Google’s Maddie Stone and ACLU’s Jennifer Granick join us for a crash course in the surveillance state — from spyware makers to location data brokers. Find out what the changing cybersecurity threat and legal landscape means for today’s data-hungry startups.
So startups obviously put a ton of work into building their products. Most of the time those products are powered by data, and one, I mean, there's actually a bunch of things that can screw you over, but one for sure is a lapse in cybersecurity. So our next panelists are going to talk about what's out there coming at you and the best ways to avoid that lapse. Please welcome to the stage, from Google, Maddie Stone, and from the ACLU, Jennifer Granick, as well as your moderator, Zack Whittaker. Warm welcome, please. Thank you.

[Music]

But it's so nice to be back after two years away. Thank you so much for joining us, Maddie and Jennifer. Thanks. Every startup in this audience and watching live has something in common, and that's surveillance. Some of you are actively defending against it, and some of you are blissfully unaware that you're sleepwalking your startups into becoming extensions of the next surveillance state. So this talk might scare the out of some of you. I apologize in advance. Thank you so much for being here. Uh, Jennifer, I'd love to start with you. Um, as the ACLU's cybersecurity and surveillance counsel, you closely follow the public sentiment with regards to
privacy. Looking around us, we have, uh, our devices are encrypted, some of our messages are encrypted. How did we get here, or why has there been such an intense trend towards privacy in recent years, and especially the last few months?

Yeah, I mean, privacy has always been really important for a variety of reasons, stemming from either protecting yourself from identity thieves or hackers to, um, protecting yourself from overzealous law enforcement here in this country and in other countries. But I think more and more people are realizing how important privacy is in the post-Roe v. Wade world. Now that the Dobbs decision came down, I think people are realizing that the data that we produce can be used by law enforcement and some of the abortion-ban states to go after and to prosecute people for exercising their right to get an abortion. And so people are really sensitive now, like, all this data is out there about me. And it's nice for those of us who have been working on privacy for a long time, because it feels like people finally appreciate us. So it's unfortunate this has to be it, but it's really great that the public is becoming sensitized to the problem of having our data just out there.

We have so many examples of that coming along the way as well. Maddie, welcome. You're a security
researcher at Google's Project Zero, a team where you've investigated how security bugs are exploited by spyware and other bad actors. Um, for the budding CISOs watching and in the audience today, how much does cybersecurity factor into defending against surveillance?

So it's everything when it comes to defending against surveillance, because if they can't access your data, they can't gain access to the camera, the microphone, um, all of the different parts that could be used to surveil, then you can't really do surveillance this easily across the world, across the city, not being in physical proximity. So security can address all those concerns. And on Project Zero our goal is make zero day hard. And so that doesn't say make zero-day exploits, which are the exploits that are targeting the vulnerabilities no one yet knows exist and are generally used by the commercial surveillance companies or state-sponsored actors. We're not saying make zero day non-existent, we're saying make zero day hard, meaning that it's so costly, requires so much expertise, requires such a time investment from these folks who want to do surveillance, that it's really not worth it to go after, you know, folks' phones or after
companies storing data or things like that. And so that's really what it is, is changing this balance of the return on investment, and right now it's just too easy.

Can I just, can I just add to that? I think, to add to what Maddie's saying, you know, our legal regime is not that protective. It actually makes it quite easy for law enforcement and for foreign intelligence agencies, never mind from other countries other than the US, to get this data. So really security and technology are the first and best step towards protecting our privacy.

So is defending against powerful adversaries like governments an impossible task? Is, is there hope?

