Skip to main content

tv   Cato Institute 2018 Surveillence Conference Part 2  CSPAN  December 15, 2018 1:25am-2:56am EST

1:25 am
you talk about represents those employees the department of justice who elect campaign contributions that is not necessarily an accurate reflection of the overall political worldview essentially of the department of justice as a whole talking samples we have to be careful. now we will take a 15 minute break give my friends a shout out. [applause]
1:26 am
[inaudible conversations] >> welcome back there are so manyis fascinating issues with new technologies if we were to cover them all with the conference that even i have limits to my capacity to focus for that long. and then to present a shorter flash talk and then for what they have been doing with the
1:27 am
rerange of hard questions we face as citizens. with those issues a face recognition then i just quickly introduce the speakers look on the website to those fiagenda leaks for the more extensive biography without legislation in australia to mandate law enforcement access to encrypted software but that could be a model so than to
1:28 am
invite the new america the chairman. >> i am the chairman with the technology institute and if you told me one year ago i would be here today to talk about australia i would think that you were joking but i'm glad to have the opportunity to speak with you today about the law passed earlier this month how this could allow the united states to look at foreign encryptions next-door. so for those of you who may be familiar with that debate of
1:29 am
encryption pits security against security for years us justice department and the fbi have an ongoing discussion of encryption they complain they can no longer asks access electronic communications even with a valid corridor many companies encryption by default with products and services do not have access to communications they want to require that they guaranteed the government has access now that they call responsible encryption to access otherwise they are hampered in the ability to keep americansy safe but the tech companies have pointed out this would be the
1:30 am
encryption backdoor to be exploited by others there is no way that guarantee they could use any such mechanism rather this is deliberately building vulnerabilities of products answers - - services because it would harm everyone's privacy and create new threats with criminal activity. as we explored encryption protection economic security and the personal safety and freedom of journalist and individuals in vulnerable communities including domestic violence this debate which has been going on for yearse has gone global with a quick flareup down under in australia this past august the australian government released
1:31 am
the exposure draft with the telecommunications and other legislation amendments and those that take months and months or years before passing anything managed to wrap up in four months. following public comment. a slightly modified version referred to the parliamentary joint committee that opened a new public comment. the technology institute organized an international coalition and the trade associations that the committee held a series of hearings but it issued a report and then early in the
1:32 am
morning december 6 the department released 173 amendments but at the end of the day and then pass the bill into law. the combinedbi stupidity of the coalition of labor those made in australia is automatically too risky to use of concerned about cybersecurity. and the wind that is under encryption other sections have additional privacy but we are
1:33 am
focusing on schedule one encryption. it appears to be an encouraging statement to purport to prohibit the government of the back door and we have it appear on the slide section 317 says the government may not request or require to implement about the vulnerability and also the government cannot prevent telecommunications provider for systemic vulnerabilities. however it creates new authorities and specifically it creates new priorities for the government notices and technical capabilities the
1:34 am
request is supposed to be voluntary but the notices are mandatory but the difference depends on which government official is authorized to issue the notice. all of these authorized australian government to request or demand and the listed act that is a long list and it includes things like moving one or more forms of mprotection on behalf of the provider to facilitate that modification of those characteristics provided by the dedicated communications provider. those that weaken the security feature the australian government could now make this a request to apple the fbi made with the san bernardino shooter case.
1:35 am
to have a new operating cisystem. it in the san bernardino case. with cybersecurity with lawsuits here in the us and to be sure that 1789 they were permitted to make this demand of apple that supported by other tech companies argue this demand was unconstitutional the justice department withdrew itsts command before the court could resolve and they could pay the outside vendor that now they have a specific authority to make these types of demands.
1:36 am
into use that authority in the same way and then of the uk which essentially is the nsa had a proposal that tech companies would ask or require as a participant in end to and encrypted chats. you do not even haveou to touch the encryption and that is from the encrypted chat. and in addition to explain that new power i addressed three other three constructs. it allow any independent
1:37 am
independent review. such as that capabilities notices and what was passed in 2016 but then section 254 of the uk act does require that judicial commissioner must review and approve the capabilities before the me the issue having questions of the adequacy of this review under the uk law with even greater thoughts to cybersecurity but there is no provision for any type of independent review. so while those procedures this is more difficult and have the
1:38 am
same legal argument available as they would in countries like the uk and us. with that transparency with that nondisclosure requirement. but that is a criminal sense there are no limits such as what we have here for the reason of the confidentiality. and that definition of communication providers is overbroad including anyone who provides electronic service in australia.
