BSidesAtlanta 2019 - Ismaelle Vixsama - Cyberstalking - A Privacy Issue

hello welcome thanks for coming out I'm gonna give a quick thank you to our sponsors tennis Kennesaw State Department of Information Systems the NS a coal fire and cadets key security and tried to introduce this email which is going to be our presenter today the issue and really why you should care so before I start I'll just introduce myself again my name is Ismail Vic sama I actually go by Izzi first of her name and actually last of her name because I'm the only person in this world with this person last name I'm an information security officer at Kentucky security I hold the CISM certification and the ISO 27001 lead implementer and bunch of Education did you probably don't care

about them so just real quick this is what we're gonna be talking about don't want to spend too much time on the agenda but mostly we're going to define what cyber talking is we're going to define the difference between trolling and cyber stalking talk to you about some just stats we're also going to look at some terms in terms of services for some social media platforms and the applicable laws both federal and state and then potential solutions and recommendations for how to alleviate I'm just going to hold all the questions until the end of the presentations and we should have about five to ten minutes or so to ask me whatever you want so raise your hand

if you actually care about cyber stop

those minions now raise your hand again if you know anyone or have been cyber stalked before okay raise your hand again if you know what steps to take to address cyber stalking sorry about that okay raise your hand if you know the steps to address cyber sake okay that's what we're going to talk about so what is cyber stalking this is actually defined by the this is actually the definition by the national conference phase of literature legislature and this is what is written in the law of what cyber stalking is it's basically the use of the internet or anything telecommunications to cost credible threat and what does that actually mean we don't really know so there is a difference between

trolling in cyber something a lot of people actually like to conflate those two terms trolling is in essence just basically being mean online or saying something inappropriate on a comment on Twitter or LinkedIn which I don't see a lot of charlie happily on LinkedIn but whatever methods in control but the difference between Cypress and controlling that's really important here is trolling typically does not cause harm or physical harm and cyber stalking starts usually online in the mid actually transitions into physical threats and a lot of people don't know what happens once it moves from the digital space into the actual physical space so we're going to talk about social media usage and

but a lot of cyber stalking takes place on social media bad actors huge whatever information you put out there from yourself to actually create and launch the cyber stalking campaigns against you so the majority of the recon is passive which means that you don't know whoever's conducting this research on you and a couple people have come up to me based on my social media and said yeah I looked you up I don't think you should tell someone that you looked them up in the conversation very uncomfortable thereafter but so that's basically how a lot of cyber stalking campaigns start it's usually past it and then whoever wants to against be malicious then it turns into in want of

a harassment in the native eventually gradually turns into physical threats so here are some social media statistics that you may or may not have been aware of Facebook and this information was as of March 1st 2019 this information actually changes every month because they're doing polls every month or so to kind of figure out how many people are using social media so as of March 2 point 3 2 million activity monthly our lodging in 1.5 two billion users are logging in daily and those two numbers actually combine to create about thirty percent of the global population and if you guys remember that number that seven points that are the billion people across the world so Facebook is

seeing about thirty percent of the world's population logging in on a monthly or daily basis five new profiles are created a second which five new profiles just got created in that little pod that I took two hundred and seventy million profiles are fake on Facebook and for LinkedIn the numbers are quite different because there is not as many profiles there are only about five hundred and ninety million users on LinkedIn two hundred and sixty of those are active monthly users and then two new profiles are created a second one relates only about ten percent and I say that because it's much less than Facebook but that's about fifty nine million accounts 5908 five million accounts are fake accounts on engine so

this slide actually says sharing is consistent for what it really means is over sharing statistics so one of four users are sharing Geo attacking themselves when they actually enter into a new location this is typically done on Facebook 63% of social media users post clear up date of birth 61% have their name the location of the schools that they attend high school or universities 23% have their pet names and I'll drop down to 48 percent half their hometown information and everyone in the room knows that this information is basically used to reset your passwords or it's utilized for some of the know your customer type of questions that you can answer and so you pretty

much if you had to need this information on your social media profiles you have given a bad actor all the information they need to essentially reset your passwords and/or be able to cyber sake so with that being said terms I think the plight function is enabled

I took that off but I guess it

[Laughter]

all right so in terms of services this is basically the terms of services are essentially the part of your agreement when you use social media that no one actually ever reads I know I haven't read most of mine but through this presentation I actually did started reading some of the terms of services and it's actually quite important that you do take time to read them as people who are giving your information out to these social media platforms so this is actually screen grab from LinkedIn and this is part of what your three to win

nice you have to play

I have to say this makes me look very technology there it is no I'm not I'm sorry

yeah what which is basically create a false identity or a fake account this is the only part of LinkedIn user agreement that actually talks about fake accounts nowhere else only user agreement or the privacy policy actually use state to this and it's one really long sentence with no period if you just wanted to show you guys that if you have some time we really take a look at what your the terms of courtesy so here is another screen wrap from the privacy policy from LinkedIn this is actually stating what LinkedIn is willing to do if they identify any fraud or fake profiles and essentially there is no section in the privacy policy or in the User Agreement

