Introducing Threat Modeling for Seattlites

In May, one of our board members, Adam Shostack, author of Threat Modeling, Designing for Security, issued a challenge to the Seattle Privacy Coalition discussion list:

“I would like to ask Seattle Privacy to think about privacy more holistically: What threats exist? How are we, as residents and citizens, tracked, monitored, or analyzed throughout the day?”

Adam said something I think we all know: there are so many ways that data is gathered on any one of us at any given time, it’s hard for us to wrap our heads around it, much less muster defenses.

He asked us to take the tool well-known to technical experts, threat modeling, and apply it to ourselves and our fellow Seattle residents. Another board member, Number Six, rose to the challenge, and “Threat modeling for Seattlites” was underway.

Four questions to start with

At our first meeting at Delridge Public Library, Adam got us started by making a chart on a whiteboard with the following columns across the top. Then we proceeded through an imaginary day:

  • What are you doing? (The task you want to accomplish, and what information is involved.)
  • What can go wrong? (How might your personal information be gathered in ways that are bad for you?)
  • What are your possible defenses? (Are there alternatives you can use to avoid the risk?)
  • What are the costs of your alternatives?

We brainstormed “A Day in the Life of a Seattlite” for three hours. The result was an epic spreadsheet.

Somewhat absurdly, with our fitbits, phone-based alarm clocks, CPAP machines, instructions to Alexa, Siri, Google Home, or whoever, and our social media time, it took us an hour to list the potentially gathered data before we would even leave our imaginary homes to start the day.

Define “required”

As we worked through the day, encountering various aspects of the internet of things, both privately and publicly owned, it emerged that we needed another column: is the task, and the corresponding use of the technology, required or optional?

For example, it’s easy enough to use a cheap old-fashioned non-connected scale to weigh yourself in the morning, instead of an internet-connected device. Or is it? What if your health insurance requires that you transmit this data to keep your policy? Or, what if you can get a lower premium if you opt to transmit the information?

This means that we need to characterize the data collection: is it easy to avoid? Required by law? Easy to avoid if you’re rich? (In particular, we don’t want to fall into the trap of treating ‘opt-in/opt-out’ as if it’s a reasonable and nuanced thing.)

It also became clear that who was collecting the data needed categorization. We settled on three categories for starters:

  • Government
  • Employer
  • Third-party

A few surprises

I learned a few tidbits during this process that were new to me, although I’ve been tracking privacy issues for a few years now. For example, I learned that some types of car insurance offer usage- or behavior-based policies, in which your driving habits, such as rate of acceleration or speed relative to speed limit, are captured and evaluated to adjust the cost of your policy. Perhaps this is also already happening, I don’t know, but one person had read recently that insurers were considering sending along tips to drivers about how they might improve their driving (and thus lower their premiums).

I also learned that it is already not uncommon for insurers to insist upon the use of connected CPAP machines or blood sugar monitors, to ensure that the insured is actually using the care paid for. Doctors can also remotely check the status of these devices.

Building out the model

In our second meeting, in July, we began thinking about what we needed to do next. Our data set was fairly messed up, because we hadn’t made any effort to normalize it while brainstorming, and we knew we’d captured only those tasks and data-gathering technologies that those of us in the room knew about. We knew we needed to run our data by many more people before we could consider it complete.

We also started thinking about ways to communicate the information we were gathering. We thought about ways to graph “effort against hurdles,” such as:

  • An x,y plot, where x is the task and y is one of Legal Requirement | Benefit | Cost to Avoid | Effort.
  • Pie charts, where size represents total effort.
  • Stoplight charts that indicate relative risk, and allow people to drill into details if they want them.

We concluded that we definitely wanted to make our data free for others to use and easily available to incorporate into presentations of all kinds.

(Here is a downloadable version of our first very rough cut at the data. Much more to do, and we’ll set it up for proper use when we’re farther along. Threat Model grid v3.)

Trying a walkthrough

We decided to try to walk through fleshing out one example. We selected “Commute.”

