Heather Poggi-Mannis, Microassist’s information security training product manager, attended the ACLU Privacy and Technology conference at the AT&T Conference Center at the University of Texas Austin. The purpose of the conference was to start conversations about privacy, how technology can be used to violate it and what is being done to protect privacy rights.
Morning Keynote: Dr. Chris Soghoian, Principal Technologist and Senior Policy Analyst, ACLU: What Keeps You Up at Night?
Dr. Soghoian gave examples of some recent, major hacks in the automotive industry (Jeep, Chrysler, GM) as discussed on wired.com (“Hackers Remotely Kill a Jeep on the Highway—With Me in It”). As more and more devices, consumer and otherwise, become networked over the Internet, they become the “Internet of Things” or IoT. Dr. Soghoian’s examples led to a conversation about IoT vulnerabilities, in particular the unnoticed crisis of smart phone operating system software and smart TVs. Unlike computers, most devices that connect to the Internet don’t have automatic patching and are therefore vulnerable to hacks, such as turning on your camera and/or microphone and monitoring the unaware user. Since consumers are no longer in “repair and keep” mode but more in “if it breaks, go get a new one” and “got to have the newest …” mode, many of these devices are handed down: a TV moves from the living room to a bedroom, and smart phones are often passed down to children. Basically, “older electronics that are insecure are given to vulnerable members of your family.”
Unpatched electronics such as smart phones and smart TVs are a business problem, not an engineering problem. Unlike Microsoft’s example of pushing out security updates for their operating systems (even the old ones like Windows XP which they finally stopped supporting after 15 years) on a regular basis, most companies don’t have the business model/strategy to support older versions.
Dr. Soghoian explained that once the item is sold to the consumer, the company that sold it is not really interested in maintaining it (as in providing security updates) for free, nor are the manufacturers of the device. For the manufacturers, the focus is often on getting out the newest version, not on maintaining the existing or old versions.
Dr. Soghoian warns, “the Internet of Things = the Internet of No Updates.” This may not seem important, but understand that these vulnerabilities provide an entry point into your home network. Most people don’t use encryption on their hard drives, so once access to your network is gained, your information is readily available. Your network can also be used to mount attacks on other systems.
Ironically, one of his solutions is to NOT buy the smart TV in the first place, and instead to use a separate, external device that can be replaced regularly (once a year?) and will have the “latest” security patches. For more IT-savvy consumers, he recommends getting a wireless router that supports multiple networks and putting your IoT devices on a quarantine network separate from your home PCs.
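To make the “quarantine network” recommendation concrete, here is an added example of what the segmentation looks like on a router that runs nftables. It is not from the conference or from Microassist; the interface names (lan0, iot0, wan0) and subnets are assumptions, and a router that uses a web UI for “guest” or “IoT” networks is applying the same policy behind the scenes.

```nft
# Added example (not from the conference or the article): an nftables ruleset
# for a home router with three interfaces. Names and subnets are assumptions:
#   lan0 = trusted home PCs,       192.168.1.0/24
#   iot0 = quarantined IoT network, 192.168.50.0/24
#   wan0 = upstream Internet link
table inet quarantine {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Allow replies to connections that were opened from a permitted side.
        ct state established,related accept

        # Home PCs may reach the Internet and may initiate connections to IoT
        # devices (e.g. to cast to the TV); the reverse direction is not allowed.
        iifname "lan0" oifname "wan0" accept
        iifname "lan0" oifname "iot0" accept

        # IoT devices may reach the Internet (for the rare firmware update) ...
        iifname "iot0" oifname "wan0" accept

        # ... but every attempt to reach the trusted LAN is logged and dropped.
        # The log line doubles as a detection signal: an unpatched TV that
        # suddenly probes your PCs is worth investigating.
        iifname "iot0" oifname "lan0" log prefix "iot-to-lan blocked: " drop
    }
}
```

Load it with `nft -f <file>` and watch the kernel log for the “iot-to-lan blocked:” prefix. The one-way rule (PCs may talk to IoT, IoT may not talk to PCs) is the point of the quarantine: a compromised device on iot0 still gets its entry point into your home, but the entry point no longer leads to the machines holding your unencrypted data.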
A good phrase from Dr. Ram Krishnan, Department of Engineering, UTSA summed up the morning session: “Privacy is how you get free email.”
Afternoon Panel: The Future of Surveillance and Privacy Reform
The afternoon panel discussed the future of surveillance and privacy reform. The session started with an update on some of the reforms in the works: bulk collection of Internet data (emails, social media), analyzing all of it and THEN sorting out what’s needed, really flies in the face of the 4th Amendment protections against unlawful search and seizure. It became a bit of a rant, but what caught my attention was “transient authority.” Say someone in Mexico sends an email to someone in Canada. The email passes through, or is transient on, a network in the US. The NSA contends that it can gather and eventually use that email and its contents because the endpoints are outside of the US and “there is no expectations of privacy” for those kinds of emails.
The NSA and others “asking” US-based encryption companies to include a backdoor script was also discussed.
On the state level, Kathy Mitchell from the Texas Electronic Privacy Coalition, talked about Missouri’s constitutional amendment to protect electronic privacy (August 2014) and how her coalition is working towards an electronic privacy statute.
Finally, Brian Holland, Professor of Law at Texas A&M’s new law school, talked about a current case that has many worldwide ISPs nervous, the “Microsoft warrant” case. This is now on appeal, but he expects Microsoft to lose, and this will have some interesting fallout. Essentially, the private emails and personal information of web users can be handed over to US law enforcement, even if that data is stored on servers outside the US. The information in question is stored on Microsoft servers in Ireland and, therefore, “subject to EU privacy laws.” However, the search warrant specifically calls out “All information … in the CONTROL of Microsoft,” with control defined as the ability to access, transfer, view and supply to the government. Previously this just had to do with business records; now that it is personal emails and other information, it comes under privacy laws. (Nationality in the cloud: US clashes with Microsoft over seizing data from abroad)
Professor Holland predicts that there will be structural changes made to data networks as well as changes to corporate legal structures in order to avoid “control”.
Update: USA Today reports that Europe’s top court has rejected the “Safe Harbor” ruling. This ruling will have ramifications across many industries. From a training perspective, how many global companies have their learning management systems located in the EU? How will this affect the privacy of learners’ information?
The conference met its intended goal of “starting conversations.” From the other groups that I belong to and participate in, Information Systems Security Association (ISSA), Health Information Management Systems Society (HIMSS) and others, privacy is one of the top five concerns. It will be interesting to see what the next conference brings in terms of updates and new conversations.