Initial revision of Data and Profiling section

This is missing information on giving up information to social media, SaaSS, the "cloud", etc.
2017-03-19 03:35:45 -04:00 · 2017-03-19 03:35:45 -04:00 · a896777647
parent 01c0c4cfc5
commit a896777647
4 changed files with 365 additions and 36 deletions
--- a/images/tp/SHA256SUM
+++ b/images/tp/SHA256SUM
@ -15,3 +15,9 @@ ee2c1e8325221cc5ae01b078930d7e74d447cec25cebeb18c0aaa1989994b918  tor-diagram.pn
 f9600308d10debbc56e116087aa83a1ada126f3979f8b528228e1e89a87efd12  torbrowser.png
 4f231d937e622d9012706d57d5b0faa233f83d1e864db3b1b50d40d714aa8244  tails.png
 dce3dbf6572077dd495a9413ff11d7017d785142af85286a5ab51b7c7e4da728  whonix.png
+9cb6cfd3c0c07c605f514e9b262a9baf224c622a86aea7d6b978e73127685e76  networks-of-control.png
+e52d8250d9a98ae68a68a758e1421231aebd4933cc44bc5a2364222984e1ee7f  oracle-id-fuu.png
+4d1a1bb46f21f8d88336b6316a1131fc8f21400b96820c4b54e07288ff23fbf7  lexisnexis.png
+912270ce97ece82c5a335ce84d80e9470c6fb7e1822aa937fa7550a499d87952  palantir.png
+cbf3495473a9b111b3ba9723d5ebb9476bd6abf9bf3af711bdbe803baf98067f  target-logo.png
+0a47a1e0b74fa4ec168d935357081a6d15e55ba77edad483ecb7fe14c3f6f4dc  trustev-graph.png
--- a/images/tp/remote-list
+++ b/images/tp/remote-list
@ -15,3 +15,9 @@ tor-diagram.png https://web.archive.org/web/20170318055957/https://www.torprojec
 torbrowser.png https://web.archive.org/web/20170318161549/https://www.torproject.org/images/tb-lg.png -crop 185x135+0+0
 tails.png https://web.archive.org/web/20170318162345/https://tails.boum.org/lib/banner.png -crop 495x114+30+0
 whonix.png https://web.archive.org/web/20170318164321/https://upload.wikimedia.org/wikipedia/en/7/75/Whonix_Logo.png
+networks-of-control.png https://web.archive.org/web/20170318184646/http://www.facultas.at/upload/verlag/networksofcontrol/Christl_Networks_300.jpg -scale 50%
+oracle-id-fuu.png https://web.archive.org/web/20170318183230/http://www.oracle.com/us/corporate/acquisitions/datalogix/general-presentation-2395307.pdf oracle-id-fuu.png[7]
+lexisnexis.png https://web.archive.org/web/20170319033528/http://www.lexisnexis.com/risk/img/logo-lexisnexis.png
+palantir.png https://web.archive.org/web/20170319035510/https://www.palantir.com/build/images/global/opengraph-banner.png -crop 170x210+515+170
+target-logo.png https://web.archive.org/web/20170319055701/https://upload.wikimedia.org/wikipedia/commons/thumb/c/c5/Target_Corporation_logo_%28vector%29.svg/240px-Target_Corporation_logo_%28vector%29.svg.png
+trustev-graph.png https://web.archive.org/web/20170319060719/http://www.trustev.com/hs-fs/hubfs/JANUARY-2016/Technology/r-feb-t-circle1.png?t=1473256538000&width=1788&name=r-feb-t-circle1.png
--- a/sapsf.bib
+++ b/sapsf.bib
@ -868,7 +868,23 @@
  urldate =      {2017-03-17},
 }

