Great Decisions 2015 Topic

1. Great Decisions 2015
Privacy in the Information Age
Jordan Peacock

2. "The saddest aspect
of life right now is
that science gathers
knowledge faster
than society gathers
wisdom."
—Isaac Asimov

3. Threat Landscape
Key Points:
Our attack surface has increased tremendously.
Our capacities to defend ourselves have not kept pace.
Opting out is less and less of an option.
Risk of becoming collateral damage exceeds risk of direct targeting.

4. Autoimmune
in an age of
endemic disease

5. Big Data
Facebook indexes > 1 trillion posts

6. Evolution of Attackers

8. Internet-Wide Vulnerabilities

9. Negligence and bad norms
Several former Home Depot employees said they were
not surprised the company had been hacked. They said
that over the years, when they sought new software and
training, managers came back with the same response:
“We sell hammers.”
—New York Times
On February 4, Anthem revealed that it had
been the target of a massive cyberattack by
hackers who broke into its servers and stole the
personal information of as many as 80 million
current and former members and employees.
Anthem CEO Joseph Swedish said the attack
compromised names, dates of birth, member
IDs, Social Security numbers, addresses, phone
numbers, email addresses and employment
information. But he said he found no evidence
that any credit card or medical records had been
exposed.
—CNET
“The relationship with Superfish is not financially
significant; our goal was to enhance the experience for
users.”
—Lenovo

10. Negligence and bad norms
Social Security numbers stored by the OPM were not
encrypted due to the networks being “too old.”
—Director Katherine Archuleta admitted in testimony
If you paid $19 to delete [your Ashley Madison account,]
[...] your GPS coordinates would not be removed, nor
would your city, state, country, weight, height, date of
birth, whether you smoke and/or like a drink, your
gender, your ethnicity, what turns you on, and other bits
and pieces. And if you didn't pay the 19 bucks,
everything was eventually leaked online by the website's
hackers.
—The Register
Some Samsung smart TVs are sending users’ voice
searches and data over the internet unencrypted,
allowing hackers and snoopers to listen in on their
activity.
—The Guardian

11. Security Theater
Asset secured
against threat
Feeling secure The ideal

12. Security Theater
Security Questions:
“What is your mother’s maiden
name?”
__________________
“What city were you born in?”
__________________
The Department of Homeland Security
that revealed that agents with the
Transportation Security Administration
failed 67 out of 70 tests that were carried
out by special investigators.

13. First-Order Consequences
Target (40m credit/debit cards, 70m phone numbers, addresses, emails)
Sony (internal network, basically everything)
Home Depot (56m credit cards, 53m emails)
Global Payments (1.5m credit cards)
Anthem (80m names, DOB, SSN, other info)
Office of Personnel Management (25.7m names, SSN, security
clearance and background check data, etc; 1.1m fingerprints)

14. "I hope the Chinese aren't
collating the Ashley Madison
data with their handy federal list
of every American with a
security clearance."
—Bruce Sterling

15. “U.S. intelligence officials have
seen evidence that China's
Ministry of State Security has
combined medical data snatched
in January from health insurance
giant Anthem, passenger
records stripped from United
Airlines servers in May and the
OPM security clearance files.”
—Los Angeles Times
September 7, 2015

18. AOL User No. 4417749
AOL search terms:
numb fingers
dog that urinates on
everything
landscapers in Lilburn, Ga
60 single men

20. New York Times: In a six-month period — from Aug 31, 2009, to Feb. 28, 2010, Deutsche Telekom had recorded and
saved [German politican Malte Spitz’s] longitude and latitude coordinates more than 35,000 times. It traced him from a
train on the way to Erlangen at the start through to that last night, when he was home in Berlin.

