The experts at our 2018 codenomi-con event at Black Hat had a lot of opinions about data privacy. But they agreed on an essential element: citizen action.
We keep hearing that privacy is dead. But there is a good chance that a lot of us still aren’t aware of just how dead. The speakers at our annual codenomi-con event, presented in connection with Black Hat, offered reminders about that reality in both government and the private sector.
Cyrus Farivar, senior tech policy reporter at Ars Technica and one of those who are very much aware, presented the government’s role in data privacy in a keynote based on his most recent book, Habeas Data.
Farivar didn’t paint an entirely hopeless picture. But he said any chance of a meaningful revival of personal privacy is going to take a level of citizen awareness and involvement that doesn’t now exist in most communities.
It’s not just about the metadata from emails and phone calls collected by the National Security Agency (NSA), which former NSA contractor Edward Snowden revealed in 2013. It’s also about the ever-expanding capabilities of modern technology.
Modern technology can allow law enforcement and intelligence agencies to track every car on the road, 24-7. It can fool your smartphone into connecting to a device that it thinks is a cell tower but is really operated by law enforcement. It can enable virtually constant surveillance from the air. It includes rapidly improving facial recognition, to the point where it can identify everybody in public, whether at a football game or a political protest.
Of course, the nation’s legal system hasn’t always kept up with whether the use—and the level of use—of these technologies violates the Fourth Amendment’s protection against “unreasonable search and seizure.”
Farivar’s book reviews 10 major court decisions between 1965 and 2017, most of them decided by the Supreme Court and most of which dealt with the “unreasonable search” issue.
There have been some encouraging decisions in recent years, in which the courts struck down convictions enabled by warrantless surveillance. But the reality remains that the government “toolkit” for tracking the location and activities of citizens is vastly more pervasive and invasive than most people may realize.
Farivar, who lives in Oakland, said a citizen activist inspired him to file a public records request regarding the local police force’s use of license plate readers (LPRs). He received a database with 4.6 million plate images going back five years—each including the date, time, and place the image was recorded. Before he filed his request, nobody on the city council knew the LPRs were in use. “That’s a pretty creepy superpower,” he observed.
Farivar said while he, like most people, wants law enforcement to have the tools it needs to enforce the law and catch criminals, “we don’t want those tools used against us.” There’s only one way, he said, to find the necessary balance between preserving those capabilities and protecting the privacy of innocent citizens: We have to have a level of transparency that doesn’t exist in most communities now.
That requires an informed citizenry. “File records request after records request to find out what is being used where you live.” The silver lining of this dark and stormy cloud is that knowing what’s going on is the way to get oversight passed. “There is no meaningful debate or discussion on it in Congress. And we can’t rely on courts to be a meaningful check on it either.”
Following Farivar’s keynote, Amy DeMartine, principal application security analyst at Forrester Research, sat down for a fireside chat with Jim Ivers, VP of marketing at Synopsys, to discuss “The Future of Application Security: Optimize Security Testing for DevOps With IAST.”
After DeMartine’s fireside chat, a panel discussion on privacy and the Internet of Things (IoT) focused on both the public and private sectors.
Moderator Sammy Migues, senior member, technical, at Synopsys, opened with a question about how privacy has changed over the past several decades.
Kim Zetter, former reporter for Wired, said while “pockets of people” have been concerned about it all along, data collection in the private sector has now become “all-pervasive.” “They track you online and offline. Your TV tracks you,” she said, adding that “a large part of the public doesn’t care.”
Her fellow panelists—Stacey Gray, policy counsel at the Future of Privacy Forum; Ben Ransford, co-founder and CEO, Virta Labs; and Justin Heyl, cybersecurity director, business development, innovations, and strategic partnerships at UL—agreed, offering different examples.
Gray noted that the alleged “Golden State Killer,” Joseph James DeAngelo, was arrested through evidence gathered from a public genealogy database that had data from some of his family members. In that case, one person’s data was used against another.
But all panelists had pretty much the same conclusion as Farivar: The best hope of preserving privacy will be through citizen involvement.
When Migues asked if technology might be able to solve the privacy problems it has created, the group said it would be only part of the solution.
Ransford, a self-described nerd, said he and his peers “can choose what to work on. We have much more power than ever before. We need to use our opinions and expertise, and not make decisions that are bad for privacy.”
Gray said she is encouraged that universities have established centers for privacy, and said she thinks the younger generation cares more about it than many of their elders think they do. “They’re using ad blockers, and the whole point of WhatsApp is the ephemerality of data,” she said.
But the bottom line was the same: The public has to care. “The social component is the big driver,” Ransford said. To which Zetter added, “It’s the public that decides if a line has been crossed.”