Computer Insecurity & Privacy: Throwing people in the mix
Brad Templeton, Electronic Frontier Foundation, bt@eff.org

Post on 15-Jan-2016


It sucks

• But it's amazing how well we get along
• Most people are pretty decent
• The automation of good and evil

Firewall Hoax

Monoculture

• Attractive targets
• Liability won't work

Botnets

• Underworld
• Intelligence
• 30% of computers botted!
• DDOS Attack

Design vs. Deployment

• Algorithm vs. Protocol vs. Deployment
• Public Key Encryption
– Like a Mailslot
– Also does Signature
• Key management
• Certificates
• ZUI: Hard to use means rarely used

Phishing & Social Engineering

Crypto & Export Control

• Quantum computing & Quantum Crypto
• Weak Systems (DES, WEP)

Clouds, Transparency, Time travel and Privacy

Some topics

• Value of Privacy
• Threats to Privacy
– Now and in the future and other countries
• Erasure of 4th amendment
• Ease of use and user choice as negatives

Privacy is Freedom – the Heisenberg problem

• A Watched Populace never boils
• Apes the only ones who need privacy
• Surveillance doesn’t chill all freedom, but why give up any important freedom?
• Anonymous communication the foundation of free societies
• Each generation defines a new concept.
• “Privacy is what you take away from someone when you want to torture them.”

Blinded me with bad science

• Look hard enough, in a big enough sea of data

• You’ll probably find whatever you’re looking for

• Seattle firefighter learned this

• Scientists barely know this, ordinary people and juries don’t.

Why be a privacy Zealot?

• You don't care about your privacy until after it's invaded
– They’ll trade it for a chance to win an iPod
• You must protect others' privacy to protect yours
• There really is a slope -- "we accept this, why not more?"
• You must not walk even near the edge of the police state

Shy people need privacy

In a way extroverts won’t understand…

Cloud Applications

• Storing Applications in the cloud
• Roaming, Scalability
• What does it look like…

[Diagram: four User nodes and a Server Farm]

The Pendulum

• Timesharing
• Personal Computing – nobody can say no
• Timesharing

Data out of your hands

• No “reasonable expectation of privacy” says the Supreme Court.

• Some statutory protection, but they no longer have to go through you and your lawyer to get at your data.

• If we move all our data out of our homes and into the cloud...

• Erasing the 4th Amendment

• Let's think this through

• Recently we've had big changes!

We must take care not to build the infrastructure of a police state

• Don't install the switch, by making it a question of policy rather than implementation.

AI Privacy Invasion

• Understanding natural language documents in bulk
• Face and person recognition
• Speech recognition
• Facial expression and body language recognition
• Patterns of network activity

Scalability is the Key

• Always been possible to follow people
• It didn't scale
• Computers have scaled a lot of it
• AI can scale the rest

Time traveling robots from the future

Time Travel

• We don't have good AI today
• We will have more of it in the future
• We do have cheap storage today
• We're recording what goes on
• AI systems will be able to scan the past
• “Are you now or have you ever been...”

Sins of the Future Are visited in the Past

• We know what to look out for today
• We keep private what could hurt us
• We don't know what will be the sins of the future
• What we consider bad today they may not care about

Other countries

• Facebook for Falun Gong
• Or Burmese Monks
• Or German Jews
• Don’t be big brother’s “preferred vendor.”

The balance is changing

We should ask ourselves with each step, did we want to change the balance?

Ease of Use is a Bug

• Mag stripe on your driver’s licence
• Long web form is impediment

End-User control prevents negotiation

• Negotiated vs. non-negotiated
• Negotiation only happens with power
• What’s the history of success? P3P? Agents? Reputations?
• Bizarrely, Passport could have done better!
• Proxies

Data Portability or BEPSI

Or data hosting?

What to do?

• Consider privacy invasive uses of what we design today

• Consider its use in other regimes and future regimes

• Be a bit paranoid, even with things you don't think you have to protect -- yet.

Robots and Cameras Everywhere

• Robot cars are coming, with many positive results

• It means cameras and other sensors recording everything, everywhere

• It means records of everywhere we travel, everybody we travel with

Pause

– Click to agree contracts replacing law

– Software Monoculture

– National Security

– Trusted Computing & DRM

– Spam & Parasites

– Censorship, censorship avoidance and the collapse of borders

– Cheap nanotech sensors & cameras

– Suing AT&T for $1 Trillion

– Strong cockpit doors

– Capability OS

– Threat Models

They’ll abuse it

• Hey, it’s not like they would tap people without warrants

• Echelon program and international cooperation

• The scalability of good and evil

Other future risks

• Nanotech sensing
– Chemical sensors, drugs
– DNA sensors
• Cheap electronic sensors
– Cameras
– RFID

Views of the future

• “Privacy is dead, get over it.”

• European Privacy Laws

• Children raised without privacy

• The transparent society

• Privacy must die

The Transparent Society

Three competing forces

• Freedom to observe, record, share and publish information

• Desire for security

• Need for privacy

Not always a tradeoff

• It’s not necessarily security vs. privacy

• For each problem, we must find the “strengthened cockpit door.”

• It’s not always so obvious, it may be more work, but it’s worth it.

• The boogeymen: Terrorists, kiddie pornographers, music pirates

Can we stop the surveillance?

• Not with laws

• Perhaps with tech

• Perhaps with convention

EFF vs. AT&T

• President orders NSA to do wiretaps

• The phone companies do the dirty work

• Boxes installed in secret rooms at major switching centers

• Suspicion of data mining everybody’s call records

Extreme Suggestions

• Watch everybody
• Watch the profiled
• Rewire the brains of the profiled
• Rewire everybody!
• Hope prosperity discourages attack?
• Will prosperity (destroying ideology) trigger the attack?

Is surveillance that effective?

• Not even in China or prison camps

• Oppressed always win, at least in the small

• But it’s always abused

• And what we build is used in less enlightened places

You can't stop terrorism with enhanced security

• You can't win a "war on terrorism", not with technology, not with surveillance

The more you ban privacy, the more people will want it

• And the more people will help them

• The blind eye

• Deliberate noise

We've always used social convention

• This is not like trying to command the tide not to come in.

• Human behaviour is much more fungible than gravity.

Live Free or Die

• If privacy is freedom it's worth defending

Thank you