1:39 am
so anybody doing business in australia or providing services is subject to government demand with those tproducts and services. >> what is it mean for the united states? it to be a part of the coordinating effort if you are not familiar with the term it is the intelligence alliance comprised of australia and new zealand united kingdom and united states dating back to world war ii since 2013 these five nations also form a ministerial with strategy and information sharing and those avwith strategies and policies to weaken encryption and the
1:40 am
five countries to release a statement on principles and that statement that if they continue to have those encrypted communications they may have legislative mandates. and with that exposure draft. so now australia's law can provide the united states and other governments with the back door to the encryption backdoor. australia has the authority to compel providers t and then to build weaknesses into their products i have already mentioned the example with that capability notice to have a new operating system with the ice phone security feature
1:41 am
and then to no longer argue to have capacity to turnover in similar cases. so to reengineer the encrypted chats those are also vulnerable to other government demands and finally as the new model for responsible encryption legislationes so whether as a pathway or a model with security and privacy that extend well beyond australia's borders. thank you. [applause]e]
1:42 am
>> the french philosopher for his analysis with surveillance it is usually translated into english but for surveillance and to punish but it is always a key part in the children are closely monitored of every little part of raising children safely so we need to worry if we are going down for
1:43 am
compliance of surveillance that that technological capability ever more closely it becomes a reality. i often wonder if we are preparing children to accept this is a normal world where everything is scrutinized so with that media surveillance. >> thank you so much with the perfect introduction coming back you the and of my presentation with the national security programs me will be talking about the surveillance of students and to start this off talking about the
1:44 am
prevalence that kids have on mind so to the pew internet study 97 percent between 13 3 and 17 -year-olds are on one major online media platform. 95 percent fromre a smartphone and 25 percent is almost constantly. so there is a lot of content and a lot of time and with that social media presence come social media laundering to prevent school shootings or suicides or other online threats.
1:45 am
so spending by public schools nationwide the social media monitoring companies you can see from the mountains and valleys and those spikes and 2015 and the big spike in 2018 potentially driven by the shooting in parkland florida. this is asked attending more and more money on more tools this is similar reflected by the research in contracts between public schools and again showing the spikes with those significant increases and a major spike in 2018.
1:46 am
so based on the statistics you may think schools are getting more dangerous but the opposite isge true. they are actually getting safer. and with that risk of school shootings among the developed countries and single shooting or even serious bullying is one too many but the overall crime holds true with schools the k-12 student shot and killed at a public school is one out of 614 million. by way of contrast one at a 3400 if you choke 199510 percent of students aged 12 to 18 being a victim at school the previous six months in 2016 school year only 3 percent so and that 20
1:47 am
year. a major decrease from 10 percent down to 3 percent and less thanrc 3 percent of suicides have occurred at school. of course i hope the social media monitoring picking up the risk off of school grounds as well that by any measure it is a pretty safe place to be. now the one state that has legislated social media monitoring is florida they are familiar with parkland last february when the former student at marjorie stoneman douglas shot and killed 17 students and staff members injuring 17 other others. in the wake of the shooting the florida legislature passed a law of the office of state within the state department of education that is required to coordinate withth the law enforcement to be a centralized database about
1:48 am
social media data and to establish a safety commission to recommend the development of protocols but does it look like that has been done yet but likely to do so in the new year. and with those intentions before the shooting people had taken notice he was reported to the fbi and local police three times for disturbing post one call warned he could become a school shooter and a scepter call flagged a youtube post in which the user said he wanted to become a professional school shooterer although was identified until after the shooting there were warning signs on social media but it wasn't that they were flying blind because people would see them and were trying
1:49 am
to act. it really failed those students wasn't a failure to see the post according to a review of the school district's actions in august was more the district it didn't give him the support services he needed. so why not? if a single school shooting is one too many if monitoring could catch one future suicidal student then why not? what is the harm and there arere a lot of reasons because we are cautious of this type of monitoring.
1:50 am
in one way is through overreach to pull more information like jacksonville florida set up a social media monitoring tool. to indicate a risk of criminal activity to set up the word bomb if there is a bomb threat but it turns out there were no bomb f threats but instead inundated like pizza was the bomb and photo bomb. so a lot of stuff coming in was little use. by which i mean those kind of risks of social media but i mention earlier about his
1:51 am
intentions and that they reported them soxt it isn't clear those extra monitoring software would have been but as it turns out he was the exception there was an informal survey of major school shootings and that is the category since sandy hook in 2012 only one otheror perpetrator according to the public that put up social media postings that strongly indicated interest in violence that was the shooter from sandy hook he had posted in discussion forums about the columbine high school shooting and operated tumblermb accounts named after school shooters. while they may not have known at the time to take it seriously it's hard to imagine
1:52 am
that now it wouldn't be reported to authorities. but these other school shooters they don't show anything to flag them for the automated tool saw the perpetrator of the 2014 shooting in oregon and the call of duty and also various night in gun pages. they seem like warning signs. for the call of duty world war 224 million followers with over one.3 million likes so sending up aas red flag about
1:53 am
every single person would have a huge quantity of noise so i automated tools have built-in shortcomings sora a terrific report called mixed messages that did a lot of research on this that shows they generally work best and to be easily fooled by lingo or pop-culture references and the best example comes from the 2015 tryout from the boston marathon bomber during the trial several quotes from the twitter account toxt show that he was not just an extremist and he just tweeted a quote
1:54 am
that said i shall die young which may be suggested something about his intent but also from a russian pop song and he winked in the tweets. and then to see it was a song lyric. also from jay-z and south park episodes. social media is contextualal and either the automated tools are the analyst are that great. the second major concern is the risk of discrimination so the keywords themselves that are discriminatory so the aclu report said when the boston police department set up theme tool that #included black lives matter and ferguson.
