Jason Shirk, "Privacy for Security Geeks - Dancing with Lawyers"

Privacy for Security Geeks: Dancing with Lawyers JASON SHIRK PRIVACY/SECURITY LEAD ONLINE SERVICES DIVISION MICROSOFT [email protected]

Upload: shakacon

Post on 27-Jan-2015



DESCRIPTION

Privacy is front-page news on just about a weekly basis. Lawmakers and regulators are scrutinizing privacy like never before. And oh, by the way, privacy is a security problem. As hackers we spend a lot of time protecting the rights and sensibilities of users. We secure users largely by building tools, platforms and libraries to protect said data and other tools and platforms and libraries to break/ruin/steal this data. We can use these non-trivial skills and apply them to Privacy as well. All we need is a little bit of new vocabulary, a nudge in the right direction, and a (slight) tolerance for talking to lawyers.

TRANSCRIPT

1. Privacy for Security Geeks: Dancing with Lawyers
  • Jason Shirk, Privacy/Security Lead, Online Services Division, Microsoft, [email protected]

2. A Bit About Me
  • I, like you, am a hacker at heart
    • As a hobby for a while (~25 years)
    • Professional focus for the last decade
  • 3 years responsible for Microsoft's Fuzzing Strategy and Toolkit
  • A degree, years of Vulnerability Management, Penetration Testing, etc.
  • 2 years as the Privacy Manager for Bing and Security Manager for Social within Bing
  • Not a lawyer or a policy guy
  • Having been on the attack side I understand
    • Where the Jewels are hidden
    • What the Jewels are worth
  • Currently the Lead for Security and Privacy reviews for OSD

3. The $64,000 Question: why Privacy?
  • When I made the change to Privacy, people really wondered why (I'm paraphrasing here)
    • Inside Microsoft: "Really, Privacy?!? That's a big problem, I'm sure you'll get the skills you need, they're, uh, different than Security"
    • Outside Microsoft: "Dude, if you're sure then do what makes you happy. I tried that for about 6 months and ran screaming from it, good luck!" "That seems different. I'm sure we'll see you back before too long"
  • Simply put, I believe that Private Data is the single biggest problem facing Technology, and Security Experts are properly equipped to help.

4. Technology is at an Inflection Point
  • Digital Persona, Social Graph and Physical Location have come together
  • The intersection is creating new kinds of services and data
  • The new services are:
    • Real-time
    • Location specific
    • Data-centric
  • The opportunity is enormous
    • There are hundreds of billions of dollars up for grabs
    • As we know, for good and bad alike

5. There are Some Edgy Players

6. And People are Noticing

7. The Landscape has Changed
  • Laws exist prohibiting the exfiltration of Private Data regarding their citizens in:
    • The European Union
    • China
    • India
  • Safe Harbor agreements allow for this data to be moved to specific countries
    • Between the US and the EU, for example
    • Agreements are still being discussed with China and India
  • Violating these agreements could nullify the ability to do business with a continent

8. Sony PlayStation Network (and payment systems, and localized international websites, and a different part of the payment system, and the phone site, and, well, more)

9. The Penalties are Increasing, Alarmingly Fast
  • The FTC recently fined Google $22.5M for bypassing the Safari 3rd-party cookie blocking
    • Largest fine EVER levied by the FTC
    • It was called "insufficient and ineffective" by Privacy Advocates
  • Last week a US judge in California approved a settlement against Facebook for $20M
    • This ruling could also affect the ability of software companies to change their Privacy Policies without user approvals
  • The European Commission has proposed rules allowing for fines regarding privacy violations of up to 2% of GLOBAL REVENUE of a company
    • Expected to be effective by 2015
    • Oh, and this can be levied PER COUNTRY in the EU!!!
    • Global Revenue for Microsoft for FY12 was $73.7B
    • With 27 member states, at up to $1.47B per country
    • That's a Big number

10. What does this have to do with a room full of hackers?
  • Privacy *is* Security, BUT:
    • Privacy tends to have a Policy Slant (LOTS of Lawyers)
    • Security tends to have a Technical Slant (Mostly Engineers)
  • Privacy Nerds and Security Geeks do not speak the same language (I'm both, I can say this)
    • Legalese vs. Technobabble
    • Lawyers (mostly) do not understand Technobabble
    • Hackers (mostly) do not tolerate Legalese
  • Your technical expertise is HIGHLY valued by the Privacy Community
    • When you speak up, they will pay attention
    • When you offer solutions, they will want to implement them
  • We have to understand their point of view though

11. Privacy: A Coder's View
    Data == BusinessLifeBlood;
    if (NoPrivacy) Data = NULL;
    PrivacyExecutionAbilityToday < PrivacyNeedsToday < PrivacyNeedsTomorrow;
    CloudDevelopment++;
    ManagedCodeInvestment++;
    Developer != PrivacyExpert;

12. What Exactly Does Privacy Mean?
  • How would you define Privacy?
  • Trevor Hughes, President of the International Association of Privacy Professionals (IAPP): "There are 11 different definitions of Privacy" (Anonymity is only 1 of these)
  • Dictionary: 1a: the quality or state of being apart from company or observation : seclusion; b: freedom from unauthorized intrusion; 2 archaic: a place of seclusion; 3a: secrecy; b: a private matter : secret

13. A Language Lesson: Privacy
  • Personally Identifiable Information (PII), also called Personal Data (PD): Data that allows for a data subject to be tied to a real human being
  • Prominent Consent: A notice to a user prior to data collection and/or use, giving informed consent for the data collection/use
  • End User License Agreement (EULA) / Terms of Use (ToU): These are true legal documents which represent agreements or contracts between a user and a software provider. Installed software typically has a EULA (Windows, Office, ...). Services typically have ToUs (Bing, O365, Xbox Live).
  • Privacy Statement/Policy/Terms: This is a legally required document for all electronic data collection. It is not a contract in the same way as a EULA or ToU and is usually written in much friendlier (read: not-so-lawyerly) terms, but does bind the data collector to follow the terms. Both installed software *and* services typically have Privacy Statements.
  • Retention Requirements: Conversely to being required to keep data for at least a certain period of time, it is frequent in Privacy that data may *only* be kept for a certain amount of time.

14. A Language Lesson: Enforcers
  • Federal Trade Commission (FTC): The FTC is responsible for enforcing Privacy regulations in the United States.
  • Article 29 Working Party: A working party created by the European Commission to make recommendations for EU Article 29, regarding data privacy. They make recommendations for changes to the EU Directives and Articles.
  • Data Protection Authority (DPA): Each country implements the EU Directives differently, thus each country in the EU has at least one DPA and may have several. The DPAs enforce Privacy regulations in their respective countries. CNIL (France) and the UK, Irish and German DPAs have all taken recent significant action against technology vendors.
  • Canadian Privacy Commissioner: Canada has a national-level commissioner responsible for enforcing Privacy regulations. There are also Provincial Privacy Commissioners. The Privacy Commissioner for Ontario is quite outspoken and drives significant enforcement efforts.

15. A Language Lesson: Enforcement
  • Fine: As stated earlier, there are large sums of money that can be taken by enforcement agencies.
  • Consent Decree: The FTC has been not only levying fines, but, in the agreements it is making with companies, requiring *20 YEARS* of audits to verify that Privacy by Design is being implemented. Facebook and Google have both recently gotten these; Microsoft had one for 10 years in the past.
  • Injunction: Advocates are beginning to ask for legal injunctions stopping changes to policies and technology.

16. A Language Lesson: Security / Privacy Lexicon
  • Abstraction
    • For Security, we speak in terms of vulnerabilities (overflow, double free, ...), exploits (arbitrary code execution, DoS, ...), and payloads (Trojans, rootkits, ...)
    • For Privacy, up-level the conversation to the potential consequences: data leaks (third-party access, database exfiltration, ...), unauthorized use (prominent consent, intended use, ...) and regulatory action (hearings, fines, ...)
  • Mitigation
    • In Security, we excel at recommending mitigations and fixes to technical problems
    • In Privacy, the Security mitigations and fixes *are* often a part of the solutions needed; bring them to the table
  • Automation
    • In Security we build tools to do jobs that are too complex (or that we don't want to do ad nauseam)
    • In Privacy there is a growing need for sustainable processes (automated tools) to ensure Privacy standards (moderately complex but measurable baselines) are met

17. What Problems are We Facing? (Buzzword Bingo!)
  • Big Data is the word
    • From the last presidential race (extremely accurate precinct-by-precinct predictions)
    • To Lady Gaga (31M+ Twitter followers that she wants the rights to mine for her own)
  • Everything is in The Cloud
    • Check-ins, Check-outs, Check-ups and just plain old Checks
  • The On-ramp to the Cloud is Changing
    • Smart phones overtook feature phones globally in 2011 (according to Nielsen)
    • There are approximately 2.4 Billion internet users today (according to internetworldstats.com); nearly half of that is mobile.

18. What Can You Do?
  • Pragmatic Security solutions can be applied to a number of these areas:
    • Static Analysis tools for Personally Identifiable Information (PII) / Personal Data (PD)
    • In-transit Data detection
    • Lightweight Encryption mechanisms
    • Obfuscation implementations (only for defense-in-depth, of course)
  • By simply building tools

19. Wrap-up: Privacy is a Security Problem
  • Security Engineers are uniquely qualified to help solve Privacy problems
    • We are already recognized advocates for users and their data
  • Up-level the conversation appropriately
    • Talk about the impact of a vulnerability/exploit
  • Deliver Solutions and Mitigations to problems
    • Build tools and automate process/reporting
  • Build for the future: Big Data, Cloud, Mobile
  • Be pragmatic
    • While code trumps all, these technologies must be deployable
    • Help boil the problem down to bite-sized pieces and make recommendations accordingly

20. Questions?
  • Oh, and we're hiring
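As an added illustration of the "static analysis tools for PII/PD" idea on slide 18 (example code written for this page, not the speaker's or Microsoft's tooling): a small scanner that runs over constructed sample text, flags e-mail addresses, North-American phone numbers and payment-card numbers, and uses a Luhn check so that random 16-digit ids are not reported as cards. The patterns, the scope and the sample lines are this example's own assumptions.

```python
# Added example, not from the talk: a small PII scanner of the kind slide 18
# proposes. Assumed scope (my choice): e-mail, North-American phone, payment card.
import re
from dataclasses import dataclass

PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "phone": re.compile(r"(?<!\d)(?:\+?1[ .-])?\(?\d{3}\)?[ .-]\d{3}[ .-]\d{4}(?!\d)"),
    "card": re.compile(r"\b(?:\d[ -]?){13,19}\b"),  # loose; tightened by Luhn below
}

@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    value: str

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; cuts false positives from ids and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def scan(text: str) -> list[Finding]:
    """Return every PII hit in text; card candidates must pass Luhn."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                value = m.group(0)
                if kind == "card" and not luhn_ok(re.sub(r"\D", "", value)):
                    continue  # digit run that is not a card (order id, timestamp)
                findings.append(Finding(n, kind, value))
    return findings

# Constructed sample input (all values made up): a log line plus config-like lines.
SAMPLE = """2015-01-27 10:12:03 login ok user=alice@example.com from 192.0.2.10
support_phone = "+1 555-123-4567"
test_card = "4111 1111 1111 1111"
order_id = 1234567890123456
"""

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f.line_no}: {f.kind} -> {f.value}")
```

Running it reports the e-mail, the phone number and the Luhn-valid card, and stays silent on the 16-digit order id; the same `scan` function can be pointed at source trees, config files or captured traffic to give the privacy team a measurable baseline.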