An area that we struggled with was how to define when we had enough information to be useful to share with others. This sort of segued into a discussion about the right level of modeling versus detail. That’s an open issue. Here are the steps we followed just to get something down that we could respond to:

  1. Choose category: commute.
  2. Identify Methods of commute.
  3. List data-gathering technologies.
  4. List potential defenses.
  5. List cost of defenses.
The grid we sketched (columns: Method | Tech that gathers data | Defense | Cost of defense):

Method: Walk
  • Tech that gathers data: Camera (mounted); Camera (mobile); Microphone; SmartApp; Meshnet; RF (Cell, Wi-Fi, RFID/NFC/Bluetooth). Threats: cameras, microphones, smart apps.
  • Defense: Do nothing; Clothing; Avoid officers and known cameras; Stay home; Turn off devices; Airplane mode; Faraday pouch; Policy; Join SPC and advocate.
  • Cost of defense: Privacy loss; Social stigma (tinfoil hat); Financial; Time; Backlash, unintended consequences; Stress; Loss of convenience of device; Watchdogging; Meetings.

Methods still to fill in: Drive own car; Bike; Carshare; Ride corporate bus.
Next steps

Obviously, we still have a lot of work to do. Here’s how we plan to do it:

  • We will meet again in August to finish the commute example, so that we have something substantial to share with reviewers. Watch Twitter for an announcement; it will be in Delridge again.
  • We’ll present a prototype for feedback to Seattle-TA3M in October and ask for volunteers to help us continue fleshing out the data set.
  • We’ll reach out for help finding under-represented communities who can supplement our data set and help us understand what kinds of building blocks would make it useful for scenarios we might not have thought of.
  • Finally, we’ll identify ways that our information about the total cost of privacy invasions can be used to help educate policy makers, technologists, and individuals.

This project is fun and fascinating. If you are in the Seattle area and are interested in participating, please do join us for our next meeting in August. We also welcome ideas about how our data set might best be used.

Letter to Council re Surveillance Ordinance CB 118930

Today I sent the following email to the Gender Equity, Safe Communities, and New Americans Committee of Seattle City Council, speaking only for myself as an individual, not for the Seattle Privacy Coalition or board.

(The board is currently discussing possibilities for a unified position on this legislation that we could endorse as a group.)

I strongly encourage anyone interested in privacy to contact the committee with your own thoughts on this issue.

Dear Councilmembers Gonzales, Burgess, and Bagshaw,

I’m a 30-year resident of Seattle; I live in Councilmember Bagshaw’s district, and I work for Google in the cloud computing division. Previously I have worked for both Microsoft and Amazon on documenting online privacy and security issues.

I am the Chair of the Board of the Seattle Privacy Coalition, and I am a former LA to Councilmember Bagshaw and former Councilmember Sally J. Clark.

I’m writing to call on your committee to discuss and vote for the strongest possible version of the ACLU’s amendments to CB 118930, the Seattle Surveillance Ordinance, and to follow that by tackling the issue of strengthening protections from data-gathering software or hardware that is purchased for reasons other than surveillance.

I am absolutely opposed to council passing any version of this bill that fails to mandate oversight, reporting, auditing, and enforcement (enforcement through such mechanisms as the right to sue for privacy harms).

Finally, please be aware that even the strongest version of the amendments to the ordinance submitted by the ACLU address only a small subset of data-gathering technologies. The world of data-gathering is moving so quickly that technologies not purchased for the use of surveillance can easily become surveillance technology, particularly when information from multiple technologies is combined and shared.

This is an issue that urgently needs to be addressed, since we are now literally being pressured by the federal government to provide information on people for use in deporting them, while at the same time promising those same people that we will protect them as a sanctuary city.

The city must vigorously enforce its privacy program and hire an effective and committed Chief Privacy Officer as soon as possible.

I participated in an Electronic Frontier Foundation call last week in which grassroots activists from around the country discussed surveillance ordinances they are working to enact on municipal, county, and state levels. Seattle’s was cited as “well-intended, but weak.”

Please, help change how people talk about the hard work you do to protect Seattlites, so that they call this legislation “a brilliant model for other municipalities to follow,” instead.

Sawant is a privacy badass; some hope for Dems

With a few very notable exceptions (Mike O’Brien), it has been a huge uphill battle to get Dems at any level of government to acknowledge the need for privacy protections or oversight of big data use and sharing, or protection from federal overreach. (Indeed, we had some city council staff openly laughing at us before the Snowden revelations.)

(Councilmember Kshama Sawant deserves special mention for having been on top of this problematic issue since her first day in office, but of course she is not a Dem.)