-@article{ars:fingerprint,
+@article{ijcseit:biometric,
+  author =       {Mudholkar, Smita S.
+                  and Shende, Pradnya M.
+                  and Sarode, Milind V.},
+  title =        {Biometrics Authentication Technique for Intrustion Detection
+                  Systems Using Fingerprint Recognition},
+  journal =      {International Journal of Computer Science, Engineering and
+                  Information Technology},
+  volume =       2,
+  number =       4,
+  doi =          {10.5121/ijcseit.2012.2106},
+  date =         {2012-02},
+  url =          {http://airccse.org/journal/ijcseit/papers/2112ijcseit06.pdf},
+  urldate =      {2017-03-19},
+}
+
+@online{ars:fingerprint,
  author =       {Goodwin, Dan},
  title =        {Now sites can fingerprint you online even when you use multiple
                  browsers},
@ -934,9 +950,78 @@
  urldate =      {2017-03-17},
 }

-@cite{tor:browser,
+@online{tor:browser,
  title =        {Tor Browser},
  organization = {Tor Project},
  url =          {https://www.torproject.org/projects/torbrowser.html.en},
  urldate =      {2017-03-17},
 }
+
+@online{ghostery:companies,
+  title =        {Company Database},
+  organization = {Ghostery Enterprise},
+  url =          {http://www.ghosteryenterprise.com/company-database/},
+  urldate =      {2017-03-17},
+}
+
+@online{networks-of-control,
+  author =       {Christl, Wolfie,
+                  and Spiekermann, Sarah},
+  title =        {Networks of Control},
+  date =         {2016},
+  url =          {http://crackedlabs.org/en/networksofcontrol},
+  urldate =      {2017-03-18},
+}
+
+@online{33c3:surveil,
+  author =       {Christl, Wolfie},
+  title =        {Corporare surveillance, digital tracking, big data~\&~privacy},
+  subtitle =     {How thousands of companies are profiling, categorizing, rating
+                  and affecting the lives of billions},
+  location =     {33^{rd} Chaos Communication Congress},
+  date =         {2016-12-30},
+  url =          {https://media.ccc.de/v/33c3-8414-corporate_surveillance_digital_tracking_big_data_privacy},
+  urldate =      {2017-03-18},
+  annotation =   {See also \cite{networks-of-control}}
+}
+
+@online{oracle:datalogix-acq,
+  title =        {Oracle Buys Datalogix},
+  subtitle =     {Creates the World's Most Valuable Data Cloud to Maximize the
+                  Power of Digital Marketing},
+  organization = {Oracle},
+  url =          {http://www.oracle.com/us/corporate/acquisitions/datalogix/general-presentation-2395307.pdf},
+  urldate =      {2017-03-18},
+}
+
+@online{lexisnexis:trueid,
+  title =        {LexisNexis TrueID},
+  organization = {LexisNexis},
+  url =          {http://www.lexisnexis.com/risk/downloads/literature/trueid.pdf},
+  urldate =      {2017-03-18},
+}
+
+@online{techcrunch:palantir,
+  author =       {Burns, Matt},
+  title =        {Leaked Palantir Doc Reveals Uses, Specific Functions And Key Clients},
+  organization = {TechCrunch},
+  date =         {2015-01-11},
+  url =          {https://techcrunch.com/2015/01/11/leaked-palantir-doc-reveals-uses-specific-functions-and-key-clients/},
+  urldate =      {2017-03-19},
+}
+
+@online{nyt:learn-secrets,
+  author =       {Duhigg, Charles},
+  title =        {How Companies Learn Your Secrets},
+  organization = {The New York Times},
+  date =         {2016-02-16},
+  url =          {http://www.nytimes.com/2012/02/19/magazine/shopping-habits.html},
+  urldate =      {2017-03-19},
+}
+
+@online{trustev:tech,
+  title =        {TransUnion | Trustev -- Technology},
+  organization = {TransUnion},
+  url =          {http://www.trustev.com/technology},
+  urldate =      {2017-03-19},
+}
--- a/slides.org
+++ b/slides.org
@ -1429,7 +1429,8 @@ Very creative ones.