1:55 am
then to say as a public safety threat these are only as good as using them but you could further discriminatory mindset. the second is the risk of discriminatory impact. whatever keywords are flagged there will be a huge amount of discretion in what was done with the results including where the students are brought in who is punished or subjected to criminal justice we already know students of color at every level experience all harsher discipline and even when they commit ear infections so social media monitoring during that i suspect we will hear
1:56 am
from the muslim teenager who brought a gun to school arrested on the suspension and it e contained a bomb he was well known for tinkering he even told his teachers repeatedly that it was a bomb. so raising suspicions that he was put under with his arrest was grounded it is, phobia but on the other front and fbi agent was paid to go through social media accounts on the basis of anonymousas tips and on the basis of what he found each of those expelled were black even if they made up only 40 percent. m those to be identified the
1:57 am
consequences can be serious one posted on snapchat a toy airsoft gun that resembled a real rifle but he knew his friends also think it is awesome and said that he reported to school officials it doesn't just strike me as the crazy thing to do but they had googled the name on the side of the gun they would e see it was a toy gun even though it did bear a resemblance. but instead of discussing it with him and her social media use not only suspended for the day but for breach of peace with a misdemeanor. because it's so hard to reliably pinpoint they have a
1:58 am
perverse incentive and then to assure their customers with that needle in the haystack to have very little reliable way to gauge their effectiveness that 2015 investigationci revealed and then to measure effectiveness to say we have succeeded and at the same time and that those that are to be
1:59 am
tracked by posting public sites students believe they are prohibited from sharing personal information with third parties it is a real lack of information how they operate. and finally it's worth thinking about what it means to be under constant surveillance they could stop posting which would blend any effectiveness that they had may be more concerning teaching students to expect surveillance with the authority figures opinion and act accordingly so that could be good dental hygiene that we need to think before we post what that looks like who might see it now or in the future
2:00 am
cracks but it's not clear it is healthy for students in a democracy that they are under that surveillance all the time and to act accordingly. so at the very least the social media monitoring program it is the benefits to parents and students in a frank discussion of what it means and then not to set forth that there is a lot of concern people out there. thank you so much. [applause]h. >> thanks so much rachel am. there is a science fiction writer who has a more opt mystic
2:01 am
view of this. we are training our children to develop counter intelligence trade craft just to be able to have a normal childhood so the next generation will be very sophisticated about evading surveillance. i don'ti suppose we'll find out. two talks that focus on privacy in public, the myriad ways that just walking down an ordinary city street we are being observed in ways we may not recognize and also the ways existing networks of surveillance like closed circuit cameras can be transformed and fairly deep ways by existing infrastructure becoming a platform for new methods of monitoring. so the first of these is going to be an examation of camera networks for facial recognize surveillance from -- of the
2:02 am
project and government oversight. >> thank you so much for having me here. i'm jay peruke, i'm a senior counsel at the pogo and i'm excited to be talking about facial recognize and a specific aspect of facial recognize how cameras and various aspects can empower and grow facial recognize surveillance into drag nets. so as a quick start about facial recognize surveillance itself, this is no longer a sci-fi technology or minority report in the future. it is happening now. the fbi conducts over 4,000 facial recognize searches a month.
2:03 am
a quarter of all state and local police departments have the ability to do facial recognize scans. they use facial recognizes for outgoing flights, and they will apply this to sea ports and land ports across the country, and ice is looking to buy facial recognition technology as well. it is a very real and live surveillance threat. facial recognition depends on three key factors to be a powerful force for surveillance. first, you need a database of photos that are identified with people. they have about half of all american adults in the photo database. you need very powerful software technology that can scan across hundreds of millions of photos and scan phases rapidly, lots of companies is developing the technology, and other companies as well. and the government. you need a network of cameras you can tap into and use to see
2:04 am
people's faces everywhere, all the time. there are four areas where this you have the potential to build these camera networks. first, government surveillance cameras cctb, second, police body cameras, third, privately owned security cameras and last social media photo databases. so let's start first with government surveillance programs cctb programs. about a decade ago then chicago mayor richard daily said he expected one day we would have a police camera basically on every corner. i want you to keep that quote in mind as we talk more about cctv in american cities but first let's go to where we truly have a cctv photo drag net and where it seems we achieved big brother status, and that is in china. china is by far the most powerful network of government surveillance cameras we can see in the world. the country has an estimated 200 million government run
2:05 am
surveillance cameras throughout the country. and the effectives of this are profound. if you look at cities these networks are incredibly dense and incredibly powerful. for example, beijing maintains over 46,000cctb cameras that blanket the city. state media and police in beijing boston this network allows them to have 100 percent coverage of the city and see everything going on all the time. this can have powerful impacts for facial recognition. so for example, recent bbc reporter asked to test the system. he went to a city of 3.5 million people. gave his photo to the government to input in the system, asked them to find him. using their cameras and system, the automatic facial recognition software found him in 7 minutes in a city of 3.5 million people. so that is surveillance cameras at its peak.
2:06 am
cctv is america to a strong degree. instituted in large cities such as new york, chicago, washington, and los angeles. in new york there is a cctv network hub this is called the domain awareness system the way it works is you have all cameras networked into a centralized hub that can be subject to realtime viewing analysis, and other tools facial recognition could become one of those in the future. oakland considered voting its own domain awareness hub this would link cameras all across the city used by government involving everything from port authority to police cars to cameras outside schools. smaller cities such as st. louis and new orleans have mass cctv networks and centralized hubs they used to watch. the city was largest by far with the largest is chicago. chicago is the closest to achieving big brother stats in america. right now chicago maintains a police surveillance network of
2:07 am
cameras that is over 30,000 total cameras in the city. this in some ways surpasses the level of surveillance drag net that you'll see in china. although 30,000 cameras in chicago is less than the total 46,000 in beijing, if you look at area density the 128 cameras per square mile is far higher than the beijing drag net that covered 100 percent of the population. this can have really powerful effects for facial recognition and it's starting to in america. we're seeing this in orlando. they are where can a pilot program with amazon's realty recognition program, the way the system works is that you have cameras scanning throughout the city and they will try to scan faces and people and identify them and flag any persons of interest. whatever persons of interest means, not sure.