that says when we then actually does once we've identified a fake profile so in order for me to find this report fake profiles I actually have to search for I went in and I detecting reporting a fake profile and this is what came up and throughout researching the remaining user agreements or the privacy policies I actually didn't see what LinkedIn does after usually reported does anyone actually know what happens after you report a fake profile on LinkedIn come back I didn't think so either and this is another portion of their privacy policy and this essentially which is why you should probably read this it tells you what you are entitled to as a user giving you LinkedIn your

data so you can ask them to them each change correct or you can object to your data being shared with any of their third parties including LinkedIn interim services because LinkedIn actually shares data with other LinkedIn services that you may not have a son had signed up for so reading your privacy policy is quite important so why am I talking to you a bunch of currency policies to talk about cyber stalking because this is the only they go on social media that actually gives you any rights or tells you what you can can't do with your own data so if you don't want your information out there for someone to be able to misuse this is the only thing that's kind of

helping either

so now let's go back to cyber stopping an applicable laws so for those of you that were honest about you know caring about the topic or not caring which like I think for people in totally that didn't care which happy you guys actually care about my topic for those four people that didn't actually have to care about it this is why you should 65% of Internet users between eighteen to twenty twenty-nine have experienced online harassing harassment I know I have and some people raise their hands in the air actions that people do so you should understand what this is a very important topic twenty six percent about twenty six percent of women between ages of 18 and

24 said they have been cyber stopped and 25 percent of women on the internet have experienced severe sexual harassment or sexual harassment as a result of their cyber stalking so the majority of people women who are being cyber soft and things like work a good number of them are experiencing physical and sexual harm as a result of the cyber sake and lastly 8% of Americans have been stopped online it doesn't seem like a big number but it's pretty significant in terms of cyber stopping wasn't even a term about two or three years ago so so here the federal laws that are in place today that actually kind of address this or somewhat address it so the Computer

Fraud and Abuse Act of 1956 which is a pretty old law seeing that cyber stalking is normal there's more current than this law has been actually in terms of updated so just quickly walk through I'll walk through some of the information that I found out about these laws I'm not too much to you but this was actually put in place the computer actually put in place just to counteract history so for the large majority of the last year's what cyber stalking everything that was being persecuted under this law which there wasn't any real consequences for cyber stuff and still not have been went on I guess there were no consequences recently so for the u.s. code 18 section

2 2 6 1 aim this actually there's law that has been put in place for cyber stalking and it's basically written for domestic violence and stalking and there's a very small so that the subset of that lava talks about the electronic communications services being used to perform domestic violence for stopping so it's not it's still not very clear that it's specifically for cyber sake is for physical abuse and physical stalking and then one that I think is really important to point out here is the infringement copyright and this actually has been used recently for things for cases such as like revenge porn where someone is using your own photographer nude photos or explicit photos against

you in an activist foundation so this actually does it put anyone in prison it just makes it so that the victim was the original creator of the photograph to be able to sue that person so this is actually kind of a good thing but it doesn't actually give any money legal authority to put you in jail for a sham your nude photographs which I think we still have a long way to go and then lastly the Communications Decency Act section 230 that is really important to talk about here because this section of this Act actually makes it so that social media platforms are not responsible for using their fat one to launch a cyber stalking campaign against you so what

that means is that someone who decides that they want to stop you Facebook has no responsibility for anything within you and this part is actually a big problem because this is why cyber stalking is not being persecuted on the right there in the regular basis so then there in the recent years there have been some new state laws that have been I guess published or written to kind of address this California which seems to be a leader in a lot of privacy law they have recently well they actually were the first state to create a cyber stalking law and that was in 1991 and the Texas followed shortly in 2000 with their uh that's actually called stalking by

Electronic Communications Act since 2001 and lastly there are forty five stalking laws that existed in the u.s. only about 18 of them don't incorporate minors so what that means is that majority of these laws are only applicable if you're under the age of 18 so let's talk about the previous cases that were actually tried so just quickly right through this actually under Massachusetts right Iceland 25 he launched a cyber stalking campaign against his former housemate who I believe was also paid back in the span of a year so he made over 120 bomb threats he called the FBI and indicated that she was making bombs at her home he launched the campaign against her mother

her friends are known associates he posted nude photographs of her online create a fake facebook profile of her he sent child pornographic photos to her family her friends and her known associates and he even posted her address and her information on websites for men that were known for supporting domestic violence so this caused for strangers to show that her home and actually caused her physical on so at the end of the sentence and he was 17 years in prison with five years of supervised release I want to call out that the reason why this was actually investigated by the FBI was struggling because of 120 Bumpus the second case I'm going to talk about just recently

happened this is one Thomas in a very nice that he's from st. Louis but the ciphers not me actually happened anymore he launched a campaign against his ex-girlfriend in Rochester Rossi and they actually met on an online dating site and so they were dating for a period of a year and together more and want Thompson just if I was a reporter so he was able to get a lot of information on his victims just by using his his resources means the reporter so he posted her home address he basically did similar to similar things as the previous you posted her old address in multiple places people came to her home listed sex from her folks anonymous reports