 - Panopticlick (EFF)\cite{panopti:about}
 - User Agent, cookies, screen resolution, fonts, language, session storage,
-  canvas, WebGL, ad blocker, audio, keystrokes, mouse movement, \ldots
+  canvas, WebGL, ad blocker, audio, keystrokes,
+    mouse movement,\nbsp{}\ldots\cite{ijcseit:biometric}
 - Can even track separate browsers on the same
  hardware\cite{hardware-fingerprint,ars:fingerprint}

@ -1571,7 +1572,7 @@ Well, it depends on your threat model,
 #+BEAMER: \only<2-3>{
 - <2-3> Preempt most sophisticated and damning fingerprinting methods
  - <2-3> Stop hardware profiling
-  - <2-3> Stop keystroke/mouse analysis
+  - <2-3> Stop keystroke/mouse analysis\cite{ijcseit:biometric}
  - <3> Remember those audio beacons?\cite{bleep:ultrasound-tor}
 #+BEAMER: }
 #+BEAMER: \only<4-5>{
@ -1860,21 +1861,29 @@ There's obvious tradeoffs there for both;
 #+END_COMMENT


-** LACKING Data Analytics [0/2]
-*** DRAFT Introduction [0/1]                              :B_ignoreheading:
+** REVIEWED Data and Profiling [0/3]
+*** REVIEWED Introduction                                 :B_ignoreheading:
 :PROPERTIES:
 :BEAMER_env: ignoreheading
 :END:
-**** DRAFT Introduction                                      :B_fullframe:
+**** REVIEWED Introduction                                   :B_fullframe:
 :PROPERTIES:
-:DURATION: 00:00
+:DURATION: 00:00:05
 :BEAMER_env: fullframe
 :END:

 #+BEGIN_CENTER
-``Big Data''
+#+BEAMER: \only<1>{
+\Huge ``Big Data''

 (/Your/ Big Data)
+#+BEAMER: }
+#+BEAMER: \only<2>{
+\Huge ``Business Intelligence''
+#+BEAMER: }
+#+BEAMER: \only<3>{
+\Huge ``Data Brokers''
+#+BEAMER: }
 #+END_CENTER

 #+BEGIN_COMMENT
@ -1882,52 +1891,275 @@ We've seen adversaries with different motives.
 Let's explore what some of them do with all those data.
 #+END_COMMENT

-
-*** LACKING Headings [0/3]
-**** LACKING Advertisers
+*** REVIEWED Those Who Spy
+**** REVIEWED Data Brokers
 :PROPERTIES:
-:DURATION: 00:02
+:DURATION: 00:00:15
 :END:

- Most users' threat models don't include the NSA
- Biggest threat to privacy are companies that aggregate data to understand
-  you (often /better than you/)
-
-#+BEGIN_COMMENT
-The biggest threat to privacy to the average user is by companies that
-  aggregate data for the purpose of understanding _you_.
-Probably better than you understand you.
-I'm sure many of you heard of the story of Target knowing a girl was
-  pregnant before she did.
-
-<<user profiles>>
-#+END_COMMENT
-
-
-**** DEVOID Social Media
+***** Lightbeam Reminder
 :PROPERTIES:
-:DURATION: 00:01
+:BEAMER_col: 0.50
 :END:

-TODO
+[[./images/lightbeam-ex.png]]
+
+***** Summary
+:PROPERTIES:
+:BEAMER_col: 0.50
+:END:
+
+- Ghostery lists *over 3,000 companies receiving web/app
+  data*\cite{ghostery:companies}
+

 #+BEGIN_COMMENT
-(Where you are, what you do.)
+Back to that Lightbeam graph of third parties.
+Ghostery has a list of third parties receiving web and app data.
+There's over 3,000 of them.
+
+Looking at this graph from a few sites,
+  that might not be too surprising.
 #+END_COMMENT