2:08 am
so that is government cctv. next, i want to look at police body cameras this is the area of greatest risk in terms of establishing video surveillance drag nets in the united states. and the simple reason for that is that body cameras are becoming incredibly popular in america and in american police departments. axon, america's largest body camera producer in the united states has a systems already in half of american largest cities this is a huge -- because they offer cameras to police departments for free. so then you use axon the video storage system. studies from recent years of police departments indicate that 97% of the largest police departments in america all either have body camera programs in place, are in pilot and testing stages or if they don't havethet yem, are planning to build them in the future. so this is going to be a universal phenomenon of police
2:09 am
wearing body cameras and that being a common thing we will see on streets as beat calms walk by. why is this a big deal for a proliferation of government surveillance cameras? it's because cities have lots of police in them. on average localities have between 16-24 police officers per 10,000 residents. big cities this amount gets higher. plenty of cities have 40 officers for every 10,000 residents or more dc's over 50. if you look at area density some cities are plopped with police officers for example ten different cities have over 20 police officers per square mile topping the list is new york city which has well over 100 police officers for every square mile. now, in terms of facial recognition we have actually seen a little bit of progress here. axon recently back tracked on a long-term plan to put facial recognition in his body cameras they acknowledge the fact that this tech in a lot of ways is
2:10 am
flawed, very prone to misidentification so they scrapped plans that might have happened as soon as this year to put facial recognition in its system. not all vendors are taking that cautious approach. some are charging ahead with facial recognition and body cameras and it's only a matter of time until companies like axon are satisfied that it's good enough for their work and begin to institute it. after all an axon vp described their interest in body cameras a couple years ago that by putting a facial recognition in body cameras one day every cop in america would be robow cop. this is very worrying because well virtually all police departments are charging ahead with pleas body cameras very few are setting rules and standards for facial recognition. according to a score card on body cameras maintained by the leadership conference, basically no cities that pretty body camera programs have official rules on facial recognition.
2:11 am
and that is many, many cities that are not acting with appropriate standards. so that's police body cameras. next i want to talk about private surveillance camerases and the capacity to build network surveillance cameras from them. now cooperating private cameras is a r similar to cctv and a way government could build out video surveillance networks but do so with very little work without the infrastructure, and at a fraction of the cost. we may not have the 200 million surveillance cameras that china does a but we do have 30 million privately owned security cameras throughout the country. so to tap into these instead of building your own cameras it's no surprise government may want to turn this into this. otherwise the quist aside a couple of cameras are amazon's ripping doorbell, it's a video doorbell system. just last night news broke amazon had patented a technology
2:12 am
to build facial recognition into those door bells and connect to do police networks and notify them when anyone suspicious came up. so another fun innovation from amazon. now, police departments are not just thinking about this idea they are proactively soliciting people with private cameras asking for registration and asking for them to engage in formal agreements whereby those cameras can be accessed and readily used by law enforcement in video surveillance networks. so i mentioned new york before. and the domain awareness system they have there that allows realtime streaming of video cameras. of the 6,000 cameras that are connected to new york's network, two-thirds are privately owned cameras that have agreements that allow the new york police department to access and use them. washington d.c. and a lot of other cities offer incentived to try to get people to hook up their cameras into police networks. so here is a mayor -- saying
2:13 am
police purchase security cameras and connect them to our networks we will pay you to do this. excellent use of emojis mayor becauser. that is privately owned cameras again. it's very similar to government cctv, it's a network of stable cameras that can provide a video drag net that can be cooperated and a simple way to build it out and a simple risk because we don't have the ability to stop the government in its tracks we're just worrying about potentially have law enforcement tap into them. the cameras are already there. last i want to talk about social media photos. this is a different thing we're not talking about cameras taking images they're already images that are being stockpiled. social media photos are potentially the greatest risk in terms of a photo drag net that could be used or corrupted by
2:14 am
government for facial recognition and that's because of the sheer size of photo databases. we've already seen face recognition used for social media to a limited degree by the firm get o feedia a few years ago they got caught and admitted during protests had run social media photos through facial recognition technology during protests in baltimore to find individuals with any outstanding warrant and directly arrest and remove them from the crowd. now luckily when this came out as a product of aclu research companies responded properly and blocked and shut down their access to their services, it's really important that social media companies continue to be vigilant on this front to limit their api to prevent photo data bases to bam means of government surveillance and facial recognition surveillance. i think it's important companies think about data harvesting through api but court orders and
2:15 am
skating those those means. we've seen similar means in the recent past. for example, a couple years ago yahoo received and complied with a court order asking that they scan all email content in their databases for specific bits of content that the government was looking for. it's not hard to ma'am the government coming with a similar court order to someone that maintains databases and asking for a mass scan to find very particular faceprints. so we have google talking about surveillance transparency, and facebook talking about it, these companies maintain very large photo databases, google has over 200 million users store photos in its cloud service, over 24 billion selfies. they have billions of photos up loaded every day. it would be great if these companies build out transparent reports to think about possibly
2:16 am