21. Evolution of Attackers

24. Map of hacked devices using embedded Linux
with default passwords

28. Computer Viruses
Antivirus companies now report that they are struggling to classify and
combat an average of 82,000 new malicious software variants
attacking computers every day.
—Brian Krebs

31. Technology cuts both ways
Western do-gooders may
have missed how [the
internet]… entrenches
dictators, threatens
dissidents, and makes it
harder – not easier –to
promote democracy.
—Evgeny Morozov

32. China
Specialized military network
warfare forces: network
cyberattacks and defense
Civilian teams which have been
given the go-ahead by the
Chinese military to carry out
"network warfare operations."
Umbrella for "external entities"
which "can be organized and
mobilized for network warfare
operations," but act outside of
government departments.

33. The Chinese have penetrated
every major corporation of any
consequence in the United States
and taken information... We've
never, ever not found Chinese
malware.
—Mike McConnell, Director
of National Intelligence under
President George W. Bush

34. Costs to Security
Falling behind the rapid development of Internet technology and
applications, our current management of the Internet is
seriously flawed and cannot function properly. [...] How to
strengthen oversight within a legal framework and guide public
opinion and how to ensure the orderly dissemination of online
information, while at the same time safeguarding national
security and social stability, have become pressing problems for
us.
- Xi Jinping, Explanatory Notes to the “Decision of the CPC
Central Committee on Some Major Issues”

35. Russia
The 2015 Worldwide Threat
Assessment of the U.S. Intelligence
Community singles out Russia as the
single most capable cyber actor:
"We foresee an ongoing series of
low-to-moderate level cyber attacks
from a variety of sources over time,
which will impose cumulative costs
on U.S. economic competitiveness
and national security.”

36. U.S.A.

38. Section 215 of the PATRIOT Act
Status: Expired, with the passing of the USA Freedom Act on June 2nd.
What it was supposed to do: Help the FBI cast a wider net when conducting domestic
terrorism investigations, through record searches, intelligence searches, secret searches and
‘trap & trace’ searches.
How it was misused: Bulk phone record collection on millions of Americans not under
investigation.
“The administration claims authority to sift through details of our private lives because the
Patriot Act says that it can. I disagree. I authored the Patriot Act, and this is an abuse of that
law.”
- Rep. Jim Sensenbrenner
Status: Expired May 31 2015. Partially restored until 2019 on June 2 as part of the US
Freedom Act.

39. Section 702 of the FISA Amendments Act
Status: Active
What it was supposed to do: Help the NSA track information that originated outside the
U.S. but incidentally flowed through U.S. communications systems.
How it was misused: By ‘incidental’ the NSA understood this to mean any amount of
information on any channel it could access.
In principle, the NSA is accountable to and must receive approval from the FISA Court.
In practice, this is a rubber stamp: out of 34,000+ warrant requests, only 11 have ever been
rejected.

40. Executive Order 12333
Status: 1981 Executive Order under Reagan, Currently Active
What it was supposed to do: Gives the NSA broad authorities to conduct surveillance
outside the United States and collect data on Americans.
How it was misused: No protections for U.S. citizens whose information is held outside of
the United States.
At least in 2007, the president believed he could modify or ignore [Executive Order 12333] at
will and in secret. As a result, we know very little about how Executive Order 12333 is being
interpreted inside the NSA.
- Bruce Schneier

41. Pop Quiz
What do emails, buddy lists, drive back ups, social networking posts,
web browsing history, your medical data, your bank records, your face
print, your voice print, your driving patterns and your DNA have in
common?

42. Pop Quiz
What do emails, buddy lists, drive back ups, social networking posts,
web browsing history, your medical data, your bank records, your face
print, your voice print, your driving patterns and your DNA have in
common?
The U.S. Department of Justice (DOJ) doesn’t think any of these things
are private. Because the data is technically accessible to service
providers or visible in public, it should be freely accessible to
investigators and spies.

