
"Apathy and Arsenic: a Victorian Era lesson on fighting the surveillance state" - Attacus

BSides Canberra · 2019 · 31:18 · 217 views · Published 2019-05

Hey folks, thank you for coming. Can everyone hear me okay? Yep? Okay, start waving your arms about if you can't. Anyway, I'm Attacus. I'm a pen tester with Assurance and am a board member of Digital Rights Watch Australia. I'm a former historian and a future cyborg. You may remember me from such conference talks as the one where I rant about history, and the one where I rant about privacy, and, most popularly, the one where I rant about history and privacy together, and this talk falls into that latter category. So I want to talk about arsenic and mass surveillance, because there's a lot that we can learn from one about the other. And as a quick note, um,

during this talk I am gonna mention death a lot. I'll talk about murder a bit, and you'll hear quotes of threats that people have made to other people, and if you are not in a good place to hear about those things right now, that is extremely understandable and you're more than welcome to leave this session and do another thing instead. This is arsenic trioxide. Arsenic is a natural element; it's been used for all kinds of things since the time of the ancient Greeks, but for the next half hour or so, while I'm talking about arsenic, I'm specifically talking about this stuff: arsenic trioxide, or white arsenic. This is an industrial byproduct that began cropping up pretty much everywhere after

the Industrial Revolution began. It looks a lot like sugar or flour, and when it's mixed into food arsenic is colorless and tasteless and odorless and extremely poisonous. If you take a lot at once it has an effect much like cholera, which is kind of like the worst diarrhea that you've ever had in your life, followed by the end of your life. If you only take a little bit of arsenic at a time it can make you tired, it can make you achy, it can give you trouble breathing. And in England in the 1800s arsenic was very cheap, because it was a waste product that factories wanted to get rid of, and you could get it almost anywhere, in

almost anything, and by anything I do mean anything. For example, you could get it in cosmetics: there were a lot of companies that produced arsenical wafers or powders that promised to get rid of pimples and blackheads and slow the signs of aging, which is very interesting if you think about it. It was also used domestically to kill mice and rats and cockroaches and other pests, so it was really easy to walk into a shop and get a box of the pure stuff to keep in the kitchen. But I think it was most popular as a color pigment, especially in emerald green, also known as Paris green, which was used in the exact same form as a pigment by artists

and as a pest killer by farmers. It produced a really vibrant green color that no other pigment was ever able to give, and because it was in pigments it meant that arsenic ended up in pretty much anything that needed color. So cases were recorded of people being poisoned by arsenic in their playing cards and in fabric dyes and in product packaging. Arsenic also found its way into famous art like Van Gogh's Starry Night; this is one of several reasons that art galleries do not like it if you look at their paintings. Most notoriously, it was also in wallpaper. Wallpaper was put up in the homes of anyone who could afford it, and because arsenical pigment was

cheap, eventually it meant that most people could afford it. The pigment dust would come out of the walls if people brushed past or if there was a breeze, and if it got damp, which it did in England especially, it emitted a toxic arsine gas. You could get arsenical wallpaper in most Western countries, but it was especially a problem in England and in the United States, two countries that were not really keen on government regulation of industry. What you're looking at here is a digitized arsenical wallpaper sample. It came from a book called Shadows from the Walls of Death. This book was published in 1874 as part of a public health campaign to raise

awareness of the dangers of arsenical wallpaper, and it was eventually so successful at its goal that out of the original hundred-odd copies that were made there are now only four left, because people realized how poisonous they were. Some brave soul at the University of Michigan digitized this one; they are hopefully still okay. But because these are pretty and they're in the public domain, you'll see a few examples of them as I keep talking. Maybe most importantly, arsenic also had a reputation as a quick way to make money, because your family would not notice if you stirred it into their tea, and for this reason it was also known as inheritance powder. But we