including a warrant canary for facial recognition. so if the government ever does come with a broad excessive order saying we want to start scanning all your photos for facial recognition photos we will get the head's up and be able to start acting. and with that i want to conclude by talking about what actions can we take if we start to feed these activities, and how should we response. first of all there's a lot of potential at the local level. oakland had had a proposed domain that would have connected all their cameras into a hub. this was a success story. oakland activates, when they found out about it got organized and got mad and got it shut down. that's the sort of thing we can see in other cities if we take action and i want to give a shout out to the great program, c-cons campaign this is an effort to improve transparency, and limit surveillance in can thes all across the country, i'm sure it will do great work to
2:17 am
limit advanced surveillance tools and video surveillance like facial recognition being built into cameras. on the federal level we have potential in terms of limiting and conditioning funds. so, we talked a little bit about government cctv, a lot of funds for local government cctv networks don't come from those localities, they come from the federal government. doj funds cctv and police grants very often. for example, orlando, which is running a cctv realty official recognition network received funds from the department of justice. it would be great in the future when they handed out funds for video surveillance activities. they say you can not use it for failings recognition. dhs funds surveillance cameras for cities on the largest degree as well. this is another opportunity where sit strict rules and limits could be a very quick way
2:18 am
of stopping these turning into scanning and facial tracking network. the department issues grants in tens of millions of dollar for police body cameras but we do not see virtually any departments putting in good rules for face recognition on body cameras. it would be a fast improvement if when doj was handing out grants they say you need to put in effect rules and guidelines and limits to protect privacy before we give you the money. so threz some actions we should take i think it is important we take now because we are very quickly approaching the point we're all going to on a daily basis be like the bbc reporter tracked down through an automated computer system being monitored with a million little eyes. thank you so much, you can read more at pogo.org and looking forward to the rest of the conference.
2:19 am
[applause] >> so the classic feature of surveillance makes it a mechanism of power is unequal in the jeremy benison punoctgon the prisoners and the ultimately surveillance prison knew they are under potential observes they can be seen but can't see the view fers so when it comes to public networks of cameras one of the most effective things we can do in order to encourage people to react to the changes that are happening around them is to be aware of them. so i'm really fascinated by a tool, electronic frontier foundation has developed to try to help people recognize the ways in which surveillance in public is exploding around us. i'd like to invite dave moss.
2:20 am
>> thank you for having me today. my name is dave moss and i'm with electronic frontier foundation and if you're not familiar we're based in san francisco, around since 1990, and around to make sure our rights and libertiies continue to exists as societies use technology. i particularly work on efs street level surveillance project which aims to ensure there is transparent, regulation, and public awareness of the vawrs technologies that law enforcement is deploying in our communities. and a lot of times that work looks like filing public records requests. so for example with license plate readers, eff teamed up with the organize to file hundreds of public records requests around the country to find out how law enforcement agencies were sharing license
2:21 am
plate reader data among themselves. or let's say drones. we'll file a public records request for mission log reports on how uc berkeley police used drones to surveil protesters in 2017. or we'll file a public records request with the san francisco district attorney's office to get a spreadsheet of every camera in their database, similar to what jake was talking about. and this is all a problem because too often our work looks like this mooch we have chucking public records at people saying here you go. here are documents on document cloud or here's a white paper we wrote, or 3,000 word blog post. or even worse, it's me standing in front of you doing a powerpoint presentation and if we're lucky i have a funny cartoon to go with it. i don't have one today so i had to use this one. really, our work should look like this to the public.
2:22 am
i can textualize within their communities. if i could i would run a walking tour company where i could take people around and show them the surveillance technology around them. i'm a very busy person and i don't know that doing tower groups of 6-7 people is a good way to get the message across. however maybe this concept can transfer over to virtual reality. take a step back we look at virtual reality and law enforcement technology, police are already working on virtual reality stuff. so, this is a company out of georgia called motion reality that has a warehouse side space where police officers put on virtual reality hell unless and given realistic feeling fake electronic firearms, and they're wired up head to toe, and they go and run scenarios and they
2:23 am
can replay it back. one of my favorite ways about this is they're covered in electrodes so if they're shot they get shocked and demobilized in that part of their body. there is a company that has taken one of these to modify it to work as a field sobriety tests. the whole flash. light would happen within an avr visor and a surveillance aspect something called bounce imaging and it is a little ball covered with cameras and a s.w.a.t. team officer might chuck that into a hostage situation and then somebody could set outside in virtual reality looking around before they go in, and then recording a 360 view of everything going on. so i haven't looked at that what can we do on the other side with vr. i'm going give you a background. this is our one of our founders, both a lyricist for the grateful
2:24 am
dead as well as a digital pioneer. in 1909 he wrote an essay after he had gone and consider visited the early vr companies he thought it was a psychedelic experience. of course he thought a lot of things were because i think he was on psychedelics a big chunk of the time. now we're going to jump 25 years because a lot happened since then. in 2015 we saw vr start to move towards the mass commercial market. this was the occuls risk. the htc vibe, the playstation vr, all came out early 2016. for our organize there were two big questions we were looking at. first of all, what are the digital rights implications of virtual reality on our society, and two what is the potential for virtual reality as an advocacy tool and an educational tool. start with the t what the i think of a privacy element.
