Annual NYS Cyber Security Conference

Transcript:

2013 NYS CyberSecurity Conference Q&A

The world today is vastly different than the world we grew up in. When we were kids, privacy was a way of life. I’m sure we all remember uttering the phrase, “None of your beeswax,” when telling people to mind their own business. Maintaining a certain level of privacy was just common sense.

Kids today, on the other hand, have no such compunctions about sharing all of the minutiae of their lives—not only with friends and neighbors, but also with the public at large thanks to social media. Younger generations often spend more time documenting and sharing events online than actually experiencing them. And while it might be fun for your daughter to post that bathroom selfie showing her friends what she chose to wear for the day, or for your son to live-tweet a blow-by-blow report of how his date is going, what sort of implications might these activities have on their future? On their safety? On the security and well-being of your family?

Cybersecurity and privacy law expert Raj Goel, the founder and CEO of BrainLink, is here to answer questions you might have about how to address these issues with your children and grandchildren and how to help instill in them a healthy sense of privacy.

Q: Why should parents and grandparents be concerned about educating themselves and their children or grandchildren on some basic principles about cybersecurity and privacy?

Raj: There are some things you as a parent or a kid might want to know and arm yourself with, especially if you’re traveling, or your kids are going to study abroad at some point. Because the fundamental aspect of every law in the world, every legal precedent, is that ignorance is not a defense. And if you or your kids choose to be ignorant about social media, computing, and digital privacy, in my experience, you’ll get nailed for it. And it is no excuse to say, “I didn’t know. No one told me.” You have to take personal responsibility and educate yourself.

In the US, we have the Miranda warnings where when the cops arrest someone, they actually have to tell them that everything they say can be held against them. Strangely, however, we have no such protection on the Internet. The Internet never states that anything you post today will be public for the rest of your life. Gmail has never disclosed that anything you keep online is accessible to third parties forever. Facebook never says, “Yes, like that update. Thank you very much. You’ve just deleted your First, Fourth, and Fifth Amendment rights for life.”

Q: What are some real-life dangers of social media sharing?

Raj: Facebook says friend your neighbors. Well, in New Hampshire, for example, people have done exactly that. They’re friending all their neighbors, and then noticing that somebody has posted a brand new TV, a brand new car, brand new jewelry, a diamond ring, and that the Jones family is now vacationing in Hawaii, Albany, any place not in New Hampshire; well, like good neighbors, they know when to help themselves and offer an extra pair of hands.

Adam Savage from Mythbusters used to be a bit of a privacy nut, but for their 100th episode, Toyota gave them a brand new Tundra. They took a photo of it and put it up on Flickr. Well, within 5 minutes of the photo being on Flickr, Savage’s fans knew exactly where he lived. Why? Because every smartphone from the last decade and most digital cameras have GPS-enabled geo-tagging that is automatically enabled. So, you take a picture and go to Instagram. Once there, they let you add filters, add colors, and make your picture look better. They give you all these options, but do you think there’s ever an option to strip all geo data? No. Why not? It’s not that difficult to do. The bottom line is it’s not in their interest to take away metadata. All these companies make their money off of you and the data about your content that they can monetize and sell to advertisers.

Q: How effective are social media privacy settings at providing protection from these types of dangers?

Raj: Not very. There was a guy in the UK who worked for Apple stores who went on Facebook and posted derogatory statements about his manager. Well, one of his Facebook “friends” printed out the comments and showed them to the manager, and, naturally, the guy got fired. However, the guy turned around and sued based on the EU human rights act saying that they had violated his privacy and that he deserved restitution. But more than one judge on the UK tribunal ruled that anything on social media is not private.

This goes to illustrate that there’s legal precedent that information entered into and posted onto Facebook is not private, and that also goes for other forms of social media. This goes not only for the UK and Australia, but also for the U.S. In effect, those privacy settings are a lie.

Now, the US does have a legal ruling that says if minors are involved, then media can’t publish names or photos unless they were approved by parents or certain third parties who are involved. Australia also has similar rules due to a situation where a television show went to a kid’s Facebook page and grabbed some photos and then ran a news story with it. The parents sued for violation of privacy and the Australian media regulator ruled that since it’s on Facebook, it’s public domain.

Q: What about posting photos of our kids to share with friends and family? That’s harmless, right?