I have high hopes for the new party leadership in Washington state, however, Tina Podlodowski and Joe Pakootas, and now that Mayor Ed Murray is taking a very unambiguous stand on our sanctuary status, hopes that we might get some enforcement teeth in our municipal surveillance ordinance and start setting some precedents (such as the right to sue over privacy harms).

Surveillance most harms vulnerable populations such as immigrants, survivors of domestic violence, and people of color — the people we offer sanctuary.

Here’s a round-up of coverage on Sawant’s committee meeting that started investigating federal cameras on SCL poles last week:

  • Video of the committee meeting
  • Sawant Blasts Secret Federal Surveillance Cameras on Seattle Utility Poles
  • Fearing Trump administration’s reach, Seattle City Council fights FBI and SPD’s ‘warrantless surveillance cameras’
  • Sawant wants to strengthen Seattle’s laws against warrantless surveillance
  • Surveillance on Seattle’s mind in light of Trump presidency
  • Sawant moves to curb federal surveillance
  • Seattle City councilmember wants federal surveillance cameras removed
  • New push to restrict law enforcement surveillance cameras on City Light poles
  • Court Says Location Of FBI’s Utility Pole-Piggybacking Surveillance Cameras Can Remain Secret

Membership meeting 1/30; meet Seattle CTO

Hey Seattle friends of privacy!

It’s all true: The New York Times reports that the Obama administration today permitted the NSA to give raw (that is, unminimized to protect privacy) 12333 surveillance to the FBI/CIA/DEA/etc., and here’s the buried lede: “…if analysts stumble across evidence that an American has committed any crime, they will send it to the Justice Department…”.

Furthermore, Rudy Giuliani is going to be our nation’s CyberCyber!

Only seven days remain until a junta takes over the surveillance state.

This calls for action. Take a first step by meeting the Chief Technical Officer of the city of Seattle: a good person to talk to about how we can make our own city a refuge.

Please join us at our first general membership meeting of 2017!

When: Monday, Jan 30, 5:45pm – 7:45pm
Where: Greenwood Library (8016 Greenwood Ave N, Seattle, WA 98103)

We will be in the main library meeting room, right as you come in the front door on the right. Free parking is available underneath the building until library close at 8pm; the #5 Metro bus stops directly outside the library going northbound.

Our special guest this month is Michael Mattmiller, the CTO for the City of Seattle.

Like all general Seattle Privacy meetings, the public is most welcome.

Meeting agenda:

– Open meeting with welcome (5:45pm)

– Intro Michael Mattmiller, CTO for the City of Seattle
  – 10-15 min on the role of a city CTO generally, and Mr Mattmiller’s background prior to this position
  – 30-45 min on current City activities as regards privacy (incl. some limited Q&A):
    – status of the Seattle Privacy Initiative
    – Seattle City Light programs of late
    – status of the SPD mesh network downtown (still hopefully off, but?)
    – SDOT networks downtown: what do they do, where are they?

– Second hour: an open discussion on a day in the life of a Seattleite, the privacy perspective
  – daily tasks/activities from a privacy perspective for the ‘avg’ Seattle resident
  – areas of risk
  – usual tradeoffs (and why choose one or another)
  – mitigation strategies

– Wrap up, meeting adjourns

Indivisible: A resource and roadmap to resistance

I’ll admit it; I was one of the people who never in her wildest dreams imagined that our nation would elect Trump, even with the help of Russia, hackers, voter suppression laws, and all the other evils people talked about before the election.

So I’ve been pulling myself together after a period of paralysis.

I can’t see this as anything but a huge setback for all civil rights activists everywhere.

I wonder what will happen to privacy activists as the new junta inherits the surveillance state.

Meanwhile I’m looking for ideas about resistance. This online guide, Indivisible, compiled by former progressive congressional staffers, is very aligned with the principles under which Seattle Privacy was founded: the idea that we in the public can positively influence the actions of our elected officials. At Seattle Privacy we address the municipal government, but Indivisible explains how the Tea Party managed to influence Congress, despite having a minority (and toxic) viewpoint.

In some ways “working to change the system from within” seems quaint now, in the post-Truth era. The morning of the day I wrote this, Trump declared that his takeaway from meeting with the IC was that the election was won by him fair and square. This is literally an insane interpretation of what they reported.

Anyway, I’m reading Indivisible and getting ready to go out and bother representatives at public events, and I encourage everyone interested in civil rights to do the same.