2:25 am
the intercept had a great piece in 2016 about hypothesizes the virtual reality might be the most nefarious kind of additional surveillance in regards to the internet yet. and i tend to agree with this. this voices a lot of concerns i was having and me were talking amongst ourselves and we hadn't seen it floated publicly yet. the reason is biometrics, virtual reality tends to rely on our physical characteristics in order to function. so on a very basic level that is how your head is moving, the distance between your hands and your head. how long your arms are, if you're left-handed or right-handed but even something simple as how your head is moving in a virtual reality conditions can be correlated to mental health conditions. more advanced technology is starting to involve devices that measure your breath or track your eyes or map out facial expressions and that's a whole other world of it. and one of the creepy things is
2:26 am
when you have companies in order to gather reactional biometrics are throwing stimul little at you in fairly quite manner without saying why so they can find something measurable to how you respond to it. we'll not going to get into aug.ed reality. a lot of the devices are scanning the world around you to produce con tent. in augmented reality. there was a research study that found in pluto vr. 90% of vr users are taking steps to protect their privacy whether that is jeffing adjusting their facebook settings or using an ad blocker. while. p three-quarters of users was okay for companies using their biometric for product development, but they were against it being sold to other
2:27 am
entities. , now as far as vr as an advocacy tool we're not the first one to try this. planned parenthood has an experience called "across the line " that puts people in the position of a woman trying to seek health reproductive services that has angry protesters there. peta has a virtual reality to step inside a factory farming situation. what's it look tike a calf at a farm or chicken. and some groups out of brooklyn massachusetts worked on the united nations to do virtual reality visualizations of data on air pollution and they took that and ran that through a bunch of un delegates in nairobi. so that brings us to eff spots the surveillance project. and this is at its base a
2:28 am
virtual reality experience that uses a very basic simulation to teach people about the various spying technology that police may deploy in their communities. when we were trying to pusewer this we had considerations and wanted it to be a meaningful advocacy experience, we wanted to not collect biometric information, and we wanted it as an organize that supports open source and accessibility to technology we wanted to make sure it worked on humidity platforms not just the occuls or vibe store. we wanted to do function on a modest budget we are a non-profit and we are not sony. what i mean advocacy experience we didn't want to rely on the novelty factor of vr. you can take anything and put it in vr and if it's somebody's first time using vr they say it's amazing. regardless of what it is. we want to make sure ours was representing a way that only vr could allow. and we didn't want people to be
2:29 am
watching a move, we wanted them to be doing something and to be challenged by it, and learn information that even though they were experiencing it in a virtual world we wanted them to carry it back to the real world. once you put the headset on, you can put it on and you're placed in a street scene in western edition neighborhood of san francisco where there is a police encounter going on between a young citizens and two officers and as you look around and find something you get a pop up and a voice over explaining what it is. it's not meant how quickly you can go through it and score points about the surveillance technology. it is supposed to be an educational tools. four goals, one was can we do a virtual reality, can we do the experience cheaply and if we can do it the first time can we do other things down the road. number two just to educate people about the forms of surveillance then we also wanted to help them figure out where
2:30 am
they are in their communities. and then finally we had a thought that police encounters are very stressful situations, protester stressful situations things move quickly but it can be useful for people to take note of what surveillance technology they saw in those scenes. so perhaps by putting people in a simulation where they're able to gain practice looking for technologies it might carry over to these higher stress situations. so we decided not to go with a computer generated environment and go with a 360-degree photo. this is the rico state of v you can see it here and on the screen. it has two concave lenses one on each side and it captures beyond 180 degrees on each side and stitches them together. so you're able to take a photo of everything. if you used it now you'd get all of this and this. the only thing you might not get
2:31 am
is the base of the tripod underneath the camera. this helped us get past what people refer to as the uncanny valley when it comes to video games, the more you try to create a realistic person or environment the more creepy it is to people. by using an actual photo with a real scene with a fuse things photo shopped in it by passed that although. this is what the photo looks like that we took. it's obviously once you're in the virtual reality headset it's wrapped all the way around you. you can see there is a scenario there going on and you can see us at the bottom we are going to show you a little bit. this is what it looked like and you don't see this in the game. this is a behind the scenes exclusive here. we were hiding under a longer version of this pole, and hiding there outside this police station hoping police would come outside, and eventually it did, and it being san francisco, they didn't question two people with a weird piece of technology on
2:32 am
the street. [laughter] which was great because it was kind of the perfect shot for us. for those of you who won't have a chance this is what it looks like on there, if you looked at the body cam you would get a pop up that explains what it is and has a voice over. such a violence medium we didn't want it to be that you have to be fully sided to enjoy this experiences or learn from it. so if you are only able to see out of one eye or have limited visibility, but you have a certain amount of awareness of an environment you can actually go in and still learn things through audio. we did our beta launch on november 5. this is at the internet archive at the air force international hack thon. that's brewster kale the founder testing it out. for the most part we're looking at having tables like this. there's not a lot of at this point not a lot of people have devices in their homes even though this one dropped down to
2:33 am