43. “Collect”
Under Department of Defense regulations, information is considered to
be “collected” only after it has been “received for use by an employee of
a DoD intelligence component,” and “data acquired by electronic
means is ‘collected’ only when it has been processed into intelligible
form.”
In other words, the NSA can intercept and store communications in its
database, then have an algorithm search them for key words and
analyze the metadata without ever considering the communications
“collected.”
—Electronic Frontier Foundation

44. Loss of Credibility, Influence
October 2013, Wired:
All of the major internet organisations have pledged,
at a summit in Uruguay, to free themselves of
the influence of the US government.
The directors of ICANN, the Internet Engineering Task Force, the Internet Architecture Board, the
World Wide Web Consortium, the Internet Society and all five of the regional Internet address
registries have vowed to break their associations with the US government.
In a statement, the group called for "accelerating the globalization of ICANN and IANA functions,
towards an environment in which all stakeholders, including all governments, participate on an
equal footing".
That's a distinct change from the current situation, where the US department of commerce has
oversight of ICANN.

45. Costs to U.S. Businesses
Studies by the Information Technology and Innovation Foundation and Forrester
Research estimate NSA surveillance will cost the U.S. tech industry between $22
billion and $180 billion over the new three years, a loss of up to 25% of total
industry revenue.

46. Costs to U.S. Businesses
The government response was, ‘Oh
don’t worry, we’re not spying on any
Americans.’
Oh, wonderful: that’s really helpful to
companies trying to serve people
around the world, and that’s really
going to inspire confidence in
American internet companies.”
-Mark Zuckerberg, CEO of
Facebook

47. Yahoo and PRISM
The U.S. government threatened to fine
Yahoo $250,000 each day the Internet
giant did not share data about its users
– a fine that would have doubled for
each week of noncompliance,
according to newly unsealed court
documents.
"In 2007 Yahoo filed a lawsuit
against the new Patriot Act, parts
of PRISM and FISA, we were the
key plaintiff. A lot of people have
wondered about that case and
who it was. It was us ... we lost.
The thing is, we lost and if you
don't comply it's treason."
—Marissa Mayer

48. Apple and the FBI
Apple said iMessage and
FaceTime conversations were
protected by end-to-end
encryption so no-one but the
sender and receiver could see
or read them.
"Apple cannot decrypt that
data. Similarly, we do not store
data related to customers'
location, Map searches or Siri
requests in any identifiable
form."

51. Schneier’s proposal
Break NSA up into three parts:
- Domestic work moves under
the aegis (and oversight) of
the FBI
- Cyberwarfare moves under
US CYBERCOM
- NSA retains foreign
surveillance

54. Positive Achievements
- US Code of Fair Information Practices 1973
- US Consumer Privacy Bill of Rights 2012
- OECD Privacy Framework 1980

55. Cyber Threat
Sharing Act
Protecting Cyber
Networks Act
Cybersecurity
Information Sharing Act
National Cybersecurity
Advancement Act
Companies may give data directly to FBI X X
Legal protections for companies that violate
your rights
X X
Broad exemptions for state & federal
government
X X
Permission to share information across
agencies unrelated to cybersecurity
X
“Cybersecurity” purposes defined to include
minor drug offenses and crimes for purpose of
information sharing
X
Opaque sharing with international partners X X X
Restricts civilian control of domestic
cybersecurity
X
Status Vote deferred Passed in House Referred to the
Committee on
Homeland Security
and Governmental
Affairs.
Passed in House

56. Implications for international law
Government documents clarify that the basis for permitting an investigation isn’t
terrorism, but the person’s status as a non-US person:
“For traditional FISAs you must have probable cause that the target is a ‘foreign
power’ or agent of a ‘foreign power.’ For section 702, however, there must a
reasonable belief that the target is a NON-USPER located outside the United
States”. US law doesn’t grant the same rights to non-US persons, at least for
those overseas. This is in contrast to, for example, the European Court of Human
Rights, which recognizes the right of liberty and security for each person
regardless of citizenship.
—Susan Landau

