Seattle Privacy Coalition (https://seattleprivacy.org)
Individual privacy - Institutional transparency
Feed updated: Fri, 23 Feb 2018 21:28:25 +0000

Threat Modeling the Privacy of Seattle Residents
https://seattleprivacy.org/threat-modeling-the-privacy-of-seattle-residents/
Mon, 19 Feb 2018 17:01:56 +0000

[Update Feb 23: Updated spreadsheet based on initial feedback]

[Update, Feb 21: here’s the deck I used: web version, pptx deck.]

I’m pleased to say that we have some first results from our threat modeling for Seattle resident privacy project. In this post, I’m going to share those results, and look forward to what we might do next. (See A Privacy Threat Model for the People of Seattle and Introducing Threat Modeling For Seattlites for more background.)

This blog post provides an overview, and there’s a longer discussion in the Seattle Resident Threat Model white paper (draft).

Overall, I’m happy to say that the effort has been a success, and opens up a set of possibilities.

  • Every participant learned about threats they hadn’t previously considered. This is surprising in and of itself: there are few better-educated sets of people than those willing to commit hours of their weekends to threat modeling privacy.
  • We have a new way to contextualize the decisions we might make, evidence that we can generate these in a reasonable amount of time, and an example of that form.
  • We learned about how long it would take (a few hours to generate a good list of threats, a few hours per category to understand defenses and tradeoffs), and how to accelerate that. (We spent a while getting really deep into threat scenarios in a way that didn’t help with the all-up models.)
  • We saw how deeply and complexly mobile phones and apps play into privacy.
  • We got to some surprising results about privacy in your commute.

Methodology

Results

What we can learn from this:

  • Walking and biking are the most privacy preserving commutes. Everything else generates long-term records of your movement. However, some electric bikes have anti-theft GPS built in, as do the new dockless rental bikes.
  • It’s easier to prevent camera tracking on a bike because a helmet is not as attention-grabbing as a mask. Bikes also limit “gait biometrics.”
  • Motorcycles have far fewer electronics and fewer radios than a car, but still carry license plates and may be tracked via road toll systems. There are obviously complex tradeoffs involved in motorcycle commuting, but it wasn’t obvious to us going in that privacy could play in those tradeoffs.
  • Between Lyft/Uber and your own car, your own car is trackable in more ways, and more ways that tie to you.  Unless you’re worried about those companies, you’re better off with a taxi or carshare.  If you’re worried about Feds or local government, there are a lot of parties a government will subpoena, and so that’s neutral.  (Taxis vs app-driven: if you call a taxi, your pickup location/phone combo may be recorded.  If you hail it, then pay with a card, your dropoff location may be recorded.  If you hail and pay cash, then you’re more private than with an app.  Thanks to @internmike for teasing that out.)

We also looked at phones. There’s a set of radios, some of which (Bluetooth, Wi-Fi) can be turned off with less impact on usability. The cellular network radios can only be turned off with a substantial loss of function. We also discussed differences in usability of turning off app access to location between various brands.

Next Steps

One of the things we did not do was a risk assessment for any particular vulnerable group, but we believe that the information we’ve gathered can support and accelerate such analysis. For example, we know that cell site location information can only be disabled by discarding a mobile phone or leaving it in airplane mode. We also know that DHS collected mobile phone information from DACA applicants. We have not attempted to analyze this or its implications, but we’d be happy to do so in partnership with organizations that have specific concerns.

Since we were exploring how we might do this, we have not yet produced a guide to doing it yourselves.

The Raw Data

The raw data is available under a creative-commons attribution license. Here it is as an Excel spreadsheet. (We use xlsx rather than CSV because we needed Excel’s “sheets” feature.) Here’s a version in Excel and a web view, exported HTM here.

Securing my data for international travel
https://seattleprivacy.org/securing-my-data-for-international-travel/
Sat, 23 Dec 2017 17:25:49 +0000

By Regus Patoff, Anonymous Person

I have a complicated international trip coming up, and I want to protect my private information from border officials. Abroad or in the US, border officials can and do abuse their discretionary power to interrogate travelers, seize electronic devices, demand passwords, and generally inquire into matters unrelated to border safety. This post summarizes my plan. Later I’ll let you know how it went.

 

I’m hard to find online

I started preparing by making my Twitter account anonymous and taking down my personal blog. Now I don’t pop up in Google, so I’m protected from a casual search on my name. It took a full year for my name to fade off of Google, so start this in advance if you want to do it.

I’m not a “target”

I am not important enough to need to worry about state security agencies, and this post isn’t for people who are. I just want to provide zero information to border guards. All they need to know is that I’m not carrying weapons on a flight, and beyond that, in matters of my heart and mind, they can piss off. My border crossings double as resistance to the erosion of my legal and human rights.

I carry a lot of electronic equipment with me when I travel, though no more than what a typical business traveler might. Basically, a phone, a tablet, and a laptop, though no laptop on this trip. I’m leaving behind many computer services that I need to stay in touch with:

  • A computer server providing websites for myself and others, and also DNS. I need administrative access to that even when traveling.
  • Hidden Tor services that I host.
  • Other various backup services hosted by a major cloud services provider.
  • My personal email hosted by another cloud services provider.
  • A backup email provider, a big one, just in case.
  • My private cloud that I host, full of information that I like to have available all the time and on any device, but which I don’t want to trust to a vendor.

Devices I’m taking along

These are the devices I’ll be carrying:

  • An Android phone (cell and Wi-Fi connectivity, with an add-on SD-card for storage). Serves as a phone, of course, but also as a music player.
  • An Android tablet (Wi-Fi connectivity, with an add-on SD-card for storage). This, with an accessory keyboard and mouse, serves as a full-service computer substitute, an ebook reader, and a mapping+navigation device.

Why Android?

I know that iOS devices are regarded as more secure by the extremely careful and/or extremely threatened. I’m not an Android expert who can improvise my own iOS-equivalent security. However, I am not trying to defend myself against intelligence services at the border, I’m just trying to beat border guards. Stock Android with encryption will work. I prefer Android because I like to tinker, so that’s what I’m taking. Loyal iOS users reading this will have no trouble translating its suggestions into the language of their favorite mobile platform.

I’m also carrying a philosophy

Don’t be a hostage to your stuff. My travel devices are cheap and/or old enough to make losing them to government seizure acceptable. It’s the data that matters.

Sensitive data

My data protection strategy is to keep my sensitive data in the cloud where I can access it when it is safe to do so. My sensitive data in this case includes:

  • Contacts
  • Email
  • Calendar
  • Bookmarks
  • Browser history
  • Passwords
  • Cryptographic keys
  • Photographs

Backups

I’ll be keeping data of this sort in the cloud (private or public) and accessing them through secure connections (HTTPS, SSH) or by secure synchronization services (Android sync, Google Drive, Mozilla sync). I also store configuration profiles for important applications (for example, email) so I don’t have to remember them. I have made several layers of backups for everything, in several locations, including my private cloud and a virtual machine I pay a cloud services provider for. If the sync services fail or I lose my devices, I’ll be able to access my important data from any Internet-connected computer.

Passwords

Passwords are a problem. I use around one hundred strong, random passwords for various websites and services, which means I have to use a password manager to keep track of them. I don’t care much for the hosted password management services, so I run my own and sync its database through my private cloud. My Android devices automatically sync up with my password database.

However, to be truly independent of particular devices and safe from government seizure, I need to carry a few strong but unforgettable passwords in my head. I use one to access my private cloud, where everything important is stored. I have another memorized password for my password database, which is itself encrypted, and one more for my backup email account. In general, the correct-horse-battery-staple (https://xkcd.com/936/) method of password building is the way to go for these master, memorized passwords.

Non-sensitive data

In addition to the sensitive data, I’ll be carrying some relatively bulky, non-sensitive stuff:

  • Music files
  • Map files
  • Ebooks

I’ll keep this data on the external MicroSD cards in each device, unencrypted. I’ll avoid carrying anything controversial. These things are already backed up at home, but are too bulky to sync if I lose them. Worst case scenario, I can’t listen to LCD Soundsystem on the funicular. It’s something of a technical trick, though, to keep sensitive data from being saved to those cards by the ever-helpful Android operating system.
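Added example, not part of the original post: one way to check before travel that the unencrypted cards hold only the music, map and ebook files described above. The extension allow-list, the watched directory names and the sample card layout are assumptions constructed for this illustration.

```python
"""Audit a mounted SD card so only bulky, non-sensitive media stays on it."""
import os
import tempfile
from pathlib import Path

# Assumption: extensions standing in for the three allowed categories
# (music, map files, ebooks). Adjust to the apps actually in use.
ALLOWED = {".mp3", ".flac", ".ogg", ".m4a",   # music
           ".map", ".obf",                    # offline map files
           ".epub", ".mobi", ".pdf"}          # ebooks

# Directories at the card root that Android apps fill on their own.
WATCHED_DIRS = {("dcim",): "DCIM", ("pictures",): "Pictures",
                ("download",): "Download", ("android", "data"): "Android/data"}

# Leading bytes of file types that usually carry personal data. Checked before
# the extension, so a renamed file is still caught.
SENSITIVE_MAGIC = [
    (b"\xff\xd8\xff", "JPEG photo"),
    (b"\x89PNG\r\n\x1a\n", "PNG image"),
    (b"SQLite format 3\x00", "SQLite database"),
    (b"-----BEGIN ", "PEM key or certificate"),
    (b"\x03\xd9\xa2\x9a", "KeePass database"),
]


def classify(path, rel):
    """Return a reason string if the file should not be on the card, else None."""
    parents = tuple(part.lower() for part in rel.parts[:-1])
    for watched, label in WATCHED_DIRS.items():
        if parents[:len(watched)] == watched:
            return f"inside app-managed directory {label}"
    try:
        with open(path, "rb") as fh:
            head = fh.read(16)
    except OSError as exc:
        return f"unreadable: {exc}"
    for magic, label in SENSITIVE_MAGIC:
        if head.startswith(magic):
            return f"content is {label}"
    if path.suffix.lower() not in ALLOWED:
        return "extension not on the allow-list"
    return None


def audit_card(root):
    """Walk the card and return sorted (relative_path, reason) findings."""
    root = Path(root)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            rel = path.relative_to(root)
            reason = classify(path, rel)
            if reason:
                findings.append((rel.as_posix(), reason))
    return sorted(findings)


def build_sample_card(root):
    """Write a small constructed card layout used only for the demonstration."""
    root = Path(root)
    samples = {
        "Music/lcd_soundsystem.mp3": b"ID3\x03\x00" + b"\x00" * 32,
        "Maps/region.map": b"mapsforge binary OSM" + b"\x00" * 16,
        "Books/guide.epub": b"PK\x03\x04" + b"\x00" * 32,
        "Music/cover.mp3": b"\xff\xd8\xff\xe0" + b"\x00" * 32,  # JPEG renamed
        "DCIM/Camera/IMG_0001.jpg": b"\xff\xd8\xff\xe1" + b"\x00" * 32,
        "Android/data/org.example.mail/cache.db": b"SQLite format 3\x00" + b"\x00" * 32,
        "backup/id_rsa.txt": b"-----BEGIN OPENSSH PRIVATE KEY-----\n",
        "notes.txt": b"hotel address and booking reference\n",
    }
    for rel, data in samples.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as card:
        for rel_path, why in audit_card(build_sample_card(card)):
            print(f"{rel_path}: {why}")
```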

My pilot protocol

Putting all this together, here is my planned device security protocol for before and after entering a country:

  1. Before: Factory reset the devices. Do not begin device setup. [Non-random thought: Will border officials be annoyed to find a factory-reset device? I imagine the Israelis would be annoyed, or the authorities in Urumqi. An alternative would be to set up a false/alternative identity on the device, which would take planning and time. A secondary and very uninteresting Google account would do the trick. However, DO NOT GET CAUGHT LYING TO THE AUTHORITIES. When I was living in {oppressive regime}, I planned my lies very carefully and kept them effectively unfalsifiable.]
  2. After border crossing, set up the devices using Google account credentials.
  3. Choose option to restore from a cloud backup, including apps.
  4. Finish setup, and when prompted, have the device restore all apps.
  5. Retrieve email configuration from the cloud.
  6. Set up SSH keys.
  7. Re-sync browser bookmarks.
  8. Rebuild the home screen, which in my experience is not restored.

Coming soon: How this worked in a “liberal democracy” with draconian security measures, and in an “undemocratic regime” with the same.

 

TA3M October 16, 6pm-8pm UW CMU 104
https://seattleprivacy.org/ta3m-october-16-6pm-8pm-uw-cmu-104/
Sun, 15 Oct 2017 03:15:06 +0000

Greetings!

Techno-Activism Third Mondays (TA3M) is an informal meetup designed to connect software creators and activists who are interested in censorship, surveillance, and open technology. Currently, TA3M are held in various cities throughout the world, with many more launching in the near future. In Seattle, thanks to a special donor, there will be free pizza!

When: Monday, October 16, 6-8pm
Where: University of Washington Seattle Communications Building CMU 104.

We are looking forward to a great talk from Michelangelo van Dam about the new privacy rights and international effects of the General Data Protection Regulation in the EU. Michelangelo is a senior software engineer, co-founder and CEO of In2It, community leader at PHP Benelux, and a coach with Coder Dojo.

Join the email list:
https://lists.ghserv.net/mailman/listinfo/ta3m-seattle

We’re on Twitter!

To best support the global TA3M meetup, please tweet using the #TA3M hashtag.

@TA3Mseattle
@SeattlePrivacy
@TechnoActivism

TA3M Seattle Monday July 17 2017
https://seattleprivacy.org/ta3m-seattle-july-2017/
Tue, 11 Jul 2017 00:32:43 +0000

Greetings!

Techno-Activism Third Mondays (TA3M) is an informal meetup designed to connect software creators and activists who are interested in censorship, surveillance, and open technology. Currently, TA3M are held in various cities throughout the world, with many more launching in the near future. In Seattle, thanks to a special donor, there will be free pizza!

When: Monday, July 17, 2017, 6:30 – 9:00 PM
Where: Tor Office, Pioneer Square, 80 S. Washington St., Suite 203, Seattle, WA 98194 (https://goo.gl/maps/aun6E4r4s5E2)


Pump.io by AJ (7pm)

Pump.io is a promising project to create a federated social network – think email, where you can have multiple providers that all work together, but for social networking. It stagnated for a while, but the project has recently completed the transfer of governance and code maintenance to the community. This presentation will talk about pump.io’s history (right up to its newly-created community governance), its API, and why it’s pretty freakin’ neat. We’ll end with the work that’s gone out the door in recent releases, the work that remains, and how you can (should?) get involved. Attendees will walk out with an understanding of the historical context behind pump.io, an understanding of how the software works on a technical level, and how it fits into wider social web efforts. No prior knowledge necessary, although a basic familiarity with JSON and HTTP will help.

AJ is a core developer of the Pump.io reference implementation.


Lightning Talks (8pm)

Sign up to give a Lightning Talk by emailing the list. Feel free to ask questions of the list too!

Talks:

  • Paul English – Why & How to use 2 Factor Authentication

 


Join the email list!

https://lists.ghserv.net/mailman/listinfo/ta3m-seattle


We’re on Twitter!

To best support the global TA3M meetup, please tweet using the #TA3M hashtag.

@TA3Mseattle
@SeattlePrivacy
@TechnoActivism

Introducing Threat Modeling for Seattlites
https://seattleprivacy.org/introducing-threat-modeling-for-seattlites/
Mon, 10 Jul 2017 02:16:58 +0000

In May, one of our board members, Adam Shostack, author of Threat Modeling: Designing for Security, issued a challenge to the Seattle Privacy Coalition discussion list:

“I would like to ask Seattle Privacy to think about privacy more holistically: What threats exist? How are we, as residents and citizens, tracked, monitored, or analyzed throughout the day?”

Adam said something I think we all know: there are so many ways that data is gathered on any one of us at any given time, it’s hard for us to wrap our heads around it, much less muster defenses.

He asked us to take the tool well-known to technical experts, threat modeling, and apply it to ourselves and our fellow Seattle residents. Another board member,  Number Six, rose to the challenge, and “Threat modeling for Seattlites” was underway.

Four questions to start with

At our first meeting at Delridge Public Library, Adam got us started by making a chart on a whiteboard with the following columns across the top. Then we proceeded through an imaginary day:

  • What are you doing? (The task you want to accomplish, and what information is involved.)
  • What can go wrong? (How might your personal information be gathered in ways that are bad.)
  • What are your possible defenses? (Are there alternatives you can use to avoid the risk?)
  • What are the costs of your alternatives?

We brainstormed “A Day in the Life of a Seattlite” for three hours. The result was an epic spreadsheet.

Somewhat absurdly, with our fitbits, phone-based alarm clocks, CPAP machines, instructions to Alexa, Siri, Google Home, or whoever, and our social media time, it took us an hour to list the potentially gathered data before we would even leave our imaginary homes to start the day.

Define “required”

As we worked through the day, encountering various aspects of the internet of things both private and publicly owned, it emerged that we needed another column. Is the task, and the corresponding use of the technology, required or optional?

For example, it’s easy enough to use a cheap old-fashioned non-connected scale to weigh yourself in the morning, instead of an internet-connected device. Or is it? What if your health insurance requires that you transmit this data to keep your policy? Or, what if you can get a lower premium if you opt to transmit the information?

This means that we need to characterize the data collection: is it easy to avoid? Required by law? Easy to avoid if you’re rich? (In particular, we don’t want to fall into the trap of treating ‘opt-in/opt-out’ as if it’s a reasonable and nuanced thing.)

It also became clear that who was collecting data needed categorization. We settled with three categories for starters:

  • Government
  • Employer
  • Third-party

A few surprises

I learned a few tidbits during this process that were new to me, although I’ve been tracking privacy issues for a few years now. For example, I learned that some types of car insurance offer usage- or behavior-based policies, in which your driving habits, such as rate of acceleration or speed relative to speed limit, are captured and evaluated to adjust the cost of your policy. Perhaps this is also already happening, I don’t know, but one person had read recently that insurers were considering sending along tips to drivers about how they might improve their driving (and thus lower their premiums).

I also learned that it is already not-uncommon for insurers to insist upon the use of connected CPAP machines or blood sugar monitors, to ensure that the insured is actually using the care paid for. Doctors can also remotely check the status of these devices.

Building out the model

In our second meeting, in July, we began thinking about what we needed to do next. Our data set was fairly messed up, because we hadn’t made any effort to normalize it while brainstorming, and we knew we’d captured only those tasks and data-gathering technologies that those of us in the room knew about. We knew we needed to run our data by many more people before we could consider it complete.

We also started thinking about ways to communicate the information we were gathering. We thought about ways to graph “effort against hurdles,” such as:

  • x,y, where x is task and y is Legal Requirement | Benefit | Cost to Avoid | Effort
  • Pie charts, where size represents total effort.
  • Stoplight charts that could indicate relative risk, and allow people to drill into details if they want them.

We concluded that we definitely wanted to make our data free for others to use and easily available to incorporate into presentations of all kinds.

(Here is a downloadable version of our first very rough cut at the data. Much more to do, and we’ll set it up for proper use when we’re farther along. Threat Model grid v3.)

Trying a walkthrough

We decided to try to walk through fleshing out one example. We selected “Commute.”

An area that we struggled with was how to define when we had enough information to be useful to share with others. This sort of segued into discussion about the right level of modeling versus detail. That’s an open issue. Here are the steps we followed just to get something down that we could respond to:

  1. Choose category: commute.
  2. Identify Methods of commute.
  3. List data-gathering technologies.
  4. List potential defenses.
  5. List cost of defenses.

Columns: Method | Tech that gathers data | Defense | Cost of defense

Method: Walk

  • Tech that gathers data: Camera (Mounted); Camera (Mobile); Microphone; SmartApp; Meshnet; RF; Cell; Wi-Fi; RFID/NFC/Bluetooth. (Threats: cameras, microphones, smart apps.)
  • Defense: Do nothing; Clothing; Avoid officers and known cameras; Stay home; Turn off devices; Airplane mode; Faraday pouch; Policy; Join SPC and advocate.
  • Cost of defense: Privacy loss; Social stigma (tinfoil hat); Financial; Time; Backlash unintended consequences; Stress; Loss of convenience of device; Watchdogging; Meetings.

Methods: Drive own car; Bike; Carshare; Ride corporate bus (rows left empty).

Next steps

Obviously, we still have a lot of work to do. Here’s how we plan to do it:

  • We will meet again in August to finish the commute example, so that we have something substantial to share with reviewers. Watch twitter for an announcement; it will be in Delridge again.
  • We’ll present a prototype for feedback to Seattle-TA3M in October and ask for volunteers to help us continue fleshing out the data set.
  • We’ll reach out for help finding under-represented communities who can supplement our data set and help us understand what kinds of building blocks would make it useful for scenarios we might not have thought of.
  • Finally, we’ll identify ways that our information about the total cost of privacy invasions can be used to help educate policy makers, technologists, and individuals.

This project is fun and fascinating. If you are in the Seattle area and are interested in participating, please do join us for our next meeting in August. We also welcome ideas about how our data set might best be used.

Here’s a template for universal video surveillance, but at least it’s GREEN!
https://seattleprivacy.org/heres-a-template-for-universal-video-surveillance-but-at-least-its-green/
Sat, 03 Jun 2017 20:25:11 +0000

Isn’t this a lovely logo with a lovely message? Silicon and chlorophyll, kissed by the sun in a circle of life….

But the solar lighting company Sun-In-One has more to offer than just lighting. It also offers street lamp modules with motion detection, video surveillance, and mesh networking. Now cities can light roadways and record every movement of their citizens — all in one, convenient, extensible package. Image analysis software included!

Attention Seattle Police Department: Get those facial recognition databases ready.

Attention Seattle City Light: The ATF won’t have to work through you anymore to put up illegal cameras.

Read the product brochure for details.

https://seattleprivacy.org/wp-content/uploads/2017/06/SkyEye-Street-Light-System-2.pdf

Proposal: Overhaul Surveillance Ordinance as Data Collection, Retention and Sharing Ordinance
https://seattleprivacy.org/proposal-overhaul-surveillance-ordinance-as-data-collection-retention-and-sharing-ordinance/
Tue, 11 Apr 2017 07:01:19 +0000

By Jan Bultmann and Christopher Sheats

Our city has committed to protecting immigrants, refugees, and the many thousands of other vulnerable populations. We argue that this is not possible without strong privacy oversight, safeguards, and enforcement. The local privacy community urges Seattle’s leadership to set aside for the moment the discussion of our Surveillance Ordinance and any amendments to it, and instead to develop an ordinance that holistically addresses the government’s role in data collection, retention, and sharing.

Why pause now? The ACLU of Washington has proposed a stronger version of the existing bill, which has been watered down by multiple revisions that remove many critical elements, including independent oversight, auditing, reporting, and enforcement requirements. But even with the ACLU’s original, stronger proposal, the foundation of the bill is inadequate.

We now live in a very different environment than when the Surveillance Ordinance was first crafted, although it has only been 3 years. This legislation was drafted in response to the public outcry that accompanied the Seattle Police Department’s acquisition of drones without public knowledge. Council chambers were repeatedly packed with demonstrators. After $82,000 had been wasted, the drones were ultimately decommissioned. The Surveillance Ordinance succeeded in meeting that immediate challenge.

Now we promise vulnerable people that we are a sanctuary city that will defend their human rights. We are literally in the crosshairs of a hostile federal government, one that has been shown to disregard local regulations and make backroom deals with city agencies. For example, putting cameras on City Light poles in direct violation of our existing surveillance law, putting nothing in writing, and further, evading any form of FOIA or PDR process.

“As a sanctuary city we have a greater obligation to protect private citizens.” — Kshama Sawant

We have autonomous cars coming, including wireless car to car technology, wireless car to infrastructure technology, and the lobbyists that come with them. We have facial recognition technologies coming and the lobbyists that come with them. We will be seeing the largest developments of these technologies within President Trump’s term.

Seattle’s Race and Social Justice Initiative clearly states:

By 2017, the City of Seattle will work with community-based organizations to support the movement to end structural racism.

We can tell you that the City has not asked the Seattle Privacy Coalition for input on how we might accomplish this, and we are well into 2017. Further, CTAB-Privacy has not been asked for input on these amendments by the Council. How can Seattle’s Surveillance Ordinance go on to exempt technologies designed and purchased for surveillance? Do black lives really matter to Seattle when data collection, retention, and sharing technologies are historically and routinely purchased in the name of defense but used offensively?

If we do not hold ourselves accountable, a government for the people, how are we going to ethically govern the use of these technologies when they are funded, deployed, and managed by third parties? How is Seattle going to defend our human rights if we have a “surveillance ordinance” that is not adequate for the complexity of a major municipality? Common sense demands that we broaden the scope to include all forms of data collection, retention, and sharing. This would eliminate splitting hairs on terms that exclude any technology not specifically purchased to support law enforcement.

The Electronic Frontier Foundation is a legal digital rights organization that maintains an umbrella grassroots organization called Electronic Frontier Alliance. Last week we discussed surveillance ordinances under development in more than 11 municipalities across the United States. The Seattle Washington ordinance was cited as being “well-intended but weak” whereas the Oakland California legislation was cited as effective because their draft legislation includes provisions for independent oversight that are fundamental to all controls, auditing and reporting requirements, and enforcement options such as the public’s right to sue for privacy harms. We strongly advise that Council review the Oakland California ordinance.

The Seattle ordinance MUST include oversight, auditing, reporting, and enforcement, and it cannot be limited to a false notion of what is or is not for surveillance. Without these fundamental changes, we are a sanctuary city in name only. With federal access to municipal databases unmonitored, unchecked, and unreported, anyone who makes use of a city service is vulnerable. When privacy is by design and policies are made to support the most vulnerable in our city, we, in effect, defend everyone’s human rights.

As defined by Seattle’s Privacy Program, we have a Privacy Review Process (PDF) that we can leverage for all forms of data collection. All forms, because there cannot be a lack of transparency and accountability. This must be baked into a Data Collection, Retention and Sharing Ordinance. Every act by the City that takes in information should have a corresponding unique identifier that must be published so that anyone can learn more about the data being collected, what it is being used for, and who is responsible for it. This will build trust. In line with Councilmember Sawant’s wishes to pull down foreign cameras from City utility poles, people have the right to be informed about what their government is collecting about them and their community. We should have the ability to learn about and to respond to our government in constructive ways. With the City’s drive for increasing open data and community engagement, why haven’t we started doing this yet?

Privacy is at risk from always-on microphones, cameras, smartphones, smart meters, automobiles, internet assistants like Alexa, Siri, Echo, and Cortana, Internet-connected children’s toys, home appliances, and so many other things that have yet to even be invented. The city of Seattle cannot protect people today from predatory corporate data exploitation. We can, however, model what a human-rights respecting privacy policy looks like. And we must.

Please do not pass the watered-down Surveillance Ordinance rewrite into law because it will cause more harm than good. Instead, we urge the City Council to reach out to local community organizations such as the Seattle Privacy Coalition, Electronic Rights Rainier, and the body that the City Council assembled to advise them on technical issues, the Community Technology Advisory Board, to create a bill we can all be proud of.

If We Care For Survivors, Surveillance Technologies Must Be Heavily Regulated
https://seattleprivacy.org/if-we-care-for-survivors-surveillance-technologies-must-be-heavily-regulated/
Tue, 11 Apr 2017 07:00:50 +0000

By Christopher Sheats

In Seattle tomorrow, City Council will be discussing Surveillance Ordinance amendments originally proposed by ACLU of Washington and watered down by the council. The Surveillance Ordinance would be incredibly deficient if we passed these amendments. Of primary concern, there are multiple exemptions that are *crazy* if you were to juxtapose them with a United Nations privacy report.

Surveillance technology does not include:

(a) technology used to collect data from individuals who knowingly and voluntarily consent to provide, or who do not avail themselves of an opportunity to opt out of providing, such data for use by a City department;

(b) social media sites or news monitoring and news alert services;

(c) a body-worn camera;

(d) a camera installed in or on a police vehicle;

(e) a camera installed in or on any vehicle or along a public right-of-way used to record traffic patterns or traffic violations or to otherwise operate the transportation system safely and efficiently, including in any public right-of-way;

(f) a camera installed on City property for security purposes;

(g) a camera installed solely to protect the physical integrity of City infrastructure, such as Seattle Public Utilities reservoirs; and

(h) routine patches, firmware and software updates, and hardware lifecycle replacements.

In February, I spoke alongside ACLU of Washington lawyers, University of Washington lawyers, and a domestic violence survivor at a public hearing in our state capitol to support an ACLU bill limiting Automatic License Plate Readers. Domestic violence survivors’ privacy, specifically their physical location privacy, is paramount to them and their families. Further, many survivors are victims of police men and women, making this under-served population a critical voice in discussions concerning surveillance technologies. At the hearing, a woman with incredible courage showed up to educate the committee about her and the other 5,000+ Address Confidentiality Program participants. With permission, below is her testimony.

As content on our website is licensed using Creative Commons, please feel free to use and share her testimony to further privacy rights.

Madame Chair, and members of the committee,

I am here today to discuss a part of my life so terrifying that, at times, I have actually contemplated writing a horror movie script.

Please forgive me, but by the end, it will make sense to today’s hearing.

I am here as a participant in the Washington State Address Confidentiality Program, ACP for short.

You will never understand, nor will I ever be able to convey the fear and torment that one individual can deliver. His words are still etched in my mind: “No woman is going to tell me, a man, what to do.” When trying to end a relationship, what I got in return was physical abuse and psychological terror. I would see him outside my home, my work, at my children’s school or stalking me in my rear-view mirror.

At times, he would convey to me each and every way or place he could have killed me that day.

I discovered that he had made duplicate keys of both my home and my car. Changing door locks didn’t matter. He still got inside. He was letting me know that he was in control.

My oldest son and I would eventually booby-trap our doors when we left, to more easily determine if he might be inside when we returned.

And through time, our much-loved pet cats disappeared one by one.

I lived through death and kidnapping threats to my children’s lives. I feared for my own life.

And in utter, desperate fear one night, I called a helpline, told them of my situation, and was advised to leave the state immediately. I did. On their advice, I gave my house keys to a friend, told nobody where I was going, put my kids and some clothes in my car, and drove to a state where I was offered protection.

I thank you so very much WA for the ACP. I no longer have to be afraid. It took me months but I no longer have to fear looking in my rear-view mirror.

This is hopefully the end of my desperate story.

But now, I want you to clearly understand one implication of unrestricted ALPR technology.

I am here representing a vulnerable part of society, those who live in domestic violence situations. My ex-boyfriend kept telling me that he had connections to the police department, that there was no place to hide.

What if that was true? What if someone like me, couldn’t hide ever?

With unrestricted and retained ALPR data that becomes a real possibility.

I want you to consider the lives of spouses of law enforcement who might be in a domestic violence situation. My tale of torture existed because my stalker knew where I lived. Please protect your citizens, all your citizens, from potential location abuse. Please put restrictions on ALPR data.

Letter to Council re Surveillance Ordinance CB 118930
https://seattleprivacy.org/letter-to-council-re-surveillance-ordinance-cb-118930/
Mon, 10 Apr 2017 21:24:05 +0000

Today I sent the following email to the Gender Equity, Safe Communities, and New Americans Committee of Seattle City Council, speaking only for myself as an individual, not for the Seattle Privacy Coalition or board.

(The board is currently discussing possibilities for a unified position on this legislation that we could endorse as a group.)

I strongly encourage anyone interested in privacy to contact the committee with your own thoughts on this issue.

Dear Councilmembers Gonzales, Burgess, and Bagshaw,

I’m a 30-year resident of Seattle; I live in Councilmember Bagshaw’s district, and I work for Google in the cloud computing division. Previously I have worked for both Microsoft and Amazon on documenting online privacy and security issues.

I am the Chair of the Board of the Seattle Privacy Coalition, and I am a former LA to Councilmember Bagshaw and former Councilmember Sally J. Clark.

I’m writing to call on your committee to discuss and vote for the strongest possible version of the ACLU’s amendments to CB 118930, the Seattle Surveillance Ordinance, and to follow that by tackling the issue of strengthening protections from data-gathering software or hardware that is purchased for reasons other than surveillance.

I am absolutely opposed to council passing any version of this bill that fails to mandate oversight, reporting, auditing, and enforcement (enforcement through such mechanisms as the right to sue for privacy harms).

Finally, please be aware that even the strongest version of the amendments to the ordinance submitted by the ACLU addresses only a small subset of data-gathering technologies. The world of data-gathering is moving so quickly that technologies not purchased for the use of surveillance can easily become surveillance technology, particularly when information from multiple technologies is combined and shared.

This is an issue that urgently needs to be addressed, since we are now literally being pressured by the federal government to provide information on people for use in deporting them, while at the same time promising those same people that we will protect them as a sanctuary city.

The city must vigorously enforce its privacy program and hire an effective and committed Chief Privacy Officer as soon as possible.

I participated in an Electronic Frontier Foundation call last week in which grassroots activists from around the country discussed surveillance ordinances they are working to enact on municipal, county, and state levels. Seattle’s was cited as “well-intended, but weak.”

Please, help change how people talk about the hard work you do to protect Seattlites, so that they call this legislation “a brilliant model for other municipalities to follow,” instead.

Sawant is a privacy badass; some hope for Dems
https://seattleprivacy.org/positive-moves-in-democratic-party/
Sun, 29 Jan 2017 21:23:28 +0000

With a few very notable exceptions (Mike O’Brien), it has been a huge uphill battle to get Dems at any level of government to acknowledge the need for privacy protections or oversight of big data use and sharing, or protection from federal overreach. (Indeed, we had some city council staff openly laughing at us before the Snowden revelations.)

(Councilmember Kshama Sawant deserves special mention for having been on top of this problematic issue since her first day in office, but of course she is not a Dem.)

I have high hopes for the new party leadership in Washington state, however, Tina Podlodowski and Joe Pakootas, and, now that Mayor Ed Murray is taking a very unambiguous stand on our sanctuary status, hopes that we might get some enforcement teeth in our municipal surveillance ordinance and start setting some precedents. (Such as the right to sue over privacy harms.)

Surveillance most harms vulnerable populations such as immigrants, survivors of domestic violence, and people of color — the people we offer sanctuary.

Here’s a roundup of coverage on Sawant’s committee meeting that started investigating federal cameras on SCL poles last week:

Video of the committee meeting

Sawant Blasts Secret Federal Surveillance Cameras on Seattle Utility Poles

Fearing Trump administration’s reach, Seattle City Council fights FBI and SPD’s ‘warrantless surveillance cameras’

Sawant wants to strengthen Seattle’s laws against warrantless surveillance

Surveillance on Seattle’s mind in light of Trump presidency

Sawant moves to curb federal surveillance

Seattle City councilmember wants federal surveillance cameras removed

New push to restrict law enforcement surveillance cameras on City Light poles

Court Says Location Of FBI’s Utility Pole-Piggybacking Surveillance Cameras Can Remain Secret