Yes. I would not be waking up and doing my job every day if I did not think we could make a difference. There are a lot of practical and tangible actions we can take that will actually make it really, really difficult for folks to be able to say, hey, I want to scan all these people's phones and see who's in this location at this time, um, let's check who's sending WhatsApp messages or Signal messages, you know, to each other. By raising basic levels of security, things like, you know, are people applying patches, uh, as two-factor authentication, which means you don't just put in one password, that someone actually has
another token or piece of information that's added to it. All these basic sort of security hygiene things that we've been talking about for decades directly makes it harder for these nation-state and very sophisticated adversaries. Because the thing is, is when I study zero days, the most sophisticated type of security attack someone could use, and it's interesting right now because those are being used in these highly impactful societal ways of targeting politicians and journalists and human rights defenders. But as long as other people are able to use less sophisticated means, that's why we're not talking about these zero days as of being used by crimeware groups or, you know, a dime a dozen, because they can use easier things. So by continuing to raise that bar, yeah, we can make a big difference and make their lives really, really hard. So there is hope, yes.

And so I really want to focus on, for a second, why we're talking about this today and the harms that surveillance has on, on people. Uh, Jennifer, why should every company here be thinking about surveillance, and what are the consequences if they don't?

I mean, I think, um, there's a feeling that, well, if I'm not doing anything wrong then I
don't have anything to worry about, and then the corresponding feeling, well, you know, then my, this data that I collect isn't dangerous to my users. And that's just not true anymore, if it ever was. We mentioned the abortion example, but, um, you know, first of all, a ton of things are illegal that you don't even realize are illegal, so it makes it possible to put people at risk or in the fear of risk, you know, just based on what the information is that's out there. And then the other, you know, saying is, if you give me six lines written in the hand of an innocent man, I'll find enough to hang him, and that is totally true. And just like a very quick story: I had a friend who had a client. His client witnessed a murder, but the police didn't believe he was a witness. They thought that he was a member of the gang involved in the murder, and so they got 10 years of his Facebook history, all his photos, and basically just cherry-picked out of the thousands and thousands of photos the ones where he was wearing red, and then said, okay, this means that he was in the gang. And so, you know, even the most innocent of information in the wrong hands can be misused.

So let's take a look, um, a closer look at some of the headlines we've seen recently. These are just a few big examples of
surveillance you might have seen in the past few years. And let's stick with spyware, or surveillance by zero day, where security flaws are exploited to spy on people. So let's start there. Um, Maddie, as you said, you know, part of your job is, is trying to make it harder for bad actors to exploit zero days. Um, you did mention a little earlier, but could you just give us a little example of what is a zero day, and why do we call them that?

So a zero day is a bug, a mistake, a vulnerability in the code base that defenders don't yet know exists. We don't know about that specific one. So an n-day vulnerability, the opposite of a zero day, is one where it's been reported, the vendor or someone found it, and, you know, there's a patch you can go and download, there's antivirus signatures to be able to find when someone's trying to exploit it. The zero days are the ones that, we all know there's mistakes in code, I hope that's not groundbreaking, but they're the ones that an adversary or an attacker has found but defenders and the security teams don't yet know. And so as teams working on the zero-day area, we're trying to find things that we don't know what they look like, and that's really why they're so powerful, is because you can't have these, you know, running your antivirus
signatures or things like that to protect yourself. And the zero-day term comes from, there has been zero days since it's been known.

So governments are known for, among many things, but their, their excessive use of surveillance. Um, what are the risks and consequences of governments using undisclosed zero days?

Yeah, so, one, they're huge. But to break it down, you know, even bigger than that is, most organizations or individuals today probably do not need to worry about being individually targeted with zero-day exploits. However, they impact each and every one of us when our politicians and political systems are being hacked with these zero days, when our critical infrastructure, when minoritized populations are being mass exploited with this to monitor their movements, journalists, human rights defenders. That impacts us all at this very large societal level, and so we need to all care about these things, not just be like, oh yeah, there was a zero day in blah blah phone operating system, um, but we don't really need to pay that much attention because it was only used against this one group. No, like, we all need to care when the most vulnerable among us are being
targeted, and from, selfishly, it affects us all.

Just from a legal point of view, does it also set a bad precedent if governments are using zero days? It's almost like one rule for them, one rule for us, which I know applies to governments a lot of the time, but should it apply for them?

