Hello and welcome to day 2 of CFP 2011. Work got in the way this morning and I was forced to watch the morning sessions via webcast while multitasking at the office -- so no blog of the first few sessions. I will be live blogging to the best of my ability today to provide those unable to attend a small window into the conference. Be sure to check the CFP media page for pictures, video, and more. The Twitter hashtag for this conference is #CFPConf.
Note: Live blogging is both for me and you. These are my notes from the conference. Nothing should be taken as a direct quote. These are living posts. Edits will be made.
Technology Behind the Challenge to Locational Privacy
- Topic One: Geolocation: Risks and Rewards
James Kasprzak: Professor of Systems Management, National Defense University;
James Churbuck: Assistant Professor of Systems Management, National Defense University
An overview of geolocation, including its history and technology, and the policy implications for privacy and information assurance. Various types of geolocation technologies are covered, from GPS to cell phone apps. Each topic will be illustrated and presented to the audience for comment and analysis. The session will be wrapped up with some consideration of trends in geolocation, some predictions for the future, and suggestions for the preservation of privacy. 60 minutes.
- Topic Two: Privacy for Mobile Users: Laptops, Location-Based Services and Location-Sharing
Janne Lindqvist: Carnegie Mellon University
What kind of information leaks about you every time you open your laptop, even before you have had the chance to do anything with your computer? What kinds of privacy risks are there in using location-based services? Why do people check in on foursquare despite the numerous research reports of concerns about location-sharing technologies? In this tutorial, we discuss privacy problems and solutions with laptops, location-based services and location-sharing systems. 30 minutes.
JK -- Wants to discuss the technology of geolocation and what its limits are. Overview of GPS -- a military system that is a remnant of the Cold War. It was intended to provide nuclear ballistic missile guidance and to provide nuclear launch detection capability. In its free time, it provides access for civilian applications through a separate channel. The military designed the civilian application to be fuzzy, up to 100m; however, geeks have hacked away and used terrestrial fixed-position items such as a radio station antenna to provide clearer pinpointing, up to 3in. It cost 1.5B to put up the first set of GPS satellites. There are other methods of precise location -- including cell tower, WiFi, RFID, and transaction points (POS sale, i.e. Giant). Combined with GPS, this can provide great location info. The FCC regulated that all cell phones must have GPS capacity; now we have thousands of terminals accessing GPS and communicating across the cell/WiFi network channels. Explained the difference between passive and active RFID. Used the example of Operation Desert Sabre and the "Hail Mary" maneuver to show the power of GPS in military applications. New civilian applications of GPS: Flash Crowds, Geotourism, Location Art [he actually gave a nod to William Gibson's Spook Country too!], Augmented Reality, Personal Location Services, etc. Points to IPv6 as the tipping point for the future of geolocation services, as *everything* would be addressable.
JC -- Discussed his background as a naval aviator and how important it was to know where you were. Fun historical fact: in the British Royal Navy only officers were taught how to navigate, in order to prevent mutiny. Provided an overview of software like MobileMe and its practical uses (monitoring his son). Then we watched a 4square ad... then Please Rob Me... [TomTom and Dutch police... sunshine on Apple/Google GPS/WiFi data collection... all the old examples...]
JL -- Identifiers and protocol stacks... used a picture of a fruit-covered layer cake as a visualization of the stack. Fruit = application; bottom of the layer cake = MAC address. Threats: identifying the device/user, location tracking, etc. MAC address: 48 bits in hexadecimal format, e.g. aa:1a:1b:2b:3a:4a. Tracking mitigation: change the MAC address every time you log into an access point [brilliant!]. The MAC address is an explicit identifier. There are also implicit identifiers such as SSIDs. Devices cache these SSIDs to provide faster network connectivity. The set of cached network names is a privacy risk, as it will produce a unique identifier for an individual as they move between access points. Services such as Wigle.net exploit SSID and GPS. Mitigation strategies? Reduce the number of probes. Don't cache. JL produced a paper
(PDF) and solution to re-use crypto in WiFi for privacy-preserving access-point discovery. [Great presentation!] JL has a website specifically for this conference that provides a tutorial on WiFi and location-based services: http://www.cs.cmu.edu/~jklindqv/CFP2011/
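As an added example (not from Lindqvist's talk or his tutorial site, and not part of the original post), here is a short Python script that models the two kinds of identifier just described. It takes a constructed probe-request log as input, shows that a laptop which randomises its MAC address is still linkable across sessions by the set of cached network names it probes for, and shows that the "reduce probes / don't cache" mitigation collapses that fingerprint. All MAC addresses and SSIDs are constructed; the locally-administered-bit convention used for self-assigned MACs is the standard IEEE 802 one, not anything the talk specified.

```python
import secrets

# Constructed probe-request records: (seconds, source MAC, probed SSID).
# An empty SSID models a wildcard (broadcast) probe that names no network.
# Laptop 1 appears twice: once with its burned-in MAC and once, an hour later,
# with a freshly randomised MAC, but probing for the same three cached names.
PROBE_LOG = [
    (0, "00:1a:2b:3c:4d:5e", "HomeNet-5G"),
    (0, "00:1a:2b:3c:4d:5e", "CoffeeCo"),
    (0, "00:1a:2b:3c:4d:5e", "Office-Guest"),
    (3600, "a6:91:e3:04:77:10", "HomeNet-5G"),
    (3600, "a6:91:e3:04:77:10", "CoffeeCo"),
    (3600, "a6:91:e3:04:77:10", "Office-Guest"),
    (5, "00:99:88:77:66:55", "CoffeeCo"),   # laptop 2: one cached name
    (7, "00:aa:bb:cc:dd:ee", ""),           # laptop 3: wildcard probes only
    (9, "62:0f:3c:51:9a:c4", ""),           # laptop 4: wildcard probes only
]


def random_local_mac() -> str:
    """Return a random unicast, locally administered MAC (bit 1 of the first
    octet set, bit 0 clear): the form a client uses when it self-assigns a new
    address per association instead of exposing its burned-in one."""
    octets = bytearray(secrets.token_bytes(6))
    octets[0] = (octets[0] | 0x02) & 0xFE
    return ":".join(f"{o:02x}" for o in octets)


def is_locally_administered(mac: str) -> bool:
    """True for a unicast address whose locally-administered bit is set."""
    first = int(mac.split(":")[0], 16)
    return bool(first & 0x02) and not first & 0x01


def fingerprints(log) -> dict:
    """Map each source MAC to the frozenset of SSIDs it probed for.
    A device that only sends wildcard probes gets an empty set."""
    seen = {}
    for _, mac, ssid in log:
        names = seen.setdefault(mac, set())
        if ssid:
            names.add(ssid)
    return {mac: frozenset(names) for mac, names in seen.items()}


def linkable_groups(log) -> list:
    """Groups of distinct MACs that share an identical, non-empty SSID set.
    Each group is what an observer can link as one device (or one household)
    across MAC changes, because the cached-name set acts as the identifier."""
    by_set = {}
    for mac, names in fingerprints(log).items():
        if names:
            by_set.setdefault(names, set()).add(mac)
    return [macs for macs in by_set.values() if len(macs) > 1]


def macs_sharing_fingerprint(log, mac: str) -> int:
    """How many MACs in the log look identical to `mac` by SSID set; 1 means
    the device stands out as unique, larger values mean it blends into a crowd."""
    fps = fingerprints(log)
    return sum(1 for names in fps.values() if names == fps[mac])


def without_directed_probes(log) -> list:
    """Model the 'don't probe for cached names' mitigation: every directed probe
    becomes a wildcard probe, so the cached-name set never leaves the device."""
    return [(t, mac, "") for t, mac, _ in log]


if __name__ == "__main__":
    print("linkable across MAC changes:", linkable_groups(PROBE_LOG))
    for mac in fingerprints(PROBE_LOG):
        print(mac, "looks like", macs_sharing_fingerprint(PROBE_LOG, mac), "device(s)")
    quiet = without_directed_probes(PROBE_LOG)
    print("after suppressing directed probes:", linkable_groups(quiet))
    print("example self-assigned MAC:", random_local_mac())
```

Run as-is: laptop 1's two MACs are reported as one linkable group even though the explicit identifier changed, laptop 2 is unique on a single cached name, and only the two wildcard-only laptops blend together. Once directed probes are suppressed, every device shares the empty fingerprint, which is the point of the "reduce probes, don't cache" advice.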
Keynote Address: Senator Patrick Leahy (D-VT)
Awesome Twitter premonition... @Jim_Harper: Will Senator Leahy tell his #privacy joke about a reporter coming to his house in Vermont?... #cfpconf
Seven minutes later, he did. First time I heard the joke, but I'm guessing Jim has heard it many times before.
Senator Leahy delivered his remarks, which were consistent with all other public remarks he has delivered.
Keynote Address: Bruce Schneier
Full keynote available here: http://cfp.acm.org/wordpress/2011/06/keynote-address-bruce-schneier-the-rhetoric-of-cyberwar/
Going to focus on cybersecurity and the debate around it... Bruce went about discussing the language surrounding cyber conflict -- for example, cyber Katrina, cyber Armageddon, declaring war on websites, etc. Using very extreme terminology to convince people of the level of threat.
"Perhaps cyberwar is so easy kids can do it" ~ discussing the conviction of the 22-year-old in Tallinn.
"We don't know if this was state sponsored or kids playing politics"
In America we hate using the word 'war' when it's a real war, but we love using the word 'war' when it's not.
It's not that we're fighting a cyber war, but we are seeing war-like tactics used in cyber conflicts.
GhostNet -- very large, sophisticated surveillance network. Assumption that China was behind it.
A lot of people who watch China see the hacking not as state sponsored but state ignored.
Stuxnet -- the first military-grade cyber weapon we've ever gotten our hands on. A lot of investigative reporting says that the US and Israel were responsible.
Discussed Anonymous and LulzSec and the things they have pulled off. For example, Anonymous telling NATO not to challenge them.
Right now on the internet, the attacker has the advantage.
The politics worries me more than the actual events. We are in the early years of a cyber arms race. Lots of cyber war rhetoric. Lots of money being spent. It has all the hallmarks and dangers of an arms race.
The idea of war changes the debate and changes the solution space. Things we'd never agree to in peacetime we agree to when using the word 'war.'
Curtailing anonymity on the net is directly dependent on whether we are at war or at peace.
Worries about the US military commandeering private assets like major US backbones to mount cyber-attacks.
[Great presentation by Bruce. Good delivery, analysis, and wit. Going to go ahead and say the best one of the conference so far.]
The Privacy Profession -- Corporate Apologists, or Agents of Positive Change?
Moderator: Trevor Hughes: President and CEO, International Association of Privacy Professionals (IAPP)
Panelists:
- Mary Ellen Callahan: Chief Privacy Officer, Department of Homeland Security (Deputy CPO John Kropf filling in)
- Nuala O'Connor Kelly: Senior Counsel and Information Governance & Chief Privacy Leader, General Electric (filling in for Trevor)
- Jonathan Cantor: Chief Privacy Officer / Director of Open Government, Department of Commerce
- Doug Miller: Privacy @ AOL
Panelists introduced their backgrounds and paths to privacy. Everyone's story was similar: no one chose privacy.
Quoting a tweet from Ian Glazer: "Most CPOs I meet all have the same back story, quoting Tom Waits, 'they all start out w/ bad directions' & up in privacy."
Interesting convo here... nothing really to write about... lots of experience stories from government and corporate CPOs.
Jonathan Cantor is working NSTIC issues at Commerce along with many other issues that DoC is taking a position on. Sounds like a great place and a great time to be involved with privacy there.
Privacy is not just a legal or IT issue, it's a larger human rights issue. People who do privacy are in a great position to lead those conversations.