
Privacy And Tech-Enabled Abuse - Sarah Connelly

BSides Cheltenham · 19:04 · 40 views · Published 2024-07 · Watch on YouTube ↗
Category: Policy
Style: Talk
About this talk
Tech-enabled abuse—using devices and online accounts for coercive control, harassment, and stalking—affects one in four women and one in six men during their lifetimes. Connelly examines five types of tech abuse, ranging from ownership-based device control to gaslighting via smart home systems, and argues that infosec professionals must redesign threat models and user safeguards to protect vulnerable populations from intimate-partner harm.
Transcript [en]

All right, thanks for coming everyone. So it's slightly different to the program; I'm a stand-in speaker as of the early hours of this morning, but it is quite an important topic to me, so I've offered to present it here. This is something that's often overlooked in our industry and I felt it was a good one for a conversation starter. The reason for doing this talk for me actually came from a conversation I had with my sister, who works for Women's Aid, and it was about the topic of tech-enabled abuse, and I was surprised with how little I actually knew about it, which led to a lot of research, and the outcome is this talk and hopefully a lot more knowledge for yourselves as well to take back into your day-to-day.

So every slide has to have one; this is about me. In my day-to-day I work with projects in a business, primarily looking at risk analysis, recommending control goals for applications and projects we have. I'm also a member of for Fox; I think what I do there could be summed up with sort of the mad science side of things. But primarily speaking I'm really interested in secure software, mitigating risks with application design, and I've got a bit of background in operational fraud risk management. My Discord's there if you want to have a chat, or catch me afterwards if you do want to discuss anything.

Because of the nature of the topic, and as you'll see because of the statistics that are involved, someone in the audience may well have experienced some of the things I'm going to talk about today. So this is just a warning to state that this topic will include references to domestic violence, coercive control, manipulative behaviour. Please look after yourselves; if you need to step out, please do so. We've got friendly green-shirt volunteers. I'm also happy to have a chat if you want to stop by afterwards and speak to me, or if you want to catch me later on as well.

So what is tech-enabled abuse? Well, the term actually started to become popularized in August last year, so there was a report for MPs calling on the government to tackle tech-enabled abuse. This came from an inquiry that happened in May 2022, and it was by a group that was looking into Internet of Things devices, IoTs, and the dangers or opportunities for them, given that they were widely becoming a very, very big thing. Tech-enabled abuse as a result of IoTs was a significant finding from that report and led to it essentially being its own recommendation.

In terms of statistics, I was quite surprised with how high this was, but one in four women and one in six men will experience domestic abuse at some point in their lives, and in the year ending March '23 we're looking at 2.1 million people experiencing domestic abuse, so that's a significant proportion of the population. Of those, 59% (so this is a Refuge study) reported technology-enabled abuse, and that figure is only growing. Some charities have actually said that of the cases they see today, it's as high as 80 or 90% of cases they're seeing that have some form of technology-enabled abuse.

I did want to talk a little bit about gender-based violence and the language that I'll use in the report. I will make mention of primarily women in the report due to the source material; I'm going to keep the source words as they are, and unfortunately it is a majority, as you can see, more likely to be women who experience this abuse at the hands of male partners. But that's not to undermine that this can happen to anyone, and does happen to, it could happen to anyone. So I've tried to keep it as gender neutral as possible, but where the source material has included a gender I've included it here.

So when we talk about tech-enabled abuse specifically, I found a great paper that defined five types of tech-enabled abuse, so you can kind of categorize them and bring into context what I mean by tech-enabled abuse. The first one is ownership-based access. This is where a perpetrator owns the device or sets up the device or accounts, and then the victim has delegated access to them. So the person who's purchased the device or set up the account knows, understands how the device works, has set all of the permissions and privacy settings, and can then withdraw access from that device or account from the victim, potentially for coercive control or manipulative reasons. They can also track how the account is being used and any of the data that's associated with it. So if you think about location trackers, if you think about social media accounts with messages, all of that would come under that ownership-based access.

You then have account or device compromise. So this is where credentials can be guessed or coerced from the victim; it may also involve installing stalkerware on the device. A note here that stalkerware is slightly different from spyware; the terms used to be interchangeable. When I talk about stalkerware, that's going to be somebody that's known to the person whose data is being harvested. Spyware is typically an unknown third party, and it's usually for sort of metrics-based reasons or for deploying further malware. Stalkerware is specifically about obtaining information on a victim.

You then have harassment. So this can involve contacting somebody on social media, either impersonating the victim or as a third party, threatening to disclose information about them, harassing friends and colleagues. And then malicious exposure is usually a form of harassment where, if information has been obtained from a device that's been compromised or an account that's been compromised, threatening to share that with people that that person knows. There's also gaslighting. So you may have heard of the term outside of the realm of tech abuse, but in terms of tech abuse it is using technology to make the victim sort of question their perception of reality, and how that can happen is saying that messages weren't sent and then deleting those messages so that person has no record that they were sent, or sometimes it can even involve using IoTs to disrupt that person's environment in ways that they wouldn't expect, such as making the house very, very cold during the day if they've upset the person, or setting off alarms or sounds and things throughout the house.

So it's important to state that a lack of confidence in technology is a big factor here, and it allows perpetrators to convince victims of a greater functionality potentially than the device has, or they can hide features from somebody, so it becomes very difficult to understand what and where those devices could be used. So it could be that they'll convince people that it can track live locations when it can't, or that you can listen in on them throughout the day in the case of, like, smart speakers. Devices could be smartphones, tablets, laptops, Internet-connected cameras, and some of the reports have actually included Internet-connected toys which have been given as gifts to children in a relationship, which are then used to track the family.

Looking specifically at the Women's Aid Federation, their abuse report for 2022: 31% of people who had approached them for support felt that their conversations were monitored online; 21% experienced the perpetrator turning up unexpectedly, so it was as if they knew their whereabouts; 20% were monitored using online accounts, so that's not just social media, that could be things such as your online banking, it could be something like what they're watching if it's like a Netflix account, it could be a whole variety of things; 10% actually had smart listening devices, so that would either be smart speakers or could be other sort of microphone-type devices in the home; and 20% experienced gaslighting from smart home devices.

To bring it again into context, I wanted to include some quotes that were given as part of that report, because I think it's quite important to understand what the victims have gone through at the hands of technology. So this one was: watched everything I did on social media, got other people to watch and report back, tried to hack my accounts, and followed lots of my friends to see what I was doing. So this person, regardless of what they did with their own accounts, their friends and family became targets for that person in order to track and understand what they were doing. So somebody was watched and listened to on internal cameras, and if they wanted to do anything that the perpetrator couldn't find out about, they'd have to find blind spots in their own house to make sure that they couldn't be watched remotely. And for this one, the perpetrator actually signed up their email to a funeral website, so they would receive emails telling them to plan their funeral, a particularly malicious way of trying to manipulate and upset the victim.

So as I mentioned, these cases are not highly sophisticated from a technology perspective; we're not talking about master hackers in these cases. The technology is often used exactly as it was intended to be used, but for malicious purposes. So the technology is meant to track you, but it's meant to track you maybe for protection or to find your phone or things of that nature, but instead it's being used in a malicious way. There was a great report that I read, published in 2022, and I really like the quote that they put there, which is that conventionally in infosec we look at defending computer systems from a very specific type of threat. You know, we're all very aware of the guy in a hoodie in the basement who's after the cryptocurrency, but we're not thinking of interpersonal types of harm, where people who are using our systems and our devices are then having people abuse them using those very same devices.

So I wanted to do this talk as a bit of a call to action for us as information security professionals. We should be looking at securing information for our users; we should be looking at data security, dependability and reliability. We shouldn't be omitting this as part of our threat model; instead we should be designing for it. Based on the statistics I've shown, if we aren't doing this we're letting down a significant proportion of our users at what could be the most vulnerable time in their lives. So it's important it's something that we think about when designing any form of controls or features for our apps.

So as I said, I don't want people to be afraid of technology; that's very much not my intent when I do awareness with people. I want people to get the best out of technology, and this is about giving you the skills to go away and think about: okay, this is a big problem, how can we make this better, how can we solve it?

So for people who are in a position like me, where you can enact change within an organization, I've got some ideas. The first is to review your support tools. So make the information about the features in your application, and what it does, what data it gathers, clear and concise. If a victim is looking to escape a perpetrator, go to a shelter, they have a very limited time window on a potentially compromised device to look up information and get the information they need about what that device can do or what that system can do. So make it clear and easy to understand; don't have a 10,000-word privacy policy where it's buried in there. Make it simple for them. Have it transparent, so make it easy to review your privacy settings, make it easy to understand who is accessing what, what accounts are being delegated access to view things, how often are they being looked at. Are you considering all of your threats in your threat model? When we're thinking about, okay, how could this be abused, are we thinking about the person in the family, not just that anonymous hacker online?

Larger organizations might benefit from specialized teams. So Google and Apple now have specialized teams to help with this, both for contacts for external organizations such as Refuge and Women's Aid. But if you have a large organization and you think that your application or your device could be used quite frequently in a malicious way, having a dedicated team for victims to contact, and also for refuges to contact, could be extremely valuable. And then, is there anything that you could introduce to help somebody who's looking to prosecute or go to court? So an example I gave when I gave the talk at BSides was: if you have a location, find-my-phone feature or a location-tracking feature, if somebody is going to try and argue in court that they set that up for the person's safety and it was only in there in the case of emergency, if you as an organization can help show that that person was accessing their location four or five times a day, it's clear that that is not going to be for safety reasons; it's more coercive control and manipulation, and that helps raise the bar for what they need in terms of evidence to potentially convict somebody.

So we're not all in a position to enact that level of change, but even if you're not, there's a few things that I recommend you can do. The first is reaching out to organizations in your local community to look at privacy awareness. Is there work that you could do to talk to people about what really happens with your Facebook privacy, or what really happens with your Alexa devices or your Google devices? Could you help people understand what those devices can and can't do, and how to essentially take that technology back and understand how it works? There's also a lot of research that's needed in identifying and evidencing. I've given an example, but a wider example would be things like stalkerware. We have technology that can detect viruses and malware on phones, but to my knowledge we don't have anything that can detect stalkerware very easily, and very often refuges will just resort to putting a phone onto airplane mode or even just resetting the device, because they can't guarantee that there's nothing malicious on it. Having tools available that you could give to refuges, or even just to give to victims, to be able to scan their phone and discover those kinds of apps could be incredibly important.

And spread the word, talk about it. I didn't know about this until I had a conversation with my sister; she's worked for Women's Aid for a few years and it was something that sort of took me by surprise, just how bad this problem is getting. But it's not something that has to remain a problem if we take action on it; it's something that we could actually turn around and hopefully make technology an important part of their lives.

So I've got a few resources for you. The first two are support services, so these are Refuge and Women's Aid if you do need to contact them. I've also got a couple of further readings. So Refuge actually have a tech safety team now, and the work that they're doing is incredibly important. There was an organization called SafeLives which did a Tech vs Abuse report back in 2017; it's a really brilliant read and talks a lot about how the industry can get involved. There was also an academic report that I included here; it's too long to put on the resources, unfortunately, but please contact me if you'd like it, I'm more than happy to share it. And thank you, thank you everyone for listening. I think we've got a little time for maybe one or two questions. Does anybody have any questions? Brilliant, yes.

As in general awareness, or...? I'd have a look at the Refuge site, so the tech abuse team for Refuge, they've got a lot of good resources on there for things that you can check with people. You could always look at reaching out to them to offer awareness; I've done that with a couple of the local organizations. Obviously it depends on whether they've got people to support, and a lot of them are unfortunately underfunded, but yeah, they welcome any kind of support people can offer because this is such a growing issue. So yeah, have a look at those. Anyone else?

Yes, so jailbroken devices is a big problem. Unfortunately a lot of the stalkerware we see will actually be able to just be installed on phones anyway; a lot of them are off the app store. Or, this was a much more common problem before, there's been a very recent crackdown on it, but you can get apps that you can install perfectly fine on an Android without jailbreaking it that can send more or less all device diagnostics to a remote server, and that person then has a lovely little dashboard. The worst case I saw was for £10 a month you could pretty much get everything from up to five devices in a lovely little dashboard; you could see everywhere they'd gone, Wi-Fi networks, Bluetooth devices, everything. So unfortunately, yeah, stalkerware is a massive problem, but as they crack down on it I'd imagine there will be a rise in jailbroken devices as well.

Yeah, yeah, third parties, and yeah, it's just built-in features; it's very often built-in features. It's not necessarily, we're not talking about hacking, we're talking... yes, absolutely. Fab. Anything else? If not, you can grab me afterwards; I'm more than happy to have a chat about it. Fab, thanks very much everyone, thanks.
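Two of the organisational suggestions in the talk, making it easy for a user to see who is accessing their data and how often, and being able to show that a "safety" location feature was in fact queried four or five times a day, both come down to the same audit data: a per-lookup record of who viewed whose location. The following is an added example, not code from the talk or from any product mentioned in it. The log line format, the field names (viewer, subject, feature), the account identifiers and the per-day review threshold are all constructed assumptions for illustration; a real service would read its own audit store and set its own review policy with its safety team.

```python
"""Audit summary of delegated location lookups.

Added example, not from the talk. The log format, field names, sample
accounts and the per-day threshold are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit lines: ISO timestamp, the account that looked up
# a location ("viewer"), the account whose location was viewed ("subject"),
# and the feature that served the request. Account names are made up.
SAMPLE_LOG = """\
2024-03-04T07:12:09Z viewer=acct_a subject=acct_b feature=find_my_phone
2024-03-04T09:41:33Z viewer=acct_a subject=acct_b feature=find_my_phone
2024-03-04T12:05:51Z viewer=acct_a subject=acct_b feature=find_my_phone
2024-03-04T17:58:02Z viewer=acct_a subject=acct_b feature=find_my_phone
2024-03-04T22:30:17Z viewer=acct_a subject=acct_b feature=find_my_phone
2024-03-05T08:02:44Z viewer=acct_a subject=acct_b feature=find_my_phone
2024-03-05T13:15:10Z viewer=acct_a subject=acct_b feature=find_my_phone
2024-03-05T19:47:28Z viewer=acct_a subject=acct_b feature=find_my_phone
2024-03-05T21:11:55Z viewer=acct_a subject=acct_b feature=find_my_phone
2024-03-06T18:20:00Z viewer=acct_c subject=acct_d feature=find_my_phone
"""

# Assumed threshold: more than this many lookups of one person in a single
# day is flagged for human review; it is a prompt for a safety team, not proof.
DAILY_REVIEW_THRESHOLD = 3


def parse_line(line):
    """Parse one constructed audit line into a dict, or None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    if not {"viewer", "subject", "feature"} <= set(fields):
        return None
    fields["timestamp"] = ts
    return fields


def daily_counts(log_text):
    """Return {(viewer, subject): {date: count}} for location lookups."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than fail the whole report
        key = (rec["viewer"], rec["subject"])
        counts[key][rec["timestamp"].date()] += 1
    return {k: dict(v) for k, v in counts.items()}


def access_summary(log_text, subject):
    """What a user should be able to see: who looked up my location, how often."""
    summary = []
    for (viewer, subj), per_day in daily_counts(log_text).items():
        if subj != subject:
            continue
        summary.append({
            "viewer": viewer,
            "days_active": len(per_day),
            "total_lookups": sum(per_day.values()),
            "peak_per_day": max(per_day.values()),
        })
    return sorted(summary, key=lambda s: s["total_lookups"], reverse=True)


def flag_for_review(log_text, threshold=DAILY_REVIEW_THRESHOLD):
    """Days on which one viewer looked up one subject more than `threshold` times."""
    flagged = []
    for (viewer, subject), per_day in daily_counts(log_text).items():
        for day, n in sorted(per_day.items()):
            if n > threshold:
                flagged.append({"viewer": viewer, "subject": subject,
                                "date": day.isoformat(), "lookups": n})
    return flagged


if __name__ == "__main__":
    # The user-facing view for acct_b, then the days a safety team would review.
    for row in access_summary(SAMPLE_LOG, "acct_b"):
        print(row)
    for row in flag_for_review(SAMPLE_LOG):
        print(row)
```

Two design points follow from the talk rather than from the code. The summary is keyed on the viewer rather than the device, because ownership-based access is about who set the account up, not which handset made the request; and the threshold only flags days for a person to look at, since a legitimate emergency can also produce a burst of lookups and the record, not the flag, is what matters in court.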