Yeah, I mean, it's not even so much a fairness thing, but it's a question of what do we want our government to be incentivized to do. And really the government should be incentivized to try to protect us from attackers, protect us from hackers. But when the government, when governments use zero days, they have an investment in our communications technology remaining insecure, and so instead of having a defender mentality they have an offender mentality, and that results in insufficient investment and insufficient efforts to try to help people secure themselves. And if a government can get in, then other actors can get in as well. So it's really dangerous just to have the government not on your side.

And to, to add on to that, as Jennifer was saying, where it's leaving this whole, these vulnerabilities and zero-day exploits are not a tangible thing that only one person can have and no one else can have it if they have it. And what we see, as a team who also tries to mimic
the behaviors of attackers and finding these zero-day vulnerabilities and reporting them publicly, is that there's a huge amount of bug collisions, meaning we're finding the same bugs as other security researchers, as also the offensive surveillance, um, uh, vendors and people who sell exploits.

So how do we make it more difficult for surveillance actors like nation states to exploit zero days?

Well, so one is, when a vulnerability is, uh, reported to you, patch it as quickly as possible, but also use that information to figure out where all the other holes are in your system. So talking to some of the folks who work in the offensive exploit market currently, and just from the data I'm collecting of all of the zero days being actively exploited in the wild, is that attackers are having success right now by using variants of zero-day vulnerabilities that are already publicly known. So basically someone reports the vulnerability in the code base, they provide a proof of concept. Well, that same pattern exists elsewhere in the code base, yet the vendor only fixed that one place, and so all the attacker has to do is plug and play, find that exact same pattern somewhere else. And that's what people are doing right now, is in the
first half of this year, 2022, more than 50 percent of the in-the-wild zero days, so the ones that were being actively exploited, were variants of things we've seen in the last two or three years.

Yeah. And how much does communication and transparency play into that? You're very vocal about these things. You have a public spreadsheet documenting what is known about the zero days so far this year and by year. Um, but how much does communication and being public and transparent and explaining these things to the public, and the blog posts and publications and so on?

It's, it's one of the biggest things I, I think we need to be focused on, and one of the reasons why I'm optimistic. So for the last three years, you know, really pushing on the fact that, hey, if you're a vendor, whenever you're issuing a security bulletin and patch, if you have reason to believe that it's being actively exploited in the wild, disclose that to everyone, that it's not just another vulnerability. And the reason behind that is, one, for targeted populations, even if there might not be evidence they specifically were targeted, you're giving them a piece of information to take their own autonomy and make their own choices of, okay, I know these types of
actors have targeted me in the past, they may now, I need to assume everything that happened on that app or that device was compromised, and that can provide more physical safety. But as the industry perspective, it means we can all learn from each other. We can figure out what the chains look like, because today a zero-day capability almost always has two or three exploits chained together, and so that often means you're talking through different products. You know, it might start on Chrome and then go to Windows, it might go messaging app to, um, an app, another app on the phone, to finally an Android privilege escalation. So these capabilities are collaborative, then that means we need to all be working together. 2021 was the most zero days we'd ever seen in the wild, um, and I think that's actually because of the transparency in the industry. Both Android and Apple began, um, publishing this information when they knew of active exploitation happening, and that just gave us so much more view into what are these attackers actually doing, so that we can have this ground truth when, as defenders, you know, it helps us be able to make those choices of where do we invest, what's actually going to make it harder for them.

Yeah. I want to talk about another kind
of pervasive tracking, one that might hit a little close to home with some of the folks in the audience: um, data brokers, the companies that collect and buy the granular location data from smartphone apps from billions of devices around the world and then sell it to governments and militaries. So why would governments want that data? What's so valuable about location data from smartphone apps?

