
Samuel Greenfeld | Dox Yourself

BSides Orlando · 46:50 · Published 2016-03
About this talk
http://bsidesorlando.org/2016/samuel-greenfeld-dox-yourself

Slides available here: http://www.slideshare.net/SamuelGreenfeld/dox-yourself-bsides-orlando

Abstract: This talk starts out by looking at how companies have tried to authenticate people using public information. It then looks at current authentication practices, and finishes by discussing how companies try to determine who you are without letting you know.

Bio: Samuel is a Senior QA Engineer testing XenDesktop performance at Citrix. Prior to that he worked on the One Laptop per Child project, and at Secure Computing & McAfee on the Sidewinder (McAfee Firewall Enterprise) product line.
Transcript [en]

works okay uh first I'll start off with a bit of a disclaimer this presentation uses personal examples it's not the view of my employer uh some fields are blacked out for pictures in the uh and the ongoing video recording I know you can find the information uh I know of no doubt you can make my life or others miserable please don't uh uh doxing is the art of reporting someone who finding out who someone is I'm not going to go too much into that rather I'm going to go into the information sources that are out there and how that how it affects us as Security Professionals this talk covers a lot of little things the slide in references

are online so you don't have to worry about taking pictures of every last thing that said I'm Samuel greenfeld I am CS issp certified I'm a member of the South Florida Issa and my date of birth is on the cd-round from 1997. hey it contains over seven hundred thousand records of a federal license database uh it's also in traditionally 1997 was the year they stopped issuing date of birth with these sort of Records but they persisted online for several years uh most federal and state public and profession licenses are public information so if you've ever wondered in Florida what you see your hairdresser posts their little certificate next to their chair saying they're a licensed

hairdresser but kind of hides it because their address is on there or why everyone's suddenly worried about having to register their drones with the Federal Aviation Administration this is why uh um uh the last four digits in my college email address or my social last four the last four digits of my social security number if uh this was a very common practice at the time uh we used social security numbers for everything the pizza place had the the every a list of social security numbers so if everyone whose account at the college had over fifty dollars in cash so you could order stuff uh you use pressers used it for grades everything College administrators are

kind of hesitant to admit they used to do this but it was pretty common around that time it was not around until 2007 when I first received an alternate ID number and this practice stopped uh this school kept doing it up to I guess winter of 2011 with the last three digits of this social security number uh this school also does has is division one sports championship teams so it's not like it's a minor school to just in the middle of nowhere uh here is a University's job application system uh it wants the last five digits of your Social Security number and the month of day of birth for to create an identifier I took this

picture earlier this month so that is still live and this is actually a real University it was somewhere in the state of Florida and if you add up all the schools which had practices like this these you have an identity theft issue of the scale matching anything in the news today the reason for this is unless you're extremely young uh Social Security numbers are predictable uh prior to 2011 uh Social Security numbers were issued in a predictable sequence first four three digits is just the location where it was identified uh the middle digits are issued in a known sequence and Social Security Administration was nice enough to tell you when what numbers were valid in there because they needed

some way for other people to do it last digital set is just some sequential and this becomes really important because the IRS started requiring Social Security numbers for dependents in 1987 to make sure you had a legitimate tax deduction around the same time there's an enumeration and birth initiative causing uh uh infants to 96 percent of infants to be given their social security number is listed electronically at the time they were done at the house they were born a Carnegie Mellon study in 2009 looked at the deaf Master file for some of these students the children born after this period uh uh where they found they were able to determine the last four digits of the social security

number within a thousand attempts and they could figure out the first five digits for sixty percent of the population within two attempts uh so if you the last digits are known that's where all the potential pseudo-randomness is so I know where you've been it's all you can do I should also note that your Florida's driver's license number is not much better I just say this because you can do the obvious internet Google search and find out all the information on how to create your own that I recommend doing that uh and so I just say this could also because some sites like Satan's against saying this would give us your last four digits of social security numbers in the

Enterprise for the last four digits of your driver's license and in the Florida that really doesn't give you very much information uh surprised I mean a new station figured out this obvious internet search a few years back they even told someone as far as I know the practice hasn't changed someone also uh created a proof of concept last year where they showed off that they figured out uh uh uh credit card vendors uh number format uh the earliest record I could find of someone figuring out bits and pieces of that credit cards number format dates back to 1989. and I have two credit cards from that vendor right now in my wallet where over half the digits are the same

well a lot of this is really just curiosity it's not necessarily people being evil trying to do things like this but maybe people trying to figure it out but it's not necessarily all this stuff is just public information just generally talked in forms you wouldn't think of as Carter's forums or anything like that it's just generally known information at the time now uh as Security Professionals we love to talk about the latest data breach technique but we forget we'll consider what was acceptable in the past all the previous items may have been great given program requirements and the known security risks at the time but and data but data breaches like the one that happened here at UCF are scary

and I have no doubt someone's scrolling that even if the information away for evil malicious purposes but I would argue in the United States at least public information and the information we voluntarily give away is just as dangerous the reason this whole talk kind of came about was I was ordering something actually the SSD drive I put in this laptop and uh the computer store I was dealing with decided to pop up this form here after I had entered in and the order was apparently processed uh there's uh it's not just sales and backing that acts security questions like what's your birth date or whatever claiming it's public information if you ever signed up for like UPS's or FedEx's

delivery notification Services they need semi way of verifying who you are and that's what they use but in this case they should never have been required this I used a credit card with with the ad my exact address on it and I was sending back to the address on the credit card therefore they should have it's there's a much more advanced version of you entering your ZIP code on the pump where if you process things online they can verify all the little parts of the address and verify that it was correct they also tried using verified by Visa uh but that wasn't supported by my bank so I was pondering a bit the first question they're asking is birthdays uh

birth certificates and driver's license records tend to be pretty protected nowadays are kind of the exceptions uh but you've voter registration is a possibility commercial records maybe the obviously this is a third party giving them this information to try and identify me data aggregators social media maybe someone looking to see if someone said happy birthday to me I don't know but my bad more than anything is probably was voter information and in Florida if you look uh the with uh your name address date of birth party of affiliation when you voted is all public information uh you can just submit a request to your local County say please give me these records uh and it even more interesting is they

State the obvious don't just pull it up here for purposes of the recording that public information can find its way onto the Internet by individuals or entities that obtain public records from the state once information is in the public domain you'll need to contact the owner administrator of third party sites in order to get the information removed couldn't really say it much better but there's lots of third-party sites grabbing this information and they may not let you remove or change it uh worth noting that not all states lets you use voted data for any purpose although there are a number of interesting database compromises so far in this election cycle or just of voter databases which is found mysteriously

open on the internet if you don't want to use uh voter records it's probably too many pay sites to list if you just do a Google search for like someone's name you'll find all sorts of companies trying to get information from you in terms of uh they'll give you someone's name address social media accounts and really if I'm willing to do date of birth the problem is there's so many of these sites that they're competing with each other that they each give different hits so one may give you roughly how old I am one may give you the month one may give you the year I've seen one that gave you a zodiac sign and so there So eventually maybe

especially if you could figure out as the current month maybe you just wait a few days and maybe my evil malicious twin would win with me who'll happen to live with me would get get my num number after this decide to ask a few more questions I'll focus on the first and last ones first it's asking uh for the approximate information of of where I live how big is it is my little apartment I own and what is the property tax amount on it gee I wonder is there a website with that information I mean and here is the amount of tax and here's roughly how big it is and oh there's a lot the middle section was

just a set a series of phone numbers does anyone just try just Googling that and seeing if any matches came up it works rather well and with that I basically found a way another way if I was not me to answer all their checks what's the problem here probably been used to want to know who they're dealing with either for strict purposes of like authentic author thinking someone or advertising where you might just want to know generally are you this might be someone users want to just be able to do things easily and have the all the neat features like estimated time to your destination and things like that uh not to pick on the store but if you

had to do something like this how would you do that to remotely identify someone you've never met uh but what's the real problem big data is the in in thing everyone wants to gather as much data as they can just in case they can use it they want to make using their systems as sticky and easy as possible but when everyone has lots of data how do you identify someone how do you differentiate your service all this old information like the my old CDs from 1997 it's not going away it's still readable and I'm sure there's lots of other copies of it about and lots of data is already compromised uh anyone and everyone wants to know

whether you're doing stores data firms nation states and internet provider Verizon past week I believe was just they just announced that it was fine minor fine of 1.4 million out of their hundreds of billions in Revenue uh for adding a header to everyone using Verizon for their cell phones if you did not opt out where they it would go out on the internet and if you send an HTTP request from your phone they would add this header that uniquely identified your phone that someone else could just tag and when they rotated it every few days you could they could still tell it was your phone uh uh uh ATT has their new gigapower service uh they charge roughly thirty

dollars more a month some sources claim more for ATT not to track your web browsing search engineering and other behaviors resulting offers presented to you by on the web email and postal mail we'll hear thought things that ever would have ever thought that uh your what you do on the internet at home is worth thirty dollars a month to someone how many internet providers out there may just be taking that thirty dollars a month in pocketing and not even telling you uh and you can't always choose your internet provider uh it's also interesting is last year Florida removed their Universal service requirement so already there's been a few cases where a development in construction had

had a contract with another provider and then the phone company refused to wire the property or the remainder of the development still under construction uh private search engines there's a lot of them and just left some Fields out here because they're incorrect I did speak at Ohio Linux Fitness and I volunteered there but they never paid me uh but that said I've never lived in North Brunswick or worked for laptop magazine um if something's collected by the public it's collected from the private except you'd have to hunt down every private firm who's collected it to fix the record and with all of this is set strung by the CD the beginning is still here here

are some emails I wrote probably roughly 15 years ago with my college email address they're still online somewhat embarrassingly uh I went out at the time I was in college I was aware and this yes this is my college email address this is my last four digits of my social security number in it too I should add uh these this is all of this all these emails is at the time I was aware of mailing of websites that subscribe to mailing lists and archived all the messages on public lists but I would never have thought 15 years ago that these would be online 15 years later uh this if you're a college student this is a fair warning

uh but uh this is uh this is stuff at the time these emails were written the graphical World Wide Web was not even 10 years old I mean services like AOL Prodigy and compustive stole were probably a bitten their Heyday your average home internet connection was probably still less than a megabit or just dial up and but all this all information is still there and it's not just silly little things like us writing emails that have are migrating on the internet uh here is a UCF graduate I know uh one day he forgot his uh insurance card in 2002 and as you can see he just came through and he paid the five dollar fee got it uh and did

all his stuff and he just basically said yeah you have insurance and let him on his way but oh by the way did I mention you went to traffic school uh for a violation in 1999 uh the internet brings a lot of stuff that was not previously online and it would be very surprised if Orange County had a website like this back then also worth noting that in these records a lot of the information that used had to pay for to get it for a full or court records to see online they've now made as of last year available for free so you can go drill down pretty detail provided as it's not something that is

unlike juvenile or probate or something where the records are sealed I should note I did get permission from them to use this example in this talk though he did find this kind of embarrassing that I pointed out that he went to traffic school and he forgot about it uh here's an example from Broward County of someone getting a speeding ticket the speeding information is actually further down on the page but I have someone's knowing their attorney for the moment I have some Nate someone's name gender race height and date of birth Austin's just more records than you got from Orlando's in the earlier citations myself all the other vehicles information so even though the DMV may not

necessarily tell you right who owns what I can get those records from here and if you get arrested Oh Oh Hell Breaks Loose look at all this level information I got in someone who got hit on a misdemeanor charge and if you're ever arrested your mug shots photos taken and those are up within a few hours on the internet now that mugshot records are also considered public information and good luck ever getting those down from all the websites that pull them up even if you're found innocent that is uh the driver's license numbers are even though I showed you a formula you can kind of use to calculate them for for the most part uh they they're considered

private fit but uh attached to this is a PDF document with the guy's driver's license number voting people won't give you signatures to copy they'll let you look at signatures uh here here these are PDF files of the guy signing he's guilty uh admittedly Broward County has an easy way to practice flag info should be directed the laws are contradicting themselves I already know a property manager who knows about this Broward County has this lovely website with all this information on it she's already used it to take adverse address and Advantage people do you know or believe that a non-lawyer can accurately interpret this information I found a case of a potential pre-trial intervention uh the court record shows the guy based

or whoever the suspect was basically was it supposedly said he's going into pre-trial intervention he wrote a five-page handwritten essay explaining why he did his bad he took a drug test and theoretically the charge was discharged but the court record was still online I don't know if it's no technically that may be out of his criminal record presuming that I was an actual and expungent but how would you feel if you stumbled upon the record saying this guy went through this thing even if he does hand you the paperwork saying uh I this doesn't count you can't count this against me legally because I I this was erased off my record and if you think no one is playing

playing for bulk access to scraping This Record website you're kidding yourself there's lots of firms not just Nexus Lexus Nexus and big name firms like those looking at court records uh you use a lot of places you can kind of get information like this and I guess at this point to any any questions in the first section okay okay oh I'm done talking about uh uh public information in various ways it can be found so focus on how perfect this is Security Professionals and system designers fortunately at least in my personal view protecting against public information as well as people compromising information stuff like that follows much the same approach I'm not going to go too much into

authorization because access rights tend to be pretty system specific historically uh we used to use security questions and stuff like that um many crown with security questions is uh many answers are easily found in public record to Social Security media uh also Google did a study and they found 40 percent of users forgot their answers to the security questions on top of that while you think people may just throw random garbage in it apparently Google found who got random stuff that people put in there that weren't the real answers often were the same predictive predictable non-real answers uh uh uh if you've also with security questions you might not know uh they're often used if you ever call your your

the person you're you have the the vendor your bank you're dealing with for answers so if don't necessarily if you put random whatever from your LastPass or key pass or any whatever your password safe is to your security questions be prepared to read that on the phone uh security pictures were an early form of two two-factor authentication which really isn't fortunately this is going away uh uh but the current Trend I would say generally is at least what's kind of ironically is when with all the data bridges in the news what I was noticed over the past year or so is everyone is asking for more information uh here's Microsoft after the secure there's their

privacy policy update asking for more information not quite sure why they didn't have this information before going to have had a Microsoft account for a year it's also interesting usability example because they ask twice for the same information uh but really what I've really started last I think really happened is everyone realized last year with all the data breaches in the news that they really couldn't trust who they were doing dealing with just purely the way they've been doing it so what real what's been going on is with more and more websites they're doing some swarm of two-factor Authentication two factor is when you have something you know along with proof of something you have

uh the problem with the two-factor authentication is everyone seems to have their own solution some groups will do phone calls and SMS messages others use this system called open authentication Google Authenticator actually is a pretty good example of open authentication uh basically it lets you the the sites you deal with all generate sequence and then it just updates the thing either every time the display appears or every ad set time in verticals and you can do here as it's shown you can all you don't necess everyone who deal with open authentication generates you a neat token so here's someone has a personal one and one for their employer but it would be simple if everyone just

used the same authenticator we can't possibly have that right uh Microsoft has their own well interestingly they will issue you an oath token if you tell them other but if you tell them you have an Android or an iPhone or something they'll want you to download their app steam has an authenticator built into their store application and Yahoo and Google are interestingly are looking to skip the first factor of authentication and just identify you by your phone but as noticed many firms lately seem to be looking for your phone number uh which is often true even you have two Factor enabled often they wanted as a password reset or something here's LinkedIn asking here's steam which is a game

store asking here's American Express action here's an interesting example of a a financial website I dealt with where they asked for the mobile number uh they if you hit is it there's a spot it says it's optional in the fine text there's a skip button but if you hit the skip button it says you didn't provide the number and please tell uh well next time you log in please give it uh and it's worth noting this financial site did fix this that bug but not every Financial State will not or site will let you get away with not providing information like this also is an interesting example where this was one of the first websites I

could not with I could not you get through this dialogue if I was blocking third-party trackers in my web browser so even banking sites are playing with third-party trackers now and it's not just phone numbers that's going on as a bit of an aside when a company wants you to provide something whether it's information upload a photo switch to paperless systems they can get quite persistent nowadays so users are being encouraged by pretty much every website they're going to now to provide information even if it isn't really necessary to provide directly provide the service historically we've told users don't provide your information to things and that's necessary where have we seen this before right I mean users you do

you users will do anything really to get at these things that what they're supposed to do I mean you know SSL warning studies typically show a 50 plus click-through rate close to 100 percent if you tell them to do a task in the account error it on the way now users are being taught every website and application they deal with asks their name date of birth zip code things like that this is more than enough to uniquely identify an individual if users are willing to give almost every website their phone number nowadays what about their social security number if an industry newsletter says sends a survey asking about your company's plans nowadays well your employees provide that

information as Jim Wildman who's a local Red Hat representative in this area likes to say it used to be we told our neighbors the intimate details of our lives and information didn't travel very far outside of the community but now we tell complete strangers and those far away about more about ourselves than our neighbors we train people for this oh look this span there must be something wrong obviously you can tell it's spam or fishing or something it you can't possibly respond to this but in practice uh uh the user evil is not always that obvious I mean you there was a study that was done that's saying there's a lot of Bank emails include the last four

digits of your your account number right uh Studies have shown people respond to the first four digits just as effectively in the four digits just identify what bank is on the card uh here we have an email I received last month uh from from a a properly authentic mail with a mail relay reputable Mail system completely digitally signed message authentication headers stick him dick him if you're familiar with it and it got through with a Trojan attached made it through all the antivirus defenses uh would you you would you be able to spot something like this if you were an accountant would your users necessarily if you're a security professional this problem is much made much harder by the

rate companies drown us in their their advertising emails and stuff like that I get get if you sign up for like a reward service at a store they like emails you several times per week if you hoping you'll buy something from them if you've ever been to an event like this one you'll find all sorts of vendors at that event potentially email you and then you get emails from people you don't even recall seeing and then maybe even companies you don't recall seeing if someone resells the list so it's an odds game really because you're just drowning in this stuff and at one point or another you're going to make a mistake still uh fallbacks to historical

approaches exist uh what happens if the user doesn't have their second Factor you're going to have to find some way to identify them uh you need uh FedEx and UPS if you sign up for the service or email you a postcard or letter I recommend doing some something like that to make it obvious that and not use the path you use to reset the password to tell the guy I reset your password uh if you change email addresses send in one last message vague one to the old email address telling them their emails changed so they know and can contact you if there's a problem and with any authentication system you have to determine your acceptable level of risk

so questions on that or okay I guess the final section I'm going to kind of talk on is Analytics if you ever search on something on the Internet and have it follow you around for a few days perhaps even after you've purchased it that's what a good example of Analytics here I have two coffee makers an older model and a newer one both sitting in my kitchen the older one is subject to a semi-documented buffer overflow where if you put hit both size buttons the drones will just dump all the hot water it has until it runs out of water but that's really meant to prime it and you'd probably never get away with that for

security reasons nowadays but the new one the new kirk20 is interesting and not just because of all the DRM stuff people love talking about because if you look on the bottom of it one there's this interesting data port on the bottom of them uh people have been I've been surprisingly haven't seen very much playing around with the data Port Kirk just says it's for expansion but if you look on YouTube there's a way you can get these into a diagnostic mode when they'll just start spitting out how you've used the device and all sorts of interesting statistics this likely primarily now this is a pretty harmless example I imagine there's not a radio inside of your

coffee Baker calling home and and sending data on what your how many cups of coffee you brewed that day but but if you ever return the unit to kurg and say I had a problem this probably comes into play is unless I'm figure out what was going on with the unit and how it worked this is a rather benign example of Analytics analytics is the Discovery and communication of meaningful patterns and data uh site information can be used for site information and performance also for use user information in um demographics the problem is it's very hard to separate these two apart I mean it's great to know how everyone's traveling down the highway so you can

figure out a speed estimate but at the same time you know the speed every what everyone on the highway is doing you can figure out who they are uh it can be used for secondary identify vacation along with advertising in general you're not told about it I've guess I skipped some elections examples I'll just cover them now uh there was a uh one one like presidential candidate I believe it was kite so far this cycle although it's in my notes if you look at the slides online uh he was looking at high school yearbooks to figure out potential influencers to use for purposes of his campaigns and Ted Cruz has an application that he's giving out uh where I believe you get

250 I believe action points as they call them for uh uploading your contacts out of your cell phone into their database that's more points than they give for a variety of things I do give credit to Cruz for actually asking first because not all applications do that but as a third on collection examples actually on this slide it's been previously discovered if you show how someone votes compared to one of their name or random neighbor of theirs they'll it'll increase voter turnout by eight percent but if you show how someone how often someone voted compared to a name they might recognize you can increase turnout uh roughly 15 percent uh some of the SLO warning dialogue

studies with that that I previously mentioned also we're done with analytics so Google particularly Mike Firefox and chrome they looked at look at the if you've opt into their data collection we'll look through the click-through rates of if you click through an SSL warning dialogue uh Google Chrome was even looking at how fast you clicked at the SSL warning dialogue and what do the credit they've been kind of standardized on it if you look at the studies I believe I linked to because Chrome caught Earl caught from their studies that people are clicking through there's a lot more than Firefox is and then corrected for that uh the next speak at this point I'd normally be speaking about web analytics

I guess I'm going to bit faster well

the question is is voting the poll access public information the fact you were at an election is public information what your exact voting choices hopefully is Secret but anyone can obtain the records to say yes you've I've even received postcards in the mail where someone said congratulations you voted in the past X elections and I believe Ted Cruz did some sort of votability score although I don't know the exact whatever they were just doing that as a threatening mailing or uh please come to the polls or don't come I don't quite know what was going on there uh anyways at this point I'd normally talk a bit about web analytics but uh Cooper Kenton the next speaker is going

to do an entire session on web analytics, so we talked in advance and I'm going to focus on real-world examples and he'll handle the non-real-world internet-style stuff. But I'm just going to steal one little thing from his: the system the Electronic Frontier Foundation has, the Panopticlick system. This is really an odds game. So you have a lot of little details, none of which, you know, this is a bit of an eye chart, but it's like this field over here is one, the field over here says one in X browsers have this value, right, and none of those fields say one in one,

so none of these are unique on their own, but my browser is unique among the over 136,000 that the website tested. But not necessarily all of this is needed: say my time zone changed because I'm in California; if the rest of the information still matches, it's still likely me. If my web user agent or my web browser changes because I upgraded it and it's a new version, it's still probably me, right? And where this really comes into question is that your cell phone really has become the supercookie, not just because your phone number, by being given to everyone, is effectively your new social security number, or is really much
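The Panopticlick "odds game" above, as an added example that is not from the talk or from the EFF's own tool: an attribute shared by one in N browsers contributes log2(N) bits, the bits add up (assuming independence) until they exceed log2 of the population size, and the fuzzy re-identification the speaker describes only drops the contribution of the attribute that changed. The per-attribute rarities, the attribute names and the sample fingerprints are constructed assumptions, not Panopticlick's real statistics.

```python
import math

# Constructed rarity figures: "one in N browsers has this value". Illustrative
# placeholders only, not Panopticlick's real statistics.
ONE_IN_N = {
    "user_agent": 1500,
    "timezone": 12,
    "screen": 40,
    "plugins": 800,
    "fonts": 3000,
    "language": 6,
}
POPULATION = 136_000  # size of the tested browser population quoted in the talk

def surprisal_bits(one_in_n: int) -> float:
    """Bits of identifying information in a value shared by one in N browsers."""
    return math.log2(one_in_n)

def bits_needed(population: int = POPULATION) -> float:
    """Bits required to single out one browser among `population` browsers."""
    return math.log2(population)

def fingerprint_bits(rarity: dict) -> float:
    """Sum of per-attribute bits; assumes independence, so it is an upper bound."""
    return sum(surprisal_bits(n) for n in rarity.values())

def likely_unique(rarity: dict, population: int = POPULATION) -> bool:
    """True when the combined attributes carry enough bits to single out a browser."""
    return fingerprint_bits(rarity) >= bits_needed(population)

def matching_bits(known: dict, observed: dict, rarity: dict = ONE_IN_N) -> float:
    """Bits contributed only by attributes whose values still agree. A changed time
    zone or an upgraded browser version drops just that attribute's contribution."""
    return sum(surprisal_bits(rarity[k]) for k, v in known.items()
               if observed.get(k) == v)

def probably_same_browser(known: dict, observed: dict,
                          population: int = POPULATION) -> bool:
    """Re-identification despite a partial mismatch, as described in the talk."""
    return matching_bits(known, observed) >= bits_needed(population)

# Constructed sample fingerprints (hypothetical values).
KNOWN = {"user_agent": "Firefox/44.0", "timezone": "UTC-5", "screen": "1920x1080",
         "plugins": "flash,pdf", "fonts": "hash:ab12", "language": "en-US"}
MOVED = dict(KNOWN, timezone="UTC-8")               # same browser, now in California
STRANGER = dict(KNOWN, user_agent="Chrome/48.0", screen="1366x768",
                plugins="pdf", fonts="hash:ff09")  # only timezone and language agree

if __name__ == "__main__":
    print(f"{fingerprint_bits(ONE_IN_N):.1f} bits vs {bits_needed():.1f} needed")
    print(likely_unique(ONE_IN_N), probably_same_browser(KNOWN, MOVED),
          probably_same_browser(KNOWN, STRANGER))
```

No single attribute here clears the roughly 17 bits needed for 136,000 browsers, yet their sum does; the stranger keeps only the common time zone and language and falls far short.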

the equivalent. You don't change your mobile number very much, do you? If you move locations you tend to keep it, even if it's across states. Now we provide it to everyone who asks; applications on your phone might not even ask. I've noticed, just as a password reset, you can identify your cell phone pretty well even if it's checked by tower check-ins. You know how Google can kind of automatically, with their Now service, figure out home and work? Well, MIT and a university in Belgium looked at anonymized data for 15 months on 1.5 million users in Europe. They were able to identify 95 percent of them if they knew four data points,

and they were able to identify approximately half of them with only two data points. That said, this can be useful: banks and credit card companies are looking into having their application on your phone so they know not to allow a credit card transaction in another state while you're still in another location. So there are some benefits to it, but that means that your credit card and bank companies now know where you are and have a record of that, in addition to every other record that could potentially be subpoenaed or combined that everyone else could use. And if several firms have the same piece of information, they can use it to

combine their records. Buyers like ID scanners; I mean, has anyone ever had their driver's license swiped, right? It's a nice magnetic stripe USB scanner. All the data on the front of your driver's license, and then some, is in that stripe on the rear. So some of it may just be okay, I want to swipe your license in my register to get it, but if they do a test drive of your car, okay, now they know your address, so they can start sending you flyers. Bars can know the same sort of information: okay, now I can send you

information too. And I've even seen at least one grocery store I know of that will ask to swipe your driver's license in order to get their rewards card. Granted, again, this is also good as a countermeasure, for if you don't want one of your cashiers to be arrested and so force them to swipe the driver's license to verify that the person is of age, so they don't get in trouble, but beyond that it's a bit of a problem. Vizio is now, with their new smart TVs, monitoring what you watch and using it so you can see targeted ads across all your devices. In order to get out of this you have

to opt out of the smart interactivity. Your driver's license records and, historically, your video rental records are private; Vizio believes that this is not subject to those laws, in terms of yes, you may be watching a video you rented, but the way they're accessing the data doesn't tell them it's a rental. Samsung notes that their new smart TVs support voice commands, which may record sensitive information. I believe we have them all over our office; fortunately I don't think any of our Samsung TVs are on the internet, I hope, at least. And the power of this is due to cross-device tracking, which the Trade Commission had a hearing on last

November. The advocacy group the Center for Democracy and Technology noted that companies are doing this at a rate of about 90 percent accuracy. One company they cite: the CDT says SilverPush uses ultrasonic sound just to track users across users' smartphones, tablets, desktop computers and TVs. As of April 2015 SilverPush's software was known to be in 67 apps, and the company monitored 18 million smartphones per their own press release. And once you have all this data, you can enhance it: oh, I have some data, what, did you have some more data too? And a lot of your credit reporting agencies, as well as other companies like ChoicePoint, will happily, given

a piece of data, tell you more information about someone. Here's an example of a service Experian offers where you have an IP address, and you give Experian just an IP address; they'll try to guess the demographic age, occupation, personal interests, how likely you are to purchase things, creditworthiness, how much money you have and more, really, just given an IP address. I mean, a lot of this is relatively straightforward, but if you collect enough data you can find a lot of patterns and stuff. I mean, if you think about it, if you swipe someone's credit card and you go to the store and they ask what's your zip code, it's

not necessarily just to get okay, you came from this ZIP code, the store's in this ZIP code, this is how far you traveled. Given the name off your credit card and the zip code, I can reverse-address look up your actual address and then start sending you stuff. Williams-Sonoma apparently does this, or did this, and it came up in a court case, and that's how I found out about it. And Vigilant, I know, seems to be a villain at the moment; it's a private company that captures license plates. According to this article from the Atlantic, they've taken roughly 2.2 billion

license plate photos, and every month it permanently stores another 80 million. Now we know with public license plate records how long they keep them and what's in them; some people have even subpoenaed the records and said look, I can show you, Mr. Representative, here's where you've been, and I was able to de-anonymize you. But this is also about the public/private blur, because there's also Texas; a lot of it is just Vigilant giving them these machines to work with and such. We know a fair amount about public databases, but when a public government buys it from a private database, and private people start working with the public people, the lines get blurred a

lot. Fitbit: if you have a device on you, its data exists and it's not legally protected; it can be used in court. This is an interesting case also in that there's a proprietary algorithm being used to produce evidence in a case. Employers, it's worth noting, are usually legally prohibited from accessing your records, but nothing stops them from asking a third party to look at the data. A fitness program can save a company potentially hundreds of thousands of dollars; it's not small discounts insurers give just for implementing one of these. But firms also mine data records on behalf of employers to figure out what percentage of the population might become pregnant or sick. And if you know what portion

of your population is becoming pregnant, do you think that could potentially impact hiring decisions? Granted, they won't necessarily tell you which employees they think are pregnant or may be pregnant soon; they will just tell you the percentage, provided you have enough. But what rules apply to all this data? Here's an interesting service; I meant to mention this first paragraph was recently removed. Here's a service called higi; you may have seen them in public stores or in other locations, where they say HIPAA, the health insurance privacy act for your health information, doesn't apply to them. And they removed that

in January, but prior to that they said oh look, we have a HIPAA interface and you can access our information that way and it's compliant. Which is it? Can it be both at the same time? We had a fun time when I first gave this talk, talking with an administrator from a hospital who was arguing that even if he had a picture of a patient somewhere on a security camera, he couldn't give that record out. And this is like impossible: if they have accurate health information, they shouldn't be able to do this. But it's very interesting what applies. Just like mandatory arbitration clauses, users may be giving their consent to have their data used in

various ways buried in legal text. Also worth noting, like many websites, higi's terms of service say their system does not give medical advice, yet they've published studies saying look, using our gamification system causes people's blood pressure to go down. There's a medical outcome; is there a correlation that's potentially medically interesting? Yes. And so how could it not be medical advice if it potentially helps? I'm not sure. In short, let me just quickly finish up: everyone wants to have their cake and eat it too. Consumers want to have accurate predictions, but they don't want to necessarily have everyone know everything about everyone. Businesses want to beat their competitors by having a secret sauce, but they don't want to necessarily tell you

that they're going to use the information, combining it with like a dozen other providers' information, to get all sorts of things you would never think would be possible. Governments want to be able to monitor things, but they don't want to necessarily have the communications that they are responsible to protect broken. You kind of see that now with the encryption debates: okay, we want a back door, but we don't want anyone else to have a back door, and really that's very difficult, if not impossible, to do. The acceptable answers to all of this will probably vary by country and society. You may have China insist we

must have your source code and back doors; you may have the USA or Europe say no, you can't, and this could make things very difficult for us trying to develop technology. Sure, the catch with all of this is you have to hunt down the truth. All too often researchers find ways to take information that a claim says is not personally identifiable and use it to identify users. A recent thing I saw this week was someone found a way to identify Tor users via their mouse movements. It's also worth noting that mouse movements are commonly used to generate heat maps to figure out where you're interested on a website, which is used to say what parts of my

website get used and what parts of the web page are looked at. Well, we need to look out for misleading arguments, logical fallacies, fake grassroots efforts, everything the EFF would probably tell you about as well, I admit, but I'm not that crazy. And by the way, this is a very good book if you haven't read it; he doesn't presume you're a statistics person. This book has been in print... the examples are a bit dated, because the book is over 60 years old, and it's still in print. I believe there's also a copy on archive.org of an older version; I don't know if it's supposed to necessarily be on there, but that's

copyright law for you. If you're a user, realize how much information about you is public. Daily interactions provide more than you realize. Look at your Google history if you haven't yet and you're using their services. If you or someone else put some information on the internet, it may never go away. If you want to try that blocking software, realize some websites block you nowadays, and these can occasionally break websites if you block too much. If you want to dox someone, see if you really want to do it; you will affect feelings, as I mentioned, and there may be legal implications. Really, the only reason I can think you should do this is if you're

researching your family history. There's a case, when I first gave this talk, I believe around November, where someone posted on social media a dog whose mouth was wrapped in duct tape, and the mob kind of just hunted that person down. But there's also a case around the time of the Boston Marathon where the internet went hunting for the Boston Marathon suspect and found the wrong person, and really made havoc of his life. If you're trying to authenticate users, there's a careful balance making your system easy and secure. Many identifiers are public information or can be derived; don't try to special-case things based on local form. I'd say two-factor: probably everyone's going to have to do

two-factor, or at least secondary reset will have to be via a second mechanism. And if you're in analytics, respect your users; don't tie functionality in in fragile ways. As I said, the bank site broke because I blocked the tracker. Use these tools to measure your impact on performance; it's a whole interesting, ironic reason Ghostery exists: it's an ad company who wants to know how many trackers are being loaded on various websites, and will provide the information to you. Don't just do things at home, and if you collect it, someone will steal it. And as someone mentioned this morning, if you're not compromised, you will be. And that's it, and slides are on SlideShare.