where they need of her threatening police and running guns in about the country since they were so close to Canada he made 12 bomb threats to Jewish community centers and he was only sentenced to three years in prison again this was actually reported by the victim this was actually reported by the victim 12 times in a year and a half and this was only investigated once he started threatening JCC's so a lot of these cases have only been have only the effect results only because they're bomb threats or they're physical threats of violence to children or schools or other religious affiliations and organizations I should say so some of the challenges in proposed solutions which it's up to you to decide if that's

an actual solution or not so one of the challenges is act 2:30 does not hold websites accountable for the content that's posted by their users there's actually a big problem because in law enforcement does want to actually start investigating it makes it hard for them because these social media platforms do not have to cooperate with the investigations in terms of mobile even if they only are required to to cooperate if it's basically and being investigated by the FBI social media platforms cannot control fake profiles being created a lot of cyber stalking campaigns use vacant profiles to collect information on their victims or to post photographs or text messages of their victims reporting fake profiles have

basically doesn't have any clear actions no one knows what happens once the reports fake profile I've recorded profiles and then I go back and check a month later they're still there so I'm assuming nothing happened over a sharing of your personal information this is something that we can control as consumers whatever you put out there just know that someone else to this is able to consume it and the local and state law enforcement they don't have it seems like they don't have intended to investigate or they don't have the resources to properly investigate some of these so here's where I recommend for users and a lot a lot of what I'm gonna recommend today is one to be what we can

do as consumers of social media to protect ourselves so reducing your flip crown Google and what that means is that Google yourself if you don't like the information that's on there try to get something been taken down and you probably won't be able to get all of it but as much as you can taking down do so change privacy settings on your social media platforms I personally have removed all of my information from message media no one knows my date of birth is unless I tell them no one knows how old I have no one even knows my real name so these are just things that I do to protect myself and don't share your

order to accompany information that is kind of difficult on platforms like LinkedIn but what I would recommend is maybe not post your work phone number to work email if you don't want people just calling you up and require post-tax order prior to being posted use your block and report features as often as possible and read your privacy policies in your terms and conditions I think that's really important to actually know what your rights are now what I recommend for law enforcement this is actually going to be something that is quite expensive and time-consuming to action event a lot of state and local law enforcement do not have enough resources even people running for technical skills to actually

have additional incentive 16 but imagine if all of the people who are affording cyberstalking we had a team that could go back and kind of do some investigative investigations to identify who was behind it maybe some of these wouldn't have to get to the point where comments are being made so some of the tools I recommend be this is not an exhaustive list obviously a pool and a try be tracking being you attract someone via their app you can kind of help you figure out who's behind it and then kind of create a profile to further investigate and the rest of these are basically tracking as well but both extractor is specific as a function

where you can search social media specifically since a lot of cyber stalking happen

so for policy recommendations so continued advocacy first Irish knocking laws there needs to be some sort of bridge between state and local and federal I don't believe that it exists for the feds for the feds to come in at any point where there may be a bomb being made I think some of this can happen can be investigated prior to that so figuring out how to bridge the gap between state local and federal updating or performing existing laws and I mentioned only about 18 of the 45 laws and related impacts can actually be applicable to cyber stalking for adults that's a problem because 25 percent as I mentioned in the previous slide about 25 percent of people

being softer over the age of 18 and call former Communications Decency Act because we need to have social media platforms being held accountable for the information that's being posted on there and how it's being used now that one a lot of people probably won't know but giving users more control on how their data is being published used and then being able to opt out of their information being shared is actually quite important kind of being invisible to the internet board people want to launch campaigns against you and just as an FYI most people who have been cyber stalked have their cyber started because of someone through someone that they know and only about 26% of the people

who have been cyberstalk via strangers so it's someone that you know that's probably it has been internet and lastly you or someone that you know here the resources that you can use workings who halts online abuse actually lists out all the states that have cyber stalking laws they also have actually helped

[Applause]

mine is more of a comment you mentioned about the UH sharing of information I mean in this day and age especially if you're a homeowner most of the information about ownership is public online and the government either go to Facebook even if you have been posted their date of birth usually you figure out people's battle it by all the happy battery messages that just kind of like scroll scroll down the page so there's so much of it out there and we know how we can actually control it I think the only thing that sacredness I don't know try to remove it as much as possible that's really

like for example

so if you're if you're being stalked online should you go to the local police the FBI I'd help you out I mean half tuck what's the best way to make it stop are your friend in the Mafia can you stop back

local police department actually has the technology to be able to investigate it and honestly probably don't think it's going to happen until we start making bomb threats or until they show up at your house with a gun then you can probably get a restraining order but again we're sure new herds only go so far so it's actually trying to attack you you can throw the piece of paper it's not a survivor it's actually extremely routinely obviously myspace was still active myspace Facebook LinkedIn and at the time the only the course was not to have anything a weekend so I had no professional anything out there for a number of years and when you kind of like go through

those things and my you know friends family behind in comment get set he finally got one

[Applause]