
Thank you, Cat. For those of you who may have not heard because you were milling around in the hallway, I'm just going to echo it out one more time: if you are on the BSides PGH Wi-Fi that is part of the casino, do not port scan. The laws are real; you will go to jail. Get onto the actual CTF network. Thank you all for coming today. First of all, quick vibe check: how many of you have ever tried to read a privacy policy? Okay, so we have some privacy-curious individuals here. Raise your hand if you have not actually used a product or service because of what you've seen in one of those policies. Okay, some of you have been turned off enough to say "not for me." Okay, that's primarily the best way we're going to be able to avoid some of the icky stuff that we encounter. And then, last but not least, raise your hand if you feel like you actually have the means to control your digital footprint. Yeah, that's not a surprise.

So who am I? Well, I started out trying to get my education. I was going to be a music education teacher; I wanted to teach high school band. I took a Calculus class for my general education credit and realized that those people are my nerds, not the people with the trombones. So that's where my path sort of took a left-hand turn and went to the dark side of the sciences. I've worked a little bit as a furnace engineer, working in glass furnaces and steel furnaces. During that time I taught myself to code because I was trying to solve some problems, and that's where I took the second left-hand turn into the world of software development. Since then I've been working as a freelance engineer, most recently as a full stack engineer with a marketing company. We do experiential marketing, so we build museum exhibits and different types of interactive experiences that would be on display at exhibits, something like this, right? So it's a way for brands to get their name out. We do not do, like, the follow-you-around-the-internet thing that I'm about to be talking about. When I'm not working on those types of daytime things, I am moonlighting as the CEO of Absolutely Nothing. That's not a joke; that's the name we've chosen for now. Right now there's three of us: we've got two technical developers and then one cat wrangler who functions as our project manager and our COO. This is my third time attending BSides and my first time speaking, so if you cannot hear me, feel free to point your fingers up so that I can figure out how to hold a mic closer to my face, because I'm not used to doing this. And yeah, let me know if you cannot hear me.

In my free time I listen to a lot of podcasts regarding economics and privacy type things. I've also found something related to the federal court system which, believe it or not, is pretty interesting right now. When I'm not doing that I will play some video games, mostly some Fortnite and Zelda, just to kind of decompress. I do a lot of non-fiction reading, and lately I've gotten an e-bike because I sold my car, so I've been taking this thing everywhere: to work and also sometimes out on the trails in Pittsburgh. And so this is a lovely view from Frick Park. I had an awesome experience, lots of endorphins going. This is mostly a commuter bike that I'm on, so this was a bit adventurous for me, and it was a real quick lesson in that some of your highs can very quickly be some of your lows, as I fell off the trail and just a few minutes later realized I had to drag myself back up, double check I had all of my parts, you know, make sure that my sock was not going to be completely shattered with blood. Still recovering from a little bit of this, but it's been great and I absolutely love it.

Before we go on a little bit more, I just want to say: obviously, you know, we're at a conference here. These are my beliefs and do not necessarily reflect the views or opinions of my employer. Again, I'm sort of in the marketing space, but we don't do the sort of icky things that I purport to be talking about here.

So why did I start looking into security in the first place, right? I kind of had this meandering path. Well, honestly, it was a lot of the nation state type of hacks that were coming around and becoming public during the time when I was learning about coding. So we've had the Equifax data breach; we had about hundreds of millions of credit-related data leaked. This one was attributed to the People's Liberation Army, which is an APT out of China, we believe. The WannaCry virus, which took down a large portion of the National Health Service within the United Kingdom; this one struck me as pretty funny because the gentleman who figured this out and, air quotes, sort of saved everybody was named Marcus Hutchins, and for a few days he was lauded as a hero, and then very shortly after the FBI connected him with some grey hat stuff and arrested him. So that was a pretty tried and true example of how you've got to be careful when you work in the cyber domain, just because, you know, you've got to be on the up and up, and even on your best days you sort of got to be careful. Likewise we also had the Colonial Pipeline ransomware attack; this one was attributed to an Eastern European hacking group called DarkSide. And all these things, right, the SolarWinds supply chain hack: these all started, in my mind, during this time period, to be like, holy cow, this is real. This is a real ecosystem with some real problems, and the currency of all of this, almost all the time, is data. Different types of data, but data nonetheless. Most recently we could talk about Twilio; there's been problems with OpenSSH; and I think probably one of the most recent ones we've been tracking is Snowflake, which has had consequences for Santander and Ticketmaster. So if any of you are Swifties and need yet another reason to be mad at Ticketmaster, I've just given you one. And basically, talk to me on any given week, right? This stuff just keeps happening: data keeps leaking, there's hacks, there's ransomware. These are all mostly on the nation state side.

Along this time period I also have this parallel track of starting to hear about data regarding personal user information, and starting to tickle the portion of my privacy brain that's just not super thrilled with what I'm hearing. So one of the first bits was Cambridge Analytica, where we found that a British company was collecting and building profiles on Facebook users and then delivering targeted ads towards those users in an effort to sway political elections. That was a little bit creepy, and we have some evidence, I believe, that data was accessed from Russia; doesn't necessarily mean it was exfiltrated, but it still gets a little bit hairy there and straddles the nation state actor. In 2017 Vizio was found to be selling minute-by-minute viewing preferences to advertisers, so whether you are actively watching something or pausing, and what that content is, was then being used to target individuals. This one, you know, not very consensually aware of this, and so the FTC decided to fine Vizio $2.2 million. However, the real pain point there was the class action suit that paid out almost 17 million, and that amounts to basically one month of Netflix per user in today's dollars, I suppose. I've also seen talks about what your smart devices know and share about you. There's a wonderful talk by Kashmir Hill in the New York Times, sorry, this was a TED Talk, that addresses basically a one-month study where every IoT device within the house was connected to Pi-hole or some other sort of routing mechanism and they observed all the packets, and in an entire month there were zero moments of digital silence, and this even included when that family left the house for a
week of vacation. So you've got an empty house and your devices are still beaconing home and transmitting data about you, and the biggest culprit here was Amazon Echo, which phoned home once every 3 minutes. No surprise there that an e-commerce company wants to know whether or not they can sell you something for any moment of the day that you may need it. It also led to some pretty weird consequences, like toothbrushes with passwords, which I think, for all of us, is going too far down the continuum of weird and is just absolutely not necessary. The reason that these toothbrushes were sending data home is because there are dental policies that would love that; insurance will actually give you discounts based on whether or not you are brushing your teeth on a regular basis, hitting the right zones and, you know, just having good oral hygiene. It also led to some crazy dystopian phrases that you need to learn in order to properly trigger the devices, such as using the whole brand name of a coffee maker to be able to start your coffee in the morning, which, I don't know about you, but learning a phrase like that and memorizing it before I get coffee is probably not the greatest way to go. We've also seen through this study that there is a company called We-Vibe which makes sex toys and decided to send telemetry back on the duration, frequency, mode and temperature settings for market research. Now this is sort of an instance where the idea sounds great, right? Those of you who may have a long-distance relationship can communicate with your partner, but unless you're into voyeurism or having surprise threesomes, maybe no to this one.

The continuation of some weird things that have just sort of cultivated in my mind, that brought to light some of these problems that we have in the personal data space specifically: there's Life360, right, and this is an app that was being sold to parents to help them track the location of their children, keep an eye on them, do some parental monitoring. Sounds all well and good, right? Except for the fact that Life360 was actually selling data to dozens of brokers. Location data is part of the most valuable piece of information that you can be taking on a user, because every business knows that you need to be at the right time at the right place to make a transaction with a customer, and so to know where they are and what time they are there is a great advantage to have. So this data was being sold off, and because it was going to brokers there's essentially no transparency on who the downstream customer is for this data. So, you know, buyer beware sort of in that scenario.

In line with sort of the toothbrush model, where we're trying to understand your habits and give you sort of a discount, there are plenty of us who use first-party data with companies like Allstate, State Farm; I think Progressive also has an offering where you can essentially put a dongle in your car and share some information with that company and they will give you lower rates if you do not drive like me (part of the reason I sold my car). So there is a way for you to sort of see some benefit, but in those instances you're dealing with a first party, right? You've opted in, you've consented to work with Progressive or whatever company that you're putting one of these dongles in the car with. This is a situation where GM and Chevy were encouraging new buyers of new vehicles to turn on the onboard options to basically give you some insight into how hard you're braking and what your gas mileage is, because, like, you know, that's useful enough, right? Fairly benign. However, part of that opt-in was that that data could be sold to LexisNexis, one of these third-party brokers who's out there, and again with no limitations on who that downstream purchaser is. People were finding that they were getting denied coverage because, you know who loves data from LexisNexis? The people who need to underwrite your insurance policy. So there were individuals who were showing up to renew their auto policy and they were finding that they had rates of 2, 3, 400% or were actually being told that they were uninsurable, because they didn't even realize that they had data going out there. So that may be a benefit to the rest of us, that these people are off the road; however, I would argue that's still a violation of our privacy and, you know, not really a consensual sharing of data.

This is probably one of my favorite ones: the Strava app, which is used for fitness tracking, right? You can map your runs, you can identify how far you've been going, and it turns out you can actually find the location of army bases with this. Strava was actually using precise location to track and measure workouts in a nice, you know, way for those of us who are doing the quantified self sort of thing, and they would plot these items on a map. Again, sounds relatively benign until you realize that you can find military bases in the middle of the desert as well as map the halls of the Pentagon. So certainly not something that we want to be sharing willy-nilly, or at least we should be aware of when we are sharing out that data. So there were actually problems with this to the point where I believe individuals who work for the government were told they need to remove the app until further notice. You've seen similar calls for that with other types of social media apps, and, you know, sort of not a new story there.

And then just in general, I found this random tracker that Health and Human Services will maintain, and you can actually go in here and check out what has happened, and filter by state and pull down what types of companies have had either hacks or just general breaches or bad security policies that result in a leak of personal data. And this is a situation where I was able to find that there were over 7.4 million people affected in Pennsylvania just adding up the stats on each one of these breaches. Now if that is one unique person on each data hit, that would equate to over half of the people in Pennsylvania alone, which is kind of a scary thought, but I think what's even scarier is if you think that there are repeats within that data set: you've actually got fairly significant profiles that you can build on individuals regarding their health data. So this is not a problem that's going to be going away anytime soon. And I talked about the fact that location is one of the largest factors for data; in terms of the proper market, not on the dark market, this type of data is worth about 12 billion dollars a year. So I threw up some images here, and you may or may not recognize them and they may be too small, but it doesn't really matter because they're either going to change their name or they sort of exist behind the shadows anyway, as these third parties that a lot of the services you're using end up selling your data to, or sharing your data to, and, you know, brokering out to whoever they shall like. There's also some good news here in that there are different websites: privacyrights.org has got a list of data brokers, so you can begin to find some of these individuals, sorry, not individuals, they are, you know, fully fledged LLCs, corporations, things like that. And I think one of the greatest takeaways here, and I would definitely suggest you check this one out, privacyrights.org: they do let you know which companies have opt-out mechanisms. Now, jury's out on how accurate those are and whether or not they obey them, but if you can start hitting some of those and keeping the records, you may be doing a little bit to protect yourself for future legal action, if you decide to do so. I am seeing a rise in class action suits, and we'll talk a little bit more about that, but this is a location where you might be able to find some of those brokers.
Interestingly enough, some of them don't even have a location, they don't have emails or they don't have opt-outs, so they really are existing pretty much in the shadows and it's going to be a little bit harder to track them down.

A few more just general creepy anecdotes that, you know, have come up in conversation with myself, and, well, yeah, not talking to myself, but just in conversation with other people as well. Some things like: as soon as I hit 30 I started getting a lot of advertisements for erectile dysfunction, which seemed a bit premature and also a little scary, and was like one of those moments where it's like, geez, okay, I've entered a new phase of my life apparently; that's what I get to look forward to. It's only a matter of time before I get hair loss advertisements, I suppose. On the flip side, or sort of the other direction of the continuum for gender, my partner, who identifies as a woman, was inundated with egg freezing ads essentially the day she turned 30. So, you know, I guess I can share that Kiser with others, and that we're all sort of being targeted at these critical entry-to-market segments, right? When we hit a certain landmark, there are definitely different companies that become more and more interested in us. Speaking of unique landmarks, there are situations where people who are shopping for engagement rings have had the secret spoiled because of leaflets that show up in the mail, or different types of advertising portfolios that are shown to them during their, let's say, you know, Netflix (well, yeah, Netflix has ad-supported now), different types of media consumption. They get hit with different types of ads and it sort of has you looking at your partner going, are you shopping? And that's sort of, you know, a little upsetting because it spoils the surprise, but there are definitely situations where this carries a lot more emotional distress. Specifically, there are instances that I found where a woman who just recently had a miscarriage ended up getting free baby products delivered to her in the mail, which, I can't even imagine suffering that loss to begin with, but then to have unknown advertisers, who are essentially just buying your data from these brokers, identifying that you're about to enter their market, and they want to get in front of you and build that good relationship, the first taste is free, all that kind of, you know, marketing jargon, can really have a mental consequence. So, you know, these are not just funny incidents; they are, but some of them actually carry some real levity. And then, last but not least, every time I pause Hulu I get ads for toilet paper, which I don't know is a coincidence or not, but actually, yeah, it probably is. I bring this up because a lot of what we feel as creepy advertisement are the targeted and retargeted attempts that are very specific to us. There's also several other branches of advertisement, but one of them is contextual, right? So just based on your location, right, you get advertisements based on where you are or the time of day, or in this case Hulu is taking a pretty good guess that if I'm pausing whatever I'm watching it's to get up and use the bathroom. Or I often see things for Doritos or Coca-Cola products, right? Very reasonable types of products that you would want when you're in the middle of a binging session.

So all this is coming out, right? This is everything that I've been seeing as I'm learning to code, as I'm starting to understand how the world works, as I'm starting to learn how to sniff packets and just understand the ecosystem that we work in, right? Everything is programmed nowadays; you just can't escape it. I'm sure even this microphone has some sort of microchip in it that's running some sort of telemetry, right, just to understand how well it's functioning, what types of loads it's under. Actually, it inserts microchips into your hand while you're holding it. It does, so I get a souvenir to take home. Thank you, thank you, that's so kind of you. Just checking your location right now, yeah, that was in my speaker agreement, wasn't it, along with "check in when you get here," which I did not do. I'm sorry; apologies to anybody who was searching for me.

But anyway, so I'm seeing all these things and, like, how am I feeling? I'm willing to bet it's going to echo with some of you, but I'm feeling, you know, pretty fearful. Everybody's watching me; surveillance capitalism is here, it is a thing. A little angry, because I've sort of been removed from the equation. In the past, if a door-to-door salesman came to my front door, I had the choice on whether or not I spoke to them or told them, yeah, today's not a day, go to somebody else, I think my neighbor would love to take a look at whatever you've got. A little bit of rage, right, because a lot of this anger can simmer and continue to fester. But then it also moves to a sense of powerlessness, right? In the beginning we've all, I think, agreed unanimously and silently that we feel pretty powerless to even do something about this, and this sort of leads to apathy. And I apologize for bringing the tone of the room down a little bit, but that's how I was feeling. But in general I'm a fairly optimistic person and I'm very action oriented, so I sit with this for a little bit, but then it turns around and I'm like, okay, what can I do? I want to help digital citizens reclaim ownership of their footprint. No clue how to do that, but I'm going to do something, because doing nothing seems not to be very sustainable, and if we do nothing it's just going to continue to happen, right? And I would like to make the bad actors bleed a little; that's part of the rage and vindication portion of this. And I think most importantly I want the next generation to start with a clean slate. I'm in my mid-30s; I've been on the internet since probably 2010, I think, is when we swapped out dialup for something a little bit more... or sorry, not 2010, 2001, switching my numbers there. So I know I have a long history, and there are certainly people who are older than me and younger than me in this room, and for all of us probably the cat's out of the bag, but the next generation always gets to start with a clean slate, right? The first thing you get is that birth certificate at the hospital, unless your parents have already made registries and stuff like that for you online, in which case you've already got a footprint.

So with this action-oriented approach, like, what can we actually do? And, you know, in this back-and-forth attrition of all this privacy stuff, what can we actually do? The bad news is we're losing right now. The Atlantic a couple years ago found out that it would take 76 working days to read all of the privacy policies that we come across each year, which clearly is not scalable. Working days is, you know, Monday to Friday, you know, 8 to 4, 9 to 5, 2:00 a.m. to 10:00 a.m., depending on whatever your cycle is, but the point is it's not super scalable, right? And that's almost eight months of work time. Some of us may milk the clock here and there, but that's probably not going to go undetected if you say, no, no, don't worry boss, I'm just reading the privacy policies for you. One of the BSides talks that I first attended was "What We Do in the Shadows: Going Dark with Consumer Electronics" by Timmy Doomsday. This caught my eye because it was like, oh, I have consumer electronics, how can I, you know, maybe not be followed everywhere on the web? And the takeaway from that was it's probably easier just to read the privacy policies, and also if I do all of
the things that I need to be secure, I'm probably never going to hear from my parents again unless they send me something by carrier pigeon. So that also was not a very uplifting moment for me, despite being very informative. And even more recently NordVPN found that, hey, if you just take the top 20 sites, it's still going to take you a full nine hours to move through this. So things haven't really gotten better, and again it's going to be near impossible to keep up, especially because we all are constantly getting these emails that say "we updated our privacy policy." I'm like, great, I just finished that, now you're giving me more homework, like what's going on? And we get this every day, and I have now had friends, because I've told them I'm reading privacy policies, who now send their policies to me, so if you think your inbox sucks, imagine what mine looks like. But anyway, these are all moving targets, and then to top it off the FTC finds that when people are actually trying to take action to, you know, make those actors bleed, they're only hitting about 9% of the actual audience that would be eligible for compensation in situations where these companies have, you know, essentially violated their privacy, either through malpractice or in some cases intentionally selling data to brokers or other third parties that weren't otherwise included in these privacy policy consent forms. So the activist base is really small.

But there is some good news; I wouldn't leave you too far down there in the dumps. A small victory is that some companies are starting to have opt-out mechanisms. I have to think that there are individuals in the legal department who are realizing, hey, some of the chickens are coming home to roost here, let's maybe have some liability shields here, and most people won't find these things anyway, so let's just put them in there, right? So we do have some companies that are starting to include these opt-out mechanisms. Again, the privacy... I forget what the site was, but you'll have a copy of the slides; you can find some of these opt-out forms. Europe has their GDPR framework that's been in effect for, I think, six years, seven years now, and it's a good start; however, that's the wrong side of the pond for where we're talking about right now. That being said, there are some really good tenets in the framework here that we're starting to see stateside in various state legislatures. So the first is the right to be informed, right? The ability to actually know what types of footprints you're leaving in different places. That's obviously a really, you know, good point, I suppose. The right to be able to access those, to be able to see, you know, your data and understand that you can actually access it, and in some cases rectify it if it's incorrect data. This one's really important when it comes to financial data, right? For instance, we have had something like this in the US under the Consumer Finance Protection Bureau that has allowed us the access to our credit scores, and any time an adverse effect has been taken against you, you get to know what on your credit score made you ineligible, right? So the GDPR framework extends this not only to your financial information but also just information in general: you have the right to rectify it if it's wrong. The big one that everybody seems to remember, which is the big, you know, nuclear button, right, the right to erasure: just forget me entirely. That's a pretty good one if you decide you're going to take your ball and go play somewhere else. On that topic, if you decide that you don't want to be erased, there are situations in which you can opt into the restriction of your data, so you can decide, yes, you're allowed to use it but you're not allowed to sell it to any third parties. Again, those are typically through opt-out mechanisms, but at any rate it does exist. And then portability, right? I think this is going to happen a little bit more as we start to see federated social networks, the idea that you can take your data from one typical network to another and figure out, you know, how you can onboard yourself there. That portability is something that's been built into the law. You also have the right to object, in terms of not letting your data be used or be processed in certain ways, and an extension of that processing is actually the ability to opt out of any automated decision-making. So you can say, hey, if you're not having a human in the loop on this, you can't use my data to make judgments about me, which I think is some pretty good news.

And some continuing things: again, I mentioned some of the states in the US already have some GDPR-like frameworks. They're not exactly the same, but these states are up here: California, Colorado, Connecticut, Florida, Oregon, Texas, Utah and Virginia. They all have some provision that allows you some control over what you're doing on the web, and we are looking, hopefully, like we're going to get something on the federal level. The American Privacy Rights Act is 147 pages; it's got bipartisan support. When I was on vacation lately I did take this with me and that was what I read on the beach, because I cannot sleep; I just can't stop thinking about these things. And on that topic, if you actually want to talk about that afterwards, I do have a fact sheet here that distills some of this. It's not my fact sheet; however, it highlights some of the unique pieces about this legislation. Again, I mentioned it's got bipartisan support, so there's a Democrat on it, there's a Republican, they're starting to rally their bases. It is in draft mode, so we're still waiting for it to get going, but one of the things that I like about this that I hadn't seen in some of the GDPR statutes is that you actually have the right to file a lawsuit. So for the first time you're actually able to seek damages in pretty significant amounts, and again, talking about the next generation who's coming in, any policy that harms minors cannot be forced into binding arbitration. So arbitration is a process; it's kind of like having a judge, except the company who you're going through arbitration with will decide who that judge is, and there's no appeals process. So, you know, your mileage may vary on that one, but the fact that you cannot subject minors to that type of arbitration I think is a step in the right direction.

And yeah, so what can we do? Understanding this landscape, understanding, you know, that we've got some rights that are coming and in general we're still kind of losing, but things are maybe moving in the right direction, what can we do? Well, that's where I sort of do a little self-pitch, right: Absolutely Nothing. We decided to begin looking through this and try and make aggregated, understandable information for you, the consumer, right? The essential, like, privacy labels for different types of companies. And we chose that name as in nothing, absolutely nothing, in or out without my consent, right? For us... I'm not an absolutist; I don't want you to never share your data with anyone ever, right? We do live in a marvelous time where you can get a lot for being able to hook yourself into different ecosystems of your choosing, and so that's why consent for us is a pretty big item. So a quick plug: you know, I've got myself working on that team, I also have our chief technical officer, we've got our chief operating officer, and, like any good startup, we also have a mascot who is our chief parking officer. So she thinks that she's a Doberman, but she is a dachshund; don't let the picture fool you, it's just zoomed in a little bit. She is all of about 12 pounds. And so what are we doing, right? How are we actually taking all of this information, these pieces of the ecosystem, and trying to distill them for you? Well, the first thing we did was we built a scraper, and we're trying to efficiently read these policies en masse, right? We're going to try and solve that problem at scale and understand, like, what's going on. And so right now we're just writing blog posts about it, and we are coming out with a product soon that will be able to allow you to explore a little bit more. But I wanted to talk for a sec about some of the fun stuff we found in early scraping. So a lot of companies have a robots.txt file that says they don't want you scraping their privacy policy. Now, for those of us in the room who've done any sort of scraping, robots.txt is a suggestion; it does not mean that you have to follow it completely. However, you should be aware
that there are consequences if you are scanning that too much you may get uh you know essentially booted from the network they may Blacklist the IP and in certain situations if you are scraping for intellectual property and you know if you're going to try and scrape all of Facebook for all the posts and create a clone you're clearly going to get Su right so that's that's why they say you know obey what's going on the robots.txt however ethic or not uh we're going to do it anyway it's a request and not a requirement and I would politely request that you don't take my data without you know informing me so I just see it as a
little bit of, you know, that's the table stakes we're working with here. Some other fun things we found is that OpenAI is one of those companies that has a waiver form that would allow you to retain your rights to a lawsuit in the event that they use something that you did not want them to be using, and sort of get out of this binding arbitration situation, which, naturally, because that company is funded by billions of dollars and has the backing of Microsoft, that form is a Google Form. I'm not kidding. Shout out to ji for finding that one; he was like, hey, guess what I found, and I was
like, oh no. And that one was actually kind of a happy day, that was a nice little pleasantry.

California has a Shine the Light law, and I mentioned earlier that we have protections under the Consumer Financial Protection Bureau to have rights to our financial information; California has a similar Shine the Light law regarding policies, or sorry, privacy, where you can once a year request from a business a portable dump of your data. So if you are in California or do business in California, the next time you're there maybe try and make a request and see, almost like when you do your credit reports, what kind of data is out there on you. That's probably
going to be one of the greatest ways to see what's out there, and they call that the Shine the Light law, which is, you know, partially the inspiration for this talk, right, understanding what's buried in these things.

We have also found some different global privacy controls. These seem to be just headers that get attached to outgoing network requests for whatever browser you're using. No surprise, it's not in Chrome, but it is in some of the other browsers like, I believe, Brave, Firefox, and there's a few other obscure ones that I don't remember, but this link will take you to that once you've got a copy of the slides. And it's pretty funny because
we've noticed that there's not just one global opt-out, there's multiple global opt-outs, which I think violates the principle of a global opt-out. And we've also found that a lot of these policies, some of them declare that they will obey that signal, but they don't tell you what signal they're following. So they just say generically, if you have an opt-out we follow that, and it's like, okay, well, there's multiple protocols that seem to be happening here, which one are you following? And a lot of them don't tell you. So there are browser extensions for a lot of these that you can put on; again, that's sort of up to your own security posturing, because if
it's able to alter your outgoing requests there's the potential there for that entity to also see what you're doing. So most of these organizations are nonprofits and are called out by, you know, relatively kosher types of industry groups, so, you know, check those out.

And in the next few weeks we're actually going to be talking specifically about who has the longest and shortest policies. I think at the end of the day we all have to get into this together, and we want to make sure that we are sort of helping each other along the way, and so I'm going to try and identify the shortest ones and easiest ones to get into. So if you're interested in this
you can definitely start checking that out. We're also going to start measuring data elements in terms of, like, if you were to come up with location or latitude, longitude, zip code, age, gender, race, all of these, right, we can all think of thousands of data points; we're going to try and get them in one spot and let you know who's calling out the most and least data points, right. These are rough proxies for us understanding the size of footprints that we might be leaving as we agree to these different privacy policies. And then also we're going to take a look at some of the easiest and hardest to digest in terms of, you
know, just general reading level, right. If we find out that AWS has the reading level of a fourth grader we're all going to be seriously upset with ourselves, and likewise we may find that, you know, VTech, which makes children's toys, is actually one of the hardest to read. We don't know yet, but we're running these types of explorations on what we're finding. So that's our first step, right: we're trying to build awareness, we're trying to find these things, we're trying to surface them to you.

The next step is the exploration, right: we want to actually begin indexing these policies in a way that you can begin to identify commonalities, again, between
these data points. Also we're going to try and start surfacing the raw diffs, so when you get an email that says, hey, we changed our privacy policy, rather than reading what the legalese is of what they had to technically put there by law, we're just going to take you to what actually was changed, from, you know, so-and-so may to so-and-so will, right. That's a very different phrasing, and even just those small words can really pivot the way in which we view ourselves interacting with these entities. We're also going to be building a visual tool, and that's going to be a lot easier, because right now in order to figure out what policies are covering
you, you have to go read them, right, that's what we're doing. And so we're going to try and build a browser extension as well, so that you can have sort of in-the-moment audits. And right now our working hypothesis is, most of you may remember this either fondly or with terror, but this is actually a pretty good visual, right: different types of elements are grouped based on how they have relationships to one another. And so we're going to take that and sort of flip it on its head and hopefully do that with your different data points, and so you'd be able to come to our tool, click on whatever data point is of
concern to you, and figure out which policies are calling that out. So again, we are fighting a losing war, but one of the best ways to vote is to vote with your feet, so we hope that by showing you this you'll be able to eventually decide which companies you want to continue to have a relationship with.

The final step, right, is, you know, building on this periodic table of data, being able to analyze these changes as they're happening in reference with the lawsuits that are being filed. So again, you know, if you click on something we can tell you, hey, this company's being sued; up to you if you want to get in on that, but
we'll actually let you know if there is something to be getting in on, right. I'm a student of economics, and everything is built around incentives and disincentives, so if we can make the disincentives fairly strong and painful I think that we're going to start seeing some, you know, more healthy practices without even needing legal intervention.

And finally, we're going to start helping digital citizens set up yet another global sharing preference, right. So the idea here is that we're going to ask you, if you were to go out on the web, what are the things that you're okay sharing with almost anyone, right? I'm okay with my ZIP code, right, please don't target me any narrower than
that, but, like, I'd like to know what's going on in Pittsburgh, the greater Pittsburgh area, that's fine. So again, helping people set those individual preferences. And then the long arc of the business is, I hate to say it, but we're going to try and be a data broker, but at the end of the day our customer is the consumer, right. So we want to put you in the driver's seat and have everything be under a system where you can give informed consent and essentially get compensated up front, either being told you're getting access to special features or in some cases being paid, right. One of the oldest business models in the world was to send coupons in your,
you know, newspaper every Sunday, so in a sense we're doing a digital version of that. And we think that opt-in signals of, like, yes, I'm willing to share this information, is actually going to be better for the marketers in the long run: they're not going to need as much data, and the things that you have told them that you're willing to share about yourself, you're going to get stuff that is relevant to you. And then at the end of the day we're essentially trying to help you manage this ingress/egress to your personal data, and hopefully you won't have to do it on an app-by-app basis, service-by-service
basis, because as we saw that's just unattainable.

So for the roadmap: we're doing the blog, the scraper that's been up; we're going to launch the periodic table tool sometime this summer, the browser extension a little bit in the fall, and beginning to let people know about class actions in early January of next year; and then 2027 plus is where we're getting to that point where we're going to try and help you hook up with people who actually want to, you know, use your data in a consentable manner.

So, quick FAQs that I have been asked in the past. I've been on the web for 30 years, what can I do? Basically vote with your feet, right; there are
things you can do like checking out Have I Been Pwned and just maintaining good password hygiene to help yourself going forward, but a lot of these things you can't get out of. And if you want to start reading policies, what should you look for? I would honestly search for California, right; California has a lot of standards that describe how data needs to be reported, and so you can actually find a nice rubric that declares what data they're taking, why they take it, and who they're sharing it with. So that's one of the quickest things to look for in a policy. If you want to get involved you can follow us and let us know
that you'd like to help read privacy policies with us; I don't know how many drinks you need to do that, but we're still looking for the help. And, oh sorry, the last one was: how can I help elderly non-technical people? Honestly, I love analogies, so just tell them any time you hit "accept all" on a cookie banner you're basically just inviting a door-to-door salesman to live with you. So, you know, try to get the strictly necessary if you can, or opt out as much as possible; that's the best you can do, especially for those elderly people who may understand the door-to-door salesperson analogy without understanding the inner workings of the web.

So I think I am just about out of
time. If you'd like, you can find us at Absolutely Nothing. I put QR codes up there, that's terrible obsc, if you'd like you can copy down the URLs, but they do go to the right place; it's up to you if you want to trust me or not. And I guess I'll just leave you with: there are reasons for hope. Please don't send me the privacy policies that you get unless you have read it; if you've read it and something is interesting to you I would love to hear from you, but don't just forward stuff on to me, please, please, please. Go ahead and subscribe to the blog to keep up to date on what we do,
what we find. And, yeah, I guess just if you want to support the project you can buy us a coffee, and we're working on various, like, perk levels for people who want to continue supporting. So with that I think I'm out of time. I appreciate you all coming here today, and if you want to talk about what the framework for the American privacy policy Act is, I can certainly nerd out on you with this fact sheet that I've got. So thank you very much. If we've got time I can take a few questions; otherwise the bar opens in 10 minutes, 20 minutes, sorry, 18, but who's counting. Yeah, I see a question
over here in, like, a purple shirt.

[Audience question, inaudible.]

So the question was, and if I'm not hearing you incorrectly, it sounds like you also wear a tin hat: the opt-out mechanisms are becoming more ubiquitous, and sometimes we're even getting them in text messages, so what's to say that these agencies aren't just using that as a way to actually confirm they've got the right person? You bring up a valid point, right; there's a certain level of trust that we have to take when we're navigating the internet. I suppose I personally would not opt out of anything that comes via text message; I would look to the source, right, in the same way that if you get a phishing message one of the best ways to make
sure that you're not being phished is to look up the real information from the real site, and you'd have to go with a grain of trust that what you find on the website is as close as you can get to an authentic opt-out. Yeah, so that being said, I personally probably wouldn't do the text message version ones; I would just, you know, put those on my block list. Unfortunately, again, it goes back to the: we're kind of losing sometimes. Cool, any other questions? I'm not seeing... maybe no, that's a stretch. Okay, well, thank you everyone for coming; feel free to find me.
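Three of the technical ideas in the talk (checking a site's robots.txt before scraping its policy, the browser opt-out signal that policies say they honour without naming, and surfacing the raw "may" to "will" diff of a policy change), worked as one added example. This is not code from the talk or from Absolutely Nothing; it uses only the Python standard library (`urllib.robotparser` for robots.txt, `difflib` for the diff). The robots.txt text, the request headers and the two policy sentences are constructed for the example, and `example.test` and the crawler name `policybot` are placeholders. `Sec-GPC: 1` is the Global Privacy Control request header and `DNT: 1` is the older Do Not Track header; recording which of the two a request carried is exactly the "which signal are you following" question the talk raises.

```python
"""Added example (not code from the talk): three small checks around the
ideas discussed above, using only the Python standard library.

1. Consult a site's robots.txt before fetching its privacy policy and record
   whether the crawl is permitted.
2. Recognise the browser opt-out signals a server may receive, so a site can
   state which signal it honours (Sec-GPC: 1 is Global Privacy Control;
   DNT: 1 is the older Do Not Track header).
3. Surface the word-level changes between two versions of a policy sentence,
   e.g. "may" becoming "will".

The robots.txt text, the request headers and the policy sentences below are
constructed for this example; example.test and policybot are placeholders.
"""
import difflib
from urllib.robotparser import RobotFileParser

# Constructed robots.txt: everyone is asked to stay out of /legal/ and
# /privacy, but a crawler identifying itself as "policybot" may read /privacy.
SAMPLE_ROBOTS_TXT = """\
User-agent: *
Disallow: /legal/
Disallow: /privacy

User-agent: policybot
Allow: /privacy
Disallow: /legal/
"""


def crawl_allowed(robots_txt: str, user_agent: str, url: str) -> bool:
    """Return True if robots.txt permits user_agent to fetch url.

    The text is parsed directly so no network request is needed; for a live
    site you would call RobotFileParser.set_url(...) and .read() instead.
    """
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    return rp.can_fetch(user_agent, url)


# Lower-cased header name -> short label of the opt-out signal it carries.
OPT_OUT_HEADERS = {
    "sec-gpc": "GPC",   # Global Privacy Control
    "dnt": "DNT",       # Do Not Track (legacy)
}


def opt_out_signals(headers: dict) -> set:
    """Return the set of opt-out signals present in an HTTP request's headers.

    Header names are matched case-insensitively; a signal counts only when
    its value is exactly "1".
    """
    found = set()
    for name, value in headers.items():
        label = OPT_OUT_HEADERS.get(name.lower())
        if label and value.strip() == "1":
            found.add(label)
    return found


def policy_changes(old_text: str, new_text: str) -> list:
    """Return (old_phrase, new_phrase) pairs for every word-level change.

    Insertions yield an empty old_phrase and deletions an empty new_phrase.
    """
    old_words, new_words = old_text.split(), new_text.split()
    matcher = difflib.SequenceMatcher(a=old_words, b=new_words, autojunk=False)
    changes = []
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag != "equal":
            changes.append((" ".join(old_words[i1:i2]), " ".join(new_words[j1:j2])))
    return changes


# Constructed "before" and "after" sentences from a hypothetical policy update.
OLD_SENTENCE = "We may share your location data with partners."
NEW_SENTENCE = "We will share your location data with partners and advertisers."


if __name__ == "__main__":
    for agent in ("policybot/0.1", "Mozilla/5.0"):
        for path in ("/privacy", "/legal/terms", "/blog/"):
            ok = crawl_allowed(SAMPLE_ROBOTS_TXT, agent, "https://example.test" + path)
            print(f"{agent:14} {path:13} allowed={ok}")

    # Constructed request headers as a browser with GPC enabled would send them.
    sample_headers = {"Host": "example.test", "Sec-GPC": "1", "DNT": "1"}
    print("opt-out signals:", sorted(opt_out_signals(sample_headers)))

    for old, new in policy_changes(OLD_SENTENCE, NEW_SENTENCE):
        print(f"{old!r} -> {new!r}")
```

Run stand-alone, the robots check shows the generic browser agent refused for `/privacy` while `policybot` is permitted, the header check reports both `GPC` and `DNT`, and the diff reduces the two sentences to the pairs `'may' -> 'will'` and `'partners.' -> 'partners and advertisers.'`, which is the kind of change the talk wants surfaced instead of the full legalese.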