57. Implications for international law
- Article 12 of the Universal Declaration of Human Rights states that " No one shall be subjected to
arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his
honour and reputation. Everyone has the right to the protection of the law against such interference
or attacks."
- The 2012 draft European Data Protection Regulation Article 17 details the "right to be forgotten and
to erasure".
Under Article 17 individuals to whom the data appertains are granted the right to "obtain from the
controller the erasure of personal data relating to them and the abstention from further
dissemination of such data, especially in relation to personal data which are made available by the
data subject while he or she was a child or where the data is no longer necessary for the purpose it
was collected for, the subject withdraws consent, the storage period has expired, the data subject
objects to the processing of personal data or the processing of data does not comply with other
regulation".

58. Implications for international law
Government documents clarify that the basis for permitting an investigation isn’t
terrorism, but the person’s status as a non-US person:
“For traditional FISAs you must have probable cause that the target is a ‘foreign
power’ or agent of a ‘foreign power.’ For section 702, however, there must a
reasonable belief that the target is a NON-USPER located outside the United
States”. US law doesn’t grant the same rights to non-US persons, at least for
those overseas. This is in contrast to, for example, the European Court of Human
Rights, which recognizes the right of liberty and security for each person
regardless of citizenship.
—Susan Landau

59. Resources for international agreement
For the U.S.:
Consumer Data Privacy in a Networked World
For businesses:
OECD Privacy Principles
For the international community:
13 International Principles on the Application of Human Rights to
Communication Surveillance

60. Next Steps
Low-Hanging Fruit
- Enforce existing laws
- Incentivize proactive defense and disclosure after breaches
- International coordination on reciprocal protection for citizens
Questions to pose to institutions and organizations:
- Why are you retaining this information?
- Is the present value worth the future risk?
- What is the risk of not keeping it?
- Could an unfriendly government steal or force you to surrender
it?

61. At the end of the day, the law
doesn't defend us; we defend the
law. And when it becomes
contrary to our morals, we have
both the right and the
responsibility to rebalance it
toward just ends.
— Edward Snowden

62. Privacy as Agency
Positioning privacy and public-ness
in opposition is a false dichotomy.
People want privacy and they want
to be able to participate in public.
Protecting privacy is about making
certain that people have the agency
they need to make informed
decisions about how they engage in
public.
—danah boyd

63. Implications for users/customers
Questions for companies and organizations:
Why are you retaining this information?
Is the present value worth the future risk?
What is the risk of not keeping it?
Could an unfriendly (domestic or foreign) government force you to give
it, or steal it?

64. things a consumer can do
to protect themselves?’
I hate to be a gloomy Gus,
but the message I give
journalists and others is
there’s basically nothing
you can do.
It’s like saying, what can
you do about climate
change by yourself … when
the problem is structural
architecture and the flow
around your data.”
—Lee Tien
Electronic Frontier
Foundation

65. Individual Defense Strategies
A Layered Defense
Examples:
- Firewall
- Antivirus
- Passphrase
- Two-Factor Authentication

66. Surveillance & Sousveillance
Surveillance is when the masters watch over the masses.
Sousveillance is where everybody has the capability to
watch over each other, peer-to-peer style – and not even
the rulers are exempt from the universal collective eye.
It’s generally meant to imply that citizens have and exercise
the power to look-back at the powers-that-be, or to “watch
the watchmen.”
—David Brin and Ben Goertzel

67. Evaluating Strategies for Information Security
Mossad
Magic
???
Not-Mossad
https
Strong password
Applied security
patches
Threat:

68. Best Practices
- HTTPS
- Passphrases
- Two-Factor Authentication
- Antivirus
- Device encryption
- Install security updates

71. Antivirus

72. Password Managers

73. Identity Theft/Fraud Resources
identitytheft.gov
ftc.gov/idtheft

74. Additional resources
For further questions or a copy of
this presentation, email:
Jordan Peacock
CEO, Becoming Machinic
jordan@becomingmachinic.com