are at a hacker conference, which is why we're also talking about digital privacy, or lack thereof. And by this I mean the current practice of various governments and corporations gathering literally as much data about everybody as they possibly can and storing it forever, not always very well. I'm talking about Facebook and Google's ad networks, and metadata retention, and the dodgy apps that promise to make you look really good in selfies and then require a suspicious number of permissions, and the issues around My Health Record, and, and, and all of that. And then what happens to this data when it's not secured properly, or someone inside a data-gathering organization develops a grudge, or even when it's used

as it's intended and then a thoughtless new feature comes in and upsets everything. So where the topics of digital privacy and arsenic intersect is that for a good period of time, despite the best efforts of people who knew what they were talking about, the public didn't really give a damn about either of them. Arsenic and mass data gathering are both things that have pervaded everyday life in large-scale ways that have seemed impossible to change, and despite lots of well-informed people agreeing in their respective centuries that these things are damaging our well-being or our way of life, it's hard to get people to care or to think that things can change.

They aren't great, but things are just too useful; they're too convenient. Arsenic makes vibrant, cheap shades of green that look nice, it gives you a clear complexion, it kills mice really well. Data can tell us how to plan cities, it can help us provide accurate medical care, and it can help us catch. But while these things don't change, people's lives have also been upended by these things in increasing numbers. Inhaling ambient arsenic didn't make everybody sick in the same way: one person might die and another person in the same house might just get bad headaches. And in just this way, mass surveillance and privacy invasion disproportionately affect the members of society who are already most vulnerable.

Then there are the more targeted attacks, both with arsenic and data, that can become devastating to whoever's on the receiving end. To illustrate my point I want to tell you two short stories. In 1852 an English coal mine worker named William Mowbray married a young woman named Mary Ann, and together they had nine children. Over the next years seven of these children died tragically from what was recorded as gastric fever. In the mid-19th century times were really hard and it wasn't uncommon for children not to reach adulthood. The couple collected the insurance money and life went on. After 13 years of marriage, in the January of 1865, William Mowbray himself died

tragically of gastric fever, leaving Mary Ann and her two remaining daughters to make their own way in the world, with a little bit more insurance money to help them on their way. By the way, the average life insurance payout for an adult man at this point in time was equivalent to about his year's wages. George Ward, an engineer, was recovering from an illness in hospital in 1865 when he fell in love with a nurse named Mary Ann. They were married in August 1865. Ward tragically died of gastric fever 14 months later; his wife collected the insurance payout. James Robinson was a shipwright. In 1886 he had a new baby son and a recently deceased wife, so he hired

a housekeeper to help him out. The new housekeeper, a woman named Mary Ann, had only been living in the household for a month when the baby died tragically of gastric fever. Robinson found that Mary Ann's presence was emotionally helpful and he married her in the August of 1867. By this time Mary Ann was pregnant with their daughter, who was born two months after the wedding, but the baby only lived for three months before dying tragically of gastric fever. Mary Ann's misfortune continued. While she'd been living with Ward, one of her surviving children from her first marriage died tragically of gastric fever. After marrying Robinson, her only remaining daughter from her first marriage also died tragically of gastric fever, and so

did two of Robinson's children from his first marriage. So did Mary Ann's mother, just after Mary Ann went to visit her, and Mary Ann inherited almost everything. Soon after all of these tragedies, James Robinson the shipwright discovered that Mary Ann had been stealing from him and running up debts. He also noticed that she was becoming weirdly insistent that he should take out a life insurance policy on himself, which he refused to do. Robinson kicked Mary Ann out of his house and he did not die tragically of gastric fever. One of Mary Ann's friends took pity on her tragic circumstances and introduced Mary Ann to her brother, Frederick Cotton. Cotton was a widower with two small children of his own, and