-
-**** DEVOID Governments
+**** REVIEWED Oracle Identity Graph
 :PROPERTIES:
 :DURATION: 00:00:30
 :END:

-TODO
+#+BEGIN_CENTER
+#+ATTR_LATEX: :height 2in
+[[./images/tp/oracle-id-fuu.png]]
+#+END_CENTER
+
+#+BEGIN_QUOTE
+\footnotesize ``Aggregates and provides insights on over $2\nbsp{}trillion in
+consumer spending from 1,500 data partners across 110 million US
+households''\cite{oracle:datalogix-acq}
+#+END_QUOTE

 #+BEGIN_COMMENT
-(Segue into government surveillance.)
+Look how happy she is to be tracked!
+I'm kidding of course.
+If we put some random person's picture in her place,
+  they might feel a bit uncomfortable.
+
+<Read quote>
+
+Look at that last bullet point there.
 #+END_COMMENT


+**** REVIEWED All About the Experience                       :B_fullframe:
+:PROPERTIES:
+:BEAMER_env: fullframe
+:DURATION: 00:00:05
+:END:
+
+#+BEGIN_CENTER
+\Huge ``More Relevant Customer Experience''
+#+END_CENTER
+
+
+**** REVIEWED Target Pregnancy Prediction
+:PROPERTIES:
+:DURATION: 00:00:25
+:END:
+
+#+BEGIN_CENTER
+#+ATTR_LATEX: :height 1in
+[[./images/tp/target-logo.png]]
+#+END_CENTER
+
+- <1-> Records purchases, credit cards, coupons, surveys, refunds, customer
+       helpline calls, email, website visits, \ldots\cite{networks-of-control}
+- <1-> Purchase more information from third parties\cite{networks-of-control}
+- <2-> Identified 25 products to create a ``pregnancy prediction'' score and
+       estimate due date\cite{nyt:learn-secrets}
+  - <2-> Quantities of types of lotions, soaps, cotton balls,
+         supplements,\nbsp{}etc
+
+#+BEGIN_COMMENT
+One of the most popular examples of these types of analytics is a case where
+  a father received coupons for baby clothes in the mail for his daughter.
+Target successfully predicted that she was pregnant based on certain items
+  that she purchased,
+    like quantities of certain lotions,
+    and even things like cotton balls.
+They call this a ``pregnancy prediction''.
+It's creepy.
+It's lucrative.
+#+END_COMMENT
+
+
+**** REVIEWED Transparency Needed
+:PROPERTIES:
+:DURATION: 00:00:40
+:END:
+
+***** Trustev Graph
+:PROPERTIES:
+:BEAMER_col: 0.50
+:END:
+
+#+BEGIN_CENTER
+[[./images/tp/trustev-graph.png]]
+
+\incite{trustev:tech}
+#+END_CENTER
+
+***** Summary
+:PROPERTIES:
+:BEAMER_col: 0.50
+:END:
+- *Let users see their data in this graph!*
+- Erase nonpublic information that they don't want to be known
+- Let them correct what is wrong
+  - <3> Also a problem with law enforcement / government
+- <2-> Let them *opt out!*
+
+#+BEGIN_COMMENT
+Look, at the end of the day,
+  some people do legitimately want this.
+They want to have this ``relevant customer experience''.
+
+What we need is transparency.
+
+Companies like Oracle should let you see your data in this graph.
+Let you correct it if it's wrong.
+Erase it if it's nonpublic information that you don't want to be known.
+And allow you to /opt out/!
+
+We talked about government surveillance a while ago.
+This is a problem there as well.
+What if you're flagged as suspicious?
+Put on some no-fly list or terrorism watch list?
+What if it were based on completely wrong information inferred by some
+  algorithm?
+
+Let's look at that graph on the left a little more closely.
+#+END_COMMENT
+
+
+*** REVIEWED These Data Affect Your Life!
+**** REVIEWED Trustev Fraud Detection