Raj: Indeed, now lots of families take pictures and videos of their children, and as a result, we now have kids who are basically being recorded from the day they were born, as if they’re in the Truman Show. Well, you might think you’re just recording baby photos to show to the family. But there are more and more jurisdictions where other people’s family photos are being sliced and diced and put together with video effects into porn. In essence, people’s children are being turned into porn stars in other countries. And because these things are taking place in other jurisdictions such as Thailand, India and Hong Kong, there’s really not anything anyone in this country can do about it. And unfortunately, once it’s out, it’s out.

As a side note, after Flickr PDA went big, they included a clause in their terms of service that stated all photos posted on Flickr will become Flickr property. For instance, a marketing company in Poland or Lithuania took a picture of a happy family and used it as a stock photo, making billboards and supermarket ads featuring this family. And how do we know about this? Well, the family in the photographs was actually on vacation and they were astounded when they saw a picture of themselves staring back at them from the storefront in a foreign country.

Q: What are some other examples of how failing to carefully consider how we use social media could come back to bite us?

Raj: Now, here’s a fun one for you, I’ve seen a lot of police academies who’ll put up Facebook postings of cops as they graduate. Now seeing that information like that is public domain data, is that really the right thing to do? What happens when these cops go undercover? Having images of them floating around on Facebook or other social media will make them hard to protect. This practice is clearly an example of not thinking things through clearly.

There’s a company based in Hong Kong called Lenddo, which is a very small division of a large bank, and they have innovated a new product. Lenddo provides you an account where you can get a loan through them. As part of the sign-up, you give them your Facebook information, and other social media account information. Basically, your social media presence functions as your basis for loan credibility. So that as you make your loan payments on time, you get bonuses, and they’ll tweet or post about it.

But here’s what they don’t advertise—if you’re late on your payments, they will broadcast on social media that you or your friends are deadbeats.

Another trend I see happening more and more is illustrated by a particular case where a young lady went to college and took a gay and lesbian course. At one point, the course instructor put a photo of all them on Facebook and poor dad found out his daughter was a lesbian before she told him. How many of our kids join societies in college knowing that their photos might go online, exposing data at a time when they don’t want it to go public? This is happening more and more in every country that I’ve studied.

You know, every corporation, every government spends millions and millions on security. How many of you work in places where you have to sit through stupid security training videos or training every quarter, or every year or so? Well, Dell Corporation spends about $3 million a year for the protection of Michael Dell and his family. Yet in a single week two of his kids completely destroyed Dell Corporation’s entire security budget. The daughter posted a photo on Instagram of where she was going to be for her high school reunion or some party she was going to. On the same day her brother posted a photo of his $15,000 breakfast spread.

Have you thought about this before? I’m training the CEO, I’m training my captain, I’m training my manager, I’m training my secretary. But what about their kids and their grandkids? Security departments mainly focus on telling their employees what they can and can’t do, or what they can and cannot say, but give little if any thought to how their security concerns can become completely unraveled by an employee’s loved one bragging about where they are or where they’ll be traveling to.

Q: How can you control what other people post that might be harmful to you?

Raj: We have very little control. Control is primarily an illusion. If you train employees and if you have proper conversations about security lapses, you might be able to defend against it. We kept a lot of secrets by training a whole generation that loose lips sink ships. For example, there are plenty of men and women who were born, served, and died, with their families never knowing what they did for a living.

Q: Can social media outlets be held liable for these types of security breaches and privacy violations?

Raj: It’s not always the user’s fault. The vendors make it too damn easy. In legal circles there’s a concept that we track users. For instance, if there’s a pool in a backyard without a proper fence, then there’s a risk that kids could come over and drown in it; and if they do, then that could make the owner of the pool liable. Same thing if you’ve got a swing set in your yard and you don’t keep your neighbor’s kids out. If they come in and break their necks, then you are legally liable.

We don’t have a concept of legal liability for social media, do we?

Q: Is it just social media we need to be worried about? What about other types of apps we use?

Raj: You may remember there was an app that came out not long ago with a lot of hype. It would take Facebook status updates, your location data and your gender from Facebook, and then combine them so you could find men or women in your area you could hook up with. Well, there was a big media backlash, and within 2 weeks, the company died. However, the data and the concept lived on, and were co-opted by both campaigns in the run up to the last election so they could help their volunteers find fellow Democrats and Republicans.

This app is not dead. In fact, there was a nightclub that put up cameras at the door and on top of the bar. The pitch of the nightclub’s owner is that he was protecting people from theft, but more importantly, he was trying to get more drinkers and more patrons. How? You could pull up the app or go to the website and type in the zip code and he would tell someone of any party they have seen happening, how many people are there, what’s the male to female ratio, what’s the demographic of the drinkers. Gone are the days of walking to nice, smoky little bars and having private conversations.