I mean, location data is extremely sensitive, whether you are looking for it en masse as like kind of a bulk collection and you want to see where populations are moving, and that was something that the government, governments were interested in in the early days of COVID where there were quarantines or, uh, yeah, shelter-in-place type orders. It's like, are people leaving Brooklyn and coming to Manhattan, for example, are people crossing the border and going to abortion clinics in aggregate, who was at the bank robbery, who was at the Black Lives Matter protest, who was at January 6th. So this information in bulk is extremely, is extremely revealing. And it also, you know, location history allows you to track an individual or individuals: they went to the, um, you know, AAA meeting, they went to the mosque, they went to their parents' house, they went, you know, that sort of thing. So
the information is very revealing, and one of the great things about buying it from a data broker is you don't have to go get a warrant from a court, so there's no point where the law enforcement agent has to prove that the need for the information exists. It's really just what they want.

And so there is an assumption that if you've got nothing to hide, or if you think you've done nothing wrong, that there's no fear from the government, but we've also seen that's not necessarily the case on several, you know, many cases. And we've also seen the US government buying bulk location data from data brokers. So how much of a threat are data brokers?

I think data brokers are a big threat because it is a way of circumventing the even modest legal protections that we have for this data, and it's really not transparent. We don't know how much data law enforcement gets from data brokers, we don't know how they're using that data, we don't know what their, you know, how they keep it. And, you know, sometimes we never know because there's no criminal charges, they're following people who are, you know, innocent for some reason, or even when there are some charges, there's this thing called parallel construction, where law enforcement can go and pretend that they found the information through a legitimate path even though they found
it through a different way that they want to keep secret. There's all kinds of doctrines that law enforcement uses in order to keep secret what they're actually doing in terms of surveillance.

So a lot of startups, you know, use SDKs and they use, you know, all kinds of plugins and codes to extract location data and give that to data brokers. It's part of, you know, it's a way to make money, and a lot of data brokers offer money to developers for location data. But it's not us doing the surveillance, they might say. So who's, who's responsible ultimately for apps and services that give data to data brokers? Who's responsible for that?

The app developer. Any of us who are writing software and then delivering it to customers are responsible for whatever code we're giving to our customers, and that means looking at libraries, looking at the SDKs, all of those different pieces. If you're putting it out there, then your users can be harmed, and that's on each of us to really evaluate what are we handing over to them. And that comes both with the data collection along with, you know, vulnerabilities too: are you making your users more vulnerable by using this library and not taking updates and things like that? An example is, back prior to Project Zero, I worked on the Android malware team and we discovered
this giant botnet that was on millions of devices around the world, and it got on all of those devices because they had sold themselves as a monetization SDK to all these app developers. But it did lots of different types of things to monetize itself, such as, not as common here in the US, but premium SMS fraud, where it would send a bunch, it would register a premium number, send a bunch of these text messages, and then that money comes from the user's bill. So things like that of, yeah, the app developers were like, no, it's just a monetization SDK, but it's actively stealing money from each of your users.

So historically data is money, and selling access to users' location data or any of the data is how a lot of startups make money. So, so how much surveillance, or how, well, how much surveillance, or, um, as, as a whole or even on a, you know, on a granular level, can be fixed by new business models?

I, I think the business model is a really important piece of the vulnerability. Like, if you don't know how you're going to make money, that's a problem, um, because eventually, you know, investors, or if you go public and sell shares, there's going to be some point at which somebody's like, okay, what do you have to make money off of? And if all you have is the user data, there's going to be a huge
pressure to do that. I think that, you know, the question is how, what kind of advertising model or other model can you do without collecting so much personally identifiable information that can be traced back to a real person. So I think there's some technological approaches, which could be like anonymization or pseudonymization, or, you know, there's a lot of technologies where you can do data analysis without having the information be aggregated or re-identified, and I think that is really important. Obviously you could have a pay-for-your-subscription model. That works for some things, doesn't work for everything, and, you know, I don't think everybody should necessarily have to pay, but we really need to think very carefully about how we collect and analyze the data, lest you end up being part of this, you know, surveillance capitalism, um, you know, pollution of data that's out there.

So let's stay with that, um, for a moment. You know, let's try to end on a, on a positive note. Um, let's say that your business relies on user data. Unavoidably, a lot of companies do. How would you defend that data? What are some of the things that startups can do to prevent their users' data from ending up in the hands of hackers and governments? Maddie, you
touched on this a little bit at the start.