+:PROPERTIES:
+:DURATION: 00:00:25
+:END:
+#+BEGIN_CENTER
+[[./images/tp/trustev-graph.png]]
+
+\incite{trustev:tech}
+#+END_CENTER
+
+#+BEGIN_COMMENT
+This is a graph of sources for TransUnion's fraud prevention system.
+There are a lot of data sources here.
+And look at the node at the bottom---
+  ``machine learning''.
+
+What if this were wrong?
+You'd be flagged as a fraud.
+This could be inconvenient---
+  like not being able to make an online purchase.
+But what if you are denied a loan because of things like this?
+Or...denied employment?
+#+END_COMMENT
+
+
+**** REVIEWED LexisNexis
+:PROPERTIES:
+:DURATION: 00:00:45
+:END:
+#+BEGIN_CENTER
+#+ATTR_LATEX: :height 0.25in
+[[./images/tp/lexisnexis.png]]
+#+END_CENTER
+
+- Risk management for insurance, finance, retail, travel,
+  government, gaming, and healthcare\cite{networks-of-control}
+- Data on over 500 million customers
+- TrueID---34 billion records from over 10,000 sources\cite{lexisnexis:trueid}
+
+#+BEGIN_QUOTE
+``We help insurers assess their risk and streamline the underwriting process
+in 99% of all U.S. auto insurance claims and more than 90% of all homeowner
+claims.''
+#+END_QUOTE
+
+#+BEGIN_COMMENT
+There's a ton of these companies;
+  we only have time for a few.
+LexisNexis is another popular one.
+And it's fun to say.
+
+They handle risk management for various industries.
+And they pull from a pool of data of over 500 million customers.
+
+<read quote>
+
+To give you an idea of their scale:
+  they also have a system called TrueID,
+    which does identity verification for fraud detection.
+  They aggregate tens of billions of records from over ten thousand sources.
+#+END_COMMENT
+
+**** REVIEWED Palantir
+:PROPERTIES:
+:DURATION: 00:00:25
+:END:
+
+#+BEGIN_CENTER
+#+ATTR_LATEX: :height 1in
+[[./images/tp/palantir.png]]
+#+END_CENTER
+
+- Co-founded by Peter Thiel of PayPal
+- CIA, DHS, NSA, FBI, the CDC, the Marine Corps, the Air Force, Special
+  Operations Command, West Point, the Joint IED-defeat organization and
+  Allies, the Recovery Accountability and Transparency Board and the
+  National Center for Missing and Exploited Children.\cite{techcrunch:palantir}
+
+#+BEGIN_COMMENT
+Another highly controversial one is Palantir.
+It was started by one of the co-founders of PayPal, Peter Thiel,
+  for terrorism intelligence.
+It's now used for its powerful analytic capabilities
+  by not only private corporations,
+    but numerous government agencies,
+    a few of them being the CIA, DHS, FBI, and the NSA itself.
+
+Yeah.
+What if these data are wrong?
+#+END_COMMENT
+
+
+*** REVIEWED More Information
+
+**** REVIEWED Networks of Control                            :B_fullframe:
+:PROPERTIES:
+:DURATION: 00:00:15
+:BEAMER_env: fullframe
+:END:
+
+#+BEGIN_CENTER
+#+ATTR_LATEX: :height 2in
+[[./images/tp/networks-of-control.png]]
+
+\incite{networks-of-control,33c3:surveil}
+
+Shock and Awe
+#+END_CENTER
+
+#+BEGIN_COMMENT
+If this topic interests you,
+  you need to read the paper Networks of Control.
+One of the authors gave a talk at the recent Chaos Communication Congress,
+  and I was in both shock and awe.
+I've only had the chance to skim the paper.
+Both are referenced here.
+#+END_COMMENT
+
 ** LACKING Policy and Government [0/6]
 *** DRAFT Introduction [0/1]                              :B_ignoreheading:
 :PROPERTIES: