Disaster Ready Digital Safety: Building resilient support systems for domestic violence survivors

Great. Oh, so many friendly faces. Thank you all so much for joining. My name is Naomi Meyer and my talk, like you heard, is Disaster Ready Cyber Security Guidelines: Building Resilient Support Systems for Domestic Violence Survivors. And um I'm sharing this work from my master's degree at the University of Washington. So go Huskys. Woohoo! you dub. Great. So, let's see if this works. Woohoo. Okay, it worked. So, um, domestic violence, it's really heavy subject. I'm going to try and keep it not too heavy, but I do want to share this content warning that this is a really sensitive topic. And so, um, thank you all for treating it with sensitivity. And, um, I'm not going to

be sharing any explicit images, but um, if you're feeling triggered or need to take a break, please take care of yourself. You know, you step outside. um this is a safe space. So I really want to um treat this sensitive topic with sensitivity and thank you all for joining me in creating this safe space. So here's some headlines recently of um to give you a sense of the problem that I'm talking about. So in pink we have um from think global health gender-based violence the unseen toll of hurricanes um from the Houston area women's shelter hurricane barrel impacts domestic violence shelter funds needed for families fleeing violence and then from the United Nations women in green

um tackling violence against women and girls in the context of climate change. So there are many headlines like this. Just a few more examples. We have um from the Georgetown Journal of Gender and the Law, immigrant women, domestic violence, and hurricanes Irma and Maria in Puerto Rico compounding the violence for the most vulnerable. There's a TV news story um there's many examples of similar TV news stories of domestic violence causes rise during natural disasters in North Carolina. And then um this is from a academic peer-reviewed journal of planetary health about extreme events and gender-based violence. So overall, you know, I could share more headlines with you. Um, from popular news, media, blogs, academic, peer-reviewed, evidence-based research

demonstrates overwhelmingly that there is a significant uptick in domestic violence, gender- based violence during hurricanes, natural disasters, floods, especially here in the US. So, big topic, big problem, right? Um, what are we going to do about it? Um, that's kind of our agenda for today. I'm going to share who I am, who's on my team, why I think this is so important, what is being done about the problem, and then how you can be part of the solution. So um I really want everyone to come away today with some key sort of ideas, thoughts, mental models that you can shift your perspective um to think about domestic violence in the context of cyber security and um resources if you're

interested in helping because as I've been here you know at Bsides everyone is super supportive when they hear about my talk and they say oh yeah that's important I want to help. And so I want to give you some resources of how you can contribute to be part of the solution. So overall my goal um is to help build tech for and to protect those who are most vulnerable online. And I know a lot of people are interested in cyber security to protect those most vulnerable online. and particularly domestic violence is a problem that overwhelmingly impacts um immigrant populations, people of color black indigenous Latina uh LGBTQ, vulnerable populations, and particularly in our current political

climate. Um we need all the help we can get. So, uh here's where you can find me online. Um, like I said, I'm Naomi Meyer and this is my handle and my website. I would love to continue the conversation online. Um, if you have any feedback, if you have any strong opinions, please feel free to reach out. Um, so this research is ongoing and it's very much still in development and so I would love to hear from you all because I know there's some some amazing experts in the room who uh are really knowledgeable about this topic. So, um to share some background of like why I'm talking about this, why I care. Um I

going to share a bit about my my journey. So actually my um bio on session eyes is a little old. So I used to work as a software development engineer at Adobe and I was there for five years and I learned a lot. It was a great experience. However, at the end of my kind of tenure, I was um there was a reorg and I was working on um some tracking software that you know the cookie pixel that was tracking users to sell ads online. And I was feeling um in our current political climate a little bit um uneasy about some of that work. And I wanted a chance to kind of question some of the ethical and

moral ideas about the technology that I was building. And I felt like the analogy I like to use is that I felt like I was a mechanic who um a mechanic of the internet or of software where you know I know how to open up the hood of the internet and of software and ch out the engine and kind of know how some of the components work. Um, but not all my friends and family and people who I love don't necess don't have that mechanic knowledge and so I feel a responsibility to um be intentional and thoughtful about how we're building that technology. Um, I'm seeing some heads nod so I feel like people understand

where I'm where I'm coming from. So as sort of a mechanic of the internet, I wanted to be part of the solution and um in our current political climate like I am anti-Trump and I am anti-fascism and I want to be thank and I want to be on the right side of history. Um thank you. Yes. So, I wanted to to take a pause from big big corporate tech and work on something that I thought was meaningful and was unquestionably um for good. And so, that's where I'm partnering with the National Network to End Domestic Violence. and um they are a federally funded national um not for-profit that um works all across the United States to

support survivors and their families. And um they have what's called the safety net project that explores technology safety in the context of intimate partner violence, sexual assault and violence against women. and um they have seen a significant uptick in um the need for support um during natural disasters. And so they reached out to us graduate students at the University of Washington and said, "Hey, can you help us out?" And we said, "Absolutely, we would love to." And um so that is what I'm doing sort of my master's thesis or master's capstone project on. Um, and so this is a big project that I could talk your ear off about for hours, but I'm gonna um sort

of zoom in on some specific content that I thought would be most meaningful for the folks in the room today. And um Oh, yes. So, the National Network to End Domestic Violence, they support about a thousand survivors and their not a thousand, a million a million survivors and their families annually. And then what they do is they work with um what they call local victim service providers. So like women's shelters all across the United States um to provide guidance and documentation and kind of key resources and so and there's about 2,000 different women's shelters and local victim service providers who they support. So this is a big project that scales all across the United States. and

our team is um so I'm I'm sort of say when I say we about my project team a lot these are the people who I have to give a big shout out to unfortunately they're not here today but um my sort of co- students my classmates for the master's thesis are Dea and Alex and then Andrew Wolf is our academic adviser from the University of Washington and then um Jesse Lel Dr. Jesse Lel, the brilliant, um, is she is at the National Network to End Domestic Violence and she has been doing this for ever and so um, a lot I'm I'm citing a lot of her amazing research. So, um, as part of this project, we've had

opportunities to interview experts across the field. And, um, Natalie Doli is the assistant director of Safe Campus at UDub here in Seattle. And um she says that domestic violence issues are often tech canaries in the coal mine because they represent how um abusers might abuse technology and abuse sort of the latest and greatest new technology um immediately. And so because they are these canaries in the coal mine, they're really important to study and to be aware of for tech practitioners. um in different sort of business cases across the field because this is um sort of how abusers can abuse new tech. And so that's why I think it's really important to study. And something um

Natalie also talks about is her work at the University um of Washington. It has seen a lot of domestic violence abusers are sort of doing similar things that um h that similar attacks against um like researchers and scientists and academics at the university. And so um these sort of similar kinds of campaigns to discredit people are um seen in these examples. So academic researchers in particular lately climate change scientists um reproductive health scientists at UDub medicine um physicians for human rights journalists and human rights advocates. I mean the list goes on. I'm sure you can can think of other examples of cases where um there are campaigns to discredit this important work. Um and so that's why

it's very important to study and to consider um domestic violence in your cyber security. So with that in mind, let's move on to some examples. So um we talked about sort of the who and the why. So now let's transition into the what and the how. So again like I said this is a big M's project that expands across lots of domains. Um and we're particularly focused on um providing guidance for the uh survivors and in women's shelters in local victim service providers. And so um I didn't think that that content would be as useful for you all as more kind of practitioners in the cyber security field or more private sector. Um and so

I want to provide some sort of examples that might open your mind and um I'm hoping that you can think more broadly about domestic violence um cases in your cyber security work. So, I'm going to go into that first with threat modeling and then location tracking and then end with um non-consensual intimate image abuse. So, let's talk about threat modeling. Um I know many of you are experts in threat modeling and do it in your domains at your big tech companies and so I won't tell you what it is but at a high level um it's a structured approach for identifying analyzing and mitigating potential security threats to systems and applications often right and so sort of the traditional systems

focused definition of threat modeling um examples like the CIA triad you know confidentiality integrity and availability or the Microsoft stride framework um follow this threat model where um the goal is to improve the security posture for the organization to reduce risk and um increase cost effectiveness for the company. Right? So um there's some researchers out there who are um advocating to kind of challenge this traditional systems focused definition of threat modeling to instead think more deeply about the actual human involved. So the survivor, the the person impacted by the threat, right? And so um there's some really fascinating research and this is a huge paper that I would love to talk your ear off about later. Um but

it's called threat mar threat modeling intimate partner violence tech abuse as a cyber security challenge particularly in the internet of things. And so these scholars have a shift from the conventional technical focus as a risk to systems instead toward risks to people to the humans who are impacted. And so to do a full threat model and this is their example of a tech abuse threat model from their paper. And um they talk about ownership, harmful messages, exposures of information and gaslighting as some ways to um threat model an attack. Similarly, there's other research. Um this paper is called threat me rights a human harms threat model for system for technical systems. And so this human

harms model goes over harassment, access restrictions manipulation and surveillance as um things that you can threat model for, right? And focus more on the human instead of the sort of corporate business loss, right? And so these researchers say that um the existing models like we've talked about are coverage of technical threats to technical systems but these tools do not always apply in interpersonal abuse situations where an abuser may be using technology as intended but in a way that inflicts harm to another. And so instead, interpersonal abuse poses a threat to users instead of the system. So this causes issues when attempting to threat model around tech around non-technical adversaries. So I want to kind of

challenge you all to think about threat modeling as a human centered strategy, right? And so I'm sure many of you have heard of human- centered design. So, I want to add human- centered threat modeling um because interpersonal abuse poses a threat to users instead of a threat to the system. And um providing more comprehensive coverage where the technology is working as intended, but there's still a threat is the goal. So, let's move on to location tracking. another hot topic. Um, I'm sure as everyone in security already knows, there's a lot of risks to some existing location tracking technologies. Um, and so there's [Music] cars, air tags, petfinder, there's a long list of examples of um ways that

attackers can um abuse this technology. And so to sort of ex to go over the example of threat modeling as a human-based approach, we're going to focus on Apple Airax. Sounds good. Okay, great. So um here's some recent press of um examples. We have Apple Air Tag stalking led to ruin and murder lawsuit says um how Apple Air Tag is fueling domestic violence. And um I know you've been digital spying and divorce in the smartphone era from NPR. Similarly, police records show women are being stalked with Apple Air Tag across the country. Um and from local the Seattle Journal of Technology, environmental and innovation law, unintended consequences, the impact of Apple Air Tags on vulnerable

populations. So big problem. Um, so I'm gonna go through an example scenario where we can um kind of use our human centered threat modeling for the Apple Air Tag problem. And this example scenario comes from unwanted tracking scenarios implications for the adult protocol design from researchers Maggie and Jesse. And um in the interest of time, I won't read it out loud to you, but please um read through this example scenario. Um there's another one here, um where a survivor cannot use tech to scan for location trackers or receive alerts. And so this is an example where lime and lemon um I don't have time to read it all, but this is a um an example of a domestic

violence case with an Apple Air Tag. And so we can threat model this example where we have the attacker profile and the victim profile and other characteristics of this Apple Air Tag abuse. And um the great thing about this research is that they have a solution. And so Maggie and Jesse are working with the Internet Engineering Task Force, the folks who brought us TCP IP. and um they have a working group on detecting unwanted location trackers or DOLT and so this is their working group GitHub um and I would I think they're doing really important work and this DOL method um basically improves the problem of Apple Air Tags with a domestic violence focus and yeah please check them out.

So, to move on, sorry I just I'm talking your ear off and I'm so excited. I'm running through my time, but um we've got um non-consensual intimate image abuse or NCI. And so there are some really amazing nonprofit tools available and these are also um a lot of them have open source. And so if you're interested in contributing to improve these tools, please check them out. Um first we have stop NCI and they are um help with the removal of intimate images and revenge porn from the internet. And then the internet watch Foundation helps with the removal of images and child sexual abuse online. And then take it down.org is a service provided by the National Center

for Missing and Exploited Children and it removes explicit images um for minors on the internet. And so as a as a techie, I think that their technology is really interesting. And so I wanted to share it with you all because I thought you might find it interesting as well. But at a high level, how it works is um instead of sharing the intimate image that um or the revenge porn that people that um survivors don't want shared, what survivors can do is upload the image and the service generates a hash, a cryptographic hash of the image or video and then sends that out to partners like um you know Instagram, Facebook etc. and then they can rem and then they

if there is an exact match with that hash they will remove the image. Um so yeah that's what that says. Um and so I think it's really great to generate that cryptographic hash and they're doing amazing work. However, there are some um sophisticated attackers who could just change one pixel of the image and then it's a different hash and so it's not an exact match. And so we need experts like you to help contribute to improve this technology to make it more effective for to support survivors. Um again, here's um more resources. Here's their global network of partners. um here in North America. They also have international partners and please check them out and support

them online. And um thank you so much. I hope that you've expanded your mind a bit and thought more deeply about how we can build tech for good to protect those who are most vulnerable online. So, thank you so much. This is again where you can find me online. I really appreciate it.