he fell into Mary Ann's arms when, in the March of 1870, his beloved sister, Mary Ann's friend, died tragically from gastric fever. Cotton and Mary Ann married in September 1870 and in 1871 they had a son. Unfortunately, before the year was over Frederick Cotton also died tragically of gastric fever. Mary Ann collected the insurance money. Do you know what happens next? She moves in with another guy and brings the surviving kids and stepkids with her, wills get rewritten, and suddenly pretty much the entire household dies tragically of gastric fever. This left Mary Ann with one remaining stepson, who she complained loudly about all the time to her new employer. When the boy took ill and died

tragically of gastric fever, her boss became suspicious and got the local doctor to delay issuing the death certificate. When Mary Ann discovered she couldn't get the insurance payout on her stepson's life without the death certificate, she had a public meltdown about it, which led to people asking questions, and then more questions, and then testing her stepson's remains for arsenic, which was found in abundance. Mary Ann was convicted of his murder and died tragically of rock poisoning in 1873. In her lifetime she had murdered 16 of her children and stepchildren, four of her partners, her mother, and an inconvenient friend, and collected insurance payouts and will benefits from almost all of them. It now takes a lot less time for a criminal to

make a lot more money than Mary Ann Cotton ever did, but instead of marrying and murdering they can use the info out of stolen data dumps, which are about as cheap and plentiful as arsenic was back in the day. So here's my next story. Sometime after July last year some of us opened our inboxes and saw a threatening email that might have looked like it had come from our own email address. The message probably went a bit like this one: Hello, I am a programmer who cracked your email account and device about half year ago. You entered a password on one of the unsecure site you visited and I catched it. Your password from Fredrik Cotton at gmail.com on moment of crack:

hunter2. Of course you can and will change your password, or already made it, but it doesn't matter, my RAT software updated every time. Please don't try to contact me or find me, it is impossible, since I sent you an email from your email account. Through your email I uploaded malicious code to your operations system. I saved all of your contacts with friends, colleagues, relatives and a complete history of visits to the internet resources. Also I install the RAT software on your device and longtime spying on you. You are not my only victim. I usually lock devices and ask for ransom, but I was struck by the sites of intimate content you very often visit. I am in shock of your reach

fantasies. Wow, I have never seen anything like this. I did not even know that such content could be so exciting. So when you had fun on intimate sites, you know what I mean, I made screenshot with using my program from your camera of yours device. After that I jointed them to the content of the currently viewed site. Will be funny when I send these photos to your contacts, and if your relatives see it. But I'm sure you don't want it. I definitely would not want to. I will not do this if you pay me a little amount. I think seven hundred and fifty four dollars is a nice price for it. I accept only bitcoins. My Bitcoin wallet address

is some long string. You have two days, 48 hours, for make a payment. If this does not happen, all your contacts will get crazy shots of your dirty life. Do not take this frivolously. This is the last warning. I hope you will be prudent. Bye. So in just one month after these emails first appeared, researchers found that about 70.8 Bitcoin, which is about three hundred and eighty four thousand Australian dollars in today's exchange rate, had been deposited to wallets that were listed in those scam emails. And when I checked again about four months later, just one of those wallets had 928.9 Bitcoin in it, which is about five million Australian dollars

today. I tried checking again this morning, but after eight or so months the sextortion scam idea has now spread to so many people and turned up in so many different languages that tracking the number of Bitcoin wallets involved in the scam took far more time than I had available. And this amount of money is many, many times more than a year's wages for most of us, and more money than Mary Ann Cotton could ever have dreamed of. And I know a lot of us in this room who got this email read it and saw it for the scam that it was and had a good laugh, but clearly many thousands of other people suffered

through their own private hell before paying up. The thing that sets these so-called sextortion emails apart from other traditional spam email is the inclusion of real passwords from old data dumps. A lot of us probably know exactly the kinds of breaches that these things came from. This is easy enough to find, mail merge is easy to use, and you only need a few scared people to start seeing these results. But most people don't know this stuff, even today, and the inclusion of something like a password, which they thought was private, makes it more likely that they're going to get really scared and pay off. And clearly they are paying up, because personal data is potent like

