authorMike Gerwitz <mtg@gnu.org>2017-03-19 03:35:45 -0400
committerMike Gerwitz <mtg@gnu.org>2017-04-02 22:04:28 -0400
commita896777647748f0d03b965e0330261f818eb3119 (patch)
tree40e21a7d4479fc35153993afc7af7bcad3f5e33a
parent01c0c4cfc5c907061105aa95470c1dfa21e5cf95 (diff)
Initial revision of Data and Profiling section
This is missing information on giving up information to social media, SaaSS, the "cloud", etc.
-rw-r--r--images/tp/SHA256SUM6
-rw-r--r--images/tp/remote-list6
-rw-r--r--sapsf.bib89
-rw-r--r--slides.org286
4 files changed, 358 insertions, 29 deletions
diff --git a/images/tp/SHA256SUM b/images/tp/SHA256SUM
index be428f8..c8e2519 100644
--- a/images/tp/SHA256SUM
+++ b/images/tp/SHA256SUM
@@ -15,3 +15,9 @@ ee2c1e8325221cc5ae01b078930d7e74d447cec25cebeb18c0aaa1989994b918 tor-diagram.pn
f9600308d10debbc56e116087aa83a1ada126f3979f8b528228e1e89a87efd12 torbrowser.png
4f231d937e622d9012706d57d5b0faa233f83d1e864db3b1b50d40d714aa8244 tails.png
dce3dbf6572077dd495a9413ff11d7017d785142af85286a5ab51b7c7e4da728 whonix.png
+9cb6cfd3c0c07c605f514e9b262a9baf224c622a86aea7d6b978e73127685e76 networks-of-control.png
+e52d8250d9a98ae68a68a758e1421231aebd4933cc44bc5a2364222984e1ee7f oracle-id-fuu.png
+4d1a1bb46f21f8d88336b6316a1131fc8f21400b96820c4b54e07288ff23fbf7 lexisnexis.png
+912270ce97ece82c5a335ce84d80e9470c6fb7e1822aa937fa7550a499d87952 palantir.png
+cbf3495473a9b111b3ba9723d5ebb9476bd6abf9bf3af711bdbe803baf98067f target-logo.png
+0a47a1e0b74fa4ec168d935357081a6d15e55ba77edad483ecb7fe14c3f6f4dc trustev-graph.png
diff --git a/images/tp/remote-list b/images/tp/remote-list
index a6a28ea..6d4f264 100644
--- a/images/tp/remote-list
+++ b/images/tp/remote-list
@@ -15,3 +15,9 @@ tor-diagram.png https://web.archive.org/web/20170318055957/https://www.torprojec
torbrowser.png https://web.archive.org/web/20170318161549/https://www.torproject.org/images/tb-lg.png -crop 185x135+0+0
tails.png https://web.archive.org/web/20170318162345/https://tails.boum.org/lib/banner.png -crop 495x114+30+0
whonix.png https://web.archive.org/web/20170318164321/https://upload.wikimedia.org/wikipedia/en/7/75/Whonix_Logo.png
+networks-of-control.png https://web.archive.org/web/20170318184646/http://www.facultas.at/upload/verlag/networksofcontrol/Christl_Networks_300.jpg -scale 50%
+oracle-id-fuu.png https://web.archive.org/web/20170318183230/http://www.oracle.com/us/corporate/acquisitions/datalogix/general-presentation-2395307.pdf oracle-id-fuu.png[7]
+lexisnexis.png https://web.archive.org/web/20170319033528/http://www.lexisnexis.com/risk/img/logo-lexisnexis.png
+palantir.png https://web.archive.org/web/20170319035510/https://www.palantir.com/build/images/global/opengraph-banner.png -crop 170x210+515+170
+target-logo.png https://web.archive.org/web/20170319055701/https://upload.wikimedia.org/wikipedia/commons/thumb/c/c5/Target_Corporation_logo_%28vector%29.svg/240px-Target_Corporation_logo_%28vector%29.svg.png
+trustev-graph.png https://web.archive.org/web/20170319060719/http://www.trustev.com/hs-fs/hubfs/JANUARY-2016/Technology/r-feb-t-circle1.png?t=1473256538000&width=1788&name=r-feb-t-circle1.png
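Review bot: The `oracle-id-fuu.png` entry downloads a PDF and selects a page with what looks like ImageMagick's `[7]` syntax, so the build parses a remotely fetched PDF, while the SHA256SUM hunk pins only the resulting `oracle-id-fuu.png`. If verification runs on the converted output (the script is not visible here), the downloaded bytes reach the PDF renderer before any integrity check, and the output hash may also differ between renderer versions. Consider recording the hash of the downloaded file and verifying it before conversion; the same applies to the `-crop` and `-scale` entries. The `trustev-graph.png` URL also contains `?` and `&`, so whatever reads this list needs to quote the URL field.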
diff --git a/sapsf.bib b/sapsf.bib
index 5437f6f..7f4e2d3 100644
--- a/sapsf.bib
+++ b/sapsf.bib
@@ -868,7 +868,23 @@
urldate = {2017-03-17},
}
-@article{ars:fingerprint,
+@article{ijcseit:biometric,
+ author = {Mudholkar, Smita S.
+ and Shende, Pradnya M.
+ and Sarode, Milind V.},
+ title = {Biometrics Authentication Technique for Intrustion Detection
+ Systems Using Fingerprint Recognition},
+ journal = {International Journal of Computer Science, Engineering and
+ Information Technology},
+ volume = 2,
+ number = 4,
+ doi = {10.5121/ijcseit.2012.2106},
+ date = {2012-02},
+ url = {http://airccse.org/journal/ijcseit/papers/2112ijcseit06.pdf},
+ urldate = {2017-03-19},
+}
+
+@online{ars:fingerprint,
author = {Goodwin, Dan},
title = {Now sites can fingerprint you online even when you use multiple
browsers},
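Review bot: The new `ijcseit:biometric` entry has a misspelled title and an issue number that disagrees with its own identifiers. `Intrustion` should read `Intrusion`. `number = 4` does not match the DOI suffix `2012.2106` or `date = {2012-02}`, which both appear to point to the first issue of volume 2; please confirm against the journal and correct it, probably to `number = 1`. The `ars:fingerprint` entry that follows continues past the end of this hunk.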
@@ -934,9 +950,78 @@
urldate = {2017-03-17},
}
-@cite{tor:browser,
+@online{tor:browser,
title = {Tor Browser},
organization = {Tor Project},
url = {https://www.torproject.org/projects/torbrowser.html.en},
urldate = {2017-03-17},
}
+
+@online{ghostery:companies,
+ title = {Company Database},
+ organization = {Ghostery Enterprise},
+ url = {http://www.ghosteryenterprise.com/company-database/},
+ urldate = {2017-03-17},
+}
+
+@online{networks-of-control,
+ author = {Christl, Wolfie,
+ and Spiekermann, Sarah},
+ title = {Networks of Control},
+ date = {2016},
+ url = {http://crackedlabs.org/en/networksofcontrol},
+ urldate = {2017-03-18},
+}
+
+@online{33c3:surveil,
+ author = {Christl, Wolfie},
+ title = {Corporare surveillance, digital tracking, big data~\&~privacy},
+ subtitle = {How thousands of companies are profiling, categorizing, rating
+ and affecting the lives of billions},
+ location = {33^{rd} Chaos Communication Congress},
+ date = {2016-12-30},
+ url = {https://media.ccc.de/v/33c3-8414-corporate_surveillance_digital_tracking_big_data_privacy},
+ urldate = {2017-03-18},
+ annotation = {See also \cite{networks-of-control}}
+}
+
+@online{oracle:datalogix-acq,
+ title = {Oracle Buys Datalogix},
+ subtitle = {Creates the World's Most Valuable Data Cloud to Maximize the
+ Power of Digital Marketing},
+ organization = {Oracle},
+ url = {http://www.oracle.com/us/corporate/acquisitions/datalogix/general-presentation-2395307.pdf},
+ urldate = {2017-03-18},
+}
+
+@online{lexisnexis:trueid,
+ title = {LexisNexis TrueID},
+ organization = {LexisNexis},
+ url = {http://www.lexisnexis.com/risk/downloads/literature/trueid.pdf},
+ urldate = {2017-03-18},
+}
+
+@online{techcrunch:palantir,
+ author = {Burns, Matt},
+ title = {Leaked Palantir Doc Reveals Uses, Specific Functions And Key Clients},
+ organization = {TechCrunch},
+ date = {2015-01-11},
+ url = {https://techcrunch.com/2015/01/11/leaked-palantir-doc-reveals-uses-specific-functions-and-key-clients/},
+ urldate = {2017-03-19},
+}
+
+@online{nyt:learn-secrets,
+ author = {Duhigg, Charles},
+ title = {How Companies Learn Your Secrets},
+ organization = {The New York Times},
+ date = {2016-02-16},
+ url = {http://www.nytimes.com/2012/02/19/magazine/shopping-habits.html},
+ urldate = {2017-03-19},
+}
+
+@online{trustev:tech,
+ title = {TransUnion | Trustev -- Technology},
+ organization = {TransUnion},
+ url = {http://www.trustev.com/technology},
+ urldate = {2017-03-19},
+}
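Review bot: Two of the added entries are unlikely to parse or typeset cleanly. In `networks-of-control` the trailing comma in `author = {Christl, Wolfie,` leaves the first name with an empty third part; it should be `author = {Christl, Wolfie and Spiekermann, Sarah},`. In `33c3:surveil`, `33^{rd}` uses `^` outside math mode and will likely raise a LaTeX error when printed, and the congress is an event rather than a place, so `eventtitle = {33rd Chaos Communication Congress},` fits better than `location`. The same entry's title has `Corporare` for `Corporate`. In `nyt:learn-secrets`, `date = {2016-02-16}` disagrees with the URL path `2012/02/19`, so the year looks mistyped.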
diff --git a/slides.org b/slides.org
index d7d401f..30ab9e3 100644
--- a/slides.org
+++ b/slides.org
@@ -1429,7 +1429,8 @@ Very creative ones.
- Panopticlick (EFF)\cite{panopti:about}
- User Agent, cookies, screen resolution, fonts, language, session storage,
- canvas, WebGL, ad blocker, audio, keystrokes, mouse movement, \ldots
+ canvas, WebGL, ad blocker, audio, keystrokes,
+ mouse movement,\nbsp{}\ldots\cite{ijcseit:biometric}
- Can even track separate browsers on the same
hardware\cite{hardware-fingerprint,ars:fingerprint}
@@ -1571,7 +1572,7 @@ Well, it depends on your threat model,
#+BEAMER: \only<2-3>{
- <2-3> Preempt most sophisticated and damning fingerprinting methods
- <2-3> Stop hardware profiling
- - <2-3> Stop keystroke/mouse analysis
+ - <2-3> Stop keystroke/mouse analysis\cite{ijcseit:biometric}
- <3> Remember those audio beacons?\cite{bleep:ultrasound-tor}
#+BEAMER: }
#+BEAMER: \only<4-5>{
@@ -1860,21 +1861,29 @@ There's obvious tradeoffs there for both;
#+END_COMMENT
-** LACKING Data Analytics [0/2]
-*** DRAFT Introduction [0/1] :B_ignoreheading:
+** REVIEWED Data and Profiling [0/3]
+*** REVIEWED Introduction :B_ignoreheading:
:PROPERTIES:
:BEAMER_env: ignoreheading
:END:
-**** DRAFT Introduction :B_fullframe:
+**** REVIEWED Introduction :B_fullframe:
:PROPERTIES:
-:DURATION: 00:00
+:DURATION: 00:00:05
:BEAMER_env: fullframe
:END:
#+BEGIN_CENTER
-``Big Data''
+#+BEAMER: \only<1>{
+\Huge ``Big Data''
(/Your/ Big Data)
+#+BEAMER: }
+#+BEAMER: \only<2>{
+\Huge ``Business Intelligence''
+#+BEAMER: }
+#+BEAMER: \only<3>{
+\Huge ``Data Brokers''
+#+BEAMER: }
#+END_CENTER
#+BEGIN_COMMENT
@@ -1882,52 +1891,275 @@ We've seen adversaries with different motives.
Let's explore what some of them do with all those data.
#+END_COMMENT
+*** REVIEWED Those Who Spy
+**** REVIEWED Data Brokers
+:PROPERTIES:
+:DURATION: 00:00:15
+:END:
-*** LACKING Headings [0/3]
-**** LACKING Advertisers
+***** Lightbeam Reminder
:PROPERTIES:
-:DURATION: 00:02
+:BEAMER_col: 0.50
:END:
-- Most users' threat models don't include the NSA
-- Biggest threat to privacy are companies that aggregate data to understand
- you (often /better than you/)
+[[./images/lightbeam-ex.png]]
+
+***** Summary
+:PROPERTIES:
+:BEAMER_col: 0.50
+:END:
+
+- Ghostery lists *over 3,000 companies receiving web/app
+ data*\cite{ghostery:companies}
+
#+BEGIN_COMMENT
-The biggest threat to privacy to the average user is by companies that
- aggregate data for the purpose of understanding _you_.
-Probably better than you understand you.
-I'm sure many of you heard of the story of Target knowing a girl was
- pregnant before she did.
+Back to that Lightbeam graph of third parties.
+Ghostery has a list of third parties receiving web and app data.
+There's over 3,000 of them.
-<<user profiles>>
+Looking at this graph from a few sites,
+ that might not be too surprising.
#+END_COMMENT
+**** REVIEWED Oracle Identity Graph
+:PROPERTIES:
+:DURATION: 00:00:30
+:END:
+
+#+BEGIN_CENTER
+#+ATTR_LATEX: :height 2in
+[[./images/tp/oracle-id-fuu.png]]
+#+END_CENTER
+
+#+BEGIN_QUOTE
+\footnotesize ``Aggregates and provides insights on over $2\nbsp{}trillion in
+consumer spending from 1,500 data partners across 110 million US
+households''\cite{oracle:datalogix-acq}
+#+END_QUOTE
-**** DEVOID Social Media
+#+BEGIN_COMMENT
+Look how happy she is to be tracked!
+I'm kidding of course.
+If we put some random person's picture in her place,
+ they might feel a bit uncomfortable.
+
+<Read quote>
+
+Look at that last bullet point there.
+#+END_COMMENT
+
+
+**** REVIEWED All About the Experience :B_fullframe:
:PROPERTIES:
-:DURATION: 00:01
+:BEAMER_env: fullframe
+:DURATION: 00:00:05
:END:
-TODO
+#+BEGIN_CENTER
+\Huge ``More Relevant Customer Experience''
+#+END_CENTER
+
+
+**** REVIEWED Target Pregnancy Prediction
+:PROPERTIES:
+:DURATION: 00:00:25
+:END:
+
+#+BEGIN_CENTER
+#+ATTR_LATEX: :height 1in
+[[./images/tp/target-logo.png]]
+#+END_CENTER
+
+- <1-> Records purchases, credit cards, coupons, surveys, refunds, customer
+ helpline calls, email, website visits, \ldots\cite{networks-of-control}
+- <1-> Purchase more information from third parties\cite{networks-of-control}
+- <2-> Identified 25 products to create a ``pregnancy prediction'' score and
+ estimate due date\cite{nyt:learn-secrets}
+ - <2-> Quantities of types of lotions, soaps, cotton balls,
+ supplements,\nbsp{}etc
#+BEGIN_COMMENT
-(Where you are, what you do.)
+One of the most popular examples of these types of analytics is a case where
+ a father received coupons for baby clothes in the mail for his daughter.
+Target successfully predicted that she was pregnant based on certain items
+ that she purchased,
+ like quantities of certain lotions,
+ and even things like cotton balls.
+They call this a ``pregnancy prediction''.
+It's creepy.
+It's lucrative.
#+END_COMMENT
-**** DEVOID Governments
+**** REVIEWED Transparency Needed
:PROPERTIES:
-:DURATION: 00:00:30
+:DURATION: 00:00:40
:END:
-TODO
+***** Trustev Graph
+:PROPERTIES:
+:BEAMER_col: 0.50
+:END:
+
+#+BEGIN_CENTER
+[[./images/tp/trustev-graph.png]]
+
+\incite{trustev:tech}
+#+END_CENTER
+
+***** Summary
+:PROPERTIES:
+:BEAMER_col: 0.50
+:END:
+- *Let users see their data in this graph!*
+- Erase nonpublic information that they don't want to be known
+- Let them correct what is wrong
+ - <3> Also a problem with law enforcement / government
+- <2-> Let them *opt out!*
#+BEGIN_COMMENT
-(Segue into government surveillance.)
+Look, at the end of the day,
+ some people do legitimately want this.
+They want to have this ``relevant customer experience''.
+
+What we need is transparency.
+
+Companies like Oracle should let you see your data in this graph.
+Let you correct it if it's wrong.
+Erase it if it's nonpublic information that you don't want to be known.
+And allow you to /opt out/!
+
+We talked about government surveillance a while ago.
+This is a problem there as well.
+What if you're flagged as suspicious?
+Put on some no-fly list or terrorism watch list?
+What if it were based on completely wrong information inferred by some
+ algorithm?
+
+Let's look at that graph on the left a little more closely.
#+END_COMMENT
+*** REVIEWED These Data Affect Your Life!
+**** REVIEWED Trustev Fraud Detection
+:PROPERTIES:
+:DURATION: 00:00:25
+:END:
+#+BEGIN_CENTER
+[[./images/tp/trustev-graph.png]]
+
+\incite{trustev:tech}
+#+END_CENTER
+
+#+BEGIN_COMMENT
+This is a graph of sources for TransUnion's fraud prevention system.
+There are a lot of data sources here.
+And look at the node at the bottom---
+ ``machine learning''.
+
+What if this were wrong?
+You'd be flagged as a fraud.
+This could be inconvenient---
+ like not being able to make an online purchase.
+But what if you are denied a loan because of things like this?
+Or...denied employment?
+#+END_COMMENT
+
+
+**** REVIEWED LexisNexis
+:PROPERTIES:
+:DURATION: 00:00:45
+:END:
+#+BEGIN_CENTER
+#+ATTR_LATEX: :height 0.25in
+[[./images/tp/lexisnexis.png]]
+#+END_CENTER
+
+- Risk management for insurance, finance, retail, travel,
+ government, gaming, and healthcare\cite{networks-of-control}
+- Data on over 500 million customers
+- TrueID---34 billion records from over 10,000 sources\cite{lexisnexis:trueid}
+
+#+BEGIN_QUOTE
+``We help insurers assess their risk and streamline the underwriting process
+in 99% of all U.S. auto insurance claims and more than 90% of all homeowner
+claims.''
+#+END_QUOTE
+
+#+BEGIN_COMMENT
+There's a ton of these companies;
+ we only have time for a few.
+LexisNexis is another popular one.
+And it's fun to say.
+
+They handle risk management for various industries.
+And they pull from a pool of data of over 500 million customers.
+
+<read quote>
+
+To give you an idea of their scale:
+ they also have a system called TrueID,
+ which does identity verification for fraud detection.
+ They aggregate tens of billions of records from over ten thousand sources.
+#+END_COMMENT
+
+**** REVIEWED Palantir
+:PROPERTIES:
+:DURATION: 00:00:25
+:END:
+
+#+BEGIN_CENTER
+#+ATTR_LATEX: :height 1in
+[[./images/tp/palantir.png]]
+#+END_CENTER
+
+- Co-founded by Peter Thiel of PayPal
+- CIA, DHS, NSA, FBI, the CDC, the Marine Corps, the Air Force, Special
+ Operations Command, West Point, the Joint IED-defeat organization and
+ Allies, the Recovery Accountability and Transparency Board and the
+ National Center for Missing and Exploited Children.\cite{techcrunch:palantir}
+
+#+BEGIN_COMMENT
+Another highly controversial one is Palantir.
+It was started by one of the co-founders of PayPal, Peter Thiel,
+ for terrorism intelligence.
+It's now used for its powerful analytic capabilities
+ by not only private corporations,
+ but numerous government agencies,
+ a few of them being the CIA, DHS, FBI, and the NSA itself.
+
+Yeah.
+What if these data are wrong?
+#+END_COMMENT
+
+
+*** REVIEWED More Information
+
+**** REVIEWED Networks of Control :B_fullframe:
+:PROPERTIES:
+:DURATION: 00:00:15
+:BEAMER_env: fullframe
+:END:
+
+#+BEGIN_CENTER
+#+ATTR_LATEX: :height 2in
+[[./images/tp/networks-of-control.png]]
+
+\incite{networks-of-control,33c3:surveil}
+
+Shock and Awe
+#+END_CENTER
+
+#+BEGIN_COMMENT
+If this topic interests you,
+ you need to read the paper Networks of Control.
+One of the authors gave a talk at the recent Chaos Communication Congress,
+ and I was in both shock and awe.
+I've only had the chance to skim the paper.
+Both are referenced here.
+#+END_COMMENT
+
** LACKING Policy and Government [0/6]
*** DRAFT Introduction [0/1] :B_ignoreheading:
:PROPERTIES:
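Review bot: The LexisNexis slide states a figure and a quotation without a source. The bullet `Data on over 500 million customers` and the quoted `99% of all U.S. auto insurance claims` passage carry no `\cite`, whereas the Oracle quote earlier in this hunk ends with `\cite{oracle:datalogix-acq}`. Add the matching citation to both, e.g. `claims.''\cite{KEY}`, where KEY is a placeholder for the bib entry the quote was taken from. Separately, the speaker notes under "Transparency Needed" say `Companies like Oracle should let you see your data in this graph` while that slide shows the Trustev graph, so the notes should say which graph is meant.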