Q: But if these apps use our private data to serve us useful information, then what’s the problem?

Raj: Well, governments and corporations do stupid things for the right reasons. For example, India’s problem, like most emerging economies, is that they have a large population that is still underserved. They’re poor, and they have a large welfare payment problem. India wants to cut the fraud and waste. Furthermore, there’s a large ID theft epidemic in India like most countries, so they’ve built this amazing biometric database containing roughly 1.2 billion people. Currently this is the second largest database and many times bigger than the Homeland Security database.

After most of the building of the database has been completed you get all the great reasons for it like, we want more people to get logged on and have more accessibility, or not let their welfare payments get stolen by the politicians and thieves in the food chain. And when they ask, what about security, the director of the project says, “Why should these people worry about security? They live 12 people to a room.” I agree. If you’re starving, if you’re living on less than a dollar a day, security and privacy will be the least of your concerns.

But now every Indian who’s in the system has for the rest of their lives their non-modifiable identifiers in a government-built database, built by the lowest bidder, with security not even being a concern. Because they’re not looking at it from a security perspective; they’re looking at it from a utilitarian standpoint of how we feed our people. I expect this database to make our social security number problem look like a joke real soon.

Q: But how is that a problem in developed nations that place a high value on freedom and democracy?

Raj: Óscar Benavides, the former Peruvian president, has a wonderful quote, “For my friends, anything; for my enemies, the law.” How many of you believe that to be true? Just remember, we live in a country where someone who’s influential can claim he smoked marijuana but did not inhale, and then can become president; while another privileged person can claim they smoked cocaine, but they’re clean now, and they, too, can become president. But if either of them had been under 18 in New York City walking down the street smoking pot or cocaine, they would probably be in jail right now.

Indeed, for the elites anything; for the rest of us, the law. How many of you have heard of the Electronic Communications Privacy Act of 1986? The law explicitly states that any email that you store unopened and unread online in a third party provider gets 6 months of privacy protection from the government. However, on day 181 it’s considered public property.

Yet in reality, anything in an online database has zero days of privacy from anyone. What are Facebook, Twitter and Salesforce? They’re all databases. Gmail you can argue is a database because they actually include service with minor emails in the context of advertising. I actually can’t find any email system that cannot be cross-fed as a database because they all do data mining. So it’s not been tested in court yet; but in theory, all emails have zero rights to privacy.

Q: But if I’m not doing anything wrong, then why should I care whether my e-mail is private?

Raj: Remember David Petraeus, who used to be director of the CIA, the most powerful intelligence agency in human history? Even he couldn’t protect himself from ECP overuse by the FBI, so what makes you think you can? This is scary: no one is immune from an angry FBI agent who decides to take on the head of the CIA just because they’re hot for a girl in Miami. The director lost his job; the FBI agent, however, I believe is still gainfully employed by our tax dollars.

The Patriot Act has a lot of provisions that most people didn’t read. One of them is that it lets the US government get data from around the world. If your data is sold by an American provider, they can rendition it. The CIA has a small habit of putting a black bag over people’s heads and taking them to foreign countries. It’s called Rendition. Well, welcome to the digital equivalent of rendition.

Don’t take my word for it. European governments have forbidden their government departments from using Amazon, Rackspace, Google, Facebook, and any other American providers precisely because any data in there, especially on their citizenry, would violate the EU charter of human rights, the EU privacy acts, and would allow the data to be sent back to the United States with no control over what happens to it once there.

Q: But aren’t these laws and this technology put in place to protect us?

Raj: Now, how does technology work around the world? Well, the Saudis have a wonderful culture. If you’re a man, you have everything; if you’re a woman, you have less rights than a camel. I’m not kidding. Under Saudi law and Saudi culture the adult male of your house–it could be your husband, your father-in-law, your brother, your son—if you’re a female, he is your legal guardian. And whenever Saudi women leave the country, their legal male guardian gets notified by the Saudi government. They get a text message, “Hey, your wife is entering the airport. Your wife just left the country.”

How many would love to live in a country like that? Oh, I’m sorry, you have Foursquare and Facebook, don’t you? So welcome to the United States of Saudi Arabia.

Q: What about service companies that we entrust with our personal data and private communications?

Raj: It used to be, when you paid a vendor, you could trust him with your data. However, in this age—the 2011 riots in London being an example–you pay a vendor, and without being asked, they take the entire media message logs for the affected zip codes and give them to the police, no questions asked.