that. But serial killers like Mary Ann Cotton were outliers when it came to arsenic death. Most people in Victorian England didn't need to live with a murderer to be poisoned with arsenic, because as we already said, arsenic was everywhere. Grown men died from inhaling it off the walls in their sleep, elderly women died after mistaking it for sugar and putting it in their own tea, and children died from being looked after by nurses who were wearing uniforms that had been dyed with arsenical colours. And far, far more people didn't die but lived with chronic headaches and breathing problems and poor digestion that they could never find a cause for in their day and age. In the same way, large-scale

personal data is not something that needs to be used by individual criminals to cause problems. As we know, more formal uses of this kind of data can end up outing trans people, like what happened in 2014 when Google consolidated some of their messaging services to create Hangouts, which merged previously separate accounts into one legal-name identity and put lots of trans Google users in dangerous situations. It can also end up strongly influencing democratic elections, like what Cambridge Analytica did to the U.S. presidential election in 2016 using Facebook's data. It can end up stealing company secrets, like we learned in November last year when a Dutch team revealed that Microsoft Office 365 was sending the sentences before and after spelling and

grammar checked strings back to the Redmond mothership as telemetry data, which you can't turn off. Anecdotally, I have heard of plenty of people who've given up on using large parts of the internet and lots of different services, because working out who to trust and how to stay safe and in control was too complex without the layers of knowledge that people like us have from working in this industry. But despite how much we know it isn't great, most people is too kind of about the whole issue. It's easy to understand why people are either apathetic about big problems or resigned to the fact that horrible things are happening and they can't seem to do anything about them.

The scale of them seems impossible, and the likelihood of it becoming a huge problem for you this week is fairly low. The period of time where the most people give the least of a damn is known as peak indifference. This is a term that was coined by Cory Doctorow in 2016, when he was talking about how the world was at a turning point with regard to the issue of digital privacy, and he argued that after this turning point increasing numbers of people would begin to care about their privacy as increasing numbers of breaches or incidents affected them or affected someone that they cared about. Doctorow linked this idea to the eventual success

of public health campaigns around tobacco smoking. But almost every issue reaches peak indifference at one point or another, and then what happens to that issue after that tipping point is something that we can learn a lot from. Where we passed peak indifference about privacy in the West is kind of a nebulous thing to work out. Was it after Edward Snowden's actions in 2013? Was it after Ashley Madison, or Target, or Sony? You know, I think it was definitely sometime after March last year, when the Cambridge Analytica stuff hit the fan. After that point we saw large-scale inquiries into corporate data use, particularly in the United States, and lots of penitent-looking CEOs and public

commitments to change, and even if these things were only for show, they were done to appease this real, growing and enlightened public sentiment of disgust and mistrust at the way that data was being gathered and used. In June last year the Pew Research Center in the United States found that in the previous 12 months seventy-four percent of Facebook users had either adjusted their privacy settings, taken a long break from using Facebook, or they had deleted the app completely. Then the GDPR came into force in Europe, which meant that companies suddenly had to pay a lot more attention to the data that they had, and everyday people were suddenly getting emails from everyone that they'd ever forgotten they'd signed up with

telling them how important their privacy was and how meaningful their consent would be if they so graciously decided to bestow it. Awareness of just how much data complete randoms could see about them led to more people taking proactive steps to gain control of where their information was going. But how do we keep up this momentum? We can't let it happen naturally, more and more people ending up the victims of data breaches and identity theft and account takeovers and leaked nudes, or we can maintain it thoughtfully and with purpose. We spent all this time talking about arsenic for a reason. 19th century England had its own peak indifference moment, and people tried a whole bunch of ways to keep this

