their activity.

—The Guardian

Security Theater

[Diagram labels: Asset secured against threat; Feeling secure; The ideal]

Security Theater

Security Questions:

“What is your mother’s maiden name?” __________________

“What city were you born in?” __________________

The Department of Homeland Security revealed that agents with the Transportation Security Administration failed 67 out of 70 tests that were carried out by special investigators.

First-Order Consequences

Target (40m credit/debit cards, 70m phone numbers, addresses, emails)

Sony (internal network, basically everything)

Home Depot (56m credit cards, 53m emails)

Global Payments (1.5m credit cards)

Anthem (80m names, DOB, SSN, other info)

Office of Personnel Management (25.7m names, SSN, security clearance and background check data, etc; 1.1m fingerprints)

"I hope the Chinese aren't collating the Ashley Madison data with their handy federal list of every American with a security clearance."

—Bruce Sterling

“U.S. intelligence officials have seen evidence that China's Ministry of State Security has combined medical data snatched in January from health insurance giant Anthem, passenger records stripped from United Airlines servers in May and the OPM security clearance files.”

—Los Angeles Times, September 7, 2015

AOL User No. 4417749

AOL search terms:

- numb fingers
- dog that urinates on everything
- landscapers in Lilburn, Ga
- 60 single men

New York Times: In a six-month period — from Aug 31, 2009, to Feb. 28, 2010, Deutsche Telekom had recorded and saved [German politician Malte Spitz’s] longitude and latitude coordinates more than 35,000 times. It traced him from a train on the way to Erlangen at the start through to that last night, when he was home in Berlin.

Evolution of Attackers

Map of hacked devices using embedded Linux with default passwords

Computer Viruses

Antivirus companies now report that they are struggling to classify and combat an average of 82,000 new malicious software variants attacking computers every day.

—Brian Krebs

Technology cuts both ways

Western do-gooders may have missed how [the internet]… entrenches dictators, threatens dissidents, and makes it harder – not easier – to promote democracy.

—Evgeny Morozov

China

Specialized military network warfare forces: network cyberattacks and defense

Civilian teams which have been given the go-ahead by the Chinese military to carry out "network warfare operations."

Umbrella for "external entities" which "can be organized and mobilized for network warfare operations," but act outside of government departments.

The Chinese have penetrated every major corporation of any consequence in the United States and taken information... We've never, ever not found Chinese malware.

—Mike McConnell, Director of National Intelligence under President George W. Bush

Costs to Security

Falling behind the rapid development of Internet technology and applications, our current management of the Internet is seriously flawed and cannot function properly. [...] How to strengthen oversight within a legal framework and guide public opinion and how to ensure the orderly dissemination of online information, while at the same time safeguarding national security and social stability, have become pressing problems for us.

- Xi Jinping, Explanatory Notes to the “Decision of the CPC Central Committee on Some Major Issues”

Russia

The 2015 Worldwide Threat Assessment of the U.S. Intelligence Community singles out Russia as the single most capable cyber actor:

“We foresee an ongoing series of low-to-moderate level cyber attacks from a variety of sources over time, which will impose cumulative costs on U.S. economic competitiveness and national security.”

U.S.A.

Section 215 of the PATRIOT Act

Status: Expired, with the passing of the USA Freedom Act on June 2nd.

What it was supposed to do: Help the FBI cast a wider net when conducting domestic terrorism investigations, through record searches, intelligence searches, secret searches and ‘trap & trace’ searches.

How it was misused: Bulk phone record collection on millions of Americans not under investigation.

“The administration claims authority to sift through details of our private lives because the Patriot Act says that it can. I disagree. I authored the Patriot Act, and this is an abuse of that law.”

- Rep. Jim Sensenbrenner

Status: Expired May 31 2015. Partially restored until 2019 on June 2 as part of the USA Freedom Act.

Section 702 of the FISA Amendments Act

Status: Active

What it was supposed to do: Help the NSA track information that originated outside the U.S. but incidentally flowed through U.S. communications systems.