$200 recent, not a lot of people have it but it is something we can take to conferences and have our grassroots activists when they're going to community groups bring it with them like they would bring one-pagers or brochures, they could bring one of these with them. we've run it through 500 people in the lastal month if you think about it in terms of an activism organize. eighty four able to spend 7-9 minutes get them to only exclusively focus on surveillance, that's like -- that's a lot of time. but it was available on the internet, and so one of the things i found gratifying is that portland, maine is as far from san francisco as you can get but you can see there are hacker spaces and media labs that are trying this out and having people demo it and we started to see social media respond to it as well. my favorite tweet is the one in the middle. vr tech is so rad, i went spinning through my apartment,
2:34 am
lol sob is exactly what we were going for with this. so i feel pretty good about that. so next steps for us, we're still in beta mode so we're going to continue doing demo to gather user feedback, we're going to improve experience, one of the things working with open source technology there might be a tweac in the language and everything breaks. so we've had bugs come up and we need to fix them and get everything stable for an april 2019 launch. once we have that we'll send it to communities, come up with a educational curriculum, and then look at what would the next version of this project be. and we have a few ideas. some of them are let's do an internet of things version merchandise let's do a home office, you see a printer and ways you might be surveilled through divided in your home. or we do one where not everyone is in san francisco, or they
2:35 am
want to know what it's like in new york city so we build the same thing for various areas. or we abandon vr and we go on to ar and have ways for people's phones to project things into the world. all these depend on how the technology develops and what kind of interest we get, whether there is a return on investment, and what kind of grants there are. it's a new world and we don't quo where it will be in a year or five years. i can tell you where it's going to be after lunch. time and that is just outside the lunchroom, if you want to try it out i have two devices and i'd be happy to show you the camera. if you do have a headset at home, or play it around on your computer browse it's eff.org -- spot. >> i love this idea there was a concept called the tetras effect the idea that when people play games especially if it involved
2:36 am
pattern recognizing behavior very often it spills over to the non-game lives. the tetras is named after people that start seeing shapes everywhere, and see how they can fit them together. it shows up in the assassin's creed games the bleeding effect where someone is reliving a smulings of his ancestor's lives and takes on their super human murder abilities, and that seems realistic and desirable, but it might be imaginable to spot surveillance through games. a more useful version of the tetras device. turning back to the question of encryption as we heard from sharon bradford franklin earlier. law enforcement have for years been complaining that the spread of encryption is causing them to go dark, making it more difficult to do electronic surveillance with
2:37 am
communications. the fascinating report from the center for -- studies that's really points out there are a lot of ways that difficulties law enforcement is having with intercepting electronic communications really doesn't have a lot to do with the need to book doors, and a lot of low-hanging fruit being left on the table that we ought to examine before we talk about legislating breaches in -- platforms for breaches in the tools we rely e rely on. to talk about that i want to invite gendasessal to discuss a report you'll turbined on the table outside. >> thank you julian. and thanks to cato for putting on this excellent conference.
2:38 am
as julian said the focus of my talk is the range of challenges that law enforcement faces and accessing digital evidence separate and apart from the encryption related challenges. and this talk through the report i worked on with co-author will carter under the auspices for the center of strategic or international studies. oh cis. the debates about encryption will continue but it is and was more emphatically more so our view in working on the report that encryption and debates about encryption have taken up so much of the lime light there are a range of other challenges that law enforcement faces that need to be dealt with. and they can be dealt with relatively easily, and they need to be dealt with now. and so, as -- and these challenges will continue no matter what happens with respect
2:39 am
to encryption. no matter if in fact there ever were a clear decription mandate there would be other ongoing challenges that need to be dealt with. so as our title low-hanging fruit indicates these are problems that can be relatively solved, not completely, nothing in the space ever pleads to a complete solution and we make a mistake if we assume we are seeking a complete solution or that we ever trying to eliminate some of the friction in the process. some of that friction is in fact healthy. but some of the friction is unnecessary, and actually collectively harmful to both security and to privacy, and minimizing that friction is not only a laudable goal but one that is eminently achievable. to that end i'll note the report that we worked on was endorsed by a number of individuals and also groups and entities it was endorsed by the former cia
2:40 am
director john brennan, former fbi ken wine stein, two form f democrat do you understand, the former boston commissioner, police commissioner eddavis, a former assistant attorney general for national security david chris, it's been praised by a number of different groups and providers and several providers have introduced a number of reforms consistent with what we called for in this report. so now that i've given you the hard sell i'm going to spend the reminder of my time talking about the substance and talk a little bit about the methodology we used in doing this report a little bit about our findings and ultimately recommendations. so this report stems from a year's worth of research including a series of qualitative interviews with state, local, and federal law enforcement officials. prosecutors, representatives from a range of different tech companies and members of the civil society community. it also involved a quantitative survey of state, local, and federal law enforcement
2:41 am
officials. and the survey results are notable, hopefully you can all read at least a little bit of this. the survey according to the survey results, those surveys found difficulties accessing analyzes and utilizing difficult evidence in over a third of their cases. we believe that's a problem only going to continue to grow. as digital information becomes more and more you bick wutasis and digitals evidence is need in every criminal investigation. this chart shows the response to the question what is the biggest challenge that your department's encounters in using digital evidence? and accessing data from service providers was ranked as the key challenge amongst our respondents, separate and apart from questions about interpretation. identifying which service provider has the data was reported as the number one challenge. 30% of our respondents ranks it as their biggest problem.