Yeah, yeah, so really evaluating your security hygiene. So there's a lot of documents out there nowadays, like even CISA for the US government publishes a lot of these guidelines of things of, you know, even at the beginning, evaluating your password situation, like, is the same password used elsewhere? If you're buying software and products from some people, are you changing that? So until you get those, I would say you don't need to quite worry fully about the zero-day problem, um, because by forcing people to use zero days, that's, that is better than them being able to use cheaper techniques. Um, but also one of the ways that I don't think a lot of people think about that they can make an impact is, a lot of companies and startups are buying software or products or laptops, computers from other big companies to use, and so there actually is power in that, of trying to get these changes in the industry that we're looking for, of: how often are you going to provide me security bulletins? Do you promise that if you know of something being exploited that you will tell me about it? Uh, what type of analyses do you do when they're
reported to you? And that's where I think a lot, it's very easy to get into that individual mindset of, oh, I'm just one person, I'm just one company. But when you're paying people to do stuff, it suddenly becomes much more powerful to start asking and, um, sort of demanding some of these answers. And when lots and lots of, you know, individual companies start doing this, then that becomes this wave of, we need to start doing this if we want to keep making money and selling our products to folks.

Yeah, there are an increasing number of privacy-protecting technologies that are out there. Like, I'm on the board of Let's Encrypt, the certificate authority, and one of our projects as part of the Internet Security Research Group is a product, Divvi Up, which is designed to try to do analysis on data without it all being like aggregated and identified. So you need to think about and look for that and kind of build security and privacy in from the very beginning instead of thinking about it as a, as an aftermath. And I would just say the same thing about law: if you have data, people are going to try to come and get it, and you need to have a robust process in place for when those, uh, government demands come in.

We only have a few minutes left. Um, what more can we do on an individual
level, especially here in the US? I know there are some laws in, in Congress aiming to tackle some of the, the data broker issues, but what more can we do?

Yeah, from a legal perspective, um, you know, call your Congress person. And both at the federal level there's a bill called the, um, Fourth Amendment Is Not For Sale Act that would deal with data brokers, there's a couple of transparency bills out there about data requests, and especially at the state level we're seeing real progress in terms of legislation, especially here in California but also in New York, and there's just a real, um, like enthusiasm for states passing more privacy laws because of Dobbs.

Yeah. And Maddie, what would you say? What more can we do on an individual level, um, here in the US?

Uh, well, I don't know all the legal, so from me, from my perspective on the technical, is individual level, protect yourself of apply patches as soon as they're available. A lot of systems now have auto-update, because that really is what protects you from the mass exploitation, because as soon as those vulnerabilities are out there in a patch, there are thousands of people around the world doing what's called patch diffing to figure out what's the vulnerability and how do I exploit it, because that's
much easier than the zero days. And so while you might not be a target of the state-sponsored actors, the non-state-sponsored actors, that there's a whole lot more of, um, are looking to get anyone they can. So applying the updates is probably the biggest way to protect yourself.

And surveillance, you know, isn't just a, as a, just a US thing. Um, I also just want to kind of, um, end on a bit of a brighter note. We've got about a minute left on the clock. Um, in terms of startups that are doing things, you mentioned Let's Encrypt as a non-profit that, uh, um, gives out free TLS certificates. Um, are there any other startups that you can think of that are doing some really good things at the moment that you can, that you can share with the audience? Let's Encrypt is a good one, to be fair.

Yeah, I mean, I'm on the board, so I'm familiar with ISRG's products. We also have a project, Prossimo, which is about trying to take code libraries and put them in a more secure programming language. And so I just, you know, I, I'm on the board, it's a really awesome organization, we're doing some really cutting-edge things, yeah.

Uh, we hope everybody in the audience are the ones who are going to be doing really awesome things after having
listened to this panel.

That's the best. And I hope you folks, uh, weren't scared too much. Uh, thank you so much for joining us. Thank you again. Thank you for having me. Thank you, thank you.