How it was misused: The NSA understood ‘incidental’ to mean any amount of information on any channel it could access.

In principle, the NSA is accountable to and must receive approval from the FISA Court.

In practice, this is a rubber stamp: out of 34,000+ warrant requests, only 11 have ever been rejected.

Executive Order 12333

Status: 1981 Executive Order under Reagan, Currently Active

What it was supposed to do: Gives the NSA broad authorities to conduct surveillance outside the United States and collect data on Americans.

How it was misused: No protections for U.S. citizens whose information is held outside of the United States.

At least in 2007, the president believed he could modify or ignore [Executive Order 12333] at will and in secret. As a result, we know very little about how Executive Order 12333 is being interpreted inside the NSA.

- Bruce Schneier

Pop Quiz

What do emails, buddy lists, drive back ups, social networking posts, web browsing history, your medical data, your bank records, your face print, your voice print, your driving patterns and your DNA have in common?

The U.S. Department of Justice (DOJ) doesn’t think any of these things are private. Because the data is technically accessible to service providers or visible in public, it should be freely accessible to investigators and spies.

“Collect”

Under Department of Defense regulations, information is considered to be “collected” only after it has been “received for use by an employee of a DoD intelligence component,” and “data acquired by electronic means is ‘collected’ only when it has been processed into intelligible form.”

In other words, the NSA can intercept and store communications in its database, then have an algorithm search them for key words and analyze the metadata without ever considering the communications “collected.”

—Electronic Frontier Foundation

Loss of Credibility, Influence

October 2013, Wired:

All of the major internet organisations have pledged, at a summit in Uruguay, to free themselves of the influence of the US government.

The directors of ICANN, the Internet Engineering Task Force, the Internet Architecture Board, the World Wide Web Consortium, the Internet Society and all five of the regional Internet address registries have vowed to break their associations with the US government.

In a statement, the group called for "accelerating the globalization of ICANN and IANA functions, towards an environment in which all stakeholders, including all governments, participate on an equal footing".

That's a distinct change from the current situation, where the US department of commerce has oversight of ICANN.

Costs to U.S. Businesses

Studies by the Information Technology and Innovation Foundation and Forrester Research estimate NSA surveillance will cost the U.S. tech industry between $22 billion and $180 billion over the next three years, a loss of up to 25% of total industry revenue.

Costs to U.S. Businesses

“The government response was, ‘Oh don’t worry, we’re not spying on any Americans.’

Oh, wonderful: that’s really helpful to companies trying to serve people around the world, and that’s really going to inspire confidence in American internet companies.”

-Mark Zuckerberg, CEO of Facebook

Yahoo and PRISM

The U.S. government threatened to fine Yahoo $250,000 each day the Internet giant did not share data about its users – a fine that would have doubled for each week of noncompliance, according to newly unsealed court documents.

"In 2007 Yahoo filed a lawsuit against the new Patriot Act, parts of PRISM and FISA, we were the key plaintiff. A lot of people have wondered about that case and who it was. It was us ... we lost. The thing is, we lost and if you don't comply it's treason."

—Marissa Mayer

Apple and the FBI

Apple said iMessage and FaceTime conversations were protected by end-to-end encryption so no-one but the sender and receiver could see or read them.

"Apple cannot decrypt that data. Similarly, we do not store data related to customers' location, Map searches or Siri requests in any identifiable form."

Schneier’s proposal

Break NSA up into three parts:

- Domestic work moves under the aegis (and oversight) of the FBI
- Cyberwarfare moves under US CYBERCOM
- NSA retains foreign surveillance

Positive Achievements

- US Code of Fair Information Practices 1973
- US Consumer Privacy Bill of Rights 2012
- OECD Privacy Framework 1980

Cyber Threat Sharing Act

Protecting Cyber Networks Act

Cybersecurity Information Sharing Act

National Cybersecurity Advancement Act

Companies may give data directly to FBI: X X

Legal protections for companies that violate your rights: X X

Broad exemptions for state & federal government: X X

Permission to share information across agencies unrelated to cybersecurity: X

“Cybersecurity” purposes defined to include minor drug offenses and crimes for purpose of information sharing: X

Opaque sharing with international partners: X X X

Restricts civilian control of domestic cybersecurity: X

Status: Vote deferred; Passed in House; Referred to the Committee on Homeland Security and Governmental Affairs; Passed in House

Implications for international law

Government documents clarify that the basis for permitting an investigation isn’t terrorism, but the person’s status as a non-US person:

“For traditional FISAs you must have probable cause that the target is a ‘foreign power’ or agent of a ‘foreign power.’ For section 702, however, there must be a reasonable belief that the target is a NON-USPER located outside the United States”. US law doesn’t grant the same rights to non-US persons, at least for those overseas. This is in contrast to, for example, the European Court of Human Rights, which recognizes the right of liberty and security for each person regardless of citizenship.

—Susan Landau

Implications for international law

- Article 12 of the Universal Declaration of Human Rights states that "No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks."

- The 2012 draft European Data Protection Regulation Article 17 details the "right to be forgotten and to erasure".

Under Article 17 individuals to whom the data appertains are granted the right to "obtain from the controller the erasure of personal data relating to them and the abstention from further dissemination of such data, especially in relation to personal data which are made available by the data subject while he or she was a child or where the data is no longer necessary for the purpose it was collected for, the subject withdraws consent, the storage period has expired, the data subject objects to the processing of personal data or the processing of data does not comply with other regulation".

Resources for international agreement

For the U.S.:

Consumer Data Privacy in a Networked World

For businesses:

OECD Privacy Principles

For the international community:

13 International Principles on the Application of Human Rights to Communication Surveillance

Next Steps

Low-Hanging Fruit

- Enforce existing laws
- Incentivize proactive defense and disclosure after breaches
- International coordination on reciprocal protection for citizens

Questions to pose to institutions and organizations:

- Why are you retaining this information?
- Is the present value worth the future risk?
- What is the risk of not keeping it?
- Could an unfriendly government steal or force you to surrender it?

At the end of the day, the law doesn't defend us; we defend the law. And when it becomes contrary to our morals, we have both the right and the responsibility to rebalance it toward just ends.

— Edward Snowden

Privacy as Agency

Positioning privacy and public-ness in opposition is a false dichotomy. People want privacy and they want to be able to participate in public.

Protecting privacy is about making certain that people have the agency they need to make informed decisions about how they engage in public.

—danah boyd

Implications for users/customers

Questions for companies and organizations:

Why are you retaining this information?

Is the present value worth the future risk?

What is the risk of not keeping it?

Could an unfriendly (domestic or foreign) government force you to give it, or steal it?

“Back in the day we’d be asked, ‘What are the 10 things a consumer can do to protect themselves?’

I hate to be a gloomy Gus, but the message I give journalists and others is there’s basically nothing you can do.

It’s like saying, what can you do about climate change by yourself … when the problem is structural architecture and the flow around your data.”

—Lee Tien, Electronic Frontier Foundation

Individual Defense Strategies

A Layered Defense

Examples:

- Firewall

- Antivirus

- Passphrase

- Two-Factor Authentication

Surveillance & Sousveillance

Surveillance is when the masters watch over the masses.

Sousveillance is where everybody has the capability to watch over each other, peer-to-peer style – and not even the rulers are exempt from the universal collective eye. It’s generally meant to imply that citizens have and exercise the power to look-back at the powers-that-be, or to “watch the watchmen.”

—David Brin and Ben Goertzel

Evaluating Strategies for Information Security

Threat: Mossad

- Magic???

Threat: Not-Mossad

- https
- Strong password
- Applied security patches

Best Practices

- HTTPS
- Passphrases
- Two-Factor Authentication
- Antivirus
- Device encryption
- Install security updates

Antivirus

Password Managers

Identity Theft/Fraud Resources

identitytheft.gov

ftc.gov/idtheft

Additional resources

For further questions or a copy of this presentation, email:

Jordan Peacock

CEO, Becoming Machinic

[email protected]