2:42 am
obtaining the data once it was identified was reported as the number two challenge, 29% of ous ranked it as their biggest challenge. accessing data from a device wad 19% ranked it as the biggest challenge they faced and collectively analyzing data from devices and analyzing data from providers that's been disclosed from providers which are two separate things that's 21% so that was their biggest problem. that's important because these are problems that can be fixed or at least largely reduced. without huge changes in the system but with more resources and more dedicated system@ic thoughts as to how to address the problems. so to the extent that law enforcement doesn't know where to go to get data of interest, that is a problem that can be solved with better information
2:43 am
flows, and better training. to the extent that law enforcement faces challenges in obtaining data, that is a bigger challenge, and we heard two very different stories from the law enforcement officials we talked to and the provider community. the law enforcement officials talked about what they perceived as very long delays in getting information back from service providers, what they perceived as service providers dragging their feet of service providers having inseventy six resources to respond to their needs of requesting slow -- or turned down in what they perceive to be invalid circumstances. providers on their side told us a very different story. they complained about what they saw odds as over broad requests, law enforcement asking for things that just simply weren't available, as delays being the fault of law enforcement as they were internally debating and deciding whether or not to get
2:44 am
nondiscloser orders that would prohibit there the customers data had been obtained and providers holding off at law enforcement requests on turning over the data until they learned whether or not they had permission to tell the customer or the subscribe. now the data interestingly kind of supports both sides of the story. this chart shows the requests from -- that the u.s. law enforcement issued to six key companies facebook, microsoft, twitter google yahoo and apple. over time this is based on the company's own transparent reporting, the there is no other good source of data. you see from this chart a pretty dramatic increase over time. this shows requests in 6-month intervals, so ending in decembe0
2:45 am
requests to these six u.s. based providers by december 2017, the previous six months before that almost doubled or at least increased by a significant amount in about 650,000, almost 700,000 requests in the prior six month-period. what's interesting about the chart is that the grant rates have hovered more or less the seam rate. 80%. consistent over time in terms of percentage of requests or demands that providers complied with but that also means the number the absolute number of requests that are being turned down are the number of disclosure demands that are not being complied with is higher given there's a bigger volume of actual requests. so to some extent law enforcement is frustrated because they're sensing this bigger number of request denials where as providers are saying we're pretty consistent in how
2:46 am
we're treating this over time. two caveats about the data, the chart only shows where the requests were made not where they weren't made. the law enforcement didn't know where to go over otherwise estymied requests and the grant rates say nothing about the legitimacy about the requests or the grounds for rejecting the requests and there is and should be ongoing disagreement about the appropriate scope of a request this is an area where some friction is not only healthy it's actually productive, and it's just going to persist inevitably because there's different views about the appropriate scopes of these requests. but there's also a number of areas with respect to grant rates and law enforcement issuance of request of providers where there is unnecessary friction and some of the reduction in this friction can both support privacy and security at the same time. so some of the things that can be helpful in this regard are
2:47 am
better up to date law enforcement guides provided by the providers, resourcing of law enforcement teams by the providers, better training and dissemination of training to state and local law enforcement officers, better training of judges that review and approve the range of requests subject to court order or warrants. and these have obvious security benefits in the sense that it provides law enforcement more streamlined ability to access data of interest but it also has privacy benefits to the extent it leads to better tailored, better more privacy protective requests and less -- and as a result more tailored more narrow requests. now, to the extent that law enforcement cannot interpret that if that's disclosed this is a problem that stemmed in part from encryption but also what we heard from over and over again was the absence of technical
2:48 am
tools to decipher nonencrypted data that was disclosed. so, this is a problem that results one from a absence of tools to some extent and a distribution problem. so sometimes some of the bigger law enforcement entities would have access to the appropriate tools, but it was not disseminated to the 18,000 state and local law enforcement entities that exist around the country. so despite what appears to be pretty clear need, and a pretty easy to identify solutions with respect to resourcing training, resources training and dissemnations of tools, the sole federal entity with an explicit mission to better facility cooperation between law enforcement and providers is an fbi's national domestic communication center, it has a budget of 11.4 million this fiscal year and that is spread out among several different
2:49 am
programs designed to distribute knowledge about service providers policies and products, develop and share technical tools, train law enforcement, maintain a 24/7 hotline center among p many other initiatives. that is a drop in the bucket given the need out there. . .
2:50 am
>> what is working and what doesn't. so this is the recommendations with the creation to be authorized and resourced by congress to do that kind of work that is needed with the distribution of research including grantmaking of the
2:51 am
data that is collected with authentication systems to ensure that the person who was asking for the request is in fact entitled on those international efforts to report to congress of what is in fact going on it does not have an independent authorization act two articles on - - adequately resourced to do its job in the broader digital policy office of the
2:52 am
technology and allow them to do on a very slim budget to disseminate information about service providers and to provide a hotline system and we've also been cleary included a hearing of recommendations and where they could facilitate that that we do do that but it with those across the country with wrapper one - - rapid turnover that could disseminate the training leading to more request that is helpful for
2:53 am
law enforcement. >> with the online portal to facilitate the request process to help with the authentication to provide rejection with a dialogue with rapid responses that is being requested with that transparency that providers are doing with that law enforcement request even more in terms of the categories of request over the different smaller categories as well but it's important to think as well the bigger providers
2:54 am
helping to develop best practices so those challenges will only grow over time and these are structures and resources that need to be put in place now because to argue this has benefits for privacy and allows us to do something with encryption. [applause] >> but they are encrypted as a
2:55 am
spreadsheet you need to open it. [laughter] and as we see very often and that ability to navigate and is always easiest and with that afternoon's question on - - session as well and at the end of the day so please join me in thanking our speakers one last time.

7 Views

info Stream Only

Uploaded by TV Archive on