issue central. I estimate that peak indifference about the domestic arsenic problem probably happened somewhere between 1850 and 1870. By 1900 arsenical wallpaper was hardly worth mentioning, except where someone occasionally found some and had to handle its removal. In this time two important things gained momentum: awareness of the problem and resistance to the problem. Awareness happened the more that people were educated. Literacy increased, and I don't mean just actual reading skills, but general scientific literacy increased. Tiny particles of poison in an environment are hard to see, and without advanced scientific knowledge for that period of time they were conceptually kind of hard to understand. But slowly, over time, the concepts of things like germs and disease communication and

chemical pollutants became understood by scientists and eventually more generally understood by the public. In 1840 James Marsh developed a test which could detect the presence of arsenic in a human body, something which had previously been impossible. Suddenly, knowing that your use of arsenic could be detected by other people and traced back to you, people were a lot less casual about poisoning each other on purpose. In 1854 a doctor called John Snow, not this guy, this guy. In 1854 a doctor called John Snow realized the series of cholera outbreaks in London were happening because one of the public water supplies was contaminated with something that spread the disease. This went against the commonly held theory

that disease was spread by miasma, or bad air, and that breathing the air around a sick or a dead person was the thing that would transmit all diseases. So Snow tracked down the source of the contaminated water, removed the handle off the public pump that gave access to it, and the cholera outbreaks stopped. And this led to the development of modern sewer systems and built a better public understanding of germs and microorganisms. So awareness ended up leading to resistance. Protest literature played a huge part in helping people to convince others to join the resistance efforts. Things like Shadows from the Walls of Death was an in-your-face presentation of the problem. It put the focus on wallpaper

manufacturers to make changes, and not just the individuals who had brought wallpaper into their homes. England to this day has never passed any meaningful laws banning the sale or use of arsenic in wallpaper, but it turned out that regulations in other countries like France and Germany had much more of an impact on how much arsenic turned up in English households, and this was mostly down to fashion and consumer choice. Most European countries had outright banned the use of arsenic in pigment manufacturing since the 1860s. Because of this they suddenly became innovators for new paint pigments that created bright colors without using arsenic, and because everything French is automatically fancy, people were into it. Fashion, like it does, eventually trickled

down through the whole industry, and over time lots of places in England ended up offering arsenic-free products like wallpaper for affordable prices. In fact most manufacturers had no choice: the pigments that they used to color their wallpaper mostly came from Europe in the first place, so it was getting difficult to find any that contained arsenic even if they wanted to. One of the best things about this outcome was that it created accessible alternatives for everybody, including people who still believed in things like the miasma theory. It was unrealistic to expect that every single person in 19th century England was suddenly going to develop a scientific understanding equivalent to that of a professional chemist. People have jobs to

do and lives to get on with. The vast majority of people did not have access to the kinds of educational backgrounds that would allow them to even begin to start understanding just exactly how domestic arsenic use was a problem. So the creation of arsenic-free tech that was affordable to obtain and easy to use and provided just the same kind of experience meant that those people were being carried along and helped to solve the problem without having to become activists themselves. And nowadays it's rare to see arsenical wallpaper except behind thick glass in museums. For those of you who've already read this far into the analogy, you know that we're already doing a whole lot of these things when

it comes to the privacy fight. We're doing the awareness bit: it seems like everyone and their goldfish has either been to or run at least one crypto party, and every other day there's a new how-to guide about how to use Signal or Tor that gets published. VPNs are things that get advertised on commercial television. And we're doing the resistance bit to you make you but you've been quite a safety TPS thing, and the GDPR is a thing. Firefox build ad blockers into their browsers now. Password managers are things that our relatives have started asking us about. Apple markets privacy as a feature of their tech, and people who can afford it pay thousands of dollars to get it.

We are calling out the companies who are perpetuating unfair systems; we're pressuring them in a thousand ways to do things differently. So why does it still feel like nothing has changed? I mean, don't get me wrong, all of these things are positive steps in pushing back against accepting data harvesting and privacy violation as normal or inevitable. But the third thing which the arsenic fight had going for it, which we don't have yet, is time. This all took a lot of time and a lot of effort and a lot of repeating information, a lot of petitioning governments to make changes, and sometimes it worked and sometimes it didn't work, but people kept doing it because arsenic kept poisoning people

and it was the right thing to do. And now we have wall decorations that don't kill us slowly in our sleep. Thinking about the long game, it's really damn hard. I mean, I am a millennial, and if you believe the papers, I'm something avocados and patience is difficult. But time is really the key ingredient. We have to keep doing this and not give up and not give in to cynicism, and repeat ourselves until we're sick of it, and then keep going. Keep pushing for grassroots education efforts and public education, like crypto parties and community events, official education efforts from local governments and anyone who wants to get on board. Talk to your friends and your relatives

when they ask you about it. Help the people who want to understand this get the information that they need. Keep writing and speaking about these issues wherever you can, and if you can't, boost the voices of others who are already doing it. Keep the heat on lawmakers inside and outside of your country. You know, if your government isn't doing anything meaningful, remember that the French and German laws had a significant impact on English attitudes to arsenic. In a lot of ways GDPR is doing a similar thing. Precedent-setting really helps. And push for more legislation that gives us back control of our private information and imposes strong penalties for its misuse, and push against every piece of legislation that

threatens to weaken that. Argue for considered regulations that will actually work in practice. Do it even though we already did this last month, and three months ago, and last year, and in the 90s. Organisations will keep trying it on again and again; they trust we will get tired. We need to be aware of that and to work around it. Be a voice of reason in your own communities. There are probably people in this room who probably know someone who's stolen information and used it to mess someone else up, or know people who've set meaningless data gathering as a KPI. Challenge these folks to do better, and if you've ever been one of these people, it is not a perfect universe, challenge

yourselves to keep doing better too. And do your research: fact-check corporate privacy spin. We know Facebook especially invests big money into saying that it's doing the right thing; they just paid through the nose for a global billboard setup and an apology to it to do it. So hold them accountable. We probably have the biggest responsibility to try, well, to keep trying to make the world better for the people who don't have the level of knowledge that a lot of us do. The average person in the 19th century wasn't a chemist, and the average person in the 21st century isn't a hacker. Not everybody wants to be, and not everybody is able to be, and there's

absolutely nothing wrong with that. Some folks are gonna keep calling us paranoid forever, or they'll minimize the risks, or they'll insist that they have nothing to hide and that anyone who does is a criminal. But we can keep making the world better anyway, because we're the ones who can. All of us in this room are in a unique position to understand the scale of suffering and the damage that's caused by pervasive surveillance and privacy-invading systems, no matter whose hands they're in. It's likely that most of us are here because we like breaking things and solving puzzles and getting creative with computers, and because we have that knowledge we can do something about it. We have to keep doing something

about it. The scariest thing about giving this talk here in this room to you folks is that nothing is so incredibly uncool as optimism. But I really want to be optimistic, and I really want you folks to be optimistic and to keep giving a damn. Cynicism gets you retweets, and dunking on optimism is a lot easier than caring about something. But if you actually do give a damn, you have to think about the long game and have patience and keep doing what you think is right, even though there are days and years where it seems like nothing ever changes. I know some of you burnt out on this stuff years ago, decades ago. It

really does take a lot of time. It sucks though, now it's real, and it's a thing that you are definitely allowed to feel. But we can do it, and if you're exhausted by it, support other people to keep trying. Imagine that someone's giving this talk in 150 years, provided we've somehow managed to survive the sea levels rising. What does the long view of this fight look like? What's the optimistic angle? Who are the Mary Ann Cottons in this future version of the talk, and who are the James Marshes and the John Snows? What did Shadows from the Walls of Death contain that is so toxic that nobody wants to touch it anymore? We can't answer these questions as long

as we don't give up. Thank you so much to all of these people who helped make this talk a thing, and if you've got any questions or thoughts on this topic feel free to come and chat to me during the lunch break. With that, thank you for coming along to hear me. [Applause]