Three years ago there were a lot of rumors going around about what cell phone companies are doing with our data. But no one had any hard evidence on what was being done. Many of us already suspected Verizon, Sprint, AT&T and others of handing over data to the government and law enforcement. So the phone companies were subpoenaed. As a result, they admitted that in a single 12 or 13-month period the phone companies gave law enforcement 1.3 million cell phone surveillance requests, including GPS locations of cell phones—all without a warrant. That’s 1.3 million in a country that has a population of roughly 350 million people; that’s about a third of the population of America.

They got caught doing illegal surveillance. Sadly, Australia and some Germans have done this, the Brits have done this and the Americans have done this. Every government is breaking laws right now globally and spying on their own citizens.

Q: Where do you see all of this headed in the future?

Raj: In 1983, William Gibson told New York Magazine, “The future’s already here, it’s just not evenly distributed.” That means what’s going to happen 5 to 20 years from now is already happening in some parts of the world.

Where is it happening? First, let’s go back in time and quickly review social security numbers. In 1934 to 1935 we had a debate in Congress. The Right didn’t want national ID numbers because it seemed to play into prophetic passages of the Bible that mention the mark of the beast. The Left didn’t want national ID numbers because they disenfranchise minorities, the poor and immigrants. So in 1936, they reached a happy compromise: we’ll have national ID numbers used by the IRS that reflect income taxes. That’s actually the official law. Interestingly, to this day, only the IRS is legally allowed to use social security numbers for any identifiers; banks, insurance companies, credit card companies, mortgage companies, schools, universities–none of these institutions and organizations are supposed to use your SSN, and they’re all violating federal law when they do. But try getting a loan or a job without a SSN; indeed, they’re becoming the de facto ID number.

What’s the problem? To find out, let’s compare your social security number to your credit card number. Let’s say you have a credit card and you lose it and you call your bank. They cancel the number in about a minute. And you get your card back in a couple of days. Or let’s say I’m a merchant and you give me your credit card. I can usually validate that it’s yours and if it’s active and how much money is available in about 30 seconds or less.

Social security numbers, on the other hand–how many of you know your social security number? How can you be sure absolutely no one else in the country has your number? How many of you can check your SSN number and know you’re checking the right person? You can’t. For decades SSNs have been so small, they’re reusable. So we have two different people; one dead, one living, both with the same SSN number. And yet they’ve become the de facto ID card for our country.

Why is this a problem? What happens when somebody’s ID gets stolen? Who pays for the clean up? Does the thief or the companies who have benefited; or is it the poor consumer who spends thousands of hours and thousands of dollars trying to get their life back? We as a society pay for a compromise made in 1936.

Q: So is the only true solution to privacy to stay offline, use land line phones and pay cash for everything?

Raj: Even that might not help. Google Street View came out not long ago. Turns out, government authorities are now using it to comb through neighborhoods and have started hitting people with tax bills. One of my favorite stories is this woman that was caught climbing into a hammock in her front yard, and the next thing she knows the tax cops show up saying, “Your income says this, but your house is worth that; please help us do the math. By the way, here’s your bill.” And they’re not the only ones: there’s a couple of communities in Long Island, New York and around the country doing this, along with a lot of homeowners associations. They’re using Google Street View and Google Earth data to detect whether someone is violating zoning codes or homeowner association by-laws.

Here’s what [Google’s Executive Chairman] Mr. Eric Schmidt said a couple of years ago: “We know where you are, we know where you’ve been, we more or less know what you’re thinking about.” When street view first came out, people were going, “Why?” He literally said if you have something you don’t want anyone to know, maybe you shouldn’t be doing it in the first place. Apparently he’s never raised children. Apparently he’s never been a child himself.

Lastly, two weeks ago, he said this in the Daily Telegraph: “You have to fight for your privacy or you will lose it.” Here’s what I want to know. How does one of the men who helped shepherd a company that is the largest invader of privacy ever, all of a sudden have religion? What happened in his professional life that he now says we have to fight for our privacy? Could it be because drones are now commercially available, and he doesn’t want his neighbors flying drones over his property? Did somebody like CNET do a Google search to invade his privacy at some point, and find out his minimal income? Absolute heresy. That’s like the Pope saying atheists can go to heaven. Oh, that happened, too. We love this new world.

Raj: Recently, the Texas legislature unanimously passed a law which will require subpoenas and warrants for all email. It is the toughest email privacy law in the nation. As a result, Texas will have the strictest—at least as of 2013—email privacy law at the state level in the United States.